1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2013 Red Hat
4  * Author: Rob Clark <robdclark@gmail.com>
5  */
6 
7 #include <linux/file.h>
8 #include <linux/sync_file.h>
9 #include <linux/uaccess.h>
10 
11 #include <drm/drm_drv.h>
12 #include <drm/drm_file.h>
13 #include <drm/drm_syncobj.h>
14 
15 #include "msm_drv.h"
16 #include "msm_gpu.h"
17 #include "msm_gem.h"
18 #include "msm_gpu_trace.h"
19 
20 /*
21  * Cmdstream submission:
22  */
23 
24 static struct msm_gem_submit *submit_create(struct drm_device *dev,
25 		struct msm_gpu *gpu,
26 		struct msm_gpu_submitqueue *queue, uint32_t nr_bos,
27 		uint32_t nr_cmds)
28 {
29 	struct msm_gem_submit *submit;
30 	uint64_t sz;
31 	int ret;
32 
33 	sz = struct_size(submit, bos, nr_bos) +
34 			((u64)nr_cmds * sizeof(submit->cmd[0]));
35 
36 	if (sz > SIZE_MAX)
37 		return ERR_PTR(-ENOMEM);
38 
39 	submit = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
40 	if (!submit)
41 		return ERR_PTR(-ENOMEM);
42 
43 	ret = drm_sched_job_init(&submit->base, queue->entity, queue);
44 	if (ret) {
45 		kfree(submit);
46 		return ERR_PTR(ret);
47 	}
48 
49 	kref_init(&submit->ref);
50 	submit->dev = dev;
51 	submit->aspace = queue->ctx->aspace;
52 	submit->gpu = gpu;
53 	submit->cmd = (void *)&submit->bos[nr_bos];
54 	submit->queue = queue;
55 	submit->ring = gpu->rb[queue->ring_nr];
56 	submit->fault_dumped = false;
57 
58 	INIT_LIST_HEAD(&submit->node);
59 
60 	return submit;
61 }
62 
63 void __msm_gem_submit_destroy(struct kref *kref)
64 {
65 	struct msm_gem_submit *submit =
66 			container_of(kref, struct msm_gem_submit, ref);
67 	unsigned i;
68 
69 	if (submit->fence_id) {
70 		mutex_lock(&submit->queue->lock);
71 		idr_remove(&submit->queue->fence_idr, submit->fence_id);
72 		mutex_unlock(&submit->queue->lock);
73 	}
74 
75 	dma_fence_put(submit->user_fence);
76 	dma_fence_put(submit->hw_fence);
77 
78 	put_pid(submit->pid);
79 	msm_submitqueue_put(submit->queue);
80 
81 	for (i = 0; i < submit->nr_cmds; i++)
82 		kfree(submit->cmd[i].relocs);
83 
84 	kfree(submit);
85 }
86 
87 static int submit_lookup_objects(struct msm_gem_submit *submit,
88 		struct drm_msm_gem_submit *args, struct drm_file *file)
89 {
90 	unsigned i;
91 	int ret = 0;
92 
93 	for (i = 0; i < args->nr_bos; i++) {
94 		struct drm_msm_gem_submit_bo submit_bo;
95 		void __user *userptr =
96 			u64_to_user_ptr(args->bos + (i * sizeof(submit_bo)));
97 
98 		/* make sure we don't have garbage flags, in case we hit
99 		 * error path before flags is initialized:
100 		 */
101 		submit->bos[i].flags = 0;
102 
103 		if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) {
104 			ret = -EFAULT;
105 			i = 0;
106 			goto out;
107 		}
108 
109 /* at least one of READ and/or WRITE flags should be set: */
110 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
111 
112 		if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) ||
113 			!(submit_bo.flags & MANDATORY_FLAGS)) {
114 			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
115 			ret = -EINVAL;
116 			i = 0;
117 			goto out;
118 		}
119 
120 		submit->bos[i].handle = submit_bo.handle;
121 		submit->bos[i].flags = submit_bo.flags;
122 		/* in validate_objects() we figure out if this is true: */
123 		submit->bos[i].iova  = submit_bo.presumed;
