1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2013 Red Hat 4 * Author: Rob Clark <robdclark@gmail.com> 5 */ 6 7 #include <linux/sync_file.h> 8 9 #include "msm_drv.h" 10 #include "msm_gpu.h" 11 #include "msm_gem.h" 12 #include "msm_gpu_trace.h" 13 14 /* 15 * Cmdstream submission: 16 */ 17 18 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */ 19 #define BO_VALID 0x8000 /* is current addr in cmdstream correct/valid? */ 20 #define BO_LOCKED 0x4000 21 #define BO_PINNED 0x2000 22 23 static struct msm_gem_submit *submit_create(struct drm_device *dev, 24 struct msm_gpu *gpu, struct msm_gem_address_space *aspace, 25 struct msm_gpu_submitqueue *queue, uint32_t nr_bos, 26 uint32_t nr_cmds) 27 { 28 struct msm_gem_submit *submit; 29 uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) + 30 ((u64)nr_cmds * sizeof(submit->cmd[0])); 31 32 if (sz > SIZE_MAX) 33 return NULL; 34 35 submit = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 36 if (!submit) 37 return NULL; 38 39 submit->dev = dev; 40 submit->aspace = aspace; 41 submit->gpu = gpu; 42 submit->fence = NULL; 43 submit->cmd = (void *)&submit->bos[nr_bos]; 44 submit->queue = queue; 45 submit->ring = gpu->rb[queue->prio]; 46 47 /* initially, until copy_from_user() and bo lookup succeeds: */ 48 submit->nr_bos = 0; 49 submit->nr_cmds = 0; 50 51 INIT_LIST_HEAD(&submit->node); 52 INIT_LIST_HEAD(&submit->bo_list); 53 ww_acquire_init(&submit->ticket, &reservation_ww_class); 54 55 return submit; 56 } 57 58 void msm_gem_submit_free(struct msm_gem_submit *submit) 59 { 60 dma_fence_put(submit->fence); 61 list_del(&submit->node); 62 put_pid(submit->pid); 63 msm_submitqueue_put(submit->queue); 64 65 kfree(submit); 66 } 67 68 static int submit_lookup_objects(struct msm_gem_submit *submit, 69 struct drm_msm_gem_submit *args, struct drm_file *file) 70 { 71 unsigned i; 72 int ret = 0; 73 74 for (i = 0; i < args->nr_bos; i++) { 75 struct drm_msm_gem_submit_bo submit_bo; 76 void __user *userptr = 77 u64_to_user_ptr(args->bos + (i * sizeof(submit_bo))); 78 79 /* make sure we don't have garbage flags, in case we hit 80 * error path before flags is initialized: 81 */ 82 submit->bos[i].flags = 0; 83 84 if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { 85 ret = -EFAULT; 86 i = 0; 87 goto out; 88 } 89 90 /* at least one of READ and/or WRITE flags should be set: */ 91 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) 92 93 if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) || 94 !(submit_bo.flags & MANDATORY_FLAGS)) { 95 DRM_ERROR("invalid flags: %x\n", submit_bo.flags); 96 ret = -EINVAL; 97 i = 0; 98 goto out; 99 } 100 101 submit->bos[i].handle = submit_bo.handle; 102 submit->bos[i].flags = submit_bo.flags; 103 /* in validate_objects() we figure out if this is true: */ 104 submit->bos[i].iova = submit_bo.presumed; 105 } 106 107 spin_lock(&file->table_lock); 108 109 for (i = 0; i < args->nr_bos; i++) { 110 struct drm_gem_object *obj; 111 struct msm_gem_object *msm_obj; 112 113 /* normally use drm_gem_object_lookup(), but for bulk lookup 114 * all under single table_lock just hit object_idr directly: 115 */ 116 obj = idr_find(&file->object_idr, submit->bos[i].handle); 117 if (!obj) { 118 DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i); 119 ret = -EINVAL; 120 goto out_unlock; 121 } 122 123 msm_obj = to_msm_bo(obj); 124 125 if (!list_empty(&msm_obj->submit_entry)) { 126 DRM_ERROR("handle %u at index %u already on submit list\n", 127 submit->bos[i].handle, i); 128 ret = -EINVAL; 129 goto out_unlock; 130 } 131 132 drm_gem_object_get(obj); 133 134 submit->bos[i].obj = msm_obj; 135 136 list_add_tail(&msm_obj->submit_entry, &submit->bo_list); 137 } 138 139 out_unlock: 140 spin_unlock(&file->table_lock); 141 142 out: 143 submit->nr_bos = i; 144 145 return ret; 146 } 147 148 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, 149 int i, bool backoff) 150 { 151 struct msm_gem_object *msm_obj = submit->bos[i].obj; 152 153 if (submit->bos[i].flags & BO_PINNED) 154 msm_gem_unpin_iova(&msm_obj->base, submit->aspace); 155 156 if (submit->bos[i].flags & BO_LOCKED) 157 ww_mutex_unlock(&msm_obj->base.resv->lock); 158 159 if (backoff && !