1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2009 Red Hat, Inc.
3 * Copyright (C) 2006 Rusty Russell IBM Corporation
5 * Author: Michael S. Tsirkin <mst@redhat.com>
7 * Inspiration, some code, and most witty comments come from
8 * Documentation/virtual/lguest/lguest.c, by Rusty Russell
10 * Generic code for virtio server in host kernel.
13 #include <linux/eventfd.h>
14 #include <linux/vhost.h>
15 #include <linux/uio.h>
17 #include <linux/miscdevice.h>
18 #include <linux/mutex.h>
19 #include <linux/poll.h>
20 #include <linux/file.h>
21 #include <linux/highmem.h>
22 #include <linux/slab.h>
23 #include <linux/vmalloc.h>
24 #include <linux/kthread.h>
25 #include <linux/module.h>
26 #include <linux/sort.h>
27 #include <linux/sched/mm.h>
28 #include <linux/sched/signal.h>
29 #include <linux/sched/vhost_task.h>
30 #include <linux/interval_tree_generic.h>
31 #include <linux/nospec.h>
32 #include <linux/kcov.h>
36 static ushort max_mem_regions = 64;
37 module_param(max_mem_regions, ushort, 0444);
38 MODULE_PARM_DESC(max_mem_regions,
39 "Maximum number of memory regions in memory map. (default: 64)");
40 static int max_iotlb_entries = 2048;
41 module_param(max_iotlb_entries, int, 0444);
42 MODULE_PARM_DESC(max_iotlb_entries,
43 "Maximum number of iotlb entries. (default: 2048)");
46 VHOST_MEMORY_F_LOG = 0x1,
49 #define vhost_used_event(vq) ((__virtio16 __user *)&vq->avail->ring[vq->num])
50 #define vhost_avail_event(vq) ((__virtio16 __user *)&vq->used->ring[vq->num])
52 #ifdef CONFIG_VHOST_CROSS_ENDIAN_LEGACY
53 static void vhost_disable_cross_endian(struct vhost_virtqueue *vq)
55 vq->user_be = !virtio_legacy_is_little_endian();
58 static void vhost_enable_cross_endian_big(struct vhost_virtqueue *vq)
63 static void vhost_enable_cross_endian_little(struct vhost_virtqueue *vq)
68 static long vhost_set_vring_endian(struct vhost_virtqueue *vq, int __user *argp)
70 struct vhost_vring_state s;
75 if (copy_from_user(&s, argp, sizeof(s)))
78 if (s.num != VHOST_VRING_LITTLE_ENDIAN &&
79 s.num != VHOST_VRING_BIG_ENDIAN)
82 if (s.num == VHOST_VRING_BIG_ENDIAN)
83 vhost_enable_cross_endian_big(vq);
85 vhost_enable_cross_endian_little(vq);
90 static long vhost_get_vring_endian(struct vhost_virtqueue *vq, u32 idx,
93 struct vhost_vring_state s = {
98 if (copy_to_user(argp, &s, sizeof(s)))
104 static void vhost_init_is_le(struct vhost_virtqueue *vq)
106 /* Note for legacy virtio: user_be is initialized at reset time
107 * according to the host endianness. If userspace does not set an
108 * explicit endianness, the default behavior is native endian, as
109 * expected by legacy virtio.
111 vq->is_le = vhost_has_feature(vq, VIRTIO_F_VERSION_1) || !vq->user_be;
114 static void vhost_disable_cross_endian(struct vhost_virtqueue *vq)
118 static long vhost_set_vring_endian(struct vhost_virtqueue *vq, int __user *argp)
123 static long vhost_get_vring_endian(struct vhost_virtqueue *vq, u32 idx,
129 static void vhost_init_is_le(struct vhost_virtqueue *vq)
131 vq->is_le = vhost_has_feature(vq, VIRTIO_F_VERSION_1)
132 || virtio_legacy_is_little_endian();
134 #endif /* CONFIG_VHOST_CROSS_ENDIAN_LEGACY */
136 static void vhost_reset_is_le(struct vhost_virtqueue *vq)
138 vhost_init_is_le(vq);
141 struct vhost_flush_struct {
142 struct vhost_work work;
143 struct completion wait_event;
146 static void vhost_flush_work(struct vhost_work *work)
148 struct vhost_flush_struct *s;
150 s = container_of(work, struct vhost_flush_struct, work);
151 complete(&s->wait_event);
154 static void vhost_poll_func(struct file *file, wait_queue_head_t *wqh,
157 struct vhost_poll *poll;
159 poll = container_of(pt, struct vhost_poll, table);
161 add_wait_queue(wqh, &poll->wait);
164 static int vhost_poll_wakeup(wait_queue_entry_t *wait, unsigned mode, int sync,
167 struct vhost_poll *poll = container_of(wait, struct vhost_poll, wait);
168 struct vhost_work *work = &poll->work;
170 if (!(key_to_poll(key) & poll->mask))
173 if (!poll->dev->use_worker)
176 vhost_poll_queue(poll);
181 void vhost_work_init(struct vhost_work *work, vhost_work_fn_t fn)
183 clear_bit(VHOST_WORK_QUEUED, &work->flags);
186 EXPORT_SYMBOL_GPL(vhost_work_init);
188 /* Init poll structure */
189 void vhost_poll_init(struct vhost_poll *poll, vhost_work_fn_t fn,
190 __poll_t mask, struct vhost_dev *dev)
192 init_waitqueue_func_entry(&poll->wait, vhost_poll_wakeup);
193 init_poll_funcptr(&poll->table, vhost_poll_func);
198 vhost_work_init(&poll->work, fn);
200 EXPORT_SYMBOL_GPL(vhost_poll_init);
202 /* Start polling a file. We add ourselves to file's wait queue. The caller must
203 * keep a reference to a file until after vhost_poll_stop is called. */
204 int vhost_poll_start(struct vhost_poll *poll, struct file *file)
211 mask = vfs_poll(file, &poll->table);
213 vhost_poll_wakeup(&poll->wait, 0, 0, poll_to_key(mask));
214 if (mask & EPOLLERR) {
215 vhost_poll_stop(poll);
221 EXPORT_SYMBOL_GPL(vhost_poll_start);
223 /* Stop polling a file. After this function returns, it becomes safe to drop the
224 * file reference. You must also flush afterwards. */
225 void vhost_poll_stop(struct vhost_poll *poll)
228 remove_wait_queue(poll->wqh, &poll->wait);
232 EXPORT_SYMBOL_GPL(vhost_poll_stop);
234 static bool vhost_worker_queue(struct vhost_worker *worker,
235 struct vhost_work *work)
240 * vsock can queue while we do a VHOST_SET_OWNER, so we have a smp_wmb
241 * when setting up the worker. We don't have a smp_rmb here because
242 * test_and_set_bit gives us a mb already.
244 if (!test_and_set_bit(VHOST_WORK_QUEUED, &work->flags)) {
245 /* We can only add the work to the list after we're
246 * sure it was not in the list.
247 * test_and_set_bit() implies a memory barrier.