124 	}
125 
126 	spin_lock(&file->table_lock);
127 
128 	for (i = 0; i < args->nr_bos; i++) {
129 		struct drm_gem_object *obj;
130 
131 		/* normally use drm_gem_object_lookup(), but for bulk lookup
132 		 * all under single table_lock just hit object_idr directly:
133 		 */
134 		obj = idr_find(&file->object_idr, submit->bos[i].handle);
135 		if (!obj) {
136 			DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i);
137 			ret = -EINVAL;
138 			goto out_unlock;
139 		}
140 
141 		drm_gem_object_get(obj);
142 
143 		submit->bos[i].obj = to_msm_bo(obj);
144 	}
145 
146 out_unlock:
147 	spin_unlock(&file->table_lock);
148 
149 out:
150 	submit->nr_bos = i;
151 
152 	return ret;
153 }
154 
155 static int submit_lookup_cmds(struct msm_gem_submit *submit,
156 		struct drm_msm_gem_submit *args, struct drm_file *file)
157 {
158 	unsigned i;
159 	size_t sz;
160 	int ret = 0;
161 
162 	for (i = 0; i < args->nr_cmds; i++) {
163 		struct drm_msm_gem_submit_cmd submit_cmd;
164 		void __user *userptr =
165 			u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
166 
167 		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
168 		if (ret) {
169 			ret = -EFAULT;
170 			goto out;
171 		}
172 
173 		/* validate input from userspace: */
174 		switch (submit_cmd.type) {
175 		case MSM_SUBMIT_CMD_BUF:
176 		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
177 		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
178 			break;
179 		default:
180 			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
181 			return -EINVAL;
182 		}
183 
184 		if (submit_cmd.size % 4) {
185 			DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
186 					submit_cmd.size);
187 			ret = -EINVAL;
188 			goto out;
189 		}
190 
191 		submit->cmd[i].type = submit_cmd.type;
192 		submit->cmd[i].size = submit_cmd.size / 4;
193 		submit->cmd[i].offset = submit_cmd.submit_offset / 4;
194 		submit->cmd[i].idx  = submit_cmd.submit_idx;
195 		submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
196 
197 		userptr = u64_to_user_ptr(submit_cmd.relocs);
198 
199 		sz = array_size(submit_cmd.nr_relocs,
200 				sizeof(struct drm_msm_gem_submit_reloc));
201 		/* check for overflow: */
202 		if (sz == SIZE_MAX) {
203 			ret = -ENOMEM;
204 			goto out;
205 		}
206 		submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
207 		ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
208 		if (ret) {
209 			ret = -EFAULT;
210 			goto out;
211 		}
212 	}
213 
214 out:
215 	return ret;
216 }
217 
218 /* Unwind bo state, according to cleanup_flags.  In the success case, only
219  * the lock is dropped at the end of the submit (and active/pin ref is dropped
220  * later when the submit is retired).
221  */
222 static void submit_cleanup_bo(struct msm_gem_submit *submit, int i,
223 		unsigned cleanup_flags)
224 {
225 	struct drm_gem_object *obj = &submit->bos[i].obj->base;
226 	unsigned flags = submit->bos[i].flags & cleanup_flags;
227 
228 	/*
229 	 * Clear flags bit before dropping lock, so that the msm_job_run()
230 	 * path isn't racing with submit_cleanup() (ie. the read/modify/
231 	 * write is protected by the obj lock in all paths)
232 	 */
233 	submit->bos[i].flags &= ~cleanup_flags;
234 
235 	if (flags & BO_PINNED)
