2 * VFIO: IOMMU DMA mapping support for Type1 IOMMU
4 * Copyright (C) 2012 Red Hat, Inc. All rights reserved.
5 * Author: Alex Williamson <alex.williamson@redhat.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * Derived from original vfio:
12 * Copyright 2010 Cisco Systems, Inc. All rights reserved.
13 * Author: Tom Lyon, pugs@cisco.com
15 * We arbitrarily define a Type1 IOMMU as one matching the below code.
16 * It could be called the x86 IOMMU as it's designed for AMD-Vi & Intel
17 * VT-d, but that makes it harder to re-use as theoretically anyone
18 * implementing a similar IOMMU could make use of this. We expect the
19 * IOMMU to support the IOMMU API and have few to no restrictions around
20 * the IOVA range that can be mapped. The Type1 IOMMU is currently
21 * optimized for relatively static mappings of a userspace process with
22 * userpsace pages pinned into memory. We also assume devices and IOMMU
23 * domains are PCI based as the IOMMU API is still centered around a
24 * device/bus interface rather than a group interface.
27 #include <linux/compat.h>
28 #include <linux/device.h>
30 #include <linux/iommu.h>
31 #include <linux/module.h>
33 #include <linux/rbtree.h>
34 #include <linux/sched/signal.h>
35 #include <linux/sched/mm.h>
36 #include <linux/slab.h>
37 #include <linux/uaccess.h>
38 #include <linux/vfio.h>
39 #include <linux/workqueue.h>
40 #include <linux/mdev.h>
41 #include <linux/notifier.h>
42 #include <linux/dma-iommu.h>
43 #include <linux/irqdomain.h>
45 #define DRIVER_VERSION "0.2"
46 #define DRIVER_AUTHOR "Alex Williamson <alex.williamson@redhat.com>"
47 #define DRIVER_DESC "Type1 IOMMU driver for VFIO"
49 static bool allow_unsafe_interrupts;
50 module_param_named(allow_unsafe_interrupts,
51 allow_unsafe_interrupts, bool, S_IRUGO | S_IWUSR);
52 MODULE_PARM_DESC(allow_unsafe_interrupts,
53 "Enable VFIO IOMMU support for on platforms without interrupt remapping support.");
55 static bool disable_hugepages;
56 module_param_named(disable_hugepages,
57 disable_hugepages, bool, S_IRUGO | S_IWUSR);
58 MODULE_PARM_DESC(disable_hugepages,
59 "Disable VFIO IOMMU support for IOMMU hugepages.");
62 struct list_head domain_list;
63 struct vfio_domain *external_domain; /* domain for external user */
65 struct rb_root dma_list;
66 struct blocking_notifier_head notifier;
72 struct iommu_domain *domain;
73 struct list_head next;
74 struct list_head group_list;
75 int prot; /* IOMMU_CACHE */
76 bool fgsp; /* Fine-grained super pages */
81 dma_addr_t iova; /* Device address */
82 unsigned long vaddr; /* Process virtual addr */
83 size_t size; /* Map size (bytes) */
84 int prot; /* IOMMU_READ/WRITE */
86 struct task_struct *task;
87 struct rb_root pfn_list; /* Ex-user pinned pfn list */
91 struct iommu_group *iommu_group;
92 struct list_head next;
96 * Guest RAM pinning working set or DMA target
100 dma_addr_t iova; /* Device address */
101 unsigned long pfn; /* Host pfn */
105 struct vfio_regions {
106 struct list_head list;
112 #define IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu) \
113 (!list_empty(&iommu->domain_list))
115 static int put_pfn(unsigned long pfn, int prot);
118 * This code handles mapping and unmapping of user data buffers
119 * into DMA'ble space using the IOMMU
