4 * Copyright (C) 2012 Red Hat, Inc. All rights reserved.
5 * Author: Alex Williamson <alex.williamson@redhat.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * Derived from original vfio:
12 * Copyright 2010 Cisco Systems, Inc. All rights reserved.
13 * Author: Tom Lyon, pugs@cisco.com
16 #include <linux/cdev.h>
17 #include <linux/compat.h>
18 #include <linux/device.h>
19 #include <linux/file.h>
20 #include <linux/anon_inodes.h>
22 #include <linux/idr.h>
23 #include <linux/iommu.h>
24 #include <linux/list.h>
25 #include <linux/miscdevice.h>
26 #include <linux/module.h>
27 #include <linux/mutex.h>
28 #include <linux/pci.h>
29 #include <linux/rwsem.h>
30 #include <linux/sched.h>
31 #include <linux/slab.h>
32 #include <linux/stat.h>
33 #include <linux/string.h>
34 #include <linux/uaccess.h>
35 #include <linux/vfio.h>
36 #include <linux/wait.h>
38 #define DRIVER_VERSION "0.3"
39 #define DRIVER_AUTHOR "Alex Williamson <alex.williamson@redhat.com>"
40 #define DRIVER_DESC "VFIO - User Level meta-driver"
44 struct list_head iommu_drivers_list;
45 struct mutex iommu_drivers_lock;
46 struct list_head group_list;
48 struct mutex group_lock;
49 struct cdev group_cdev;
51 wait_queue_head_t release_q;
54 struct vfio_iommu_driver {
55 const struct vfio_iommu_driver_ops *ops;
56 struct list_head vfio_next;
59 struct vfio_container {
61 struct list_head group_list;
62 struct rw_semaphore group_lock;
63 struct vfio_iommu_driver *iommu_driver;
68 struct vfio_unbound_dev {
70 struct list_head unbound_next;
76 atomic_t container_users;
77 struct iommu_group *iommu_group;
78 struct vfio_container *container;
79 struct list_head device_list;
80 struct mutex device_lock;
82 struct notifier_block nb;
83 struct list_head vfio_next;
84 struct list_head container_next;
85 struct list_head unbound_list;
86 struct mutex unbound_lock;
94 const struct vfio_device_ops *ops;
95 struct vfio_group *group;
96 struct list_head group_next;
100 #ifdef CONFIG_VFIO_NOIOMMU
101 static bool noiommu __read_mostly;
102 module_param_named(enable_unsafe_noiommu_mode,
103 noiommu, bool, S_IRUGO | S_IWUSR);
104 MODULE_PARM_DESC(enable_unsafe_noiommu_mode, "Enable UNSAFE, no-IOMMU mode. This mode provides no device isolation, no DMA translation, no host kernel protection, cannot be used for device assignment to virtual machines, requires RAWIO permissions, and will taint the kernel. If you do not know what this is for, step away. (default: false)");
108 * vfio_iommu_group_{get,put} are only intended for VFIO bus driver probe
109 * and remove functions, any use cases other than acquiring the first
110 * reference for the purpose of calling vfio_add_group_dev() or removing
111 * that symmetric reference after vfio_del_group_dev() should use the raw
112 * iommu_group_{get,put} functions. In particular, vfio_iommu_group_put()
113 * removes the device from the dummy group and cannot be nested.
115 struct iommu_group *vfio_iommu_group_get(struct device *dev)
117 struct iommu_group *group;
118 int __maybe_unused ret;
120 group = iommu_group_get(dev);
122 #ifdef CONFIG_VFIO_NOIOMMU
124 * With noiommu enabled, an IOMMU group will be created for a device
125 * that doesn't already have one and doesn't have an iommu_ops on their
126 * bus. We set iommudata simply to be able to identify these groups
127 * as special use and for reclamation later.
129 if (group || !noiommu || iommu_present(dev->bus))
132 group = iommu_group_alloc();
136 iommu_group_set_name(group, "vfio-noiommu");
137 iommu_group_set_iommudata(group, &noiommu, NULL);
138 ret = iommu_group_add_device(group, dev);
139 iommu_group_put(group);
144 * Where to taint? At this point we've added an IOMMU group for a
145 * device that is not backed by iommu_ops, therefore any iommu_
146 * callback using iommu_ops can legitimately Oops. So, while we may
147 * be about to give a DMA capable device to a user without IOMMU
148 * protection, which is clearly taint-worthy, let's go ahead and do
151 add_taint(TAINT_USER, LOCKDEP_STILL_OK);
152 dev_warn(dev, "Adding kernel taint for vfio-noiommu group on device\n");
157 EXPORT_SYMBOL_GPL(vfio_iommu_group_get);
159 void vfio_iommu_group_put(struct iommu_group *group, struct device *dev)
161 #ifdef CONFIG_VFIO_NOIOMMU
162 if (iommu_group_get_iommudata(group) == &noiommu)
163 iommu_group_remove_device(dev);
166 iommu_group_put(group);
168 EXPORT_SYMBOL_GPL(vfio_iommu_group_put);
170 #ifdef CONFIG_VFIO_NOIOMMU
171 static void *vfio_noiommu_open(unsigned long arg)
173 if (arg != VFIO_NOIOMMU_IOMMU)
174 return ERR_PTR(-EINVAL);
175 if (!capable(CAP_SYS_RAWIO))
176 return ERR_PTR(-EPERM);
181 static void vfio_noiommu_release(void *iommu_data)
185 static long vfio_noiommu_ioctl(void *iommu_data,
186 unsigned int cmd, unsigned long arg)
188 if (cmd == VFIO_CHECK_EXTENSION)
189 return noiommu && (arg == VFIO_NOIOMMU_IOMMU) ? 1 : 0;
194 static int vfio_noiommu_attach_group(void *iommu_data,
195 struct iommu_group *iommu_group)
197 return iommu_group_get_iommudata(iommu_group) == &noiommu ? 0 : -EINVAL;
200 static void vfio_noiommu_detach_group(void *iommu_data,
201 struct iommu_group *iommu_group)
205 static const struct vfio_iommu_driver_ops vfio_noiommu_ops = {
206 .name = "vfio-noiommu",
207 .owner = THIS_MODULE,
208 .open = vfio_noiommu_open,
209 .release = vfio_noiommu_release,
210 .ioctl = vfio_noiommu_ioctl,