249 llist_add(&work->node, &worker->work_list);
250 vhost_task_wake(worker->vtsk);
256 bool vhost_work_queue(struct vhost_dev *dev, struct vhost_work *work)
258 return vhost_worker_queue(dev->worker, work);
260 EXPORT_SYMBOL_GPL(vhost_work_queue);
262 bool vhost_vq_work_queue(struct vhost_virtqueue *vq, struct vhost_work *work)
264 return vhost_worker_queue(vq->worker, work);
266 EXPORT_SYMBOL_GPL(vhost_vq_work_queue);
268 void vhost_dev_flush(struct vhost_dev *dev)
270 struct vhost_flush_struct flush;
272 init_completion(&flush.wait_event);
273 vhost_work_init(&flush.work, vhost_flush_work);
275 if (vhost_work_queue(dev, &flush.work))
276 wait_for_completion(&flush.wait_event);
278 EXPORT_SYMBOL_GPL(vhost_dev_flush);
280 /* A lockless hint for busy polling code to exit the loop */
281 bool vhost_vq_has_work(struct vhost_virtqueue *vq)
283 return !llist_empty(&vq->worker->work_list);
285 EXPORT_SYMBOL_GPL(vhost_vq_has_work);
287 void vhost_poll_queue(struct vhost_poll *poll)
289 vhost_work_queue(poll->dev, &poll->work);
291 EXPORT_SYMBOL_GPL(vhost_poll_queue);
293 static void __vhost_vq_meta_reset(struct vhost_virtqueue *vq)
297 for (j = 0; j < VHOST_NUM_ADDRS; j++)
298 vq->meta_iotlb[j] = NULL;
301 static void vhost_vq_meta_reset(struct vhost_dev *d)
305 for (i = 0; i < d->nvqs; ++i)
306 __vhost_vq_meta_reset(d->vqs[i]);
309 static void vhost_vring_call_reset(struct vhost_vring_call *call_ctx)
311 call_ctx->ctx = NULL;
312 memset(&call_ctx->producer, 0x0, sizeof(struct irq_bypass_producer));
315 bool vhost_vq_is_setup(struct vhost_virtqueue *vq)
317 return vq->avail && vq->desc && vq->used && vhost_vq_access_ok(vq);
319 EXPORT_SYMBOL_GPL(vhost_vq_is_setup);
321 static void vhost_vq_reset(struct vhost_dev *dev,
322 struct vhost_virtqueue *vq)
328 vq->last_avail_idx = 0;
330 vq->last_used_idx = 0;
331 vq->signalled_used = 0;
332 vq->signalled_used_valid = false;
334 vq->log_used = false;
335 vq->log_addr = -1ull;
336 vq->private_data = NULL;
337 vq->acked_features = 0;
338 vq->acked_backend_features = 0;
340 vq->error_ctx = NULL;
343 vhost_disable_cross_endian(vq);
344 vhost_reset_is_le(vq);
345 vq->busyloop_timeout = 0;
349 vhost_vring_call_reset(&vq->call_ctx);
350 __vhost_vq_meta_reset(vq);
353 static bool vhost_worker(void *data)
355 struct vhost_worker *worker = data;
356 struct vhost_work *work, *work_next;
357 struct llist_node *node;
359 node = llist_del_all(&worker->work_list);
361 __set_current_state(TASK_RUNNING);
363 node = llist_reverse_order(node);
364 /* make sure flag is seen after deletion */
366 llist_for_each_entry_safe(work, work_next, node, node) {
367 clear_bit(VHOST_WORK_QUEUED, &work->flags);
368 kcov_remote_start_common(worker->kcov_handle);
378 static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq)
388 /* Helper to allocate iovec buffers for all vqs. */
389 static long vhost_dev_alloc_iovecs(struct vhost_dev *dev)
391 struct vhost_virtqueue *vq;
394 for (i = 0; i < dev->nvqs; ++i) {
396 vq->indirect = kmalloc_array(UIO_MAXIOV,
397 sizeof(*vq->indirect),
399 vq->log = kmalloc_array(dev->iov_limit, sizeof(*vq->log),
401 vq->heads = kmalloc_array(dev->iov_limit, sizeof(*vq->heads),
403 if (!vq->indirect || !vq->log || !vq->heads)
410 vhost_vq_free_iovecs(dev->vqs[i]);
414 static void vhost_dev_free_iovecs(struct vhost_dev *dev)
418 for (i = 0; i < dev->nvqs; ++i)
419 vhost_vq_free_iovecs(dev->vqs[i]);
422 bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
423 int pkts, int total_len)
425 struct vhost_dev *dev = vq->dev;
427 if ((dev->byte_weight && total_len >= dev->byte_weight) ||
428 pkts >= dev->weight) {
429 vhost_poll_queue(&vq->poll);
435 EXPORT_SYMBOL_GPL(vhost_exceeds_weight);
437 static size_t vhost_get_avail_size(struct vhost_virtqueue *vq,
440 size_t event __maybe_unused =
441 vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
443 return size_add(struct_size(vq->avail, ring, num), event);
446 static size_t vhost_get_used_size(struct vhost_virtqueue *vq,
449 size_t event __maybe_unused =
450 vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
452 return size_add(struct_size(vq->used, ring, num), event);
455 static size_t vhost_get_desc_size(struct vhost_virtqueue *vq,
458 return sizeof(*vq->desc) * num;
461 void vhost_dev_init(struct vhost_dev *dev,
462 struct vhost_virtqueue **vqs, int nvqs,
463 int iov_limit, int weight, int byte_weight,
465 int (*msg_handler)(struct vhost_dev *dev, u32 asid,
466 struct vhost_iotlb_msg *msg))
468 struct vhost_virtqueue *vq;
473 mutex_init(&dev->mutex);
479 dev->iov_limit = iov_limit;
480 dev->weight = weight;
481 dev->byte_weight = byte_weight;
482 dev->use_worker = use_worker;
483 dev->msg_handler = msg_handler;
484 init_waitqueue_head(&dev->wait);
485 INIT_LIST_HEAD(&dev->read_list);
486 INIT_LIST_HEAD(&dev->pending_list);
487 spin_lock_init(&dev->iotlb_lock);
490 for (i = 0; i < dev->nvqs; ++i) {
496 mutex_init(&vq->mutex);
497 vhost_vq_reset(dev, vq);
499 vhost_poll_init(&vq->poll, vq->handle_kick,
503 EXPORT_SYMBOL_GPL(vhost_dev_init);
505 /* Caller should have device mutex */
506 long vhost_dev_check_owner(struct vhost_dev *dev)
508 /* Are you the owner? If not, I don't think you mean to do that */
509 return dev->mm == current->mm ? 0 : -EPERM;
511 EXPORT_SYMBOL_GPL(vhost_dev_check_owner);
513 /* Caller should have device mutex */
514 bool vhost_dev_has_owner(struct vhost_dev *dev)
518 EXPORT_SYMBOL_GPL(vhost_dev_has_owner);
520 static void vhost_attach_mm(struct vhost_dev *dev)
522 /* No owner, become one */
523 if (dev->use_worker) {
524 dev->mm = get_task_mm(current);
526 /* vDPA device does not use worker thead, so there's
527 * no need to hold the address space for mm. This help
528 * to avoid deadlock in the case of mmap() which may
529 * held the refcnt of the file and depends on release
530 * method to remove vma.
532 dev->mm = current->mm;
537 static void vhost_detach_mm(struct vhost_dev *dev)
550 static void vhost_worker_free(struct vhost_dev *dev)
555 WARN_ON(!llist_empty(&dev->worker->work_list));
556 vhost_task_stop(dev->worker->vtsk);
561 static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev)
563 struct vhost_worker *worker;
564 struct vhost_task *vtsk;
565 char name[TASK_COMM_LEN];
567 worker = kzalloc(sizeof(*worker), GFP_KERNEL_ACCOUNT);
571 snprintf(name, sizeof(name), "vhost-%d", current->pid);
573 vtsk = vhost_task_create(vhost_worker, worker, name);
577 init_llist_head(&worker->work_list);
578 worker->kcov_handle = kcov_common_handle();
581 * vsock can already try to queue so make sure llist and vtsk are both
582 * set before vhost_work_queue sees dev->worker is set.
585 dev->worker = worker;
587 vhost_task_start(vtsk);
595 /* Caller should have device mutex */
596 long vhost_dev_set_owner(struct vhost_dev *dev)
598 struct vhost_worker *worker;
601 /* Is there an owner already? */
602 if (vhost_dev_has_owner(dev)) {
607 vhost_attach_mm(dev);
609 err = vhost_dev_alloc_iovecs(dev);
613 if (dev->use_worker) {
615 * This should be done last, because vsock can queue work
616 * before VHOST_SET_OWNER so it simplifies the failure path
617 * below since we don't have to worry about vsock queueing
618 * while we free the worker.
620 worker = vhost_worker_create(dev);
626 for (i = 0; i < dev->nvqs; i++)
627 dev->vqs[i]->worker = worker;
633 vhost_dev_free_iovecs(dev);
635 vhost_detach_mm(dev);
639 EXPORT_SYMBOL_GPL(vhost_dev_set_owner);
641 static struct vhost_iotlb *iotlb_alloc(void)
643 return vhost_iotlb_alloc(max_iotlb_entries,
644 VHOST_IOTLB_FLAG_RETIRE);
647 struct vhost_iotlb *vhost_dev_reset_owner_prepare(void)
649 return iotlb_alloc();
651 EXPORT_SYMBOL_GPL(vhost_dev_reset_owner_prepare);
653 /* Caller should have device mutex */
654 void vhost_dev_reset_owner(struct vhost_dev *dev, struct vhost_iotlb *umem)
658 vhost_dev_cleanup(dev);
661 /* We don't need VQ locks below since vhost_dev_cleanup makes sure
662 * VQs aren't running.