(submit->bos[i].flags & BO_VALID)) 160 submit->bos[i].iova = 0; 161 162 submit->bos[i].flags &= ~(BO_LOCKED | BO_PINNED); 163 } 164 165 /* This is where we make sure all the bo's are reserved and pin'd: */ 166 static int submit_lock_objects(struct msm_gem_submit *submit) 167 { 168 int contended, slow_locked = -1, i, ret = 0; 169 170 retry: 171 for (i = 0; i < submit->nr_bos; i++) { 172 struct msm_gem_object *msm_obj = submit->bos[i].obj; 173 174 if (slow_locked == i) 175 slow_locked = -1; 176 177 contended = i; 178 179 if (!(submit->bos[i].flags & BO_LOCKED)) { 180 ret = ww_mutex_lock_interruptible(&msm_obj->base.resv->lock, 181 &submit->ticket); 182 if (ret) 183 goto fail; 184 submit->bos[i].flags |= BO_LOCKED; 185 } 186 } 187 188 ww_acquire_done(&submit->ticket); 189 190 return 0; 191 192 fail: 193 for (; i >= 0; i--) 194 submit_unlock_unpin_bo(submit, i, true); 195 196 if (slow_locked > 0) 197 submit_unlock_unpin_bo(submit, slow_locked, true); 198 199 if (ret == -EDEADLK) { 200 struct msm_gem_object *msm_obj = submit->bos[contended].obj; 201 /* we lost out in a seqno race, lock and retry.. */ 202 ret = ww_mutex_lock_slow_interruptible(&msm_obj->base.resv->lock, 203 &submit->ticket); 204 if (!ret) { 205 submit->bos[contended].flags |= BO_LOCKED; 206 slow_locked = contended; 207 goto retry; 208 } 209 } 210 211 return ret; 212 } 213 214 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit) 215 { 216 int i, ret = 0; 217 218 for (i = 0; i < submit->nr_bos; i++) { 219 struct msm_gem_object *msm_obj = submit->bos[i].obj; 220 bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE; 221 222 if (!write) { 223 /* NOTE: _reserve_shared() must happen before 224 * _add_shared_fence(), which makes this a slightly 225 * strange place to call it. OTOH this is a 226 * convenient can-fail point to hook it in. 227 */ 228 ret = reservation_object_reserve_shared(msm_obj->base.resv, 229 1); 230 if (ret) 231 return ret; 232 } 233 234 if (no_implicit) 235 continue; 236 237 ret = msm_gem_sync_object(&msm_obj->base, submit->ring->fctx, 238 write); 239 if (ret) 240 break; 241 } 242 243 return ret; 244 } 245 246 static int submit_pin_objects(struct msm_gem_submit *submit) 247 { 248 int i, ret = 0; 249 250 submit->valid = true; 251 252 for (i = 0; i < submit->nr_bos; i++) { 253 struct msm_gem_object *msm_obj = submit->bos[i].obj; 254 uint64_t iova; 255 256 /* if locking succeeded, pin bo: */ 257 ret = msm_gem_get_and_pin_iova(&msm_obj->base, 258 submit->aspace, &iova); 259 260 if (ret) 261 break; 262 263 submit->bos[i].flags |= BO_PINNED; 264 265 if (iova == submit->bos[i].iova) { 266 submit->bos[i].flags |= BO_VALID; 267 } else { 268 submit->bos[i].iova = iova; 269 /* iova changed, so address in cmdstream is not valid: */ 270 submit->bos[i].flags &= ~BO_VALID; 271 submit->valid = false; 272 } 273 } 274 275 return ret; 276 } 277 278 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx, 279 struct msm_gem_object **obj, uint64_t *iova, bool *valid) 280 { 281 if (idx >= submit->nr_bos) { 282 DRM_ERROR("invalid buffer index: %u (out of %u)\n", 283 idx, submit->nr_bos); 284 return -EINVAL; 285 } 286 287 if (obj) 288 *obj = submit->bos[idx].obj; 289 if (iova) 290 *iova = submit->bos[idx].iova; 291 if (valid) 292 *valid = !!