236 		msm_gem_unpin_vma_locked(obj, submit->bos[i].vma);
237 
238 	if (flags & BO_ACTIVE)
239 		msm_gem_active_put(obj);
240 
241 	if (flags & BO_LOCKED)
242 		dma_resv_unlock(obj->resv);
243 }
244 
245 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, int i)
246 {
247 	submit_cleanup_bo(submit, i, BO_PINNED | BO_ACTIVE | BO_LOCKED);
248 
249 	if (!(submit->bos[i].flags & BO_VALID))
250 		submit->bos[i].iova = 0;
251 }
252 
253 /* This is where we make sure all the bo's are reserved and pin'd: */
254 static int submit_lock_objects(struct msm_gem_submit *submit)
255 {
256 	int contended, slow_locked = -1, i, ret = 0;
257 
258 retry:
259 	for (i = 0; i < submit->nr_bos; i++) {
260 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
261 
262 		if (slow_locked == i)
263 			slow_locked = -1;
264 
265 		contended = i;
266 
267 		if (!(submit->bos[i].flags & BO_LOCKED)) {
268 			ret = dma_resv_lock_interruptible(msm_obj->base.resv,
269 							  &submit->ticket);
270 			if (ret)
271 				goto fail;
272 			submit->bos[i].flags |= BO_LOCKED;
273 		}
274 	}
275 
276 	ww_acquire_done(&submit->ticket);
277 
278 	return 0;
279 
280 fail:
281 	if (ret == -EALREADY) {
282 		DRM_ERROR("handle %u at index %u already on submit list\n",
283 				submit->bos[i].handle, i);
284 		ret = -EINVAL;
285 	}
286 
287 	for (; i >= 0; i--)
288 		submit_unlock_unpin_bo(submit, i);
289 
290 	if (slow_locked > 0)
291 		submit_unlock_unpin_bo(submit, slow_locked);
292 
293 	if (ret == -EDEADLK) {
294 		struct msm_gem_object *msm_obj = submit->bos[contended].obj;
295 		/* we lost out in a seqno race, lock and retry.. */
296 		ret = dma_resv_lock_slow_interruptible(msm_obj->base.resv,
297 						       &submit->ticket);
298 		if (!ret) {
299 			submit->bos[contended].flags |= BO_LOCKED;
300 			slow_locked = contended;
301 			goto retry;
302 		}
303 
304 		/* Not expecting -EALREADY here, if the bo was already
305 		 * locked, we should have gotten -EALREADY already from
306 		 * the dma_resv_lock_interruptable() call.
307 		 */
308 		WARN_ON_ONCE(ret == -EALREADY);
309 	}
310 
311 	return ret;
312 }
313 
314 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit)
315 {
316 	int i, ret = 0;
317 
318 	for (i = 0; i < submit->nr_bos; i++) {
319 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
320 		bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE;
321 
322 		/* NOTE: _reserve_shared() must happen before
323 		 * _add_shared_fence(), which makes this a slightly
324 		 * strange place to call it.  OTOH this is a
325 		 * convenient can-fail point to hook it in.
326 		 */
327 		ret = dma_resv_reserve_fences(obj->resv, 1);
328 		if (ret)
329 			return ret;
330 
331 		/* exclusive fences must be ordered */
332 		if (no_implicit && !write)
333 			continue;
334 
335 		ret = drm_sched_job_add_implicit_dependencies(&submit->base,
336 							      obj,
337 							      write);
338 		if (ret)
339 			break;
340 	}
341 
342 	return ret;
343 }
344 
345 static int submit_pin_objects(struct msm_gem_submit *submit)
346 {
347 	int i, ret = 0;
348 
349 	submit->valid = true;
350 
351 	/*
352 	 * Increment active_count first, so if under memory pressure, we
353 	 * don't inadvertently evict a bo needed by the submit in order
354 	 * to pin an earlier bo in the same submit.