211 .attach_group = vfio_noiommu_attach_group,
212 .detach_group = vfio_noiommu_detach_group,
218 * IOMMU driver registration
220 int vfio_register_iommu_driver(const struct vfio_iommu_driver_ops *ops)
222 struct vfio_iommu_driver *driver, *tmp;
224 driver = kzalloc(sizeof(*driver), GFP_KERNEL);
230 mutex_lock(&vfio.iommu_drivers_lock);
232 /* Check for duplicates */
233 list_for_each_entry(tmp, &vfio.iommu_drivers_list, vfio_next) {
234 if (tmp->ops == ops) {
235 mutex_unlock(&vfio.iommu_drivers_lock);
241 list_add(&driver->vfio_next, &vfio.iommu_drivers_list);
243 mutex_unlock(&vfio.iommu_drivers_lock);
247 EXPORT_SYMBOL_GPL(vfio_register_iommu_driver);
249 void vfio_unregister_iommu_driver(const struct vfio_iommu_driver_ops *ops)
251 struct vfio_iommu_driver *driver;
253 mutex_lock(&vfio.iommu_drivers_lock);
254 list_for_each_entry(driver, &vfio.iommu_drivers_list, vfio_next) {
255 if (driver->ops == ops) {
256 list_del(&driver->vfio_next);
257 mutex_unlock(&vfio.iommu_drivers_lock);
262 mutex_unlock(&vfio.iommu_drivers_lock);
264 EXPORT_SYMBOL_GPL(vfio_unregister_iommu_driver);
267 * Group minor allocation/free - both called with vfio.group_lock held
269 static int vfio_alloc_group_minor(struct vfio_group *group)
271 return idr_alloc(&vfio.group_idr, group, 0, MINORMASK + 1, GFP_KERNEL);
274 static void vfio_free_group_minor(int minor)
276 idr_remove(&vfio.group_idr, minor);
279 static int vfio_iommu_group_notifier(struct notifier_block *nb,
280 unsigned long action, void *data);
281 static void vfio_group_get(struct vfio_group *group);
284 * Container objects - containers are created when /dev/vfio/vfio is
285 * opened, but their lifecycle extends until the last user is done, so
286 * it's freed via kref. Must support container/group/device being
287 * closed in any order.
289 static void vfio_container_get(struct vfio_container *container)
291 kref_get(&container->kref);
294 static void vfio_container_release(struct kref *kref)
296 struct vfio_container *container;
297 container = container_of(kref, struct vfio_container, kref);
302 static void vfio_container_put(struct vfio_container *container)
304 kref_put(&container->kref, vfio_container_release);
307 static void vfio_group_unlock_and_free(struct vfio_group *group)
309 mutex_unlock(&vfio.group_lock);
311 * Unregister outside of lock. A spurious callback is harmless now
312 * that the group is no longer in vfio.group_list.
314 iommu_group_unregister_notifier(group->iommu_group, &group->nb);
319 * Group objects - create, release, get, put, search
321 static struct vfio_group *vfio_create_group(struct iommu_group *iommu_group)
323 struct vfio_group *group, *tmp;
327 group = kzalloc(sizeof(*group), GFP_KERNEL);
329 return ERR_PTR(-ENOMEM);
331 kref_init(&group->kref);
332 INIT_LIST_HEAD(&group->device_list);
333 mutex_init(&group->device_lock);
334 INIT_LIST_HEAD(&group->unbound_list);
335 mutex_init(&group->unbound_lock);
336 atomic_set(&group->container_users, 0);
337 atomic_set(&group->opened, 0);
338 group->iommu_group = iommu_group;
339 #ifdef CONFIG_VFIO_NOIOMMU
340 group->noiommu = (iommu_group_get_iommudata(iommu_group) == &noiommu);
343 group->nb.notifier_call = vfio_iommu_group_notifier;
346 * blocking notifiers acquire a rwsem around registering and hold
347 * it around callback. Therefore, need to register outside of
348 * vfio.group_lock to avoid A-B/B-A contention. Our callback won't
349 * do anything unless it can find the group in vfio.group_list, so
350 * no harm in registering early.
352 ret = iommu_group_register_notifier(iommu_group, &group->nb);
358 mutex_lock(&vfio.group_lock);
360 /* Did we race creating this group? */
361 list_for_each_entry(tmp, &vfio.group_list, vfio_next) {
362 if (tmp->iommu_group == iommu_group) {
364 vfio_group_unlock_and_free(group);
369 minor = vfio_alloc_group_minor(group);
371 vfio_group_unlock_and_free(group);
372 return ERR_PTR(minor);
375 dev = device_create(vfio.class, NULL,
376 MKDEV(MAJOR(vfio.group_devt), minor),
377 group, "%s%d", group->noiommu ? "noiommu-" : "",
378 iommu_group_id(iommu_group));
380 vfio_free_group_minor(minor);
381 vfio_group_unlock_and_free(group);
382 return (struct vfio_group *)dev; /* ERR_PTR */
385 group->minor = minor;
388 list_add(&group->vfio_next, &vfio.group_list);
390 mutex_unlock(&vfio.group_lock);
395 /* called with vfio.group_lock held */
396 static void vfio_group_release(struct kref *kref)
398 struct vfio_group *group = container_of(kref, struct vfio_group, kref);
399 struct vfio_unbound_dev *unbound, *tmp;
400 struct iommu_group *iommu_group = group->iommu_group;
402 WARN_ON(!list_empty(&group->device_list));
404 list_for_each_entry_safe(unbound, tmp,
405 &group->unbound_list, unbound_next) {
406 list_del(&unbound->unbound_next);
410 device_destroy(vfio.class, MKDEV(MAJOR(vfio.group_devt), group->minor));
411 list_del(&group->vfio_next);
412 vfio_free_group_minor(group->minor);
413 vfio_group_unlock_and_free(group);
414 iommu_group_put(iommu_group);
417 static void vfio_group_put(struct vfio_group *group)
419 kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
422 /* Assume group_lock or group reference is held */
423 static void vfio_group_get(struct vfio_group *group)
425 kref_get(&group->kref);
429 * Not really a try as we will sleep for mutex, but we need to make
430 * sure the group pointer is valid under lock and get a reference.
432 static struct vfio_group *vfio_group_try_get(struct vfio_group *group)
434 struct vfio_group *target = group;
436 mutex_lock(&vfio.group_lock);
437 list_for_each_entry(group, &vfio.group_list, vfio_next) {
438 if (group == target) {
439 vfio_group_get(group);
440 mutex_unlock(&vfio.group_lock);
444 mutex_unlock(&vfio.group_lock);
450 struct vfio_group *vfio_group_get_from_iommu(struct iommu_group *iommu_group)
452 struct vfio_group *group;
454 mutex_lock(&vfio.group_lock);
455 list_for_each_entry(group, &vfio.group_list, vfio_next) {
456 if (group->iommu_group == iommu_group) {
457 vfio_group_get(group);
458 mutex_unlock(&vfio.group_lock);
462 mutex_unlock(&vfio.group_lock);
467 static struct vfio_group *vfio_group_get_from_minor(int minor)
469 struct vfio_group *group;
471 mutex_lock(&vfio.group_lock);
472 group = idr_find(&vfio.group_idr, minor);
474 mutex_unlock(&vfio.group_lock);
477 vfio_group_get(group);
478 mutex_unlock(&vfio.group_lock);
484 * Device objects - create, release, get, put, search
487 struct vfio_device *vfio_group_create_device(struct vfio_group *group,
489 const struct vfio_device_ops *ops,
492 struct vfio_device *device;
494 device = kzalloc(sizeof(*device), GFP_KERNEL);
496 return ERR_PTR(-ENOMEM);
498 kref_init(&device->kref);
500 device->group = group;
502 device->device_data = device_data;
503 dev_set_drvdata(dev, device);
505 /* No need to get group_lock, caller has group reference */
506 vfio_group_get(group);
508 mutex_lock(&group->device_lock);
509 list_add(&device->group_next, &group->device_list);
510 mutex_unlock(&group->device_lock);
515 static void vfio_device_release(struct kref *kref)
517 struct vfio_device *device = container_of(kref,
518 struct vfio_device, kref);
519 struct vfio_group *group = device->group;
521 list_del(&device->group_next);
522 mutex_unlock(&group->device_lock);
524 dev_set_drvdata(device->dev, NULL);
528 /* vfio_del_group_dev may be waiting for this device */
529 wake_up(&vfio.release_q);
532 /* Device reference always implies a group reference */
533 void vfio_device_put(struct vfio_device *device)
535 struct vfio_group *group = device->group;
536 kref_put_mutex(&device->kref, vfio_device_release, &group->device_lock);
537 vfio_group_put(group);
539 EXPORT_SYMBOL_GPL(vfio_device_put);
541 static void vfio_device_get(struct vfio_device *device)
543 vfio_group_get(device->group);
544 kref_get(&device->kref);
547 static struct vfio_device *vfio_group_get_device(struct vfio_group *group,
550 struct vfio_device *device;
552 mutex_lock(&group->device_lock);
553 list_for_each_entry(device, &group->device_list, group_next) {
554 if (device->dev == dev) {
555 vfio_device_get(device);
556 mutex_unlock(&group->device_lock);
560 mutex_unlock(&group->device_lock);
565 * Some drivers, like pci-stub, are only used to prevent other drivers from
566 * claiming a device and are therefore perfectly legitimate for a user owned
567 * group. The pci-stub driver has no dependencies on DMA or the IOVA mapping
568 * of the device, but it does prevent the user from having direct access to
569 * the device, which is useful in some circumstances.
571 * We also assume that we can include PCI interconnect devices, ie. bridges.
572 * IOMMU grouping on PCI necessitates that if we lack isolation on a bridge
573 * then all of the downstream devices will be part of the same IOMMU group as
574 * the bridge. Thus, if placing the bridge into the user owned IOVA space
575 * breaks anything, it only does so for user owned devices downstream. Note
576 * that error notification via MSI can be affected for platforms that handle
577 * MSI within the same IOVA space as DMA.
579 static const char * const vfio_driver_whitelist[] = { "pci-stub" };
581 static bool vfio_dev_whitelisted(struct device *dev, struct device_driver *drv)
585 if (dev_is_pci(dev)) {
586 struct pci_dev *pdev = to_pci_dev(dev);
588 if (pdev->hdr_type != PCI_HEADER_TYPE_NORMAL)
592 for (i = 0; i < ARRAY_SIZE(vfio_driver_whitelist); i++) {
593 if (!strcmp(drv->name, vfio_driver_whitelist[i]))
601 * A vfio group is viable for use by userspace if all devices are in
602 * one of the following states:
604 * - bound to a vfio driver
605 * - bound to a whitelisted driver
606 * - a PCI interconnect device
608 * We use two methods to determine whether a device is bound to a vfio
609 * driver. The first is to test whether the device exists in the vfio
610 * group. The second is to test if the device exists on the group
611 * unbound_list, indicating it's in the middle of transitioning from
612 * a vfio driver to driver-less.
614 static int vfio_dev_viable(struct device *dev, void *data)
616 struct vfio_group *group = data;
617 struct vfio_device *device;
618 struct device_driver *drv = ACCESS_ONCE(dev->driver);
619 struct vfio_unbound_dev *unbound;
622 mutex_lock(&group->unbound_lock);
623 list_for_each_entry(unbound, &group->unbound_list, unbound_next) {
624 if (dev == unbound->dev) {
629 mutex_unlock(&group->unbound_lock);
631 if (!ret || !drv || vfio_dev_whitelisted(dev, drv))
634 device = vfio_group_get_device(group, dev);
636 vfio_device_put(device);
644 * Async device support
646 static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
648 struct vfio_device *device;
650 /* Do we already know about it? We shouldn't */
651 device = vfio_group_get_device(group, dev);
652 if (WARN_ON_ONCE(device)) {
653 vfio_device_put(device);
657 /* Nothing to do for idle groups */
658 if (!atomic_read(&group->container_users))
661 /* TODO Prevent device auto probing */
662 WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
663 iommu_group_id(group->iommu_group));
668 static int vfio_group_nb_verify(struct vfio_group *group, struct device *dev)
670 /* We don't care what happens when the group isn't in use */
671 if (!atomic_read(&group->container_users))
674 return vfio_dev_viable(dev, group);
677 static int vfio_iommu_group_notifier(struct notifier_block *nb,
678 unsigned long action, void *data)
680 struct vfio_group *group = container_of(nb, struct vfio_group, nb);
681 struct device *dev = data;
682 struct vfio_unbound_dev *unbound;
685 * Need to go through a group_lock lookup to get a reference or we
686 * risk racing a group being removed. Ignore spurious notifies.
688 group = vfio_group_try_get(group);
693 case IOMMU_GROUP_NOTIFY_ADD_DEVICE:
694 vfio_group_nb_add_dev(group, dev);
696 case IOMMU_GROUP_NOTIFY_DEL_DEVICE:
698 * Nothing to do here. If the device is in use, then the
699 * vfio sub-driver should block the remove callback until
700 * it is unused. If the device is unused or attached to a
701 * stub driver, then it should be released and we don't
702 * care that it will be going away.
705 case IOMMU_GROUP_NOTIFY_BIND_DRIVER:
706 pr_debug("%s: Device %s, group %d binding to driver\n",
707 __func__, dev_name(dev),
708 iommu_group_id(group->iommu_group));
710 case IOMMU_GROUP_NOTIFY_BOUND_DRIVER:
711 pr_debug("%s: Device %s, group %d bound to driver %s\n",
712 __func__, dev_name(dev),
713 iommu_group_id(group->iommu_group), dev->driver->name);
714 BUG_ON(vfio_group_nb_verify(group, dev));
716 case IOMMU_GROUP_NOTIFY_UNBIND_DRIVER:
717 pr_debug("%s: Device %s, group %d unbinding from driver %s\n",
718 __func__, dev_name(dev),
719 iommu_group_id(group->iommu_group), dev->driver->name);
721 case IOMMU_GROUP_NOTIFY_UNBOUND_DRIVER:
722 pr_debug("%s: Device %s, group %d unbound from driver\n",
723 __func__, dev_name(dev),
724 iommu_group_id(group->iommu_group));
726 * XXX An unbound device in a live group is ok, but we'd
727 * really like to avoid the above BUG_ON by preventing other
728 * drivers from binding to it. Once that occurs, we have to
729 * stop the system to maintain isolation. At a minimum, we'd
730 * want a toggle to disable driver auto probe for this device.
733 mutex_lock(&group->unbound_lock);
734 list_for_each_entry(unbound,
735 &group->unbound_list, unbound_next) {
736 if (dev == unbound->dev) {
737 list_del(&unbound->unbound_next);
742 mutex_unlock(&group->unbound_lock);
746 vfio_group_put(group);
753 int vfio_add_group_dev(struct device *dev,
754 const struct vfio_device_ops *ops, void *device_data)
756 struct iommu_group *iommu_group;
757 struct vfio_group *group;
758 struct vfio_device *device;
760 iommu_group = iommu_group_get(dev);
764 group = vfio_group_get_from_iommu(iommu_group);
766 group = vfio_create_group(iommu_group);
768 iommu_group_put(iommu_group);
769 return PTR_ERR(group);
773 * A found vfio_group already holds a reference to the
774 * iommu_group. A created vfio_group keeps the reference.
776 iommu_group_put(iommu_group);
779 device = vfio_group_get_device(group, dev);
781 WARN(1, "Device %s already exists on group %d\n",
782 dev_name(dev), iommu_group_id(iommu_group));
783 vfio_device_put(device);
784 vfio_group_put(group);
788 device = vfio_group_create_device(group, dev, ops, device_data);
789 if (IS_ERR(device)) {
790 vfio_group_put(group);
791 return PTR_ERR(device);
795 * Drop all but the vfio_device reference. The vfio_device holds
796 * a reference to the vfio_group, which holds a reference to the
799 vfio_group_put(group);
803 EXPORT_SYMBOL_GPL(vfio_add_group_dev);
806 * Get a reference to the vfio_device for a device. Even if the
807 * caller thinks they own the device, they could be racing with a
808 * release call path, so we can't trust drvdata for the shortcut.
809 * Go the long way around, from the iommu_group to the vfio_group
810 * to the vfio_device.
812 struct vfio_device *vfio_device_get_from_dev(struct device *dev)
814 struct iommu_group *iommu_group;
815 struct vfio_group *group;
816 struct vfio_device *device;
818 iommu_group = iommu_group_get(dev);
822 group = vfio_group_get_from_iommu(iommu_group);
823 iommu_group_put(iommu_group);
827 device = vfio_group_get_device(group, dev);
828 vfio_group_put(group);
832 EXPORT_SYMBOL_GPL(vfio_device_get_from_dev);
834 static struct vfio_device *vfio_device_get_from_name(struct vfio_group *group,
837 struct vfio_device *it, *device = NULL;
839 mutex_lock(&group->device_lock);
840 list_for_each_entry(it, &group->device_list, group_next) {
841 if (!strcmp(dev_name(it->dev), buf)) {
843 vfio_device_get(device);
847 mutex_unlock(&group->device_lock);
853 * Caller must hold a reference to the vfio_device
855 void *vfio_device_data(struct vfio_device *device)
857 return device->device_data;
859 EXPORT_SYMBOL_GPL(vfio_device_data);
861 /* Given a referenced group, check if it contains the device */
862 static bool vfio_dev_present(struct vfio_group *group, struct device *dev)
864 struct vfio_device *device;
866 device = vfio_group_get_device(group, dev);
870 vfio_device_put(device);
875 * Decrement the device reference count and wait for the device to be
876 * removed. Open file descriptors for the device... */
877 void *vfio_del_group_dev(struct device *dev)
879 struct vfio_device *device = dev_get_drvdata(dev);
880 struct vfio_group *group = device->group;
881 void *device_data = device->device_data;
882 struct vfio_unbound_dev *unbound;
885 bool interrupted = false;
888 * The group exists so long as we have a device reference. Get
889 * a group reference and use it to scan for the device going away.
891 vfio_group_get(group);
894 * When the device is removed from the group, the group suddenly
895 * becomes non-viable; the device has a driver (until the unbind
896 * completes), but it's not present in the group. This is bad news
897 * for any external users that need to re-acquire a group reference
898 * in order to match and release their existing reference. To
899 * solve this, we track such devices on the unbound_list to bridge
900 * the gap until they're fully unbound.
902 unbound = kzalloc(sizeof(*unbound), GFP_KERNEL);
905 mutex_lock(&group->unbound_lock);
906 list_add(&unbound->unbound_next, &group->unbound_list);
907 mutex_unlock(&group->unbound_lock);
911 vfio_device_put(device);
914 * If the device is still present in the group after the above
915 * 'put', then it is in use and we need to request it from the
916 * bus driver. The driver may in turn need to request the
917 * device from the user. We send the request on an arbitrary
918 * interval with counter to allow the driver to take escalating
919 * measures to release the device if it has the ability to do so.
922 device = vfio_group_get_device(group, dev);
926 if (device->ops->request)
927 device->ops->request(device_data, i++);
929 vfio_device_put(device);
932 ret = wait_event_timeout(vfio.release_q,
933 !vfio_dev_present(group, dev), HZ * 10);
935 ret = wait_event_interruptible_timeout(vfio.release_q,
936 !vfio_dev_present(group, dev), HZ * 10);
937 if (ret == -ERESTARTSYS) {
940 "Device is currently in use, task"
942 "blocked until device is released",
943 current->comm, task_pid_nr(current));
948 vfio_group_put(group);
952 EXPORT_SYMBOL_GPL(vfio_del_group_dev);
955 * VFIO base fd, /dev/vfio/vfio
957 static long vfio_ioctl_check_extension(struct vfio_container *container,
960 struct vfio_iommu_driver *driver;
963 down_read(&container->group_lock);
965 driver = container->iommu_driver;
968 /* No base extensions yet */
971 * If no driver is set, poll all registered drivers for
972 * extensions and return the first positive result. If
973 * a driver is already set, further queries will be passed
974 * only to that driver.
977 mutex_lock(&vfio.iommu_drivers_lock);
978 list_for_each_entry(driver, &vfio.iommu_drivers_list,
981 #ifdef CONFIG_VFIO_NOIOMMU
982 if (!list_empty(&container->group_list) &&
983 (container->noiommu !=
984 (driver->ops == &vfio_noiommu_ops)))
988 if (!try_module_get(driver->ops->owner))
991 ret = driver->ops->ioctl(NULL,
992 VFIO_CHECK_EXTENSION,
994 module_put(driver->ops->owner);
998 mutex_unlock(&vfio.iommu_drivers_lock);
1000 ret = driver->ops->ioctl(container->iommu_data,
1001 VFIO_CHECK_EXTENSION, arg);
1004 up_read(&container->group_lock);
1009 /* hold write lock on container->group_lock */
1010 static int __vfio_container_attach_groups(struct vfio_container *container,
1011 struct vfio_iommu_driver *driver,
1014 struct vfio_group *group;
1017 list_for_each_entry(group, &container->group_list, container_next) {
1018 ret = driver->ops->attach_group(data, group->iommu_group);
1026 list_for_each_entry_continue_reverse(group, &container->group_list,
1028 driver->ops->detach_group(data, group->iommu_group);
1034 static long vfio_ioctl_set_iommu(struct vfio_container *container,
1037 struct vfio_iommu_driver *driver;
1040 down_write(&container->group_lock);
1043 * The container is designed to be an unprivileged interface while
1044 * the group can be assigned to specific users. Therefore, only by
1045 * adding a group to a container does the user get the privilege of
1046 * enabling the iommu, which may allocate finite resources. There
1047 * is no unset_iommu, but by removing all the groups from a container,
1048 * the container is deprivileged and returns to an unset state.
1050 if (list_empty(&container->group_list) || container->iommu_driver) {
1051 up_write(&container->group_lock);
1055 mutex_lock(&vfio.iommu_drivers_lock);
1056 list_for_each_entry(driver, &vfio.iommu_drivers_list, vfio_next) {
1059 #ifdef CONFIG_VFIO_NOIOMMU
1061 * Only noiommu containers can use vfio-noiommu and noiommu
1062 * containers can only use vfio-noiommu.
1064 if (container->noiommu != (driver->ops == &vfio_noiommu_ops))
1068 if (!try_module_get(driver->ops->owner))
1072 * The arg magic for SET_IOMMU is the same as CHECK_EXTENSION,
1073 * so test which iommu driver reported support for this
1074 * extension and call open on them. We also pass them the
1075 * magic, allowing a single driver to support multiple
1076 * interfaces if they'd like.
1078 if (driver->ops->ioctl(NULL, VFIO_CHECK_EXTENSION, arg) <= 0) {
1079 module_put(driver->ops->owner);
1083 /* module reference holds the driver we're working on */
1084 mutex_unlock(&vfio.iommu_drivers_lock);
1086 data = driver->ops->open(arg);
1088 ret = PTR_ERR(data);
1089 module_put(driver->ops->owner);
1090 goto skip_drivers_unlock;
1093 ret = __vfio_container_attach_groups(container, driver, data);
1095 container->iommu_driver = driver;
1096 container->iommu_data = data;
1098 driver->ops->release(data);
1099 module_put(driver->ops->owner);
1102 goto skip_drivers_unlock;
1105 mutex_unlock(&vfio.iommu_drivers_lock);
1106 skip_drivers_unlock:
1107 up_write(&container->group_lock);
1112 static long vfio_fops_unl_ioctl(struct file *filep,
1113 unsigned int cmd, unsigned long arg)
1115 struct vfio_container *container = filep->private_data;
1116 struct vfio_iommu_driver *driver;
1124 case VFIO_GET_API_VERSION:
1125 ret = VFIO_API_VERSION;
1127 case VFIO_CHECK_EXTENSION:
1128 ret = vfio_ioctl_check_extension(container, arg);
1130 case VFIO_SET_IOMMU:
1131 ret = vfio_ioctl_set_iommu(container, arg);
1134 down_read(&container->group_lock);
1136 driver = container->iommu_driver;
1137 data = container->iommu_data;
1139 if (driver) /* passthrough all unrecognized ioctls */
1140 ret = driver->ops->ioctl(data, cmd, arg);
1142 up_read(&container->group_lock);
1148 #ifdef CONFIG_COMPAT
1149 static long vfio_fops_compat_ioctl(struct file *filep,
1150 unsigned int cmd, unsigned long arg)
1152 arg = (unsigned long)compat_ptr(arg);
1153 return vfio_fops_unl_ioctl(filep, cmd, arg);
1155 #endif /* CONFIG_COMPAT */
1157 static int vfio_fops_open(struct inode *inode, struct file *filep)
1159 struct vfio_container *container;
1161 container = kzalloc(sizeof(*container), GFP_KERNEL);
1165 INIT_LIST_HEAD(&container->group_list);
1166 init_rwsem(&container->group_lock);
1167 kref_init(&container->kref);
1169 filep->private_data = container;
1174 static int vfio_fops_release(struct inode *inode, struct file *filep)
1176 struct vfio_container *container = filep->private_data;
1178 filep->private_data = NULL;
1180 vfio_container_put(container);
1186 * Once an iommu driver is set, we optionally pass read/write/mmap
1187 * on to the driver, allowing management interfaces beyond ioctl.
1189 static ssize_t vfio_fops_read(struct file *filep, char __user *buf,
1190 size_t count, loff_t *ppos)
1192 struct vfio_container *container = filep->private_data;
1193 struct vfio_iommu_driver *driver;
1194 ssize_t ret = -EINVAL;
1196 down_read(&container->group_lock);
1198 driver = container->iommu_driver;
1199 if (likely(driver && driver->ops->read))
1200 ret = driver->ops->read(container->iommu_data,
1203 up_read(&container->group_lock);
1208 static ssize_t vfio_fops_write(struct file *filep, const char __user *buf,
1209 size_t count, loff_t *ppos)
1211 struct vfio_container *container = filep->private_data;
1212 struct vfio_iommu_driver *driver;
1213 ssize_t ret = -EINVAL;
1215 down_read(&container->group_lock);
1217 driver = container->iommu_driver;
1218 if (likely(driver && driver->ops->write))
1219 ret = driver->ops->write(container->iommu_data,
1222 up_read(&container->group_lock);
1227 static int vfio_fops_mmap(struct file *filep, struct vm_area_struct *vma)
1229 struct vfio_container *container = filep->private_data;
1230 struct vfio_iommu_driver *driver;
1233 down_read(&container->group_lock);
1235 driver = container->iommu_driver;
1236 if (likely(driver && driver->ops->mmap))
1237 ret = driver->ops->mmap(container->iommu_data, vma);
1239 up_read(&container->group_lock);
1244 static const struct file_operations vfio_fops = {
1245 .owner = THIS_MODULE,
1246 .open = vfio_fops_open,
1247 .release = vfio_fops_release,
1248 .read = vfio_fops_read,
1249 .write = vfio_fops_write,
1250 .unlocked_ioctl = vfio_fops_unl_ioctl,
1251 #ifdef CONFIG_COMPAT
1252 .compat_ioctl = vfio_fops_compat_ioctl,
1254 .mmap = vfio_fops_mmap,
1258 * VFIO Group fd, /dev/vfio/$GROUP
1260 static void __vfio_group_unset_container(struct vfio_group *group)
1262 struct vfio_container *container = group->container;
1263 struct vfio_iommu_driver *driver;
1265 down_write(&container->group_lock);
1267 driver = container->iommu_driver;
1269 driver->ops->detach_group(container->iommu_data,
1270 group->iommu_group);
1272 group->container = NULL;
1273 list_del(&group->container_next);
1275 /* Detaching the last group deprivileges a container, remove iommu */
1276 if (driver && list_empty(&container->group_list)) {
1277 driver->ops->release(container->iommu_data);
1278 module_put(driver->ops->owner);
1279 container->iommu_driver = NULL;
1280 container->iommu_data = NULL;
1283 up_write(&container->group_lock);
1285 vfio_container_put(container);
1289 * VFIO_GROUP_UNSET_CONTAINER should fail if there are other users or
1290 * if there was no container to unset. Since the ioctl is called on
1291 * the group, we know that still exists, therefore the only valid
1292 * transition here is 1->0.
1294 static int vfio_group_unset_container(struct vfio_group *group)
1296 int users = atomic_cmpxchg(&group->container_users, 1, 0);
1303 __vfio_group_unset_container(group);
1309 * When removing container users, anything that removes the last user
1310 * implicitly removes the group from the container. That is, if the
1311 * group file descriptor is closed, as well as any device file descriptors,
1312 * the group is free.
1314 static void vfio_group_try_dissolve_container(struct vfio_group *group)
1316 if (0 == atomic_dec_if_positive(&group->container_users))
1317 __vfio_group_unset_container(group);
1320 static int vfio_group_set_container(struct vfio_group *group, int container_fd)
1323 struct vfio_container *container;
1324 struct vfio_iommu_driver *driver;
1327 if (atomic_read(&group->container_users))
1330 if (group->noiommu && !capable(CAP_SYS_RAWIO))
1333 f = fdget(container_fd);
1337 /* Sanity check, is this really our fd? */
1338 if (f.file->f_op != &vfio_fops) {
1343 container = f.file->private_data;
1344 WARN_ON(!container); /* fget ensures we don't race vfio_release */
1346 down_write(&container->group_lock);
1348 /* Real groups and fake groups cannot mix */
1349 if (!list_empty(&container->group_list) &&
1350 container->noiommu != group->noiommu) {
1355 driver = container->iommu_driver;
1357 ret = driver->ops->attach_group(container->iommu_data,
1358 group->iommu_group);
1363 group->container = container;
1364 container->noiommu = group->noiommu;
1365 list_add(&group->container_next, &container->group_list);
1367 /* Get a reference on the container and mark a user within the group */
1368 vfio_container_get(container);
1369 atomic_inc(&group->container_users);
1372 up_write(&container->group_lock);
1377 static bool vfio_group_viable(struct vfio_group *group)
1379 return (iommu_group_for_each_dev(group->iommu_group,
1380 group, vfio_dev_viable) == 0);
1383 static const struct file_operations vfio_device_fops;
1385 static int vfio_group_get_device_fd(struct vfio_group *group, char *buf)
1387 struct vfio_device *device;
1391 if (0 == atomic_read(&group->container_users) ||
1392 !group->container->iommu_driver || !vfio_group_viable(group))
1395 if (group->noiommu && !capable(CAP_SYS_RAWIO))
1398 device = vfio_device_get_from_name(group, buf);
1402 ret = device->ops->open(device->device_data);
1404 vfio_device_put(device);
1409 * We can't use anon_inode_getfd() because we need to modify
1410 * the f_mode flags directly to allow more than just ioctls
1412 ret = get_unused_fd_flags(O_CLOEXEC);
1414 device->ops->release(device->device_data);
1415 vfio_device_put(device);
1419 filep = anon_inode_getfile("[vfio-device]", &vfio_device_fops,
1421 if (IS_ERR(filep)) {
1423 ret = PTR_ERR(filep);
1424 device->ops->release(device->device_data);
1425 vfio_device_put(device);
1430 * TODO: add an anon_inode interface to do this.
1431 * Appears to be missing by lack of need rather than
1432 * explicitly prevented. Now there's need.
1434 filep->f_mode |= (FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
1436 atomic_inc(&group->container_users);
1438 fd_install(ret, filep);
1441 dev_warn(device->dev, "vfio-noiommu device opened by user "
1442 "(%s:%d)\n", current->comm, task_pid_nr(current));
1447 static long vfio_group_fops_unl_ioctl(struct file *filep,
1448 unsigned int cmd, unsigned long arg)
1450 struct vfio_group *group = filep->private_data;
1454 case VFIO_GROUP_GET_STATUS:
1456 struct vfio_group_status status;
1457 unsigned long minsz;
1459 minsz = offsetofend(struct vfio_group_status, flags);
1461 if (copy_from_user(&status, (void __user *)arg, minsz))
1464 if (status.argsz < minsz)
1469 if (vfio_group_viable(group))
1470 status.flags |= VFIO_GROUP_FLAGS_VIABLE;
1472 if (group->container)
1473 status.flags |= VFIO_GROUP_FLAGS_CONTAINER_SET;
1475 if (copy_to_user((void __user *)arg, &status, minsz))
1481 case VFIO_GROUP_SET_CONTAINER:
1485 if (get_user(fd, (int __user *)arg))
1491 ret = vfio_group_set_container(group, fd);
1494 case VFIO_GROUP_UNSET_CONTAINER:
1495 ret = vfio_group_unset_container(group);
1497 case VFIO_GROUP_GET_DEVICE_FD:
1501 buf = strndup_user((const char __user *)arg, PAGE_SIZE);
1503 return PTR_ERR(buf);
1505 ret = vfio_group_get_device_fd(group, buf);
1514 #ifdef CONFIG_COMPAT
1515 static long vfio_group_fops_compat_ioctl(struct file *filep,
1516 unsigned int cmd, unsigned long arg)
1518 arg = (unsigned long)compat_ptr(arg);
1519 return vfio_group_fops_unl_ioctl(filep, cmd, arg);
1521 #endif /* CONFIG_COMPAT */
1523 static int vfio_group_fops_open(struct inode *inode, struct file *filep)
1525 struct vfio_group *group;
1528 group = vfio_group_get_from_minor(iminor(inode));
1532 if (group->noiommu && !capable(CAP_SYS_RAWIO)) {
1533 vfio_group_put(group);
1537 /* Do we need multiple instances of the group open? Seems not. */
1538 opened = atomic_cmpxchg(&group->opened, 0, 1);
1540 vfio_group_put(group);
1544 /* Is something still in use from a previous open? */
1545 if (group->container) {
1546 atomic_dec(&group->opened);
1547 vfio_group_put(group);
1551 filep->private_data = group;
1556 static int vfio_group_fops_release(struct inode *inode, struct file *filep)
1558 struct vfio_group *group = filep->private_data;
1560 filep->private_data = NULL;
1562 vfio_group_try_dissolve_container(group);
1564 atomic_dec(&group->opened);
1566 vfio_group_put(group);
1571 static const struct file_operations vfio_group_fops = {
1572 .owner = THIS_MODULE,
1573 .unlocked_ioctl = vfio_group_fops_unl_ioctl,
1574 #ifdef CONFIG_COMPAT
1575 .compat_ioctl = vfio_group_fops_compat_ioctl,
1577 .open = vfio_group_fops_open,
1578 .release = vfio_group_fops_release,
1584 static int vfio_device_fops_release(struct inode *inode, struct file *filep)
1586 struct vfio_device *device = filep->private_data;
1588 device->ops->release(device->device_data);
1590 vfio_group_try_dissolve_container(device->group);
1592 vfio_device_put(device);
1597 static long vfio_device_fops_unl_ioctl(struct file *filep,
1598 unsigned int cmd, unsigned long arg)
1600 struct vfio_device *device = filep->private_data;
1602 if (unlikely(!device->ops->ioctl))
1605 return device->ops->ioctl(device->device_data, cmd, arg);
1608 static ssize_t vfio_device_fops_read(struct file *filep, char __user *buf,
1609 size_t count, loff_t *ppos)
1611 struct vfio_device *device = filep->private_data;
1613 if (unlikely(!device->ops->read))
1616 return device->ops->read(device->device_data, buf, count, ppos);
1619 static ssize_t vfio_device_fops_write(struct file *filep,
1620 const char __user *buf,
1621 size_t count, loff_t *ppos)
1623 struct vfio_device *device = filep->private_data;
1625 if (unlikely(!device->ops->write))
1628 return device->ops->write(device->device_data, buf, count, ppos);
1631 static int vfio_device_fops_mmap(struct file *filep, struct vm_area_struct *vma)
1633 struct vfio_device *device = filep->private_data;
1635 if (unlikely(!device->ops->mmap))
1638 return device->ops->mmap(device->device_data, vma);
1641 #ifdef CONFIG_COMPAT
1642 static long vfio_device_fops_compat_ioctl(struct file *filep,
1643 unsigned int cmd, unsigned long arg)
1645 arg = (unsigned long)compat_ptr(arg);
1646 return vfio_device_fops_unl_ioctl(filep, cmd, arg);
1648 #endif /* CONFIG_COMPAT */
1650 static const struct file_operations vfio_device_fops = {
1651 .owner = THIS_MODULE,
1652 .release = vfio_device_fops_release,
1653 .read = vfio_device_fops_read,
1654 .write = vfio_device_fops_write,
1655 .unlocked_ioctl = vfio_device_fops_unl_ioctl,
1656 #ifdef CONFIG_COMPAT
1657 .compat_ioctl = vfio_device_fops_compat_ioctl,
1659 .mmap = vfio_device_fops_mmap,
1663 * External user API, exported by symbols to be linked dynamically.
1665 * The protocol includes:
1666 * 1. do normal VFIO init operation:
1667 * - opening a new container;
1668 * - attaching group(s) to it;
1669 * - setting an IOMMU driver for a container.
1670 * When IOMMU is set for a container, all groups in it are
1671 * considered ready to use by an external user.
1673 * 2. User space passes a group fd to an external user.
1674 * The external user calls vfio_group_get_external_user()
1676 * - the group is initialized;
1677 * - IOMMU is set for it.
1678 * If both checks passed, vfio_group_get_external_user()
1679 * increments the container user counter to prevent
1680 * the VFIO group from disposal before KVM exits.
1682 * 3. The external user calls vfio_external_user_iommu_id()
1683 * to know an IOMMU ID.
1685 * 4. When the external KVM finishes, it calls
1686 * vfio_group_put_external_user() to release the VFIO group.
1687 * This call decrements the container user counter.
1689 struct vfio_group *vfio_group_get_external_user(struct file *filep)
1691 struct vfio_group *group = filep->private_data;
1693 if (filep->f_op != &vfio_group_fops)
1694 return ERR_PTR(-EINVAL);
1696 if (!atomic_inc_not_zero(&group->container_users))
1697 return ERR_PTR(-EINVAL);
1699 if (group->noiommu) {
1700 atomic_dec(&group->container_users);
1701 return ERR_PTR(-EPERM);
1704 if (!group->container->iommu_driver ||
1705 !vfio_group_viable(group)) {
1706 atomic_dec(&group->container_users);
1707 return ERR_PTR(-EINVAL);
1710 vfio_group_get(group);
1714 EXPORT_SYMBOL_GPL(vfio_group_get_external_user);
1716 void vfio_group_put_external_user(struct vfio_group *group)
1718 vfio_group_put(group);
1719 vfio_group_try_dissolve_container(group);
1721 EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
1723 int vfio_external_user_iommu_id(struct vfio_group *group)
1725 return iommu_group_id(group->iommu_group);
1727 EXPORT_SYMBOL_GPL(vfio_external_user_iommu_id);
1729 long vfio_external_check_extension(struct vfio_group *group, unsigned long arg)
1731 return vfio_ioctl_check_extension(group->container, arg);
1733 EXPORT_SYMBOL_GPL(vfio_external_check_extension);
1736 * Module/class support
1738 static char *vfio_devnode(struct device *dev, umode_t *mode)
1740 return kasprintf(GFP_KERNEL, "vfio/%s", dev_name(dev));
1743 static struct miscdevice vfio_dev = {
1744 .minor = VFIO_MINOR,
1747 .nodename = "vfio/vfio",
1748 .mode = S_IRUGO | S_IWUGO,
1751 static int __init vfio_init(void)
1755 idr_init(&vfio.group_idr);
1756 mutex_init(&vfio.group_lock);
1757 mutex_init(&vfio.iommu_drivers_lock);
1758 INIT_LIST_HEAD(&vfio.group_list);
1759 INIT_LIST_HEAD(&vfio.iommu_drivers_list);
1760 init_waitqueue_head(&vfio.release_q);
1762 ret = misc_register(&vfio_dev);
1764 pr_err("vfio: misc device register failed\n");
1768 /* /dev/vfio/$GROUP */
1769 vfio.class = class_create(THIS_MODULE, "vfio");
1770 if (IS_ERR(vfio.class)) {
1771 ret = PTR_ERR(vfio.class);
1775 vfio.class->devnode = vfio_devnode;
1777 ret = alloc_chrdev_region(&vfio.group_devt, 0, MINORMASK, "vfio");
1779 goto err_alloc_chrdev;
1781 cdev_init(&vfio.group_cdev, &vfio_group_fops);
1782 ret = cdev_add(&vfio.group_cdev, vfio.group_devt, MINORMASK);
1786 pr_info(DRIVER_DESC " version: " DRIVER_VERSION "\n");
1789 * Attempt to load known iommu-drivers. This gives us a working
1790 * environment without the user needing to explicitly load iommu
1793 request_module_nowait("vfio_iommu_type1");
1794 request_module_nowait("vfio_iommu_spapr_tce");
1796 #ifdef CONFIG_VFIO_NOIOMMU
1797 vfio_register_iommu_driver(&vfio_noiommu_ops);
1802 unregister_chrdev_region(vfio.group_devt, MINORMASK);
1804 class_destroy(vfio.class);
1807 misc_deregister(&vfio_dev);
1811 static void __exit vfio_cleanup(void)
1813 WARN_ON(!list_empty(&vfio.group_list));
1815 #ifdef CONFIG_VFIO_NOIOMMU
1816 vfio_unregister_iommu_driver(&vfio_noiommu_ops);
1818 idr_destroy(&vfio.group_idr);
1819 cdev_del(&vfio.group_cdev);
1820 unregister_chrdev_region(vfio.group_devt, MINORMASK);
1821 class_destroy(vfio.class);
1823 misc_deregister(&vfio_dev);
1826 module_init(vfio_init);
1827 module_exit(vfio_cleanup);
1829 MODULE_VERSION(DRIVER_VERSION);
1830 MODULE_LICENSE("GPL v2");
1831 MODULE_AUTHOR(DRIVER_AUTHOR);
1832 MODULE_DESCRIPTION(DRIVER_DESC);
1833 MODULE_ALIAS_MISCDEV(VFIO_MINOR);
1834 MODULE_ALIAS("devname:vfio/vfio");
projects / cascardo / linux.git / blob