1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2013 Red Hat 4 * Author: Rob Clark <robdclark@gmail.com> 5 */ 6 7 #include <linux/sync_file.h> 8 9 #include "msm_drv.h" 10 #include "msm_gpu.h" 11 #include "msm_gem.h" 12 #include "msm_gpu_trace.h" 13 14 /* 15 * Cmdstream submission: 16 */ 17 18 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */ 19 #define BO_VALID 0x8000 /* is current addr in cmdstream correct/valid? */ 20 #define BO_LOCKED 0x4000 21 #define BO_PINNED 0x2000 22 23 static struct msm_gem_submit *submit_create(struct drm_device *dev, 24 struct msm_gpu *gpu, struct msm_gpu_submitqueue *queue, 25 uint32_t nr_bos, uint32_t nr_cmds) 26 { 27 struct msm_gem_submit *submit; 28 uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) + 29 ((u64)nr_cmds * sizeof(submit->cmd[0])); 30 31 if (sz > SIZE_MAX) 32 return NULL; 33 34 submit = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 35 if (!submit) 36 return NULL; 37 38 submit->dev = dev; 39 submit->gpu = gpu; 40 submit->fence = NULL; 41 submit->cmd = (void *)&submit->bos[nr_bos]; 42 submit->queue = queue; 43 submit->ring = gpu->rb[queue->prio]; 44 45 /* initially, until copy_from_user() and bo lookup succeeds: */ 46 submit->nr_bos = 0; 47 submit->nr_cmds = 0; 48 49 INIT_LIST_HEAD(&submit->node); 50 INIT_LIST_HEAD(&submit->bo_list); 51 ww_acquire_init(&submit->ticket, &reservation_ww_class); 52 53 return submit; 54 } 55 56 void msm_gem_submit_free(struct msm_gem_submit *submit) 57 { 58 dma_fence_put(submit->fence); 59 list_del(&submit->node); 60 put_pid(submit->pid); 61 msm_submitqueue_put(submit->queue); 62 63 kfree(submit); 64 } 65 66 static int submit_lookup_objects(struct msm_gem_submit *submit, 67 struct drm_msm_gem_submit *args, struct drm_file *file) 68 { 69 unsigned i; 70 int ret = 0; 71 72 for (i = 0; i < args->nr_bos; i++) { 73 struct drm_msm_gem_submit_bo submit_bo; 74 void __user *userptr = 75 u64_to_user_ptr(args->bos + (i * sizeof(submit_bo))); 76 77 /* make sure we don't have garbage flags, in case we hit 78 * error path before flags is initialized: 79 */ 80 submit->bos[i].flags = 0; 81 82 if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { 83 ret = -EFAULT; 84 i = 0; 85 goto out; 86 } 87 88 /* at least one of READ and/or WRITE flags should be set: */ 89 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) 90 91 if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) || 92 !(submit_bo.flags & MANDATORY_FLAGS)) { 93 DRM_ERROR("invalid flags: %x\n", submit_bo.flags); 94 ret = -EINVAL; 95 i = 0; 96 goto out; 97 } 98 99 submit->bos[i].handle = submit_bo.handle; 100 submit->bos[i].flags = submit_bo.flags; 101 /* in validate_objects() we figure out if this is true: */ 102 submit->bos[i].iova = submit_bo.presumed; 103 } 104 105 spin_lock(&file->table_lock); 106 107 for (i = 0; i < args->nr_bos; i++) { 108 struct drm_gem_object *obj; 109 struct msm_gem_object *msm_obj; 110 111 /* normally use drm_gem_object_lookup(), but for bulk lookup 112 * all under single table_lock just hit object_idr directly: 113 */ 114 obj = idr_find(&file->object_idr, submit->bos[i].handle); 115 if (!obj) { 116 DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i); 117 ret = -EINVAL; 118 goto out_unlock; 119 } 120 121 msm_obj = to_msm_bo(obj); 122 123 if (!list_empty(&msm_obj->submit_entry)) { 124 DRM_ERROR("handle %u at index %u already on submit list\n", 125 submit->bos[i].handle, i); 126 ret = -EINVAL; 127 goto out_unlock; 128 } 129 130 drm_gem_object_get(obj); 131 132 submit->bos[i].obj = msm_obj; 133 134 list_add_tail(&msm_obj->submit_entry, &submit->bo_list); 135 } 136 137 out_unlock: 138 spin_unlock(&file->table_lock); 139 140 out: 141 submit->nr_bos = i; 142 143 return ret; 144 } 145 146 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, 147 int i, bool backoff) 148 { 149 struct msm_gem_object *msm_obj = submit->bos[i].obj; 150 151 if (submit->bos[i].flags & BO_PINNED) 152 msm_gem_unpin_iova(&msm_obj->base, submit->gpu->aspace); 153 154 if (submit->bos[i].flags & BO_LOCKED) 155 ww_mutex_unlock(&msm_obj->base.resv->lock); 156 157 if (backoff && !