355 	 */
356 	for (i = 0; i < submit->nr_bos; i++) {
357 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
358 
359 		msm_gem_active_get(obj, submit->gpu);
360 		submit->bos[i].flags |= BO_ACTIVE;
361 	}
362 
363 	for (i = 0; i < submit->nr_bos; i++) {
364 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
365 		struct msm_gem_vma *vma;
366 
367 		/* if locking succeeded, pin bo: */
368 		vma = msm_gem_get_vma_locked(obj, submit->aspace);
369 		if (IS_ERR(vma)) {
370 			ret = PTR_ERR(vma);
371 			break;
372 		}
373 
374 		ret = msm_gem_pin_vma_locked(obj, vma);
375 		if (ret)
376 			break;
377 
378 		submit->bos[i].flags |= BO_PINNED;
379 		submit->bos[i].vma = vma;
380 
381 		if (vma->iova == submit->bos[i].iova) {
382 			submit->bos[i].flags |= BO_VALID;
383 		} else {
384 			submit->bos[i].iova = vma->iova;
385 			/* iova changed, so address in cmdstream is not valid: */
386 			submit->bos[i].flags &= ~BO_VALID;
387 			submit->valid = false;
388 		}
389 	}
390 
391 	return ret;
392 }
393 
394 static void submit_attach_object_fences(struct msm_gem_submit *submit)
395 {
396 	int i;
397 
398 	for (i = 0; i < submit->nr_bos; i++) {
399 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
400 
401 		if (submit->bos[i].flags & MSM_SUBMIT_BO_WRITE)
402 			dma_resv_add_fence(obj->resv, submit->user_fence,
403 					   DMA_RESV_USAGE_WRITE);
404 		else if (submit->bos[i].flags & MSM_SUBMIT_BO_READ)
405 			dma_resv_add_fence(obj->resv, submit->user_fence,
406 					   DMA_RESV_USAGE_READ);
407 	}
408 }
409 
410 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx,
411 		struct msm_gem_object **obj, uint64_t *iova, bool *valid)
412 {
413 	if (idx >= submit->nr_bos) {
414 		DRM_ERROR("invalid buffer index: %u (out of %u)\n",
415 				idx, submit->nr_bos);
416 		return -EINVAL;
417 	}
418 
419 	if (obj)
420 		*obj = submit->bos[idx].obj;
421 	if (iova)
422 		*iova = submit->bos[idx].iova;
423 	if (valid)
424 		*valid = !!(submit->bos[idx].flags & BO_VALID);
425 
426 	return 0;
427 }
428 
429 /* process the reloc's and patch up the cmdstream as needed: */
430 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj,
431 		uint32_t offset, uint32_t nr_relocs, struct drm_msm_gem_submit_reloc *relocs)
432 {
433 	uint32_t i, last_offset = 0;
434 	uint32_t *ptr;
435 	int ret = 0;
436 
437 	if (!nr_relocs)
438 		return 0;
439 
440 	if (offset % 4) {
441 		DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset);
442 		return -EINVAL;
443 	}
444 
445 	/* For now, just map the entire thing.  Eventually we probably
446 	 * to do it page-by-page, w/ kmap() if not vmap()d..
447 	 */
448 	ptr = msm_gem_get_vaddr_locked(&obj->base);
449 
450 	if (IS_ERR(ptr)) {
451 		ret = PTR_ERR(ptr);
452 		DBG("failed to map: %d", ret);
453 		return ret;
454 	}
455 
456 	for (i = 0; i < nr_relocs; i++) {
457 		struct drm_msm_gem_submit_reloc submit_reloc = relocs[i];
458 		uint32_t off;
459 		uint64_t iova;
460 		bool valid;
461 
462 		if (submit_reloc.submit_offset % 4) {
463 			DRM_ERROR("non-aligned reloc offset: %u\n",
464 					submit_reloc.submit_offset);
465 			ret = -EINVAL;
466 			goto out;
467 		}
468 
469 		/* offset in dwords: */
470 		off = submit_reloc.submit_offset / 4;
471 
472 		if ((off >= (obj->base.size / 4)) ||
473 				(off < last_offset)) {
474 			DRM_ERROR("invalid offset %u at reloc %u\n", off, i);
475 			ret = -EINVAL;
476 			goto out;
477 		}
478 
479 		ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid);
480 		if (ret)
481 			goto out;
482 
483 		if (valid)
484 			continue;
485 
486 		iova += submit_reloc.reloc_offset;
487 
488 		if (submit_reloc.shift < 0)
489 			iova >>= -submit_reloc.shift;
490 		else
491 			iova <<= submit_reloc.shift;
492 
493 		ptr[off] = iova | submit_reloc.or;
494 
495 		last_offset = off;
496 	}
497 
498 out:
499 	msm_gem_put_vaddr_locked(&obj->base);
500 
501 	return ret;
502 }
503 
504 /* Cleanup submit at end of ioctl.  In the error case, this also drops
505  * references, unpins, and drops active refcnt.  In the non-error case,
506  * this is done when the submit is retired.