664 for (i = 0; i < dev->nvqs; ++i)
665 dev->vqs[i]->umem = umem;
667 EXPORT_SYMBOL_GPL(vhost_dev_reset_owner);
669 void vhost_dev_stop(struct vhost_dev *dev)
673 for (i = 0; i < dev->nvqs; ++i) {
674 if (dev->vqs[i]->kick && dev->vqs[i]->handle_kick)
675 vhost_poll_stop(&dev->vqs[i]->poll);
678 vhost_dev_flush(dev);
680 EXPORT_SYMBOL_GPL(vhost_dev_stop);
682 void vhost_clear_msg(struct vhost_dev *dev)
684 struct vhost_msg_node *node, *n;
686 spin_lock(&dev->iotlb_lock);
688 list_for_each_entry_safe(node, n, &dev->read_list, node) {
689 list_del(&node->node);
693 list_for_each_entry_safe(node, n, &dev->pending_list, node) {
694 list_del(&node->node);
698 spin_unlock(&dev->iotlb_lock);
700 EXPORT_SYMBOL_GPL(vhost_clear_msg);
702 void vhost_dev_cleanup(struct vhost_dev *dev)
706 for (i = 0; i < dev->nvqs; ++i) {
707 if (dev->vqs[i]->error_ctx)
708 eventfd_ctx_put(dev->vqs[i]->error_ctx);
709 if (dev->vqs[i]->kick)
710 fput(dev->vqs[i]->kick);
711 if (dev->vqs[i]->call_ctx.ctx)
712 eventfd_ctx_put(dev->vqs[i]->call_ctx.ctx);
713 vhost_vq_reset(dev, dev->vqs[i]);
715 vhost_dev_free_iovecs(dev);
717 eventfd_ctx_put(dev->log_ctx);
719 /* No one will access memory at this point */
720 vhost_iotlb_free(dev->umem);
722 vhost_iotlb_free(dev->iotlb);
724 vhost_clear_msg(dev);
725 wake_up_interruptible_poll(&dev->wait, EPOLLIN | EPOLLRDNORM);
726 vhost_worker_free(dev);
727 vhost_detach_mm(dev);
729 EXPORT_SYMBOL_GPL(vhost_dev_cleanup);
731 static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz)
733 u64 a = addr / VHOST_PAGE_SIZE / 8;
735 /* Make sure 64 bit math will not overflow. */
736 if (a > ULONG_MAX - (unsigned long)log_base ||
737 a + (unsigned long)log_base > ULONG_MAX)
740 return access_ok(log_base + a,
741 (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8);
744 /* Make sure 64 bit math will not overflow. */
745 static bool vhost_overflow(u64 uaddr, u64 size)
747 if (uaddr > ULONG_MAX || size > ULONG_MAX)
753 return uaddr > ULONG_MAX - size + 1;
756 /* Caller should have vq mutex and device mutex. */
757 static bool vq_memory_access_ok(void __user *log_base, struct vhost_iotlb *umem,
760 struct vhost_iotlb_map *map;
765 list_for_each_entry(map, &umem->list, link) {
766 unsigned long a = map->addr;
768 if (vhost_overflow(map->addr, map->size))
772 if (!access_ok((void __user *)a, map->size))
774 else if (log_all && !log_access_ok(log_base,
782 static inline void __user *vhost_vq_meta_fetch(struct vhost_virtqueue *vq,
783 u64 addr, unsigned int size,
786 const struct vhost_iotlb_map *map = vq->meta_iotlb[type];
791 return (void __user *)(uintptr_t)(map->addr + addr - map->start);
794 /* Can we switch to this memory table? */
795 /* Caller should have device mutex but not vq mutex */
796 static bool memory_access_ok(struct vhost_dev *d, struct vhost_iotlb *umem,
801 for (i = 0; i < d->nvqs; ++i) {
805 mutex_lock(&d->vqs[i]->mutex);
806 log = log_all || vhost_has_feature(d->vqs[i], VHOST_F_LOG_ALL);
807 /* If ring is inactive, will check when it's enabled. */
808 if (d->vqs[i]->private_data)
809 ok = vq_memory_access_ok(d->vqs[i]->log_base,
813 mutex_unlock(&d->vqs[i]->mutex);
820 static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
821 struct iovec iov[], int iov_size, int access);
823 static int vhost_copy_to_user(struct vhost_virtqueue *vq, void __user *to,
824 const void *from, unsigned size)
829 return __copy_to_user(to, from, size);
831 /* This function should be called after iotlb
832 * prefetch, which means we're sure that all vq
833 * could be access through iotlb. So -EAGAIN should
834 * not happen in this case.
837 void __user *uaddr = vhost_vq_meta_fetch(vq,
838 (u64)(uintptr_t)to, size,
842 return __copy_to_user(uaddr, from, size);
844 ret = translate_desc(vq, (u64)(uintptr_t)to, size, vq->iotlb_iov,
845 ARRAY_SIZE(vq->iotlb_iov),
849 iov_iter_init(&t, ITER_DEST, vq->iotlb_iov, ret, size);
850 ret = copy_to_iter(from, size, &t);
858 static int vhost_copy_from_user(struct vhost_virtqueue *vq, void *to,
859 void __user *from, unsigned size)
864 return __copy_from_user(to, from, size);
866 /* This function should be called after iotlb
867 * prefetch, which means we're sure that vq
868 * could be access through iotlb. So -EAGAIN should
869 * not happen in this case.
871 void __user *uaddr = vhost_vq_meta_fetch(vq,
872 (u64)(uintptr_t)from, size,
877 return __copy_from_user(to, uaddr, size);
879 ret = translate_desc(vq, (u64)(uintptr_t)from, size, vq->iotlb_iov,
880 ARRAY_SIZE(vq->iotlb_iov),
883 vq_err(vq, "IOTLB translation failure: uaddr "
884 "%p size 0x%llx\n", from,
885 (unsigned long long) size);
888 iov_iter_init(&f, ITER_SOURCE, vq->iotlb_iov, ret, size);
889 ret = copy_from_iter(to, size, &f);
898 static void __user *__vhost_get_user_slow(struct vhost_virtqueue *vq,
899 void __user *addr, unsigned int size,
904 ret = translate_desc(vq, (u64)(uintptr_t)addr, size, vq->iotlb_iov,
905 ARRAY_SIZE(vq->iotlb_iov),
908 vq_err(vq, "IOTLB translation failure: uaddr "
909 "%p size 0x%llx\n", addr,
910 (unsigned long long) size);
914 if (ret != 1 || vq->iotlb_iov[0].iov_len != size) {
915 vq_err(vq, "Non atomic userspace memory access: uaddr "
916 "%p size 0x%llx\n", addr,
917 (unsigned long long) size);
921 return vq->iotlb_iov[0].iov_base;
924 /* This function should be called after iotlb
925 * prefetch, which means we're sure that vq
926 * could be access through iotlb. So -EAGAIN should
927 * not happen in this case.
929 static inline void __user *__vhost_get_user(struct vhost_virtqueue *vq,
930 void __user *addr, unsigned int size,
933 void __user *uaddr = vhost_vq_meta_fetch(vq,
934 (u64)(uintptr_t)addr, size, type);
938 return __vhost_get_user_slow(vq, addr, size, type);
941 #define vhost_put_user(vq, x, ptr) \
945 ret = __put_user(x, ptr); \
947 __typeof__(ptr) to = \
948 (__typeof__(ptr)) __vhost_get_user(vq, ptr, \
949 sizeof(*ptr), VHOST_ADDR_USED); \
951 ret = __put_user(x, to); \
958 static inline int vhost_put_avail_event(struct vhost_virtqueue *vq)
960 return vhost_put_user(vq, cpu_to_vhost16(vq, vq->avail_idx),
961 vhost_avail_event(vq));
964 static inline int vhost_put_used(struct vhost_virtqueue *vq,
965 struct vring_used_elem *head, int idx,
968 return vhost_copy_to_user(vq, vq->used->ring + idx, head,
969 count * sizeof(*head));
972 static inline int vhost_put_used_flags(struct vhost_virtqueue *vq)
975 return vhost_put_user(vq, cpu_to_vhost16(vq, vq->used_flags),
979 static inline int vhost_put_used_idx(struct vhost_virtqueue *vq)
982 return vhost_put_user(vq, cpu_to_vhost16(vq, vq->last_used_idx),
986 #define vhost_get_user(vq, x, ptr, type) \
990 ret = __get_user(x, ptr); \
992 __typeof__(ptr) from = \
993 (__typeof__(ptr)) __vhost_get_user(vq, ptr, \
997 ret = __get_user(x, from); \
1004 #define vhost_get_avail(vq, x, ptr) \
1005 vhost_get_user(vq, x, ptr, VHOST_ADDR_AVAIL)
1007 #define vhost_get_used(vq, x, ptr) \
1008 vhost_get_user(vq, x, ptr, VHOST_ADDR_USED)
1010 static void vhost_dev_lock_vqs(struct vhost_dev *d)
1013 for (i = 0; i < d->nvqs; ++i)
1014 mutex_lock_nested(&d->vqs[i]->mutex, i);
1017 static void vhost_dev_unlock_vqs(struct vhost_dev *d)
1020 for (i = 0; i < d->nvqs; ++i)
1021 mutex_unlock(&d->vqs[i]->mutex);
1024 static inline int vhost_get_avail_idx(struct vhost_virtqueue *vq,
1027 return vhost_get_avail(vq, *idx, &vq->avail->idx);
1030 static inline int vhost_get_avail_head(struct vhost_virtqueue *vq,
1031 __virtio16 *head, int idx)
1033 return vhost_get_avail(vq, *head,
1034 &vq->avail->ring[idx & (vq->num - 1)]);
1037 static inline int vhost_get_avail_flags(struct vhost_virtqueue *vq,
1040 return vhost_get_avail(vq, *flags, &vq->avail->flags);
1043 static inline int vhost_get_used_event(struct vhost_virtqueue *vq,
1046 return vhost_get_avail(vq, *event, vhost_used_event(vq));
1049 static inline int vhost_get_used_idx(struct vhost_virtqueue *vq,
1052 return vhost_get_used(vq, *idx, &vq->used->idx);
1055 static inline int vhost_get_desc(struct vhost_virtqueue *vq,
1056 struct vring_desc *desc, int idx)
1058 return vhost_copy_from_user(vq, desc, vq->desc + idx, sizeof(*desc));
1061 static void vhost_iotlb_notify_vq(struct vhost_dev *d,
1062 struct vhost_iotlb_msg *msg)
1064 struct vhost_msg_node *node, *n;
1066 spin_lock(&d->iotlb_lock);
1068 list_for_each_entry_safe(node, n, &d->pending_list, node) {
1069 struct vhost_iotlb_msg *vq_msg = &node->msg.iotlb;
1070 if (msg->iova <= vq_msg->iova &&
1071 msg->iova + msg->size - 1 >= vq_msg->iova &&
1072 vq_msg->type == VHOST_IOTLB_MISS) {
1073 vhost_poll_queue(&node->vq->poll);
1074 list_del(&node->node);
1079 spin_unlock(&d->iotlb_lock);
1082 static bool umem_access_ok(u64 uaddr, u64 size, int access)
1084 unsigned long a = uaddr;
1086 /* Make sure 64 bit math will not overflow. */
1087 if (vhost_overflow(uaddr, size))
1090 if ((access & VHOST_ACCESS_RO) &&
1091 !access_ok((void __user *)a, size))
1093 if ((access & VHOST_ACCESS_WO) &&
1094 !access_ok((void __user *)a, size))
1099 static int vhost_process_iotlb_msg(struct vhost_dev *dev, u32 asid,
1100 struct vhost_iotlb_msg *msg)
1107 mutex_lock(&dev->mutex);
1108 vhost_dev_lock_vqs(dev);
1109 switch (msg->type) {
1110 case VHOST_IOTLB_UPDATE:
1115 if (!umem_access_ok(msg->uaddr, msg->size, msg->perm)) {
1119 vhost_vq_meta_reset(dev);
1120 if (vhost_iotlb_add_range(dev->iotlb, msg->iova,
1121 msg->iova + msg->size - 1,
1122 msg->uaddr, msg->perm)) {
1126 vhost_iotlb_notify_vq(dev, msg);
1128 case VHOST_IOTLB_INVALIDATE:
1133 vhost_vq_meta_reset(dev);
1134 vhost_iotlb_del_range(dev->iotlb, msg->iova,
1135 msg->iova + msg->size - 1);
1142 vhost_dev_unlock_vqs(dev);
1143 mutex_unlock(&dev->mutex);
1147 ssize_t vhost_chr_write_iter(struct vhost_dev *dev,
1148 struct iov_iter *from)
1150 struct vhost_iotlb_msg msg;
1155 ret = copy_from_iter(&type, sizeof(type), from);
1156 if (ret != sizeof(type)) {
1162 case VHOST_IOTLB_MSG:
1163 /* There maybe a hole after type for V1 message type,
1166 offset = offsetof(struct vhost_msg, iotlb) - sizeof(int);
1168 case VHOST_IOTLB_MSG_V2:
1169 if (vhost_backend_has_feature(dev->vqs[0],
1170 VHOST_BACKEND_F_IOTLB_ASID)) {
1171 ret = copy_from_iter(&asid, sizeof(asid), from);
1172 if (ret != sizeof(asid)) {
1178 offset = sizeof(__u32);
1185 iov_iter_advance(from, offset);
1186 ret = copy_from_iter(&msg, sizeof(msg), from);
1187 if (ret != sizeof(msg)) {
1192 if ((msg.type == VHOST_IOTLB_UPDATE ||
1193 msg.type == VHOST_IOTLB_INVALIDATE) &&
1199 if (dev->msg_handler)
1200 ret = dev->msg_handler(dev, asid, &msg);
1202 ret = vhost_process_iotlb_msg(dev, asid, &msg);
1208 ret = (type == VHOST_IOTLB_MSG) ? sizeof(struct vhost_msg) :
1209 sizeof(struct vhost_msg_v2);
1213 EXPORT_SYMBOL(vhost_chr_write_iter);
1215 __poll_t vhost_chr_poll(struct file *file, struct vhost_dev *dev,
1220 poll_wait(file, &dev->wait, wait);
1222 if (!list_empty(&dev->read_list))
1223 mask |= EPOLLIN | EPOLLRDNORM;
1227 EXPORT_SYMBOL(vhost_chr_poll);
1229 ssize_t vhost_chr_read_iter(struct vhost_dev *dev, struct iov_iter *to,
1233 struct vhost_msg_node *node;
1235 unsigned size = sizeof(struct vhost_msg);
1237 if (iov_iter_count(to) < size)
1242 prepare_to_wait(&dev->wait, &wait,
1243 TASK_INTERRUPTIBLE);
1245 node = vhost_dequeue_msg(dev, &dev->read_list);
1252 if (signal_pending(current)) {
1265 finish_wait(&dev->wait, &wait);
1268 struct vhost_iotlb_msg *msg;
1269 void *start = &node->msg;
1271 switch (node->msg.type) {
1272 case VHOST_IOTLB_MSG:
1273 size = sizeof(node->msg);
1274 msg = &node->msg.iotlb;
1276 case VHOST_IOTLB_MSG_V2:
1277 size = sizeof(node->msg_v2);
1278 msg = &node->msg_v2.iotlb;
1285 ret = copy_to_iter(start, size, to);
1286 if (ret != size || msg->type != VHOST_IOTLB_MISS) {
1290 vhost_enqueue_msg(dev, &dev->pending_list, node);
1295 EXPORT_SYMBOL_GPL(vhost_chr_read_iter);
1297 static int vhost_iotlb_miss(struct vhost_virtqueue *vq, u64 iova, int access)
1299 struct vhost_dev *dev = vq->dev;
1300 struct vhost_msg_node *node;
1301 struct vhost_iotlb_msg *msg;
1302 bool v2 = vhost_backend_has_feature(vq, VHOST_BACKEND_F_IOTLB_MSG_V2);
1304 node = vhost_new_msg(vq, v2 ? VHOST_IOTLB_MSG_V2 : VHOST_IOTLB_MSG);
1309 node->msg_v2.type = VHOST_IOTLB_MSG_V2;
1310 msg = &node->msg_v2.iotlb;
1312 msg = &node->msg.iotlb;
1315 msg->type = VHOST_IOTLB_MISS;
1319 vhost_enqueue_msg(dev, &dev->read_list, node);
1324 static bool vq_access_ok(struct vhost_virtqueue *vq, unsigned int num,
1325 vring_desc_t __user *desc,
1326 vring_avail_t __user *avail,
1327 vring_used_t __user *used)
1330 /* If an IOTLB device is present, the vring addresses are
1331 * GIOVAs. Access validation occurs at prefetch time. */
1335 return access_ok(desc, vhost_get_desc_size(vq, num)) &&
1336 access_ok(avail, vhost_get_avail_size(vq, num)) &&
1337 access_ok(used, vhost_get_used_size(vq, num));
1340 static void vhost_vq_meta_update(struct vhost_virtqueue *vq,
1341 const struct vhost_iotlb_map *map,
1344 int access = (type == VHOST_ADDR_USED) ?
1345 VHOST_ACCESS_WO : VHOST_ACCESS_RO;
1347 if (likely(map->perm & access))
1348 vq->meta_iotlb[type] = map;
1351 static bool iotlb_access_ok(struct vhost_virtqueue *vq,
1352 int access, u64 addr, u64 len, int type)
1354 const struct vhost_iotlb_map *map;
1355 struct vhost_iotlb *umem = vq->iotlb;
1356 u64 s = 0, size, orig_addr = addr, last = addr + len - 1;
1358 if (vhost_vq_meta_fetch(vq, addr, len, type))
1362 map = vhost_iotlb_itree_first(umem, addr, last);
1363 if (map == NULL || map->start > addr) {
1364 vhost_iotlb_miss(vq, addr, access);
1366 } else if (!(map->perm & access)) {
1367 /* Report the possible access violation by
1368 * request another translation from userspace.
1373 size = map->size - addr + map->start;
1375 if (orig_addr == addr && size >= len)
1376 vhost_vq_meta_update(vq, map, type);
1385 int vq_meta_prefetch(struct vhost_virtqueue *vq)
1387 unsigned int num = vq->num;
1392 return iotlb_access_ok(vq, VHOST_MAP_RO, (u64)(uintptr_t)vq->desc,
1393 vhost_get_desc_size(vq, num), VHOST_ADDR_DESC) &&
1394 iotlb_access_ok(vq, VHOST_MAP_RO, (u64)(uintptr_t)vq->avail,
1395 vhost_get_avail_size(vq, num),
1396 VHOST_ADDR_AVAIL) &&
1397 iotlb_access_ok(vq, VHOST_MAP_WO, (u64)(uintptr_t)vq->used,
1398 vhost_get_used_size(vq, num), VHOST_ADDR_USED);
1400 EXPORT_SYMBOL_GPL(vq_meta_prefetch);
1402 /* Can we log writes? */
1403 /* Caller should have device mutex but not vq mutex */
1404 bool vhost_log_access_ok(struct vhost_dev *dev)
1406 return memory_access_ok(dev, dev->umem, 1);
1408 EXPORT_SYMBOL_GPL(vhost_log_access_ok);
1410 static bool vq_log_used_access_ok(struct vhost_virtqueue *vq,
1411 void __user *log_base,
1415 /* If an IOTLB device is present, log_addr is a GIOVA that
1416 * will never be logged by log_used(). */
1420 return !log_used || log_access_ok(log_base, log_addr,
1421 vhost_get_used_size(vq, vq->num));
1424 /* Verify access for write logging. */
1425 /* Caller should have vq mutex and device mutex */
1426 static bool vq_log_access_ok(struct vhost_virtqueue *vq,
1427 void __user *log_base)
1429 return vq_memory_access_ok(log_base, vq->umem,
1430 vhost_has_feature(vq, VHOST_F_LOG_ALL)) &&
1431 vq_log_used_access_ok(vq, log_base, vq->log_used, vq->log_addr);
1434 /* Can we start vq? */
1435 /* Caller should have vq mutex and device mutex */
1436 bool vhost_vq_access_ok(struct vhost_virtqueue *vq)
1438 if (!vq_log_access_ok(vq, vq->log_base))
1441 return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
1443 EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
1445 static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m)
1447 struct vhost_memory mem, *newmem;
1448 struct vhost_memory_region *region;
1449 struct vhost_iotlb *newumem, *oldumem;
1450 unsigned long size = offsetof(struct vhost_memory, regions);
1453 if (copy_from_user(&mem, m, size))
1457 if (mem.nregions > max_mem_regions)
1459 newmem = kvzalloc(struct_size(newmem, regions, mem.nregions),
1464 memcpy(newmem, &mem, size);
1465 if (copy_from_user(newmem->regions, m->regions,
1466 flex_array_size(newmem, regions, mem.nregions))) {
1471 newumem = iotlb_alloc();
1477 for (region = newmem->regions;
1478 region < newmem->regions + mem.nregions;
1480 if (vhost_iotlb_add_range(newumem,
1481 region->guest_phys_addr,
1482 region->guest_phys_addr +
1483 region->memory_size - 1,
1484 region->userspace_addr,
1489 if (!memory_access_ok(d, newumem, 0))
1495 /* All memory accesses are done under some VQ mutex. */
1496 for (i = 0; i < d->nvqs; ++i) {
1497 mutex_lock(&d->vqs[i]->mutex);
1498 d->vqs[i]->umem = newumem;
1499 mutex_unlock(&d->vqs[i]->mutex);
1503 vhost_iotlb_free(oldumem);
1507 vhost_iotlb_free(newumem);
1512 static long vhost_vring_set_num(struct vhost_dev *d,
1513 struct vhost_virtqueue *vq,
1516 struct vhost_vring_state s;
1518 /* Resizing ring with an active backend?
1519 * You don't want to do that. */
1520 if (vq->private_data)
1523 if (copy_from_user(&s, argp, sizeof s))
1526 if (!s.num || s.num > 0xffff || (s.num & (s.num - 1)))
1533 static long vhost_vring_set_addr(struct vhost_dev *d,
1534 struct vhost_virtqueue *vq,
1537 struct vhost_vring_addr a;
1539 if (copy_from_user(&a, argp, sizeof a))
1541 if (a.flags & ~(0x1 << VHOST_VRING_F_LOG))
1544 /* For 32bit, verify that the top 32bits of the user
1545 data are set to zero. */
1546 if ((u64)(unsigned long)a.desc_user_addr != a.desc_user_addr ||
1547 (u64)(unsigned long)a.used_user_addr != a.used_user_addr ||
1548 (u64)(unsigned long)a.avail_user_addr != a.avail_user_addr)
1551 /* Make sure it's safe to cast pointers to vring types. */
1552 BUILD_BUG_ON(__alignof__ *vq->avail > VRING_AVAIL_ALIGN_SIZE);
1553 BUILD_BUG_ON(__alignof__ *vq->used > VRING_USED_ALIGN_SIZE);
1554 if ((a.avail_user_addr & (VRING_AVAIL_ALIGN_SIZE - 1)) ||
1555 (a.used_user_addr & (VRING_USED_ALIGN_SIZE - 1)) ||
1556 (a.log_guest_addr & (VRING_USED_ALIGN_SIZE - 1)))
1559 /* We only verify access here if backend is configured.
1560 * If it is not, we don't as size might not have been setup.
1561 * We will verify when backend is configured. */
1562 if (vq->private_data) {
1563 if (!vq_access_ok(vq, vq->num,
1564 (void __user *)(unsigned long)a.desc_user_addr,
1565 (void __user *)(unsigned long)a.avail_user_addr,
1566 (void __user *)(unsigned long)a.used_user_addr))
1569 /* Also validate log access for used ring if enabled. */
1570 if (!vq_log_used_access_ok(vq, vq->log_base,
1571 a.flags & (0x1 << VHOST_VRING_F_LOG),
1576 vq->log_used = !!(a.flags & (0x1 << VHOST_VRING_F_LOG));
1577 vq->desc = (void __user *)(unsigned long)a.desc_user_addr;
1578 vq->avail = (void __user *)(unsigned long)a.avail_user_addr;
1579 vq->log_addr = a.log_guest_addr;
1580 vq->used = (void __user *)(unsigned long)a.used_user_addr;
1585 static long vhost_vring_set_num_addr(struct vhost_dev *d,
1586 struct vhost_virtqueue *vq,
1592 mutex_lock(&vq->mutex);
1595 case VHOST_SET_VRING_NUM:
1596 r = vhost_vring_set_num(d, vq, argp);
1598 case VHOST_SET_VRING_ADDR:
1599 r = vhost_vring_set_addr(d, vq, argp);
1605 mutex_unlock(&vq->mutex);
1609 long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
1611 struct file *eventfp, *filep = NULL;
1612 bool pollstart = false, pollstop = false;
1613 struct eventfd_ctx *ctx = NULL;
1614 u32 __user *idxp = argp;
1615 struct vhost_virtqueue *vq;
1616 struct vhost_vring_state s;
1617 struct vhost_vring_file f;
1621 r = get_user(idx, idxp);
1627 idx = array_index_nospec(idx, d->nvqs);
1630 if (ioctl == VHOST_SET_VRING_NUM ||
1631 ioctl == VHOST_SET_VRING_ADDR) {
1632 return vhost_vring_set_num_addr(d, vq, ioctl, argp);
1635 mutex_lock(&vq->mutex);
1638 case VHOST_SET_VRING_BASE:
1639 /* Moving base with an active backend?
1640 * You don't want to do that. */
1641 if (vq->private_data) {
1645 if (copy_from_user(&s, argp, sizeof s)) {
1649 if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) {
1650 vq->last_avail_idx = s.num & 0xffff;
1651 vq->last_used_idx = (s.num >> 16) & 0xffff;
1653 if (s.num > 0xffff) {
1657 vq->last_avail_idx = s.num;
1659 /* Forget the cached index value. */
1660 vq->avail_idx = vq->last_avail_idx;
1662 case VHOST_GET_VRING_BASE:
1664 if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED))
1665 s.num = (u32)vq->last_avail_idx | ((u32)vq->last_used_idx << 16);
1667 s.num = vq->last_avail_idx;
1668 if (copy_to_user(argp, &s, sizeof s))
1671 case VHOST_SET_VRING_KICK:
1672 if (copy_from_user(&f, argp, sizeof f)) {
1676 eventfp = f.fd == VHOST_FILE_UNBIND ? NULL : eventfd_fget(f.fd);
1677 if (IS_ERR(eventfp)) {
1678 r = PTR_ERR(eventfp);
1681 if (eventfp != vq->kick) {
1682 pollstop = (filep = vq->kick) != NULL;
1683 pollstart = (vq->kick = eventfp) != NULL;
1687 case VHOST_SET_VRING_CALL:
1688 if (copy_from_user(&f, argp, sizeof f)) {
1692 ctx = f.fd == VHOST_FILE_UNBIND ? NULL : eventfd_ctx_fdget(f.fd);
1698 swap(ctx, vq->call_ctx.ctx);
1700 case VHOST_SET_VRING_ERR:
1701 if (copy_from_user(&f, argp, sizeof f)) {
1705 ctx = f.fd == VHOST_FILE_UNBIND ? NULL : eventfd_ctx_fdget(f.fd);
1710 swap(ctx, vq->error_ctx);
1712 case VHOST_SET_VRING_ENDIAN:
1713 r = vhost_set_vring_endian(vq, argp);
1715 case VHOST_GET_VRING_ENDIAN:
1716 r = vhost_get_vring_endian(vq, idx, argp);
1718 case VHOST_SET_VRING_BUSYLOOP_TIMEOUT:
1719 if (copy_from_user(&s, argp, sizeof(s))) {
1723 vq->busyloop_timeout = s.num;
1725 case VHOST_GET_VRING_BUSYLOOP_TIMEOUT:
1727 s.num = vq->busyloop_timeout;
1728 if (copy_to_user(argp, &s, sizeof(s)))
1735 if (pollstop && vq->handle_kick)
1736 vhost_poll_stop(&vq->poll);
1738 if (!IS_ERR_OR_NULL(ctx))
1739 eventfd_ctx_put(ctx);
1743 if (pollstart && vq->handle_kick)
1744 r = vhost_poll_start(&vq->poll, vq->kick);
1746 mutex_unlock(&vq->mutex);
1748 if (pollstop && vq->handle_kick)
1749 vhost_dev_flush(vq->poll.dev);
1752 EXPORT_SYMBOL_GPL(vhost_vring_ioctl);
1754 int vhost_init_device_iotlb(struct vhost_dev *d)
1756 struct vhost_iotlb *niotlb, *oiotlb;
1759 niotlb = iotlb_alloc();
1766 for (i = 0; i < d->nvqs; ++i) {
1767 struct vhost_virtqueue *vq = d->vqs[i];
1769 mutex_lock(&vq->mutex);
1771 __vhost_vq_meta_reset(vq);
1772 mutex_unlock(&vq->mutex);
1775 vhost_iotlb_free(oiotlb);
1779 EXPORT_SYMBOL_GPL(vhost_init_device_iotlb);
1781 /* Caller must have device mutex */
1782 long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
1784 struct eventfd_ctx *ctx;
1789 /* If you are not the owner, you can become one */
1790 if (ioctl == VHOST_SET_OWNER) {
1791 r = vhost_dev_set_owner(d);
1795 /* You must be the owner to do anything else */
1796 r = vhost_dev_check_owner(d);
1801 case VHOST_SET_MEM_TABLE:
1802 r = vhost_set_memory(d, argp);
1804 case VHOST_SET_LOG_BASE:
1805 if (copy_from_user(&p, argp, sizeof p)) {
1809 if ((u64)(unsigned long)p != p) {
1813 for (i = 0; i < d->nvqs; ++i) {
1814 struct vhost_virtqueue *vq;
1815 void __user *base = (void __user *)(unsigned long)p;
1817 mutex_lock(&vq->mutex);
1818 /* If ring is inactive, will check when it's enabled. */
1819 if (vq->private_data && !vq_log_access_ok(vq, base))
1822 vq->log_base = base;
1823 mutex_unlock(&vq->mutex);
1826 case VHOST_SET_LOG_FD:
1827 r = get_user(fd, (int __user *)argp);
1830 ctx = fd == VHOST_FILE_UNBIND ? NULL : eventfd_ctx_fdget(fd);
1835 swap(ctx, d->log_ctx);
1836 for (i = 0; i < d->nvqs; ++i) {
1837 mutex_lock(&d->vqs[i]->mutex);
1838 d->vqs[i]->log_ctx = d->log_ctx;
1839 mutex_unlock(&d->vqs[i]->mutex);
1842 eventfd_ctx_put(ctx);
1851 EXPORT_SYMBOL_GPL(vhost_dev_ioctl);
1853 /* TODO: This is really inefficient. We need something like get_user()
1854 * (instruction directly accesses the data, with an exception table entry
1855 * returning -EFAULT). See Documentation/arch/x86/exception-tables.rst.
1857 static int set_bit_to_user(int nr, void __user *addr)
1859 unsigned long log = (unsigned long)addr;
1862 int bit = nr + (log % PAGE_SIZE) * 8;
1865 r = pin_user_pages_fast(log, 1, FOLL_WRITE, &page);
1869 base = kmap_atomic(page);
1871 kunmap_atomic(base);
1872 unpin_user_pages_dirty_lock(&page, 1, true);
1876 static int log_write(void __user *log_base,
1877 u64 write_address, u64 write_length)
1879 u64 write_page = write_address / VHOST_PAGE_SIZE;
1884 write_length += write_address % VHOST_PAGE_SIZE;
1886 u64 base = (u64)(unsigned long)log_base;
1887 u64 log = base + write_page / 8;
1888 int bit = write_page % 8;
1889 if ((u64)(unsigned long)log != log)
1891 r = set_bit_to_user(bit, (void __user *)(unsigned long)log);
1894 if (write_length <= VHOST_PAGE_SIZE)
1896 write_length -= VHOST_PAGE_SIZE;
1902 static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len)
1904 struct vhost_iotlb *umem = vq->umem;
1905 struct vhost_iotlb_map *u;
1906 u64 start, end, l, min;
1912 /* More than one GPAs can be mapped into a single HVA. So
1913 * iterate all possible umems here to be safe.
1915 list_for_each_entry(u, &umem->list, link) {
1916 if (u->addr > hva - 1 + len ||
1917 u->addr - 1 + u->size < hva)
1919 start = max(u->addr, hva);
1920 end = min(u->addr - 1 + u->size, hva - 1 + len);
1921 l = end - start + 1;
1922 r = log_write(vq->log_base,
1923 u->start + start - u->addr,
1941 static int log_used(struct vhost_virtqueue *vq, u64 used_offset, u64 len)
1943 struct iovec *iov = vq->log_iov;
1947 return log_write(vq->log_base, vq->log_addr + used_offset, len);
1949 ret = translate_desc(vq, (uintptr_t)vq->used + used_offset,
1950 len, iov, 64, VHOST_ACCESS_WO);
1954 for (i = 0; i < ret; i++) {
1955 ret = log_write_hva(vq, (uintptr_t)iov[i].iov_base,
1964 int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
1965 unsigned int log_num, u64 len, struct iovec *iov, int count)
1969 /* Make sure data written is seen before log. */
1973 for (i = 0; i < count; i++) {
1974 r = log_write_hva(vq, (uintptr_t)iov[i].iov_base,
1982 for (i = 0; i < log_num; ++i) {
1983 u64 l = min(log[i].len, len);
1984 r = log_write(vq->log_base, log[i].addr, l);
1990 eventfd_signal(vq->log_ctx, 1);
1994 /* Length written exceeds what we have stored. This is a bug. */
1998 EXPORT_SYMBOL_GPL(vhost_log_write);
2000 static int vhost_update_used_flags(struct vhost_virtqueue *vq)
2003 if (vhost_put_used_flags(vq))
2005 if (unlikely(vq->log_used)) {
2006 /* Make sure the flag is seen before log. */
2008 /* Log used flag write. */
2009 used = &vq->used->flags;
2010 log_used(vq, (used - (void __user *)vq->used),
2011 sizeof vq->used->flags);
2013 eventfd_signal(vq->log_ctx, 1);
2018 static int vhost_update_avail_event(struct vhost_virtqueue *vq)
2020 if (vhost_put_avail_event(vq))
2022 if (unlikely(vq->log_used)) {
2024 /* Make sure the event is seen before log. */
2026 /* Log avail event write */
2027 used = vhost_avail_event(vq);
2028 log_used(vq, (used - (void __user *)vq->used),
2029 sizeof *vhost_avail_event(vq));
2031 eventfd_signal(vq->log_ctx, 1);
2036 int vhost_vq_init_access(struct vhost_virtqueue *vq)
2038 __virtio16 last_used_idx;
2040 bool is_le = vq->is_le;
2042 if (!vq->private_data)
2045 vhost_init_is_le(vq);
2047 r = vhost_update_used_flags(vq);
2050 vq->signalled_used_valid = false;
2052 !access_ok(&vq->used->idx, sizeof vq->used->idx)) {
2056 r = vhost_get_used_idx(vq, &last_used_idx);
2058 vq_err(vq, "Can't access used idx at %p\n",
2062 vq->last_used_idx = vhost16_to_cpu(vq, last_used_idx);
2069 EXPORT_SYMBOL_GPL(vhost_vq_init_access);
2071 static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
2072 struct iovec iov[], int iov_size, int access)
2074 const struct vhost_iotlb_map *map;
2075 struct vhost_dev *dev = vq->dev;
2076 struct vhost_iotlb *umem = dev->iotlb ? dev->iotlb : dev->umem;
2078 u64 s = 0, last = addr + len - 1;
2081 while ((u64)len > s) {
2083 if (unlikely(ret >= iov_size)) {
2088 map = vhost_iotlb_itree_first(umem, addr, last);
2089 if (map == NULL || map->start > addr) {
2090 if (umem != dev->iotlb) {
2096 } else if (!(map->perm & access)) {
2102 size = map->size - addr + map->start;
2103 _iov->iov_len = min((u64)len - s, size);
2104 _iov->iov_base = (void __user *)(unsigned long)
2105 (map->addr + addr - map->start);
2112 vhost_iotlb_miss(vq, addr, access);
2116 /* Each buffer in the virtqueues is actually a chain of descriptors. This
2117 * function returns the next descriptor in the chain,
2118 * or -1U if we're at the end. */
2119 static unsigned next_desc(struct vhost_virtqueue *vq, struct vring_desc *desc)
2123 /* If this descriptor says it doesn't chain, we're done. */
2124 if (!(desc->flags & cpu_to_vhost16(vq, VRING_DESC_F_NEXT)))
2127 /* Check they're not leading us off end of descriptors. */
2128 next = vhost16_to_cpu(vq, READ_ONCE(desc->next));
2132 static int get_indirect(struct vhost_virtqueue *vq,
2133 struct iovec iov[], unsigned int iov_size,
2134 unsigned int *out_num, unsigned int *in_num,
2135 struct vhost_log *log, unsigned int *log_num,
2136 struct vring_desc *indirect)
2138 struct vring_desc desc;
2139 unsigned int i = 0, count, found = 0;
2140 u32 len = vhost32_to_cpu(vq, indirect->len);
2141 struct iov_iter from;
2145 if (unlikely(len % sizeof desc)) {
2146 vq_err(vq, "Invalid length in indirect descriptor: "
2147 "len 0x%llx not multiple of 0x%zx\n",
2148 (unsigned long long)len,
2153 ret = translate_desc(vq, vhost64_to_cpu(vq, indirect->addr), len, vq->indirect,
2154 UIO_MAXIOV, VHOST_ACCESS_RO);
2155 if (unlikely(ret < 0)) {
2157 vq_err(vq, "Translation failure %d in indirect.\n", ret);
2160 iov_iter_init(&from, ITER_SOURCE, vq->indirect, ret, len);
2161 count = len / sizeof desc;
2162 /* Buffers are chained via a 16 bit next field, so
2163 * we can have at most 2^16 of these. */
2164 if (unlikely(count > USHRT_MAX + 1)) {
2165 vq_err(vq, "Indirect buffer length too big: %d\n",
2171 unsigned iov_count = *in_num + *out_num;
2172 if (unlikely(++found > count)) {
2173 vq_err(vq, "Loop detected: last one at %u "
2174 "indirect size %u\n",
2178 if (unlikely(!copy_from_iter_full(&desc, sizeof(desc), &from))) {
2179 vq_err(vq, "Failed indirect descriptor: idx %d, %zx\n",
2180 i, (size_t)vhost64_to_cpu(vq, indirect->addr) + i * sizeof desc);
2183 if (unlikely(desc.flags & cpu_to_vhost16(vq, VRING_DESC_F_INDIRECT))) {
2184 vq_err(vq, "Nested indirect descriptor: idx %d, %zx\n",
2185 i, (size_t)vhost64_to_cpu(vq, indirect->addr) + i * sizeof desc);
2189 if (desc.flags & cpu_to_vhost16(vq, VRING_DESC_F_WRITE))
2190 access = VHOST_ACCESS_WO;
2192 access = VHOST_ACCESS_RO;
2194 ret = translate_desc(vq, vhost64_to_cpu(vq, desc.addr),
2195 vhost32_to_cpu(vq, desc.len), iov + iov_count,
2196 iov_size - iov_count, access);
2197 if (unlikely(ret < 0)) {
2199 vq_err(vq, "Translation failure %d indirect idx %d\n",
2203 /* If this is an input descriptor, increment that count. */
2204 if (access == VHOST_ACCESS_WO) {
2206 if (unlikely(log && ret)) {
2207 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
2208 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
2212 /* If it's an output descriptor, they're all supposed
2213 * to come before any input descriptors. */
2214 if (unlikely(*in_num)) {
2215 vq_err(vq, "Indirect descriptor "
2216 "has out after in: idx %d\n", i);
2221 } while ((i = next_desc(vq, &desc)) != -1);
2225 /* This looks in the virtqueue and for the first available buffer, and converts
2226 * it to an iovec for convenient access. Since descriptors consist of some
2227 * number of output then some number of input descriptors, it's actually two
2228 * iovecs, but we pack them into one and note how many of each there were.
2230 * This function returns the descriptor number found, or vq->num (which is
2231 * never a valid descriptor number) if none was found. A negative code is
2232 * returned on error. */
2233 int vhost_get_vq_desc(struct vhost_virtqueue *vq,
2234 struct iovec iov[], unsigned int iov_size,
2235 unsigned int *out_num, unsigned int *in_num,
2236 struct vhost_log *log, unsigned int *log_num)
2238 struct vring_desc desc;
2239 unsigned int i, head, found = 0;
2241 __virtio16 avail_idx;
2242 __virtio16 ring_head;
2245 /* Check it isn't doing very strange things with descriptor numbers. */
2246 last_avail_idx = vq->last_avail_idx;
2248 if (vq->avail_idx == vq->last_avail_idx) {
2249 if (unlikely(vhost_get_avail_idx(vq, &avail_idx))) {
2250 vq_err(vq, "Failed to access avail idx at %p\n",
2254 vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
2256 if (unlikely((u16)(vq->avail_idx - last_avail_idx) > vq->num)) {
2257 vq_err(vq, "Guest moved used index from %u to %u",
2258 last_avail_idx, vq->avail_idx);
2262 /* If there's nothing new since last we looked, return
2265 if (vq->avail_idx == last_avail_idx)
2268 /* Only get avail ring entries after they have been
2274 /* Grab the next descriptor number they're advertising, and increment
2275 * the index we've seen. */
2276 if (unlikely(vhost_get_avail_head(vq, &ring_head, last_avail_idx))) {
2277 vq_err(vq, "Failed to read head: idx %d address %p\n",
2279 &vq->avail->ring[last_avail_idx % vq->num]);
2283 head = vhost16_to_cpu(vq, ring_head);
2285 /* If their number is silly, that's an error. */
2286 if (unlikely(head >= vq->num)) {
2287 vq_err(vq, "Guest says index %u > %u is available",
2292 /* When we start there are none of either input nor output. */
2293 *out_num = *in_num = 0;
2299 unsigned iov_count = *in_num + *out_num;
2300 if (unlikely(i >= vq->num)) {
2301 vq_err(vq, "Desc index is %u > %u, head = %u",
2305 if (unlikely(++found > vq->num)) {
2306 vq_err(vq, "Loop detected: last one at %u "
2307 "vq size %u head %u\n",
2311 ret = vhost_get_desc(vq, &desc, i);
2312 if (unlikely(ret)) {
2313 vq_err(vq, "Failed to get descriptor: idx %d addr %p\n",
2317 if (desc.flags & cpu_to_vhost16(vq, VRING_DESC_F_INDIRECT)) {
2318 ret = get_indirect(vq, iov, iov_size,
2320 log, log_num, &desc);
2321 if (unlikely(ret < 0)) {
2323 vq_err(vq, "Failure detected "
2324 "in indirect descriptor at idx %d\n", i);
2330 if (desc.flags & cpu_to_vhost16(vq, VRING_DESC_F_WRITE))
2331 access = VHOST_ACCESS_WO;
2333 access = VHOST_ACCESS_RO;
2334 ret = translate_desc(vq, vhost64_to_cpu(vq, desc.addr),
2335 vhost32_to_cpu(vq, desc.len), iov + iov_count,
2336 iov_size - iov_count, access);
2337 if (unlikely(ret < 0)) {
2339 vq_err(vq, "Translation failure %d descriptor idx %d\n",
2343 if (access == VHOST_ACCESS_WO) {
2344 /* If this is an input descriptor,
2345 * increment that count. */
2347 if (unlikely(log && ret)) {
2348 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
2349 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
2353 /* If it's an output descriptor, they're all supposed
2354 * to come before any input descriptors. */
2355 if (unlikely(*in_num)) {
2356 vq_err(vq, "Descriptor has out after in: "
2362 } while ((i = next_desc(vq, &desc)) != -1);
2364 /* On success, increment avail index. */
2365 vq->last_avail_idx++;
2367 /* Assume notifications from guest are disabled at this point,
2368 * if they aren't we would need to update avail_event index. */
2369 BUG_ON(!(vq->used_flags & VRING_USED_F_NO_NOTIFY));
2372 EXPORT_SYMBOL_GPL(vhost_get_vq_desc);
2374 /* Reverse the effect of vhost_get_vq_desc. Useful for error handling. */
2375 void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n)
2377 vq->last_avail_idx -= n;
2379 EXPORT_SYMBOL_GPL(vhost_discard_vq_desc);
2381 /* After we've used one of their buffers, we tell them about it. We'll then
2382 * want to notify the guest, using eventfd. */
2383 int vhost_add_used(struct vhost_virtqueue *vq, unsigned int head, int len)
2385 struct vring_used_elem heads = {
2386 cpu_to_vhost32(vq, head),
2387 cpu_to_vhost32(vq, len)
2390 return vhost_add_used_n(vq, &heads, 1);
2392 EXPORT_SYMBOL_GPL(vhost_add_used);
2394 static int __vhost_add_used_n(struct vhost_virtqueue *vq,
2395 struct vring_used_elem *heads,
2398 vring_used_elem_t __user *used;
2402 start = vq->last_used_idx & (vq->num - 1);
2403 used = vq->used->ring + start;
2404 if (vhost_put_used(vq, heads, start, count)) {
2405 vq_err(vq, "Failed to write used");
2408 if (unlikely(vq->log_used)) {
2409 /* Make sure data is seen before log. */
2411 /* Log used ring entry write. */
2412 log_used(vq, ((void __user *)used - (void __user *)vq->used),
2413 count * sizeof *used);
2415 old = vq->last_used_idx;
2416 new = (vq->last_used_idx += count);
2417 /* If the driver never bothers to signal in a very long while,
2418 * used index might wrap around. If that happens, invalidate
2419 * signalled_used index we stored. TODO: make sure driver
2420 * signals at least once in 2^16 and remove this. */
2421 if (unlikely((u16)(new - vq->signalled_used) < (u16)(new - old)))
2422 vq->signalled_used_valid = false;
2426 /* After we've used one of their buffers, we tell them about it. We'll then
2427 * want to notify the guest, using eventfd. */
2428 int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
2433 start = vq->last_used_idx & (vq->num - 1);
2434 n = vq->num - start;
2436 r = __vhost_add_used_n(vq, heads, n);
2442 r = __vhost_add_used_n(vq, heads, count);
2444 /* Make sure buffer is written before we update index. */
2446 if (vhost_put_used_idx(vq)) {
2447 vq_err(vq, "Failed to increment used idx");
2450 if (unlikely(vq->log_used)) {
2451 /* Make sure used idx is seen before log. */
2453 /* Log used index update. */
2454 log_used(vq, offsetof(struct vring_used, idx),
2455 sizeof vq->used->idx);
2457 eventfd_signal(vq->log_ctx, 1);
2461 EXPORT_SYMBOL_GPL(vhost_add_used_n);
2463 static bool vhost_notify(struct vhost_dev *dev, struct vhost_virtqueue *vq)
2468 /* Flush out used index updates. This is paired
2469 * with the barrier that the Guest executes when enabling
2473 if (vhost_has_feature(vq, VIRTIO_F_NOTIFY_ON_EMPTY) &&
2474 unlikely(vq->avail_idx == vq->last_avail_idx))
2477 if (!vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX)) {
2479 if (vhost_get_avail_flags(vq, &flags)) {
2480 vq_err(vq, "Failed to get flags");
2483 return !(flags & cpu_to_vhost16(vq, VRING_AVAIL_F_NO_INTERRUPT));
2485 old = vq->signalled_used;
2486 v = vq->signalled_used_valid;
2487 new = vq->signalled_used = vq->last_used_idx;
2488 vq->signalled_used_valid = true;
2493 if (vhost_get_used_event(vq, &event)) {
2494 vq_err(vq, "Failed to get used event idx");
2497 return vring_need_event(vhost16_to_cpu(vq, event), new, old);
2500 /* This actually signals the guest, using eventfd. */
2501 void vhost_signal(struct vhost_dev *dev, struct vhost_virtqueue *vq)
2503 /* Signal the Guest tell them we used something up. */
2504 if (vq->call_ctx.ctx && vhost_notify(dev, vq))
2505 eventfd_signal(vq->call_ctx.ctx, 1);
2507 EXPORT_SYMBOL_GPL(vhost_signal);
2509 /* And here's the combo meal deal. Supersize me! */
2510 void vhost_add_used_and_signal(struct vhost_dev *dev,
2511 struct vhost_virtqueue *vq,
2512 unsigned int head, int len)
2514 vhost_add_used(vq, head, len);
2515 vhost_signal(dev, vq);
2517 EXPORT_SYMBOL_GPL(vhost_add_used_and_signal);
2519 /* multi-buffer version of vhost_add_used_and_signal */
2520 void vhost_add_used_and_signal_n(struct vhost_dev *dev,
2521 struct vhost_virtqueue *vq,
2522 struct vring_used_elem *heads, unsigned count)
2524 vhost_add_used_n(vq, heads, count);
2525 vhost_signal(dev, vq);
2527 EXPORT_SYMBOL_GPL(vhost_add_used_and_signal_n);
2529 /* return true if we're sure that avaiable ring is empty */
2530 bool vhost_vq_avail_empty(struct vhost_dev *dev, struct vhost_virtqueue *vq)
2532 __virtio16 avail_idx;
2535 if (vq->avail_idx != vq->last_avail_idx)
2538 r = vhost_get_avail_idx(vq, &avail_idx);
2541 vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
2543 return vq->avail_idx == vq->last_avail_idx;
2545 EXPORT_SYMBOL_GPL(vhost_vq_avail_empty);
2547 /* OK, now we need to know about added descriptors. */
2548 bool vhost_enable_notify(struct vhost_dev *dev, struct vhost_virtqueue *vq)
2550 __virtio16 avail_idx;
2553 if (!(vq->used_flags & VRING_USED_F_NO_NOTIFY))
2555 vq->used_flags &= ~VRING_USED_F_NO_NOTIFY;
2556 if (!vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX)) {
2557 r = vhost_update_used_flags(vq);
2559 vq_err(vq, "Failed to enable notification at %p: %d\n",
2560 &vq->used->flags, r);
2564 r = vhost_update_avail_event(vq);
2566 vq_err(vq, "Failed to update avail event index at %p: %d\n",
2567 vhost_avail_event(vq), r);
2571 /* They could have slipped one in as we were doing that: make
2572 * sure it's written, then check again. */
2574 r = vhost_get_avail_idx(vq, &avail_idx);
2576 vq_err(vq, "Failed to check avail idx at %p: %d\n",
2577 &vq->avail->idx, r);
2580 vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
2582 return vq->avail_idx != vq->last_avail_idx;
2584 EXPORT_SYMBOL_GPL(vhost_enable_notify);
2586 /* We don't need to be notified again. */
2587 void vhost_disable_notify(struct vhost_dev *dev, struct vhost_virtqueue *vq)
2591 if (vq->used_flags & VRING_USED_F_NO_NOTIFY)
2593 vq->used_flags |= VRING_USED_F_NO_NOTIFY;
2594 if (!vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX)) {
2595 r = vhost_update_used_flags(vq);
2597 vq_err(vq, "Failed to disable notification at %p: %d\n",
2598 &vq->used->flags, r);
2601 EXPORT_SYMBOL_GPL(vhost_disable_notify);
2603 /* Create a new message. */
2604 struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
2606 /* Make sure all padding within the structure is initialized. */
2607 struct vhost_msg_node *node = kzalloc(sizeof(*node), GFP_KERNEL);
2612 node->msg.type = type;
2615 EXPORT_SYMBOL_GPL(vhost_new_msg);
2617 void vhost_enqueue_msg(struct vhost_dev *dev, struct list_head *head,
2618 struct vhost_msg_node *node)
2620 spin_lock(&dev->iotlb_lock);
2621 list_add_tail(&node->node, head);
2622 spin_unlock(&dev->iotlb_lock);
2624 wake_up_interruptible_poll(&dev->wait, EPOLLIN | EPOLLRDNORM);
2626 EXPORT_SYMBOL_GPL(vhost_enqueue_msg);
2628 struct vhost_msg_node *vhost_dequeue_msg(struct vhost_dev *dev,
2629 struct list_head *head)
2631 struct vhost_msg_node *node = NULL;
2633 spin_lock(&dev->iotlb_lock);
2634 if (!list_empty(head)) {
2635 node = list_first_entry(head, struct vhost_msg_node,
2637 list_del(&node->node);
2639 spin_unlock(&dev->iotlb_lock);
2643 EXPORT_SYMBOL_GPL(vhost_dequeue_msg);
2645 void vhost_set_backend_features(struct vhost_dev *dev, u64 features)
2647 struct vhost_virtqueue *vq;
2650 mutex_lock(&dev->mutex);
2651 for (i = 0; i < dev->nvqs; ++i) {
2653 mutex_lock(&vq->mutex);
2654 vq->acked_backend_features = features;
2655 mutex_unlock(&vq->mutex);
2657 mutex_unlock(&dev->mutex);
2659 EXPORT_SYMBOL_GPL(vhost_set_backend_features);
2661 static int __init vhost_init(void)
2666 static void __exit vhost_exit(void)
2670 module_init(vhost_init);
2671 module_exit(vhost_exit);
2673 MODULE_VERSION("0.0.1");
2674 MODULE_LICENSE("GPL v2");
2675 MODULE_AUTHOR("Michael S. Tsirkin");
2676 MODULE_DESCRIPTION("Host kernel accelerator for virtio");