(submit->bos[i].flags & BO_VALID)) 158 submit->bos[i].iova = 0; 159 160 submit->bos[i].flags &= ~(BO_LOCKED | BO_PINNED); 161 } 162 163 /* This is where we make sure all the bo's are reserved and pin'd: */ 164 static int submit_lock_objects(struct msm_gem_submit *submit) 165 { 166 int contended, slow_locked = -1, i, ret = 0; 167 168 retry: 169 for (i = 0; i < submit->nr_bos; i++) { 170 struct msm_gem_object *msm_obj = submit->bos[i].obj; 171 172 if (slow_locked == i) 173 slow_locked = -1; 174 175 contended = i; 176 177 if (!(submit->bos[i].flags & BO_LOCKED)) { 178 ret = ww_mutex_lock_interruptible(&msm_obj->base.resv->lock, 179 &submit->ticket); 180 if (ret) 181 goto fail; 182 submit->bos[i].flags |= BO_LOCKED; 183 } 184 } 185 186 ww_acquire_done(&submit->ticket); 187 188 return 0; 189 190 fail: 191 for (; i >= 0; i--) 192 submit_unlock_unpin_bo(submit, i, true); 193 194 if (slow_locked > 0) 195 submit_unlock_unpin_bo(submit, slow_locked, true); 196 197 if (ret == -EDEADLK) { 198 struct msm_gem_object *msm_obj = submit->bos[contended].obj; 199 /* we lost out in a seqno race, lock and retry.. */ 200 ret = ww_mutex_lock_slow_interruptible(&msm_obj->base.resv->lock, 201 &submit->ticket); 202 if (!ret) { 203 submit->bos[contended].flags |= BO_LOCKED; 204 slow_locked = contended; 205 goto retry; 206 } 207 } 208 209 return ret; 210 } 211 212 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit) 213 { 214 int i, ret = 0; 215 216 for (i = 0; i < submit->nr_bos; i++) { 217 struct msm_gem_object *msm_obj = submit->bos[i].obj; 218 bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE; 219 220 if (!write) { 221 /* NOTE: _reserve_shared() must happen before 222 * _add_shared_fence(), which makes this a slightly 223 * strange place to call it. OTOH this is a 224 * convenient can-fail point to hook it in. 225 */ 226 ret = reservation_object_reserve_shared(msm_obj->base.resv, 227 1); 228 if (ret) 229 return ret; 230 } 231 232 if (no_implicit) 233 continue; 234 235 ret = msm_gem_sync_object(&msm_obj->base, submit->ring->fctx, 236 write); 237 if (ret) 238 break; 239 } 240 241 return ret; 242 } 243 244 static int submit_pin_objects(struct msm_gem_submit *submit) 245 { 246 int i, ret = 0; 247 248 submit->valid = true; 249 250 for (i = 0; i < submit->nr_bos; i++) { 251 struct msm_gem_object *msm_obj = submit->bos[i].obj; 252 uint64_t iova; 253 254 /* if locking succeeded, pin bo: */ 255 ret = msm_gem_get_and_pin_iova(&msm_obj->base, 256 submit->gpu->aspace, &iova); 257 258 if (ret) 259 break; 260 261 submit->bos[i].flags |= BO_PINNED; 262 263 if (iova == submit->bos[i].iova) { 264 submit->bos[i].flags |= BO_VALID; 265 } else { 266 submit->bos[i].iova = iova; 267 /* iova changed, so address in cmdstream is not valid: */ 268 submit->bos[i].flags &= ~BO_VALID; 269 submit->valid = false; 270 } 271 } 272 273 return ret; 274 } 275 276 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx, 277 struct msm_gem_object **obj, uint64_t *iova, bool *valid) 278 { 279 if (idx >= submit->nr_bos) { 280 DRM_ERROR("invalid buffer index: %u (out of %u)\n", 281 idx, submit->nr_bos); 282 return -EINVAL; 283 } 284 285 if (obj) 286 *obj = submit->bos[idx].obj; 287 if (iova) 288 *iova = submit->bos[idx].iova; 289 if (valid) 290 *valid = !!