507  */
508 static void submit_cleanup(struct msm_gem_submit *submit, bool error)
509 {
510 	unsigned cleanup_flags = BO_LOCKED;
511 	unsigned i;
512 
513 	if (error)
514 		cleanup_flags |= BO_PINNED | BO_ACTIVE;
515 
516 	for (i = 0; i < submit->nr_bos; i++) {
517 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
518 		submit_cleanup_bo(submit, i, cleanup_flags);
519 		if (error)
520 			drm_gem_object_put(&msm_obj->base);
521 	}
522 }
523 
524 void msm_submit_retire(struct msm_gem_submit *submit)
525 {
526 	int i;
527 
528 	for (i = 0; i < submit->nr_bos; i++) {
529 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
530 
531 		msm_gem_lock(obj);
532 		submit_cleanup_bo(submit, i, BO_PINNED | BO_ACTIVE);
533 		msm_gem_unlock(obj);
534 		drm_gem_object_put(obj);
535 	}
536 }
537 
538 struct msm_submit_post_dep {
539 	struct drm_syncobj *syncobj;
540 	uint64_t point;
541 	struct dma_fence_chain *chain;
542 };
543 
544 static struct drm_syncobj **msm_parse_deps(struct msm_gem_submit *submit,
545                                            struct drm_file *file,
546                                            uint64_t in_syncobjs_addr,
547                                            uint32_t nr_in_syncobjs,
548                                            size_t syncobj_stride,
549                                            struct msm_ringbuffer *ring)
550 {
551 	struct drm_syncobj **syncobjs = NULL;
552 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
553 	int ret = 0;
554 	uint32_t i, j;
555 
556 	syncobjs = kcalloc(nr_in_syncobjs, sizeof(*syncobjs),
557 	                   GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
558 	if (!syncobjs)
559 		return ERR_PTR(-ENOMEM);
560 
561 	for (i = 0; i < nr_in_syncobjs; ++i) {
562 		uint64_t address = in_syncobjs_addr + i * syncobj_stride;
563 		struct dma_fence *fence;
564 
565 		if (copy_from_user(&syncobj_desc,
566 			           u64_to_user_ptr(address),
567 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
568 			ret = -EFAULT;
569 			break;
570 		}
571 
572 		if (syncobj_desc.point &&
573 		    !drm_core_check_feature(submit->dev, DRIVER_SYNCOBJ_TIMELINE)) {
574 			ret = -EOPNOTSUPP;
575 			break;
576 		}
577 
578 		if (syncobj_desc.flags & ~MSM_SUBMIT_SYNCOBJ_FLAGS) {
579 			ret = -EINVAL;
580 			break;
581 		}
582 
583 		ret = drm_syncobj_find_fence(file, syncobj_desc.handle,
584 		                             syncobj_desc.point, 0, &fence);
585 		if (ret)
586 			break;
587 
588 		ret = drm_sched_job_add_dependency(&submit->base, fence);
589 		if (ret)
590 			break;
591 
592 		if (syncobj_desc.flags & MSM_SUBMIT_SYNCOBJ_RESET) {
593 			syncobjs[i] =
594 				drm_syncobj_find(file, syncobj_desc.handle);
595 			if (!syncobjs[i]) {
596 				ret = -EINVAL;
597 				break;
598 			}
599 		}
600 	}
601 
602 	if (ret) {
603 		for (j = 0; j <= i; ++j) {
604 			if (syncobjs[j])
605 				drm_syncobj_put(syncobjs[j]);
606 		}
607 		kfree(syncobjs);
608 		return ERR_PTR(ret);
609 	}
610 	return syncobjs;
611 }
612 
613 static void msm_reset_syncobjs(struct drm_syncobj **syncobjs,
614                                uint32_t nr_syncobjs)
615 {
616 	uint32_t i;
617 
618 	for (i = 0; syncobjs && i < nr_syncobjs; ++i) {
619 		if (syncobjs[i])
620 			drm_syncobj_replace_fence(syncobjs[i], NULL);
621 	}
622 }
623 
624 static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
625                                                        struct drm_file *file,
626                                                        uint64_t syncobjs_addr,
627                                                        uint32_t nr_syncobjs,
628                                                        size_t syncobj_stride)
629 {
630 	struct msm_submit_post_dep *post_deps;
631 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
632 	int ret = 0;
633 	uint32_t i, j;
634 
635 	post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps),
636 	                          GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
637 	if (!post_deps)
638 		return ERR_PTR(-ENOMEM);
639 
640 	for (i = 0; i < nr_syncobjs; ++i) {
641 		uint64_t address = syncobjs_addr + i * syncobj_stride;
642 
643 		if (copy_from_user(&syncobj_desc,
644 			           u64_to_user_ptr(address),
645 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
646 			ret = -EFAULT;
647 			break;
648 		}
649 
650 		post_deps[i].point = syncobj_desc.point;
651 		post_deps[i].chain = NULL;
652 
653 		if (syncobj_desc.flags) {
654 			ret = -EINVAL;
655 			break;
656 		}
657 
658 		if (syncobj_desc.point) {
659 			if (!drm_core_check_feature(dev,
660 			                            DRIVER_SYNCOBJ_TIMELINE)) {
661 				ret = -EOPNOTSUPP;
662 				break;
663 			}
664 
665 			post_deps[i].chain = dma_fence_chain_alloc();
666 			if (!post_deps[i].chain) {
667 				ret = -ENOMEM;
668 				break;
669 			}
670 		}
671 
672 		post_deps[i].syncobj =
673 			drm_syncobj_find(file, syncobj_desc.handle);
674 		if (!post_deps[i].syncobj) {
675 			ret = -EINVAL;
676 			break;
677 		}
678 	}
679 
680 	if (ret) {
681 		for (j = 0; j <= i; ++j) {
682 			dma_fence_chain_free(post_deps[j].chain);
683 			if (post_deps[j].syncobj)
684 				drm_syncobj_put(post_deps[j].syncobj);
685 		}
686 
687 		kfree(post_deps);
688 		return ERR_PTR(ret);
689 	}
690 
691 	return post_deps;
692 }
693 
694 static void msm_process_post_deps(struct msm_submit_post_dep *post_deps,
695                                   uint32_t count, struct dma_fence *fence)
696 {
697 	uint32_t i;
698 
699 	for (i = 0; post_deps && i < count; ++i) {
700 		if (post_deps[i].chain) {
701 			drm_syncobj_add_point(post_deps[i].syncobj,
702 			                      post_deps[i].chain,
703 			                      fence, post_deps[i].point);
704 			post_deps[i].chain = NULL;
705 		} else {
706 			drm_syncobj_replace_fence(post_deps[i].syncobj,
707 			                          fence);
708 		}
709 	}
710 }
711 
712 int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
713 		struct drm_file *file)
714 {
715 	static atomic_t ident = ATOMIC_INIT(0);
716 	struct msm_drm_private *priv = dev->dev_private;
717 	struct drm_msm_gem_submit *args = data;
718 	struct msm_file_private *ctx = file->driver_priv;
719 	struct msm_gem_submit *submit = NULL;
720 	struct msm_gpu *gpu = priv->gpu;
721 	struct msm_gpu_submitqueue *queue;
722 	struct msm_ringbuffer *ring;
723 	struct msm_submit_post_dep *post_deps = NULL;
724 	struct drm_syncobj **syncobjs_to_reset = NULL;
725 	int out_fence_fd = -1;
726 	struct pid *pid = get_pid(task_pid(current));
727 	bool has_ww_ticket = false;
728 	unsigned i;
729 	int ret, submitid;
730 
731 	if (!gpu)
732 		return -ENXIO;
733 
734 	if (args->pad)
735 		return -EINVAL;
736 
737 	if (unlikely(!ctx->aspace) && !capable(CAP_SYS_RAWIO)) {
738 		DRM_ERROR_RATELIMITED("IOMMU support or CAP_SYS_RAWIO required!\n");
739 		return -EPERM;
740 	}
741 
742 	/* for now, we just have 3d pipe.. eventually this would need to
743 	 * be more clever to dispatch to appropriate gpu module:
744 	 */
745 	if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0)
746 		return -EINVAL;
747 
748 	if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS)
749 		return -EINVAL;
750 
751 	if (args->flags & MSM_SUBMIT_SUDO) {
752 		if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) ||
753 		    !capable(CAP_SYS_RAWIO))
754 			return -EINVAL;
755 	}
756 
757 	queue = msm_submitqueue_get(ctx, args->queueid);
758 	if (!queue)
759 		return -ENOENT;
760 
761 	/* Get a unique identifier for the submission for logging purposes */
762 	submitid = atomic_inc_return(&ident) - 1;
763 
764 	ring = gpu->rb[queue->ring_nr];
765 	trace_msm_gpu_submit(pid_nr(pid), ring->id, submitid,
766 		args->nr_bos, args->nr_cmds);
767 
768 	ret = mutex_lock_interruptible(&queue->lock);
769 	if (ret)
770 		goto out_post_unlock;
771 
772 	if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
773 		out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
774 		if (out_fence_fd < 0) {
775 			ret = out_fence_fd;
776 			goto out_unlock;
777 		}
778 	}
779 
780 	submit = submit_create(dev, gpu, queue, args->nr_bos,
781 		args->nr_cmds);
782 	if (IS_ERR(submit)) {
783 		ret = PTR_ERR(submit);
784 		submit = NULL;
785 		goto out_unlock;
786 	}
787 
788 	submit->pid = pid;
789 	submit->ident = submitid;
790 
791 	if (args->flags & MSM_SUBMIT_SUDO)
792 		submit->in_rb = true;
793 
794 	if (args->flags & MSM_SUBMIT_FENCE_FD_IN) {
795 		struct dma_fence *in_fence;
796 
797 		in_fence = sync_file_get_fence(args->fence_fd);
798 
799 		if (!in_fence) {
800 			ret = -EINVAL;
801 			goto out_unlock;
802 		}
803 
804 		ret = drm_sched_job_add_dependency(&submit->base, in_fence);
805 		if (ret)
806 			goto out_unlock;
807 	}
808 
809 	if (args->flags & MSM_SUBMIT_SYNCOBJ_IN) {
810 		syncobjs_to_reset = msm_parse_deps(submit, file,
811 		                                   args->in_syncobjs,
812 		                                   args->nr_in_syncobjs,
813 		                                   args->syncobj_stride, ring);
814 		if (IS_ERR(syncobjs_to_reset)) {
815 			ret = PTR_ERR(syncobjs_to_reset);
816 			goto out_unlock;
817 		}
818 	}
819 
820 	if (args->flags & MSM_SUBMIT_SYNCOBJ_OUT) {
821 		post_deps = msm_parse_post_deps(dev, file,
822 		                                args->out_syncobjs,
823 		                                args->nr_out_syncobjs,
824 		                                args->syncobj_stride);
825 		if (IS_ERR(post_deps)) {
826 			ret = PTR_ERR(post_deps);
827 			goto out_unlock;
828 		}
829 	}
830 
831 	ret = submit_lookup_objects(submit, args, file);
832 	if (ret)
833 		goto out;
834 
835 	ret = submit_lookup_cmds(submit, args, file);
836 	if (ret)
837 		goto out;
838 
839 	/* copy_*_user while holding a ww ticket upsets lockdep */
840 	ww_acquire_init(&submit->ticket, &reservation_ww_class);
841 	has_ww_ticket = true;
842 	ret = submit_lock_objects(submit);
843 	if (ret)
844 		goto out;
845 
846 	ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT));
847 	if (ret)
848 		goto out;
849 
850 	ret = submit_pin_objects(submit);
851 	if (ret)
852 		goto out;
853 
854 	for (i = 0; i < args->nr_cmds; i++) {
855 		struct msm_gem_object *msm_obj;
856 		uint64_t iova;
857 
858 		ret = submit_bo(submit, submit->cmd[i].idx,
859 				&msm_obj, &iova, NULL);
860 		if (ret)
861 			goto out;
862 
863 		if (!submit->cmd[i].size ||
864 			((submit->cmd[i].size + submit->cmd[i].offset) >
865 				msm_obj->base.size / 4)) {
866 			DRM_ERROR("invalid cmdstream size: %u\n", submit->cmd[i].size * 4);
867 			ret = -EINVAL;
868 			goto out;
869 		}
870 
871 		submit->cmd[i].iova = iova + (submit->cmd[i].offset * 4);
872 
873 		if (submit->valid)
874 			continue;
875 
876 		ret = submit_reloc(submit, msm_obj, submit->cmd[i].offset * 4,
877 				submit->cmd[i].nr_relocs, submit->cmd[i].relocs);
878 		if (ret)
879 			goto out;
880 	}
881 
882 	submit->nr_cmds = i;
883 
884 	/*
885 	 * If using userspace provided seqno fence, validate that the id
886 	 * is available before arming sched job.  Since access to fence_idr
887 	 * is serialized on the queue lock, the slot should be still avail
888 	 * after the job is armed
889 	 */
890 	if ((args->flags & MSM_SUBMIT_FENCE_SN_IN) &&
891 			idr_find(&queue->fence_idr, args->fence)) {
892 		ret = -EINVAL;
893 		goto out;
894 	}
895 
896 	drm_sched_job_arm(&submit->base);
897 
898 	submit->user_fence = dma_fence_get(&submit->base.s_fence->finished);
899 
900 	if (args->flags & MSM_SUBMIT_FENCE_SN_IN) {
901 		/*
902 		 * Userspace has assigned the seqno fence that it wants
903 		 * us to use.  It is an error to pick a fence sequence
904 		 * number that is not available.
905 		 */
906 		submit->fence_id = args->fence;
907 		ret = idr_alloc_u32(&queue->fence_idr, submit->user_fence,
908 				    &submit->fence_id, submit->fence_id,
909 				    GFP_KERNEL);
910 		/*
911 		 * We've already validated that the fence_id slot is valid,
912 		 * so if idr_alloc_u32 failed, it is a kernel bug
913 		 */
914 		WARN_ON(ret);
915 	} else {
916 		/*
917 		 * Allocate an id which can be used by WAIT_FENCE ioctl to map
918 		 * back to the underlying fence.
919 		 */
920 		submit->fence_id = idr_alloc_cyclic(&queue->fence_idr,
921 						    submit->user_fence, 1,
922 						    INT_MAX, GFP_KERNEL);
923 	}
924 	if (submit->fence_id < 0) {
925 		ret = submit->fence_id = 0;
926 		submit->fence_id = 0;
927 	}
928 
929 	if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
930 		struct sync_file *sync_file = sync_file_create(submit->user_fence);
931 		if (!sync_file) {
932 			ret = -ENOMEM;
933 		} else {
934 			fd_install(out_fence_fd, sync_file->file);
935 			args->fence_fd = out_fence_fd;
936 		}
937 	}
938 
939 	submit_attach_object_fences(submit);
940 
941 	/* The scheduler owns a ref now: */
942 	msm_gem_submit_get(submit);
943 
944 	drm_sched_entity_push_job(&submit->base);
945 
946 	args->fence = submit->fence_id;
947 	queue->last_fence = submit->fence_id;
948 
949 	msm_reset_syncobjs(syncobjs_to_reset, args->nr_in_syncobjs);
950 	msm_process_post_deps(post_deps, args->nr_out_syncobjs,
951 	                      submit->user_fence);
952 
953 
954 out:
955 	submit_cleanup(submit, !!ret);
956 	if (has_ww_ticket)
957 		ww_acquire_fini(&submit->ticket);
958 out_unlock:
959 	if (ret && (out_fence_fd >= 0))
960 		put_unused_fd(out_fence_fd);
961 	mutex_unlock(&queue->lock);
962 	if (submit)
963 		msm_gem_submit_put(submit);
964 out_post_unlock:
965 	if (!IS_ERR_OR_NULL(post_deps)) {
966 		for (i = 0; i < args->nr_out_syncobjs; ++i) {
967 			kfree(post_deps[i].chain);
968 			drm_syncobj_put(post_deps[i].syncobj);
969 		}
970 		kfree(post_deps);
971 	}
972 
973 	if (!IS_ERR_OR_NULL(syncobjs_to_reset)) {
974 		for (i = 0; i < args->nr_in_syncobjs; ++i) {
975 			if (syncobjs_to_reset[i])
976 				drm_syncobj_put(syncobjs_to_reset[i]);
977 		}
978 		kfree(syncobjs_to_reset);
979 	}
980 
981 	return ret;
982 }
983