(submit->bos[idx].flags & BO_VALID); 293 294 return 0; 295 } 296 297 /* process the reloc's and patch up the cmdstream as needed: */ 298 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj, 299 uint32_t offset, uint32_t nr_relocs, uint64_t relocs) 300 { 301 uint32_t i, last_offset = 0; 302 uint32_t *ptr; 303 int ret = 0; 304 305 if (!nr_relocs) 306 return 0; 307 308 if (offset % 4) { 309 DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset); 310 return -EINVAL; 311 } 312 313 /* For now, just map the entire thing. Eventually we probably 314 * to do it page-by-page, w/ kmap() if not vmap()d.. 315 */ 316 ptr = msm_gem_get_vaddr(&obj->base); 317 318 if (IS_ERR(ptr)) { 319 ret = PTR_ERR(ptr); 320 DBG("failed to map: %d", ret); 321 return ret; 322 } 323 324 for (i = 0; i < nr_relocs; i++) { 325 struct drm_msm_gem_submit_reloc submit_reloc; 326 void __user *userptr = 327 u64_to_user_ptr(relocs + (i * sizeof(submit_reloc))); 328 uint32_t off; 329 uint64_t iova; 330 bool valid; 331 332 if (copy_from_user(&submit_reloc, userptr, sizeof(submit_reloc))) { 333 ret = -EFAULT; 334 goto out; 335 } 336 337 if (submit_reloc.submit_offset % 4) { 338 DRM_ERROR("non-aligned reloc offset: %u\n", 339 submit_reloc.submit_offset); 340 ret = -EINVAL; 341 goto out; 342 } 343 344 /* offset in dwords: */ 345 off = submit_reloc.submit_offset / 4; 346 347 if ((off >= (obj->base.size / 4)) || 348 (off < last_offset)) { 349 DRM_ERROR("invalid offset %u at reloc %u\n", off, i); 350 ret = -EINVAL; 351 goto out; 352 } 353 354 ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid); 355 if (ret) 356 goto out; 357 358 if (valid) 359 continue; 360 361 iova += submit_reloc.reloc_offset; 362 363 if (submit_reloc.shift < 0) 364 iova >>= -submit_reloc.shift; 365 else 366 iova <<= submit_reloc.shift; 367 368 ptr[off] = iova | submit_reloc.or; 369 370 last_offset = off; 371 } 372 373 out: 374 msm_gem_put_vaddr(&obj->base); 375 376 return ret; 377 } 378 379 static void submit_cleanup(struct msm_gem_submit *submit) 380 { 381 unsigned i; 382 383 for (i = 0; i < submit->nr_bos; i++) { 384 struct msm_gem_object *msm_obj = submit->bos[i].obj; 385 submit_unlock_unpin_bo(submit, i, false); 386 list_del_init(&msm_obj->submit_entry); 387 drm_gem_object_put(&msm_obj->base); 388 } 389 390 ww_acquire_fini(&submit->ticket); 391 } 392 393 int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 394 struct drm_file *file) 395 { 396 static atomic_t ident = ATOMIC_INIT(0); 397 struct msm_drm_private *priv = dev->dev_private; 398 struct drm_msm_gem_submit *args = data; 399 struct msm_file_private *ctx = file->driver_priv; 400 struct msm_gem_submit *submit; 401 struct msm_gpu *gpu = priv->gpu; 402 struct sync_file *sync_file = NULL; 403 struct msm_gpu_submitqueue *queue; 404 struct msm_ringbuffer *ring; 405 int out_fence_fd = -1; 406 struct pid *pid = get_pid(task_pid(current)); 407 unsigned i; 408 int ret, submitid; 409 if (!gpu) 410 return -ENXIO; 411 412 /* for now, we just have 3d pipe.. eventually this would need to 413 * be more clever to dispatch to appropriate gpu module: 414 */ 415 if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0) 416 return -EINVAL; 417 418 if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS) 419 return -EINVAL; 420 421 if (args->flags & MSM_SUBMIT_SUDO) { 422 if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) || 423 !capable(CAP_SYS_RAWIO)) 424 return -EINVAL; 425 } 426 427 queue = msm_submitqueue_get(ctx, args->queueid); 428 if (!queue) 429 return -ENOENT; 430 431 /* Get a unique identifier for the submission for logging purposes */ 432 submitid = atomic_inc_return(&ident) - 1; 433 434 ring = gpu->rb[queue->prio]; 435 trace_msm_gpu_submit(pid_nr(pid), ring->id, submitid, 436 args->nr_bos, args->nr_cmds); 437 438 if (args->flags & MSM_SUBMIT_FENCE_FD_IN) { 439 struct dma_fence *in_fence; 440 441 in_fence = sync_file_get_fence(args->fence_fd); 442 443 if (!in_fence) 444 return -EINVAL; 445 446 /* 447 * Wait if the fence is from a foreign context, or if the fence 448 * array contains any fence from a foreign context. 