122 static struct vfio_dma *vfio_find_dma(struct vfio_iommu *iommu,
123 dma_addr_t start, size_t size)
125 struct rb_node *node = iommu->dma_list.rb_node;
128 struct vfio_dma *dma = rb_entry(node, struct vfio_dma, node);
130 if (start + size <= dma->iova)
131 node = node->rb_left;
132 else if (start >= dma->iova + dma->size)
133 node = node->rb_right;
141 static void vfio_link_dma(struct vfio_iommu *iommu, struct vfio_dma *new)
143 struct rb_node **link = &iommu->dma_list.rb_node, *parent = NULL;
144 struct vfio_dma *dma;
148 dma = rb_entry(parent, struct vfio_dma, node);
150 if (new->iova + new->size <= dma->iova)
151 link = &(*link)->rb_left;
153 link = &(*link)->rb_right;
156 rb_link_node(&new->node, parent, link);
157 rb_insert_color(&new->node, &iommu->dma_list);
160 static void vfio_unlink_dma(struct vfio_iommu *iommu, struct vfio_dma *old)
162 rb_erase(&old->node, &iommu->dma_list);
166 * Helper Functions for host iova-pfn list
168 static struct vfio_pfn *vfio_find_vpfn(struct vfio_dma *dma, dma_addr_t iova)
170 struct vfio_pfn *vpfn;
171 struct rb_node *node = dma->pfn_list.rb_node;
174 vpfn = rb_entry(node, struct vfio_pfn, node);
176 if (iova < vpfn->iova)
177 node = node->rb_left;
178 else if (iova > vpfn->iova)
179 node = node->rb_right;
186 static void vfio_link_pfn(struct vfio_dma *dma,
187 struct vfio_pfn *new)
189 struct rb_node **link, *parent = NULL;
190 struct vfio_pfn *vpfn;
192 link = &dma->pfn_list.rb_node;
195 vpfn = rb_entry(parent, struct vfio_pfn, node);
197 if (new->iova < vpfn->iova)
198 link = &(*link)->rb_left;
200 link = &(*link)->rb_right;
203 rb_link_node(&new->node, parent, link);
204 rb_insert_color(&new->node, &dma->pfn_list);
207 static void vfio_unlink_pfn(struct vfio_dma *dma, struct vfio_pfn *old)
209 rb_erase(&old->node, &dma->pfn_list);
212 static int vfio_add_to_pfn_list(struct vfio_dma *dma, dma_addr_t iova,
215 struct vfio_pfn *vpfn;
217 vpfn = kzalloc(sizeof(*vpfn), GFP_KERNEL);
223 atomic_set(&vpfn->ref_count, 1);
224 vfio_link_pfn(dma, vpfn);
228 static void vfio_remove_from_pfn_list(struct vfio_dma *dma,
229 struct vfio_pfn *vpfn)
231 vfio_unlink_pfn(dma, vpfn);
235 static struct vfio_pfn *vfio_iova_get_vfio_pfn(struct vfio_dma *dma,
238 struct vfio_pfn *vpfn = vfio_find_vpfn(dma, iova);
241 atomic_inc(&vpfn->ref_count);
245 static int vfio_iova_put_vfio_pfn(struct vfio_dma *dma, struct vfio_pfn *vpfn)
249 if (atomic_dec_and_test(&vpfn->ref_count)) {
250 ret = put_pfn(vpfn->pfn, dma->prot);
251 vfio_remove_from_pfn_list(dma, vpfn);
256 static int vfio_lock_acct(struct task_struct *task, long npage, bool *lock_cap)
258 struct mm_struct *mm;
265 is_current = (task->mm == current->mm);
267 mm = is_current ? task->mm : get_task_mm(task);
269 return -ESRCH; /* process exited */
271 ret = down_write_killable(&mm->mmap_sem);
274 if (lock_cap ? !*lock_cap :
275 !has_capability(task, CAP_IPC_LOCK)) {
278 limit = task_rlimit(task,
279 RLIMIT_MEMLOCK) >> PAGE_SHIFT;
281 if (mm->locked_vm + npage > limit)
287 mm->locked_vm += npage;
289 up_write(&mm->mmap_sem);
299 * Some mappings aren't backed by a struct page, for example an mmap'd
300 * MMIO range for our own or another device. These use a different
301 * pfn conversion and shouldn't be tracked as locked pages.
303 static bool is_invalid_reserved_pfn(unsigned long pfn)
305 if (pfn_valid(pfn)) {
307 struct page *tail = pfn_to_page(pfn);
308 struct page *head = compound_head(tail);
309 reserved = !!(PageReserved(head));
312 * "head" is not a dangling pointer
313 * (compound_head takes care of that)
314 * but the hugepage may have been split
315 * from under us (and we may not hold a
316 * reference count on the head page so it can
317 * be reused before we run PageReferenced), so
318 * we've to check PageTail before returning
325 return PageReserved(tail);
331 static int put_pfn(unsigned long pfn, int prot)
333 if (!is_invalid_reserved_pfn(pfn)) {
334 struct page *page = pfn_to_page(pfn);
335 if (prot & IOMMU_WRITE)
343 static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
344 int prot, unsigned long *pfn)
346 struct page *page[1];
347 struct vm_area_struct *vma;
348 struct vm_area_struct *vmas[1];
351 if (mm == current->mm) {
352 ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE),
355 unsigned int flags = 0;
357 if (prot & IOMMU_WRITE)
360 down_read(&mm->mmap_sem);
361 ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
364 * The lifetime of a vaddr_get_pfn() page pin is
365 * userspace-controlled. In the fs-dax case this could
366 * lead to indefinite stalls in filesystem operations.
367 * Disallow attempts to pin fs-dax pages via this
370 if (ret > 0 && vma_is_fsdax(vmas[0])) {
374 up_read(&mm->mmap_sem);
378 *pfn = page_to_pfn(page[0]);
382 down_read(&mm->mmap_sem);
384 vma = find_vma_intersection(mm, vaddr, vaddr + 1);
386 if (vma && vma->vm_flags & VM_PFNMAP) {
387 *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
388 if (is_invalid_reserved_pfn(*pfn))
392 up_read(&mm->mmap_sem);
397 * Attempt to pin pages. We really don't want to track all the pfns and
398 * the iommu can only map chunks of consecutive pfns anyway, so get the
399 * first page and all consecutive pages with the same locking.
401 static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
402 long npage, unsigned long *pfn_base,
403 bool lock_cap, unsigned long limit)
405 unsigned long pfn = 0;
406 long ret, pinned = 0, lock_acct = 0;
408 dma_addr_t iova = vaddr - dma->vaddr + dma->iova;
410 /* This code path is only user initiated */
414 ret = vaddr_get_pfn(current->mm, vaddr, dma->prot, pfn_base);
419 rsvd = is_invalid_reserved_pfn(*pfn_base);
422 * Reserved pages aren't counted against the user, externally pinned
423 * pages are already counted against the user.
425 if (!rsvd && !vfio_find_vpfn(dma, iova)) {
426 if (!lock_cap && current->mm->locked_vm + 1 > limit) {
427 put_pfn(*pfn_base, dma->prot);
428 pr_warn("%s: RLIMIT_MEMLOCK (%ld) exceeded\n", __func__,
429 limit << PAGE_SHIFT);
435 if (unlikely(disable_hugepages))
438 /* Lock all the consecutive pages from pfn_base */
439 for (vaddr += PAGE_SIZE, iova += PAGE_SIZE; pinned < npage;
440 pinned++, vaddr += PAGE_SIZE, iova += PAGE_SIZE) {
441 ret = vaddr_get_pfn(current->mm, vaddr, dma->prot, &pfn);
445 if (pfn != *pfn_base + pinned ||
446 rsvd != is_invalid_reserved_pfn(pfn)) {
447 put_pfn(pfn, dma->prot);
451 if (!rsvd && !vfio_find_vpfn(dma, iova)) {
453 current->mm->locked_vm + lock_acct + 1 > limit) {
454 put_pfn(pfn, dma->prot);
455 pr_warn("%s: RLIMIT_MEMLOCK (%ld) exceeded\n",
456 __func__, limit << PAGE_SHIFT);
465 ret = vfio_lock_acct(current, lock_acct, &lock_cap);
470 for (pfn = *pfn_base ; pinned ; pfn++, pinned--)
471 put_pfn(pfn, dma->prot);
480 static long vfio_unpin_pages_remote(struct vfio_dma *dma, dma_addr_t iova,
481 unsigned long pfn, long npage,
484 long unlocked = 0, locked = 0;
487 for (i = 0; i < npage; i++, iova += PAGE_SIZE) {
488 if (put_pfn(pfn++, dma->prot)) {
490 if (vfio_find_vpfn(dma, iova))
496 vfio_lock_acct(dma->task, locked - unlocked, NULL);
501 static int vfio_pin_page_external(struct vfio_dma *dma, unsigned long vaddr,
502 unsigned long *pfn_base, bool do_accounting)
504 struct mm_struct *mm;
507 mm = get_task_mm(dma->task);
511 ret = vaddr_get_pfn(mm, vaddr, dma->prot, pfn_base);
512 if (!ret && do_accounting && !is_invalid_reserved_pfn(*pfn_base)) {
513 ret = vfio_lock_acct(dma->task, 1, NULL);
515 put_pfn(*pfn_base, dma->prot);
517 pr_warn("%s: Task %s (%d) RLIMIT_MEMLOCK "
518 "(%ld) exceeded\n", __func__,
519 dma->task->comm, task_pid_nr(dma->task),
520 task_rlimit(dma->task, RLIMIT_MEMLOCK));
528 static int vfio_unpin_page_external(struct vfio_dma *dma, dma_addr_t iova,
532 struct vfio_pfn *vpfn = vfio_find_vpfn(dma, iova);
537 unlocked = vfio_iova_put_vfio_pfn(dma, vpfn);
540 vfio_lock_acct(dma->task, -unlocked, NULL);
545 static int vfio_iommu_type1_pin_pages(void *iommu_data,
546 unsigned long *user_pfn,
548 unsigned long *phys_pfn)
550 struct vfio_iommu *iommu = iommu_data;
552 unsigned long remote_vaddr;
553 struct vfio_dma *dma;
556 if (!iommu || !user_pfn || !phys_pfn)
559 /* Supported for v2 version only */
563 mutex_lock(&iommu->lock);
565 /* Fail if notifier list is empty */
566 if ((!iommu->external_domain) || (!iommu->notifier.head)) {
572 * If iommu capable domain exist in the container then all pages are
573 * already pinned and accounted. Accouting should be done if there is no
574 * iommu capable domain in the container.
576 do_accounting = !IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu);
578 for (i = 0; i < npage; i++) {
580 struct vfio_pfn *vpfn;
582 iova = user_pfn[i] << PAGE_SHIFT;
583 dma = vfio_find_dma(iommu, iova, PAGE_SIZE);
589 if ((dma->prot & prot) != prot) {
594 vpfn = vfio_iova_get_vfio_pfn(dma, iova);
596 phys_pfn[i] = vpfn->pfn;
600 remote_vaddr = dma->vaddr + iova - dma->iova;
601 ret = vfio_pin_page_external(dma, remote_vaddr, &phys_pfn[i],
606 ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]);
608 vfio_unpin_page_external(dma, iova, do_accounting);
618 for (j = 0; j < i; j++) {
621 iova = user_pfn[j] << PAGE_SHIFT;
622 dma = vfio_find_dma(iommu, iova, PAGE_SIZE);
623 vfio_unpin_page_external(dma, iova, do_accounting);
627 mutex_unlock(&iommu->lock);
631 static int vfio_iommu_type1_unpin_pages(void *iommu_data,
632 unsigned long *user_pfn,
635 struct vfio_iommu *iommu = iommu_data;
639 if (!iommu || !user_pfn)
642 /* Supported for v2 version only */
646 mutex_lock(&iommu->lock);
648 if (!iommu->external_domain) {
649 mutex_unlock(&iommu->lock);
653 do_accounting = !IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu);
654 for (i = 0; i < npage; i++) {
655 struct vfio_dma *dma;
658 iova = user_pfn[i] << PAGE_SHIFT;
659 dma = vfio_find_dma(iommu, iova, PAGE_SIZE);
662 vfio_unpin_page_external(dma, iova, do_accounting);
666 mutex_unlock(&iommu->lock);
667 return i > npage ? npage : (i > 0 ? i : -EINVAL);
670 static long vfio_sync_unpin(struct vfio_dma *dma, struct vfio_domain *domain,
671 struct list_head *regions)
674 struct vfio_regions *entry, *next;
676 iommu_tlb_sync(domain->domain);
678 list_for_each_entry_safe(entry, next, regions, list) {
679 unlocked += vfio_unpin_pages_remote(dma,
681 entry->phys >> PAGE_SHIFT,
682 entry->len >> PAGE_SHIFT,
684 list_del(&entry->list);
694 * Generally, VFIO needs to unpin remote pages after each IOTLB flush.
695 * Therefore, when using IOTLB flush sync interface, VFIO need to keep track
696 * of these regions (currently using a list).
698 * This value specifies maximum number of regions for each IOTLB flush sync.
700 #define VFIO_IOMMU_TLB_SYNC_MAX 512
702 static size_t unmap_unpin_fast(struct vfio_domain *domain,
703 struct vfio_dma *dma, dma_addr_t *iova,
704 size_t len, phys_addr_t phys, long *unlocked,
705 struct list_head *unmapped_list,
709 struct vfio_regions *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
712 unmapped = iommu_unmap_fast(domain->domain, *iova, len);
717 iommu_tlb_range_add(domain->domain, *iova, unmapped);
720 entry->len = unmapped;
721 list_add_tail(&entry->list, unmapped_list);
729 * Sync if the number of fast-unmap regions hits the limit
730 * or in case of errors.
732 if (*unmapped_cnt >= VFIO_IOMMU_TLB_SYNC_MAX || !unmapped) {
733 *unlocked += vfio_sync_unpin(dma, domain,
741 static size_t unmap_unpin_slow(struct vfio_domain *domain,
742 struct vfio_dma *dma, dma_addr_t *iova,
743 size_t len, phys_addr_t phys,
746 size_t unmapped = iommu_unmap(domain->domain, *iova, len);
749 *unlocked += vfio_unpin_pages_remote(dma, *iova,
751 unmapped >> PAGE_SHIFT,
759 static long vfio_unmap_unpin(struct vfio_iommu *iommu, struct vfio_dma *dma,
762 dma_addr_t iova = dma->iova, end = dma->iova + dma->size;
763 struct vfio_domain *domain, *d;
764 LIST_HEAD(unmapped_region_list);
765 int unmapped_region_cnt = 0;
771 if (!IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu))
775 * We use the IOMMU to track the physical addresses, otherwise we'd
776 * need a much more complicated tracking system. Unfortunately that
777 * means we need to use one of the iommu domains to figure out the
778 * pfns to unpin. The rest need to be unmapped in advance so we have
779 * no iommu translations remaining when the pages are unpinned.
781 domain = d = list_first_entry(&iommu->domain_list,
782 struct vfio_domain, next);
784 list_for_each_entry_continue(d, &iommu->domain_list, next) {
785 iommu_unmap(d->domain, dma->iova, dma->size);
790 size_t unmapped, len;
791 phys_addr_t phys, next;
793 phys = iommu_iova_to_phys(domain->domain, iova);
794 if (WARN_ON(!phys)) {
800 * To optimize for fewer iommu_unmap() calls, each of which
801 * may require hardware cache flushing, try to find the
802 * largest contiguous physical memory chunk to unmap.
804 for (len = PAGE_SIZE;
805 !domain->fgsp && iova + len < end; len += PAGE_SIZE) {
806 next = iommu_iova_to_phys(domain->domain, iova + len);
807 if (next != phys + len)
812 * First, try to use fast unmap/unpin. In case of failure,
813 * switch to slow unmap/unpin path.
815 unmapped = unmap_unpin_fast(domain, dma, &iova, len, phys,
816 &unlocked, &unmapped_region_list,
817 &unmapped_region_cnt);
819 unmapped = unmap_unpin_slow(domain, dma, &iova, len,
821 if (WARN_ON(!unmapped))
826 dma->iommu_mapped = false;
828 if (unmapped_region_cnt)
829 unlocked += vfio_sync_unpin(dma, domain, &unmapped_region_list);
832 vfio_lock_acct(dma->task, -unlocked, NULL);
838 static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
840 vfio_unmap_unpin(iommu, dma, true);
841 vfio_unlink_dma(iommu, dma);
842 put_task_struct(dma->task);
846 static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
848 struct vfio_domain *domain;
849 unsigned long bitmap = ULONG_MAX;
851 mutex_lock(&iommu->lock);
852 list_for_each_entry(domain, &iommu->domain_list, next)
853 bitmap &= domain->domain->pgsize_bitmap;
854 mutex_unlock(&iommu->lock);
857 * In case the IOMMU supports page sizes smaller than PAGE_SIZE
858 * we pretend PAGE_SIZE is supported and hide sub-PAGE_SIZE sizes.
859 * That way the user will be able to map/unmap buffers whose size/
860 * start address is aligned with PAGE_SIZE. Pinning code uses that
861 * granularity while iommu driver can use the sub-PAGE_SIZE size
864 if (bitmap & ~PAGE_MASK) {
872 static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
873 struct vfio_iommu_type1_dma_unmap *unmap)
876 struct vfio_dma *dma, *dma_last = NULL;
878 int ret = 0, retries = 0;
880 mask = ((uint64_t)1 << __ffs(vfio_pgsize_bitmap(iommu))) - 1;
882 if (unmap->iova & mask)
884 if (!unmap->size || unmap->size & mask)
886 if (unmap->iova + unmap->size < unmap->iova ||
887 unmap->size > SIZE_MAX)
890 WARN_ON(mask & PAGE_MASK);
892 mutex_lock(&iommu->lock);
895 * vfio-iommu-type1 (v1) - User mappings were coalesced together to
896 * avoid tracking individual mappings. This means that the granularity
897 * of the original mapping was lost and the user was allowed to attempt
898 * to unmap any range. Depending on the contiguousness of physical
899 * memory and page sizes supported by the IOMMU, arbitrary unmaps may
900 * or may not have worked. We only guaranteed unmap granularity
901 * matching the original mapping; even though it was untracked here,
902 * the original mappings are reflected in IOMMU mappings. This
903 * resulted in a couple unusual behaviors. First, if a range is not
904 * able to be unmapped, ex. a set of 4k pages that was mapped as a
905 * 2M hugepage into the IOMMU, the unmap ioctl returns success but with
906 * a zero sized unmap. Also, if an unmap request overlaps the first
907 * address of a hugepage, the IOMMU will unmap the entire hugepage.
908 * This also returns success and the returned unmap size reflects the
909 * actual size unmapped.
911 * We attempt to maintain compatibility with this "v1" interface, but
912 * we take control out of the hands of the IOMMU. Therefore, an unmap
913 * request offset from the beginning of the original mapping will
914 * return success with zero sized unmap. And an unmap request covering
915 * the first iova of mapping will unmap the entire range.
917 * The v2 version of this interface intends to be more deterministic.
918 * