1 /******************************************************************************
4 * Device for accessing (in user-space) pages that have been granted by other
7 * Copyright (c) 2006-2007, D G Murray.
8 * (c) 2009 Gerd Hoffmann <kraxel@redhat.com>
9 * (c) 2018 Oleksandr Andrushchenko, EPAM Systems Inc.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 #define pr_fmt(fmt) "xen:" KBUILD_MODNAME ": " fmt
25 #include <linux/module.h>
26 #include <linux/kernel.h>
27 #include <linux/init.h>
28 #include <linux/miscdevice.h>
30 #include <linux/uaccess.h>
31 #include <linux/sched.h>
32 #include <linux/sched/mm.h>
33 #include <linux/spinlock.h>
34 #include <linux/slab.h>
35 #include <linux/highmem.h>
36 #include <linux/refcount.h>
37 #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
38 #include <linux/of_device.h>
42 #include <xen/grant_table.h>
43 #include <xen/balloon.h>
44 #include <xen/gntdev.h>
45 #include <xen/events.h>
47 #include <asm/xen/hypervisor.h>
48 #include <asm/xen/hypercall.h>
50 #include "gntdev-common.h"
51 #ifdef CONFIG_XEN_GNTDEV_DMABUF
52 #include "gntdev-dmabuf.h"
55 MODULE_LICENSE("GPL");
56 MODULE_AUTHOR("Derek G. Murray <Derek.Murray@cl.cam.ac.uk>, "
57 "Gerd Hoffmann <kraxel@redhat.com>");
58 MODULE_DESCRIPTION("User-space granted page access driver");
60 static int limit = 1024*1024;
61 module_param(limit, int, 0644);
62 MODULE_PARM_DESC(limit, "Maximum number of grants that may be mapped by "
65 static atomic_t pages_mapped = ATOMIC_INIT(0);
67 /* True in PV mode, false otherwise */
68 static int use_ptemod;
69 #define populate_freeable_maps use_ptemod
71 static void unmap_grant_pages(struct gntdev_grant_map *map,
72 int offset, int pages);
74 static struct miscdevice gntdev_miscdev;
76 /* ------------------------------------------------------------------ */
78 bool gntdev_account_mapped_pages(int count)
80 return atomic_add_return(count, &pages_mapped) > limit;
83 static void gntdev_print_maps(struct gntdev_priv *priv,
84 char *text, int text_index)
87 struct gntdev_grant_map *map;
89 pr_debug("%s: maps list (priv %p)\n", __func__, priv);
90 list_for_each_entry(map, &priv->maps, next)
91 pr_debug(" index %2d, count %2d %s\n",
92 map->index, map->count,
93 map->index == text_index && text ? text : "");
97 static void gntdev_free_map(struct gntdev_grant_map *map)
102 #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
103 if (map->dma_vaddr) {
104 struct gnttab_dma_alloc_args args;
106 args.dev = map->dma_dev;
107 args.coherent = !!(map->dma_flags & GNTDEV_DMA_FLAG_COHERENT);
108 args.nr_pages = map->count;
109 args.pages = map->pages;
110 args.frames = map->frames;
111 args.vaddr = map->dma_vaddr;
112 args.dev_bus_addr = map->dma_bus_addr;
114 gnttab_dma_free_pages(&args);
118 gnttab_free_pages(map->count, map->pages);
120 #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
126 kfree(map->unmap_ops);
127 kfree(map->kmap_ops);
128 kfree(map->kunmap_ops);
129 kfree(map->being_removed);
133 struct gntdev_grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count,
136 struct gntdev_grant_map *add;
139 add = kzalloc(sizeof(*add), GFP_KERNEL);
143 add->grants = kcalloc(count, sizeof(add->grants[0]), GFP_KERNEL);
144 add->map_ops = kcalloc(count, sizeof(add->map_ops[0]), GFP_KERNEL);
145 add->unmap_ops = kcalloc(count, sizeof(add->unmap_ops[0]), GFP_KERNEL);
146 add->kmap_ops = kcalloc(count, sizeof(add->kmap_ops[0]), GFP_KERNEL);
147 add->kunmap_ops = kcalloc(count, sizeof(add->kunmap_ops[0]), GFP_KERNEL);
148 add->pages = kcalloc(count, sizeof(add->pages[0]), GFP_KERNEL);
150 kcalloc(count, sizeof(add->being_removed[0]), GFP_KERNEL);
151 if (NULL == add->grants ||
152 NULL == add->map_ops ||
153 NULL == add->unmap_ops ||
154 NULL == add->kmap_ops ||
155 NULL == add->kunmap_ops ||
156 NULL == add->pages ||
157 NULL == add->being_removed)
160 #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
161 add->dma_flags = dma_flags;
164 * Check if this mapping is requested to be backed
167 if (dma_flags & (GNTDEV_DMA_FLAG_WC | GNTDEV_DMA_FLAG_COHERENT)) {
168 struct gnttab_dma_alloc_args args;
170 add->frames = kcalloc(count, sizeof(add->frames[0]),
175 /* Remember the device, so we can free DMA memory. */
176 add->dma_dev = priv->dma_dev;
178 args.dev = priv->dma_dev;
179 args.coherent = !!(dma_flags & GNTDEV_DMA_FLAG_COHERENT);
180 args.nr_pages = count;
181 args.pages = add->pages;
182 args.frames = add->frames;
184 if (gnttab_dma_alloc_pages(&args))
187 add->dma_vaddr = args.vaddr;
188 add->dma_bus_addr = args.dev_bus_addr;
191 if (gnttab_alloc_pages(count, add->pages))
194 for (i = 0; i < count; i++) {
195 add->map_ops[i].handle = -1;
196 add->unmap_ops[i].handle = -1;
197 add->kmap_ops[i].handle = -1;
198 add->kunmap_ops[i].handle = -1;
203 refcount_set(&add->users, 1);
208 gntdev_free_map(add);
212 void gntdev_add_map(struct gntdev_priv *priv, struct gntdev_grant_map *add)
214 struct gntdev_grant_map *map;
216 list_for_each_entry(map, &priv->maps, next) {
217 if (add->index + add->count < map->index) {
218 list_add_tail(&add->next, &map->next);
221 add->index = map->index + map->count;
223 list_add_tail(&add->next, &priv->maps);
226 gntdev_print_maps(priv, "[new]", add->index);
229 static struct gntdev_grant_map *gntdev_find_map_index(struct gntdev_priv *priv,
230 int index, int count)
232 struct gntdev_grant_map *map;
234 list_for_each_entry(map, &priv->maps, next) {
235 if (map->index != index)
237 if (count && map->count != count)
244 void gntdev_put_map(struct gntdev_priv *priv, struct gntdev_grant_map *map)
249 if (!refcount_dec_and_test(&map->users))
252 atomic_sub(map->count, &pages_mapped);
253 if (map->pages && !use_ptemod) {
255 * Increment the reference count. This ensures that the
256 * subsequent call to unmap_grant_pages() will not wind up
257 * re-entering itself. It *can* wind up calling
258 * gntdev_put_map() recursively, but such calls will be with a
259 * reference count greater than 1, so they will return before
260 * this code is reached. The recursion depth is thus limited to
261 * 1. Do NOT use refcount_inc() here, as it will detect that
262 * the reference count is zero and WARN().
264 refcount_set(&map->users, 1);
267 * Unmap the grants. This may or may not be asynchronous, so it
268 * is possible that the reference count is 1 on return, but it
269 * could also be greater than 1.
271 unmap_grant_pages(map, 0, map->count);
273 /* Check if the memory now needs to be freed */
274 if (!refcount_dec_and_test(&map->users))
278 * All pages have been returned to the hypervisor, so free the
283 if (map->notify.flags & UNMAP_NOTIFY_SEND_EVENT) {
284 notify_remote_via_evtchn(map->notify.event);
285 evtchn_put(map->notify.event);
288 if (populate_freeable_maps && priv) {
289 mutex_lock(&priv->lock);
290 list_del(&map->next);
291 mutex_unlock(&priv->lock);
294 if (map->pages && !use_ptemod)
295 unmap_grant_pages(map, 0, map->count);
296 gntdev_free_map(map);
299 /* ------------------------------------------------------------------ */
301 static int find_grant_ptes(pte_t *pte, pgtable_t token,
302 unsigned long addr, void *data)
304 struct gntdev_grant_map *map = data;
305 unsigned int pgnr = (addr - map->vma->vm_start) >> PAGE_SHIFT;
306 int flags = map->flags | GNTMAP_application_map | GNTMAP_contains_pte;
309 BUG_ON(pgnr >= map->count);
310 pte_maddr = arbitrary_virt_to_machine(pte).maddr;
313 * Set the PTE as special to force get_user_pages_fast() fall
314 * back to the slow path. If this is not supported as part of
315 * the grant map, it will be done afterwards.
317 if (xen_feature(XENFEAT_gnttab_map_avail_bits))
318 flags |= (1 << _GNTMAP_guest_avail0);
320 gnttab_set_map_op(&map->map_ops[pgnr], pte_maddr, flags,
321 map->grants[pgnr].ref,
322 map->grants[pgnr].domid);
323 gnttab_set_unmap_op(&map->unmap_ops[pgnr], pte_maddr, flags,
329 static int set_grant_ptes_as_special(pte_t *pte, pgtable_t token,
330 unsigned long addr, void *data)
332 set_pte_at(current->mm, addr, pte, pte_mkspecial(*pte));
337 int gntdev_map_grant_pages(struct gntdev_grant_map *map)
343 /* Note: it could already be mapped */
344 if (map->map_ops[0].handle != -1)
346 for (i = 0; i < map->count; i++) {
347 unsigned long addr = (unsigned long)
348 pfn_to_kaddr(page_to_pfn(map->pages[i]));
349 gnttab_set_map_op(&map->map_ops[i], addr, map->flags,
351 map->grants[i].domid);
352 gnttab_set_unmap_op(&map->unmap_ops[i], addr,
353 map->flags, -1 /* handle */);
357 * Setup the map_ops corresponding to the pte entries pointing
358 * to the kernel linear addresses of the struct pages.
359 * These ptes are completely different from the user ptes dealt
360 * with find_grant_ptes.
361 * Note that GNTMAP_device_map isn't needed here: The
362 * dev_bus_addr output field gets consumed only from ->map_ops,
363 * and by not requesting it when mapping we also avoid needing
364 * to mirror dev_bus_addr into ->unmap_ops (and holding an extra
365 * reference to the page in the hypervisor).
367 unsigned int flags = (map->flags & ~GNTMAP_device_map) |
370 for (i = 0; i < map->count; i++) {
371 unsigned long address = (unsigned long)
372 pfn_to_kaddr(page_to_pfn(map->pages[i]));
373 BUG_ON(PageHighMem(map->pages[i]));
375 gnttab_set_map_op(&map->kmap_ops[i], address, flags,
377 map->grants[i].domid);
378 gnttab_set_unmap_op(&map->kunmap_ops[i], address,
383 pr_debug("map %d+%d\n", map->index, map->count);
384 err = gnttab_map_refs(map->map_ops, use_ptemod ? map->kmap_ops : NULL,
385 map->pages, map->count);
387 for (i = 0; i < map->count; i++) {
388 if (map->map_ops[i].status == GNTST_okay) {
389 map->unmap_ops[i].handle = map->map_ops[i].handle;
394 if (map->flags & GNTMAP_device_map)
395 map->unmap_ops[i].dev_bus_addr = map->map_ops[i].dev_bus_addr;
398 if (map->kmap_ops[i].status == GNTST_okay) {
400 map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
405 atomic_add(alloced, &map->live_grants);
409 static void __unmap_grant_pages_done(int result,
410 struct gntab_unmap_queue_data *data)
413 struct gntdev_grant_map *map = data->data;
414 unsigned int offset = data->unmap_ops - map->unmap_ops;
415 int successful_unmaps = 0;
418 for (i = 0; i < data->count; i++) {
419 if (map->unmap_ops[offset + i].status == GNTST_okay &&
420 map->unmap_ops[offset + i].handle != -1)
423 WARN_ON(map->unmap_ops[offset+i].status &&
424 map->unmap_ops[offset+i].handle != -1);
425 pr_debug("unmap handle=%d st=%d\n",
426 map->unmap_ops[offset+i].handle,
427 map->unmap_ops[offset+i].status);
428 map->unmap_ops[offset+i].handle = -1;
430 if (map->kunmap_ops[offset + i].status == GNTST_okay &&
431 map->kunmap_ops[offset + i].handle != -1)
434 WARN_ON(map->kunmap_ops[offset+i].status &&
435 map->kunmap_ops[offset+i].handle != -1);
436 pr_debug("kunmap handle=%u st=%d\n",
437 map->kunmap_ops[offset+i].handle,
438 map->kunmap_ops[offset+i].status);
439 map->kunmap_ops[offset+i].handle = -1;
444 * Decrease the live-grant counter. This must happen after the loop to
445 * prevent premature reuse of the grants by gnttab_mmap().
447 live_grants = atomic_sub_return(successful_unmaps, &map->live_grants);
448 if (WARN_ON(live_grants < 0))
449 pr_err("%s: live_grants became negative (%d) after unmapping %d pages!\n",
450 __func__, live_grants, successful_unmaps);
452 /* Release reference taken by __unmap_grant_pages */
453 gntdev_put_map(NULL, map);
456 static void __unmap_grant_pages(struct gntdev_grant_map *map, int offset,
459 if (map->notify.flags & UNMAP_NOTIFY_CLEAR_BYTE) {
460 int pgno = (map->notify.addr >> PAGE_SHIFT);
462 if (pgno >= offset && pgno < offset + pages) {
463 /* No need for kmap, pages are in lowmem */
464 uint8_t *tmp = pfn_to_kaddr(page_to_pfn(map->pages[pgno]));
466 tmp[map->notify.addr & (PAGE_SIZE-1)] = 0;
467 map->notify.flags &= ~UNMAP_NOTIFY_CLEAR_BYTE;
471 map->unmap_data.unmap_ops = map->unmap_ops + offset;
472 map->unmap_data.kunmap_ops = use_ptemod ? map->kunmap_ops + offset : NULL;
473 map->unmap_data.pages = map->pages + offset;
474 map->unmap_data.count = pages;
475 map->unmap_data.done = __unmap_grant_pages_done;
476 map->unmap_data.data = map;
477 refcount_inc(&map->users); /* to keep map alive during async call below */
479 gnttab_unmap_refs_async(&map->unmap_data);
482 static void unmap_grant_pages(struct gntdev_grant_map *map, int offset,
487 if (atomic_read(&map->live_grants) == 0)
488 return; /* Nothing to do */
490 pr_debug("unmap %d+%d [%d+%d]\n", map->index, map->count, offset, pages);
492 /* It is possible the requested range will have a "hole" where we
493 * already unmapped some of the grants. Only unmap valid ranges.
496 while (pages && map->being_removed[offset]) {
501 while (range < pages) {
502 if (map->being_removed[offset + range])
504 map->being_removed[offset + range] = true;
508 __unmap_grant_pages(map, offset, range);
514 /* ------------------------------------------------------------------ */
516 static void gntdev_vma_open(struct vm_area_struct *vma)
518 struct gntdev_grant_map *map = vma->vm_private_data;
520 pr_debug("gntdev_vma_open %p\n", vma);
521 refcount_inc(&map->users);
524 static void gntdev_vma_close(struct vm_area_struct *vma)
526 struct gntdev_grant_map *map = vma->vm_private_data;
527 struct file *file = vma->vm_file;
528 struct gntdev_priv *priv = file->private_data;
530 pr_debug("gntdev_vma_close %p\n", vma);
532 /* It is possible that an mmu notifier could be running
533 * concurrently, so take priv->lock to ensure that the vma won't
534 * vanishing during the unmap_grant_pages call, since we will
535 * spin here until that completes. Such a concurrent call will
536 * not do any unmapping, since that has been done prior to
537 * closing the vma, but it may still iterate the unmap_ops list.
539 mutex_lock(&priv->lock);
541 mutex_unlock(&priv->lock);
543 vma->vm_private_data = NULL;
544 gntdev_put_map(priv, map);
547 static struct page *gntdev_vma_find_special_page(struct vm_area_struct *vma,
550 struct gntdev_grant_map *map = vma->vm_private_data;
552 return map->pages[(addr - map->pages_vm_start) >> PAGE_SHIFT];
555 static const struct vm_operations_struct gntdev_vmops = {
556 .open = gntdev_vma_open,
557 .close = gntdev_vma_close,
558 .find_special_page = gntdev_vma_find_special_page,
561 /* ------------------------------------------------------------------ */
563 static bool in_range(struct gntdev_grant_map *map,
564 unsigned long start, unsigned long end)
568 if (map->vma->vm_start >= end)
570 if (map->vma->vm_end <= start)
576 static int unmap_if_in_range(struct gntdev_grant_map *map,
577 unsigned long start, unsigned long end,
580 unsigned long mstart, mend;
582 if (!in_range(map, start, end))
588 mstart = max(start, map->vma->vm_start);
589 mend = min(end, map->vma->vm_end);
590 pr_debug("map %d+%d (%lx %lx), range %lx %lx, mrange %lx %lx\n",
591 map->index, map->count,
592 map->vma->vm_start, map->vma->vm_end,
593 start, end, mstart, mend);
594 unmap_grant_pages(map,
595 (mstart - map->vma->vm_start) >> PAGE_SHIFT,
596 (mend - mstart) >> PAGE_SHIFT);
601 static int mn_invl_range_start(struct mmu_notifier *mn,
602 struct mm_struct *mm,
603 unsigned long start, unsigned long end,
606 struct gntdev_priv *priv = container_of(mn, struct gntdev_priv, mn);
607 struct gntdev_grant_map *map;
611 mutex_lock(&priv->lock);
612 else if (!mutex_trylock(&priv->lock))
615 list_for_each_entry(map, &priv->maps, next) {
616 ret = unmap_if_in_range(map, start, end, blockable);
620 list_for_each_entry(map, &priv->freeable_maps, next) {
621 ret = unmap_if_in_range(map, start, end, blockable);
627 mutex_unlock(&priv->lock);
632 static void mn_release(struct mmu_notifier *mn,
633 struct mm_struct *mm)
635 struct gntdev_priv *priv = container_of(mn, struct gntdev_priv, mn);
636 struct gntdev_grant_map *map;
638 mutex_lock(&priv->lock);
639 list_for_each_entry(map, &priv->maps, next) {
642 pr_debug("map %d+%d (%lx %lx)\n",
643 map->index, map->count,
644 map->vma->vm_start, map->vma->vm_end);
645 unmap_grant_pages(map, /* offset */ 0, map->count);
647 list_for_each_entry(map, &priv->freeable_maps, next) {
650 pr_debug("map %d+%d (%lx %lx)\n",
651 map->index, map->count,
652 map->vma->vm_start, map->vma->vm_end);
653 unmap_grant_pages(map, /* offset */ 0, map->count);
655 mutex_unlock(&priv->lock);
658 static const struct mmu_notifier_ops gntdev_mmu_ops = {
659 .release = mn_release,
660 .invalidate_range_start = mn_invl_range_start,
663 /* ------------------------------------------------------------------ */
665 static int gntdev_open(struct inode *inode, struct file *flip)
667 struct gntdev_priv *priv;
670 priv = kzalloc(sizeof(*priv), GFP_KERNEL);
674 INIT_LIST_HEAD(&priv->maps);
675 INIT_LIST_HEAD(&priv->freeable_maps);
676 mutex_init(&priv->lock);
678 #ifdef CONFIG_XEN_GNTDEV_DMABUF
679 priv->dmabuf_priv = gntdev_dmabuf_init(flip);
680 if (IS_ERR(priv->dmabuf_priv)) {
681 ret = PTR_ERR(priv->dmabuf_priv);
688 priv->mm = get_task_mm(current);
693 priv->mn.ops = &gntdev_mmu_ops;
694 ret = mmu_notifier_register(&priv->mn, priv->mm);
703 flip->private_data = priv;
704 #ifdef CONFIG_XEN_GRANT_DMA_ALLOC
705 priv->dma_dev = gntdev_miscdev.this_device;
708 * The device is not spawn from a device tree, so arch_setup_dma_ops
709 * is not called, thus leaving the device with dummy DMA ops.
710 * Fix this by calling of_dma_configure() with a NULL node to set
713 of_dma_configure(priv->dma_dev, NULL, true);
715 pr_debug("priv %p\n", priv);
720 static int gntdev_release(struct inode *inode, struct file *flip)
722 struct gntdev_priv *priv = flip->private_data;
723 struct gntdev_grant_map *map;
725 pr_debug("priv %p\n", priv);
727 mutex_lock(&priv->lock);
728 while (!list_empty(&priv->maps)) {
729 map = list_entry(priv->maps.next,
730 struct gntdev_grant_map, next);
731 list_del(&map->next);
732 gntdev_put_map(NULL /* already removed */, map);
734 WARN_ON(!list_empty(&priv->freeable_maps));
735 mutex_unlock(&priv->lock);
737 #ifdef CONFIG_XEN_GNTDEV_DMABUF
738 gntdev_dmabuf_fini(priv->dmabuf_priv);
742 mmu_notifier_unregister(&priv->mn, priv->mm);
748 static long gntdev_ioctl_map_grant_ref(struct gntdev_priv *priv,
749 struct ioctl_gntdev_map_grant_ref __user *u)
751 struct ioctl_gntdev_map_grant_ref op;
752 struct gntdev_grant_map *map;
755 if (copy_from_user(&op, u, sizeof(op)) != 0)
757 pr_debug("priv %p, add %d\n", priv, op.count);
758 if (unlikely(op.count <= 0))
762 map = gntdev_alloc_map(priv, op.count, 0 /* This is not a dma-buf. */);
766 if (unlikely(gntdev_account_mapped_pages(op.count))) {
767 pr_debug("can't map: over limit\n");
768 gntdev_put_map(NULL, map);
772 if (copy_from_user(map->grants, &u->refs,
773 sizeof(map->grants[0]) * op.count) != 0) {
774 gntdev_put_map(NULL, map);
778 mutex_lock(&priv->lock);
779 gntdev_add_map(priv, map);
780 op.index = map->index << PAGE_SHIFT;
781 mutex_unlock(&priv->lock);
783 if (copy_to_user(u, &op, sizeof(op)) != 0)
789 static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
790 struct ioctl_gntdev_unmap_grant_ref __user *u)
792 struct ioctl_gntdev_unmap_grant_ref op;
793 struct gntdev_grant_map *map;
796 if (copy_from_user(&op, u, sizeof(op)) != 0)
798 pr_debug("priv %p, del %d+%d\n", priv, (int)op.index, (int)op.count);
800 mutex_lock(&priv->lock);
801 map = gntdev_find_map_index(priv, op.index >> PAGE_SHIFT, op.count);
803 list_del(&map->next);
804 if (populate_freeable_maps)
805 list_add_tail(&map->next, &priv->freeable_maps);
808 mutex_unlock(&priv->lock);
810 gntdev_put_map(priv, map);
814 static long gntdev_ioctl_get_offset_for_vaddr(struct gntdev_priv *priv,
815 struct ioctl_gntdev_get_offset_for_vaddr __user *u)
817 struct ioctl_gntdev_get_offset_for_vaddr op;
818 struct vm_area_struct *vma;
819 struct gntdev_grant_map *map;
822 if (copy_from_user(&op, u, sizeof(op)) != 0)
824 pr_debug("priv %p, offset for vaddr %lx\n", priv, (unsigned long)op.vaddr);
826 down_read(¤t->mm->mmap_sem);
827 vma = find_vma(current->mm, op.vaddr);
828 if (!vma || vma->vm_ops != &gntdev_vmops)
831 map = vma->vm_private_data;
835 op.offset = map->index << PAGE_SHIFT;
836 op.count = map->count;
840 up_read(¤t->mm->mmap_sem);
842 if (rv == 0 && copy_to_user(u, &op, sizeof(op)) != 0)
847 static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
849 struct ioctl_gntdev_unmap_notify op;
850 struct gntdev_grant_map *map;
853 unsigned int out_event;
855 if (copy_from_user(&op, u, sizeof(op)))
858 if (op.action & ~(UNMAP_NOTIFY_CLEAR_BYTE|UNMAP_NOTIFY_SEND_EVENT))
861 /* We need to grab a reference to the event channel we are going to use
862 * to send the notify before releasing the reference we may already have
863 * (if someone has called this ioctl twice). This is required so that
864 * it is possible to change the clear_byte part of the notification
865 * without disturbing the event channel part, which may now be the last
866 * reference to that event channel.
868 if (op.action & UNMAP_NOTIFY_SEND_EVENT) {
869 if (evtchn_get(op.event_channel_port))
873 out_flags = op.action;
874 out_event = op.event_channel_port;
876 mutex_lock(&priv->lock);
878 list_for_each_entry(map, &priv->maps, next) {
879 uint64_t begin = map->index << PAGE_SHIFT;
880 uint64_t end = (map->index + map->count) << PAGE_SHIFT;
881 if (op.index >= begin && op.index < end)
888 if ((op.action & UNMAP_NOTIFY_CLEAR_BYTE) &&
889 (map->flags & GNTMAP_readonly)) {
894 out_flags = map->notify.flags;
895 out_event = map->notify.event;
897 map->notify.flags = op.action;
898 map->notify.addr = op.index - (map->index << PAGE_SHIFT);
899 map->notify.event = op.event_channel_port;
904 mutex_unlock(&priv->lock);
906 /* Drop the reference to the event channel we did not save in the map */
907 if (out_flags & UNMAP_NOTIFY_SEND_EVENT)
908 evtchn_put(out_event);
913 #define GNTDEV_COPY_BATCH 16
915 struct gntdev_copy_batch {
916 struct gnttab_copy ops[GNTDEV_COPY_BATCH];
917 struct page *pages[GNTDEV_COPY_BATCH];
918 s16 __user *status[GNTDEV_COPY_BATCH];
920 unsigned int nr_pages;
924 static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt,
927 unsigned long addr = (unsigned long)virt;
929 unsigned long xen_pfn;
932 ret = get_user_pages_fast(addr, 1, batch->writeable, &page);
936 batch->pages[batch->nr_pages++] = page;
938 xen_pfn = page_to_xen_pfn(page) + XEN_PFN_DOWN(addr & ~PAGE_MASK);
939 *gfn = pfn_to_gfn(xen_pfn);
944 static void gntdev_put_pages(struct gntdev_copy_batch *batch)
948 for (i = 0; i < batch->nr_pages; i++) {
949 if (batch->writeable && !PageDirty(batch->pages[i]))
950 set_page_dirty_lock(batch->pages[i]);
951 put_page(batch->pages[i]);
954 batch->writeable = false;
957 static int gntdev_copy(struct gntdev_copy_batch *batch)
961 gnttab_batch_copy(batch->ops, batch->nr_ops);
962 gntdev_put_pages(batch);
965 * For each completed op, update the status if the op failed
966 * and all previous ops for the segment were successful.
968 for (i = 0; i < batch->nr_ops; i++) {
969 s16 status = batch->ops[i].status;
972 if (status == GNTST_okay)
975 if (__get_user(old_status, batch->status[i]))
978 if (old_status != GNTST_okay)
981 if (__put_user(status, batch->status[i]))
989 static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch,
990 struct gntdev_grant_copy_segment *seg,
996 * Disallow local -> local copies since there is only space in
997 * batch->pages for one page per-op and this would be a very
998 * expensive memcpy().
1000 if (!(seg->flags & (GNTCOPY_source_gref | GNTCOPY_dest_gref)))
1003 /* Can't cross page if source/dest is a grant ref. */
1004 if (seg->flags & GNTCOPY_source_gref) {
1005 if (seg->source.foreign.offset + seg->len > XEN_PAGE_SIZE)
1008 if (seg->flags & GNTCOPY_dest_gref) {
1009 if (seg->dest.foreign.offset + seg->len > XEN_PAGE_SIZE)
1013 if (put_user(GNTST_okay, status))
1016 while (copied < seg->len) {
1017 struct gnttab_copy *op;
1023 if (batch->nr_ops >= GNTDEV_COPY_BATCH) {
1024 ret = gntdev_copy(batch);
1029 len = seg->len - copied;
1031 op = &batch->ops[batch->nr_ops];
1034 if (seg->flags & GNTCOPY_source_gref) {
1035 op->source.u.ref = seg->source.foreign.ref;
1036 op->source.domid = seg->source.foreign.domid;
1037 op->source.offset = seg->source.foreign.offset + copied;
1038 op->flags |= GNTCOPY_source_gref;
1040 virt = seg->source.virt + copied;
1041 off = (unsigned long)virt & ~XEN_PAGE_MASK;
1042 len = min(len, (size_t)XEN_PAGE_SIZE - off);
1043 batch->writeable = false;
1045 ret = gntdev_get_page(batch, virt, &gfn);
1049 op->source.u.gmfn = gfn;
1050 op->source.domid = DOMID_SELF;
1051 op->source.offset = off;
1054 if (seg->flags & GNTCOPY_dest_gref) {
1055 op->dest.u.ref = seg->dest.foreign.ref;
1056 op->dest.domid = seg->dest.foreign.domid;
1057 op->dest.offset = seg->dest.foreign.offset + copied;
1058 op->flags |= GNTCOPY_dest_gref;
1060 virt = seg->dest.virt + copied;
1061 off = (unsigned long)virt & ~XEN_PAGE_MASK;
1062 len = min(len, (size_t)XEN_PAGE_SIZE - off);
1063 batch->writeable = true;
1065 ret = gntdev_get_page(batch, virt, &gfn);
1069 op->dest.u.gmfn = gfn;
1070 op->dest.domid = DOMID_SELF;
1071 op->dest.offset = off;
1077 batch->status[batch->nr_ops] = status;
1084 static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u)
1086 struct ioctl_gntdev_grant_copy copy;
1087 struct gntdev_copy_batch batch;
1091 if (copy_from_user(©, u, sizeof(copy)))
1097 for (i = 0; i < copy.count; i++) {
1098 struct gntdev_grant_copy_segment seg;
1100 if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) {
1105 ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status);
1112 ret = gntdev_copy(&batch);
1116 gntdev_put_pages(&batch);
1120 static long gntdev_ioctl(struct file *flip,
1121 unsigned int cmd, unsigned long arg)
1123 struct gntdev_priv *priv = flip->private_data;
1124 void __user *ptr = (void __user *)arg;
1127 case IOCTL_GNTDEV_MAP_GRANT_REF:
1128 return gntdev_ioctl_map_grant_ref(priv, ptr);
1130 case IOCTL_GNTDEV_UNMAP_GRANT_REF:
1131 return gntdev_ioctl_unmap_grant_ref(priv, ptr);
1133 case IOCTL_GNTDEV_GET_OFFSET_FOR_VADDR:
1134 return gntdev_ioctl_get_offset_for_vaddr(priv, ptr);
1136 case IOCTL_GNTDEV_SET_UNMAP_NOTIFY:
1137 return gntdev_ioctl_notify(priv, ptr);
1139 case IOCTL_GNTDEV_GRANT_COPY:
1140 return gntdev_ioctl_grant_copy(priv, ptr);
1142 #ifdef CONFIG_XEN_GNTDEV_DMABUF
1143 case IOCTL_GNTDEV_DMABUF_EXP_FROM_REFS:
1144 return gntdev_ioctl_dmabuf_exp_from_refs(priv, use_ptemod, ptr);
1146 case IOCTL_GNTDEV_DMABUF_EXP_WAIT_RELEASED:
1147 return gntdev_ioctl_dmabuf_exp_wait_released(priv, ptr);
1149 case IOCTL_GNTDEV_DMABUF_IMP_TO_REFS:
1150 return gntdev_ioctl_dmabuf_imp_to_refs(priv, ptr);
1152 case IOCTL_GNTDEV_DMABUF_IMP_RELEASE:
1153 return gntdev_ioctl_dmabuf_imp_release(priv, ptr);
1157 pr_debug("priv %p, unknown cmd %x\n", priv, cmd);
1158 return -ENOIOCTLCMD;
1164 static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
1166 struct gntdev_priv *priv = flip->private_data;
1167 int index = vma->vm_pgoff;
1168 int count = vma_pages(vma);
1169 struct gntdev_grant_map *map;
1170 int i, err = -EINVAL;
1172 if ((vma->vm_flags & VM_WRITE) && !(vma->vm_flags & VM_SHARED))
1175 pr_debug("map %d+%d at %lx (pgoff %lx)\n",
1176 index, count, vma->vm_start, vma->vm_pgoff);
1178 mutex_lock(&priv->lock);
1179 map = gntdev_find_map_index(priv, index, count);
1182 if (use_ptemod && map->vma)
1184 if (use_ptemod && priv->mm != vma->vm_mm) {
1185 pr_warn("Huh? Other mm?\n");
1189 if (atomic_read(&map->live_grants)) {
1193 refcount_inc(&map->users);
1195 vma->vm_ops = &gntdev_vmops;
1197 vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_MIXEDMAP;
1200 vma->vm_flags |= VM_DONTCOPY;
1202 vma->vm_private_data = map;
1208 if ((vma->vm_flags & VM_WRITE) &&
1209 (map->flags & GNTMAP_readonly))
1210 goto out_unlock_put;
1212 map->flags = GNTMAP_host_map;
1213 if (!(vma->vm_flags & VM_WRITE))
1214 map->flags |= GNTMAP_readonly;
1217 mutex_unlock(&priv->lock);
1220 map->pages_vm_start = vma->vm_start;
1221 err = apply_to_page_range(vma->vm_mm, vma->vm_start,
1222 vma->vm_end - vma->vm_start,
1223 find_grant_ptes, map);
1225 pr_warn("find_grant_ptes() failure.\n");
1230 err = gntdev_map_grant_pages(map);
1235 for (i = 0; i < count; i++) {
1236 err = vm_insert_page(vma, vma->vm_start + i*PAGE_SIZE,
1244 * If the PTEs were not made special by the grant map
1245 * hypercall, do so here.
1247 * This is racy since the mapping is already visible
1248 * to userspace but userspace should be well-behaved
1249 * enough to not touch it until the mmap() call
1252 if (!xen_feature(XENFEAT_gnttab_map_avail_bits)) {
1253 apply_to_page_range(vma->vm_mm, vma->vm_start,
1254 vma->vm_end - vma->vm_start,
1255 set_grant_ptes_as_special, NULL);
1263 mutex_unlock(&priv->lock);
1267 mutex_unlock(&priv->lock);
1271 unmap_grant_pages(map, 0, map->count);
1273 gntdev_put_map(priv, map);
1277 static const struct file_operations gntdev_fops = {
1278 .owner = THIS_MODULE,
1279 .open = gntdev_open,
1280 .release = gntdev_release,
1281 .mmap = gntdev_mmap,
1282 .unlocked_ioctl = gntdev_ioctl
1285 static struct miscdevice gntdev_miscdev = {
1286 .minor = MISC_DYNAMIC_MINOR,
1287 .name = "xen/gntdev",
1288 .fops = &gntdev_fops,
1291 /* ------------------------------------------------------------------ */
1293 static int __init gntdev_init(void)
1300 use_ptemod = !xen_feature(XENFEAT_auto_translated_physmap);
1302 err = misc_register(&gntdev_miscdev);
1304 pr_err("Could not register gntdev device\n");
1310 static void __exit gntdev_exit(void)
1312 misc_deregister(&gntdev_miscdev);
1315 module_init(gntdev_init);
1316 module_exit(gntdev_exit);
1318 /* ------------------------------------------------------------------ */
projects / releases.git / blob