449 */ 450 ret = 0; 451 if (!dma_fence_match_context(in_fence, ring->fctx->context)) 452 ret = dma_fence_wait(in_fence, true); 453 454 dma_fence_put(in_fence); 455 if (ret) 456 return ret; 457 } 458 459 ret = mutex_lock_interruptible(&dev->struct_mutex); 460 if (ret) 461 return ret; 462 463 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 464 out_fence_fd = get_unused_fd_flags(O_CLOEXEC); 465 if (out_fence_fd < 0) { 466 ret = out_fence_fd; 467 goto out_unlock; 468 } 469 } 470 471 submit = submit_create(dev, gpu, ctx->aspace, queue, args->nr_bos, 472 args->nr_cmds); 473 if (!submit) { 474 ret = -ENOMEM; 475 goto out_unlock; 476 } 477 478 submit->pid = pid; 479 submit->ident = submitid; 480 481 if (args->flags & MSM_SUBMIT_SUDO) 482 submit->in_rb = true; 483 484 ret = submit_lookup_objects(submit, args, file); 485 if (ret) 486 goto out; 487 488 ret = submit_lock_objects(submit); 489 if (ret) 490 goto out; 491 492 ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT)); 493 if (ret) 494 goto out; 495 496 ret = submit_pin_objects(submit); 497 if (ret) 498 goto out; 499 500 for (i = 0; i < args->nr_cmds; i++) { 501 struct drm_msm_gem_submit_cmd submit_cmd; 502 void __user *userptr = 503 u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd))); 504 struct msm_gem_object *msm_obj; 505 uint64_t iova; 506 507 ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd)); 508 if (ret) { 509 ret = -EFAULT; 510 goto out; 511 } 512 513 /* validate input from userspace: */ 514 switch (submit_cmd.type) { 515 case MSM_SUBMIT_CMD_BUF: 516 case MSM_SUBMIT_CMD_IB_TARGET_BUF: 517 case MSM_SUBMIT_CMD_CTX_RESTORE_BUF: 518 break; 519 default: 520 DRM_ERROR("invalid type: %08x\n", submit_cmd.type); 521 ret = -EINVAL; 522 goto out; 523 } 524 525 ret = submit_bo(submit, submit_cmd.submit_idx, 526 &msm_obj, &iova, NULL); 527 if (ret) 528 goto out; 529 530 if (submit_cmd.size % 4) { 531 DRM_ERROR("non-aligned cmdstream buffer size: %u\n", 532 submit_cmd.size); 533 ret = -EINVAL; 534 goto out; 535 } 536 537 if (!submit_cmd.size || 538 ((submit_cmd.size + submit_cmd.submit_offset) > 539 msm_obj->base.size)) { 540 DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); 541 ret = -EINVAL; 542 goto out; 543 } 544 545 submit->cmd[i].type = submit_cmd.type; 546 submit->cmd[i].size = submit_cmd.size / 4; 547 submit->cmd[i].iova = iova + submit_cmd.submit_offset; 548 submit->cmd[i].idx = submit_cmd.submit_idx; 549 550 if (submit->valid) 551 continue; 552 553 ret = submit_reloc(submit, msm_obj, submit_cmd.submit_offset, 554 submit_cmd.nr_relocs, submit_cmd.relocs); 555 if (ret) 556 goto out; 557 } 558 559 submit->nr_cmds = i; 560 561 submit->fence = msm_fence_alloc(ring->fctx); 562 if (IS_ERR(submit->fence)) { 563 ret = PTR_ERR(submit->fence); 564 submit->fence = NULL; 565 goto out; 566 } 567 568 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 569 sync_file = sync_file_create(submit->fence); 570 if (!sync_file) { 571 ret = -ENOMEM; 572 goto out; 573 } 574 } 575 576 msm_gpu_submit(gpu, submit, ctx); 577 578 args->fence = submit->fence->seqno; 579 580 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 581 fd_install(out_fence_fd, sync_file->file); 582 args->fence_fd = out_fence_fd; 583 } 584 585 out: 586 submit_cleanup(submit); 587 if (ret) 588 msm_gem_submit_free(submit); 589 out_unlock: 590 if (ret && (out_fence_fd >= 0)) 591 put_unused_fd(out_fence_fd); 592 mutex_unlock(&dev->struct_mutex); 593 return ret; 594 } 595