(submit->bos[idx].flags & BO_VALID); 291 292 return 0; 293 } 294 295 /* process the reloc's and patch up the cmdstream as needed: */ 296 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj, 297 uint32_t offset, uint32_t nr_relocs, uint64_t relocs) 298 { 299 uint32_t i, last_offset = 0; 300 uint32_t *ptr; 301 int ret = 0; 302 303 if (!nr_relocs) 304 return 0; 305 306 if (offset % 4) { 307 DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset); 308 return -EINVAL; 309 } 310 311 /* For now, just map the entire thing. Eventually we probably 312 * to do it page-by-page, w/ kmap() if not vmap()d.. 313 */ 314 ptr = msm_gem_get_vaddr(&obj->base); 315 316 if (IS_ERR(ptr)) { 317 ret = PTR_ERR(ptr); 318 DBG("failed to map: %d", ret); 319 return ret; 320 } 321 322 for (i = 0; i < nr_relocs; i++) { 323 struct drm_msm_gem_submit_reloc submit_reloc; 324 void __user *userptr = 325 u64_to_user_ptr(relocs + (i * sizeof(submit_reloc))); 326 uint32_t off; 327 uint64_t iova; 328 bool valid; 329 330 if (copy_from_user(&submit_reloc, userptr, sizeof(submit_reloc))) { 331 ret = -EFAULT; 332 goto out; 333 } 334 335 if (submit_reloc.submit_offset % 4) { 336 DRM_ERROR("non-aligned reloc offset: %u\n", 337 submit_reloc.submit_offset); 338 ret = -EINVAL; 339 goto out; 340 } 341 342 /* offset in dwords: */ 343 off = submit_reloc.submit_offset / 4; 344 345 if ((off >= (obj->base.size / 4)) || 346 (off < last_offset)) { 347 DRM_ERROR("invalid offset %u at reloc %u\n", off, i); 348 ret = -EINVAL; 349 goto out; 350 } 351 352 ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid); 353 if (ret) 354 goto out; 355 356 if (valid) 357 continue; 358 359 iova += submit_reloc.reloc_offset; 360 361 if (submit_reloc.shift < 0) 362 iova >>= -submit_reloc.shift; 363 else 364 iova <<= submit_reloc.shift; 365 366 ptr[off] = iova | submit_reloc.or; 367 368 last_offset = off; 369 } 370 371 out: 372 msm_gem_put_vaddr(&obj->base); 373 374 return ret; 375 } 376 377 static void submit_cleanup(struct msm_gem_submit *submit) 378 { 379 unsigned i; 380 381 for (i = 0; i < submit->nr_bos; i++) { 382 struct msm_gem_object *msm_obj = submit->bos[i].obj; 383 submit_unlock_unpin_bo(submit, i, false); 384 list_del_init(&msm_obj->submit_entry); 385 drm_gem_object_put(&msm_obj->base); 386 } 387 388 ww_acquire_fini(&submit->ticket); 389 } 390 391 int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 392 struct drm_file *file) 393 { 394 static atomic_t ident = ATOMIC_INIT(0); 395 struct msm_drm_private *priv = dev->dev_private; 396 struct drm_msm_gem_submit *args = data; 397 struct msm_file_private *ctx = file->driver_priv; 398 struct msm_gem_submit *submit; 399 struct msm_gpu *gpu = priv->gpu; 400 struct sync_file *sync_file = NULL; 401 struct msm_gpu_submitqueue *queue; 402 struct msm_ringbuffer *ring; 403 int out_fence_fd = -1; 404 struct pid *pid = get_pid(task_pid(current)); 405 unsigned i; 406 int ret, submitid; 407 if (!gpu) 408 return -ENXIO; 409 410 /* for now, we just have 3d pipe.. eventually this would need to 411 * be more clever to dispatch to appropriate gpu module: 412 */ 413 if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0) 414 return -EINVAL; 415 416 if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS) 417 return -EINVAL; 418 419 if (args->flags & MSM_SUBMIT_SUDO) { 420 if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) || 421 !capable(CAP_SYS_RAWIO)) 422 return -EINVAL; 423 } 424 425 queue = msm_submitqueue_get(ctx, args->queueid); 426 if (!queue) 427 return -ENOENT; 428 429 /* Get a unique identifier for the submission for logging purposes */ 430 submitid = atomic_inc_return(&ident) - 1; 431 432 ring = gpu->rb[queue->prio]; 433 trace_msm_gpu_submit(pid_nr(pid), ring->id, submitid, 434 args->nr_bos, args->nr_cmds); 435 436 if (args->flags & MSM_SUBMIT_FENCE_FD_IN) { 437 struct dma_fence *in_fence; 438 439 in_fence = sync_file_get_fence(args->fence_fd); 440 441 if (!in_fence) 442 return -EINVAL; 443 444 /* 445 * Wait if the fence is from a foreign context, or if the fence 446 * array contains any fence from a foreign context. 447 */ 448 ret = 0; 449 if (!dma_fence_match_context(in_fence, ring->fctx->context)) 450 ret = dma_fence_wait(in_fence, true); 451 452 dma_fence_put(in_fence); 453 if (ret) 454 return ret; 455 } 456 457 ret = mutex_lock_interruptible(&dev->struct_mutex); 458 if (ret) 459 return ret; 460 461 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 462 out_fence_fd = get_unused_fd_flags(O_CLOEXEC); 463 if (out_fence_fd < 0) { 464 ret = out_fence_fd; 465 goto out_unlock; 466 } 467 } 468 469 submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds); 470 if (!submit) { 471 ret = -ENOMEM; 472 goto out_unlock; 473 } 474 475 submit->pid = pid; 476 submit->ident = submitid; 477 478 if (args->flags & MSM_SUBMIT_SUDO) 479 submit->in_rb = true; 480 481 ret = submit_lookup_objects(submit, args, file); 482 if (ret) 483 goto out; 484 485 ret = submit_lock_objects(submit); 486 if (ret) 487 goto out; 488 489 ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT)); 490 if (ret) 491 goto out; 492 493 ret = submit_pin_objects(submit); 494 if (ret) 495 goto out; 496 497 for (i = 0; i < args->nr_cmds; i++) { 498 struct drm_msm_gem_submit_cmd submit_cmd; 499 void __user *userptr = 500 u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd))); 501 struct msm_gem_object *msm_obj; 502 uint64_t iova; 503 504 ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd)); 505 if (ret) { 506 ret = -EFAULT; 507 goto out; 508 } 509 510 /* validate input from userspace: */ 511 switch (submit_cmd.type) { 512 case MSM_SUBMIT_CMD_BUF: 513 case MSM_SUBMIT_CMD_IB_TARGET_BUF: 514 case MSM_SUBMIT_CMD_CTX_RESTORE_BUF: 515 break; 516 default: 517 DRM_ERROR("invalid type: %08x\n", submit_cmd.type); 518 ret = -EINVAL; 519 goto out; 520 } 521 522 ret = submit_bo(submit, submit_cmd.submit_idx, 523 &msm_obj, &iova, NULL); 524 if (ret) 525 goto out; 526 527 if (submit_cmd.size % 4) { 528 DRM_ERROR("non-aligned cmdstream buffer size: %u\n", 529 submit_cmd.size); 530 ret = -EINVAL; 531 goto out; 532 } 533 534 if (!submit_cmd.size || 535 ((submit_cmd.size + submit_cmd.submit_offset) > 536 msm_obj->base.size)) { 537 DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); 538 ret = -EINVAL; 539 goto out; 540 } 541 542 submit->cmd[i].type = submit_cmd.type; 543 submit->cmd[i].size = submit_cmd.size / 4; 544 submit->cmd[i].iova = iova + submit_cmd.submit_offset; 545 submit->cmd[i].idx = submit_cmd.submit_idx; 546 547 if (submit->valid) 548 continue; 549 550 ret = submit_reloc(submit, msm_obj, submit_cmd.submit_offset, 551 submit_cmd.nr_relocs, submit_cmd.relocs); 552 if (ret) 553 goto out; 554 } 555 556 submit->nr_cmds = i; 557 558 submit->fence = msm_fence_alloc(ring->fctx); 559 if (IS_ERR(submit->fence)) { 560 ret = PTR_ERR(submit->fence); 561 submit->fence = NULL; 562 goto out; 563 } 564 565 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 566 sync_file = sync_file_create(submit->fence); 567 if (!sync_file) { 568 ret = -ENOMEM; 569 goto out; 570 } 571 } 572 573 msm_gpu_submit(gpu, submit, ctx); 574 575 args->fence = submit->fence->seqno; 576 577 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 578 fd_install(out_fence_fd, sync_file->file); 579 args->fence_fd = out_fence_fd; 580 } 581 582 out: 583 submit_cleanup(submit); 584 if (ret) 585 msm_gem_submit_free(submit); 586 out_unlock: 587 if (ret && (out_fence_fd >= 0)) 588 put_unused_fd(out_fence_fd); 589 mutex_unlock(&dev->struct_mutex); 590 return ret; 591 } 592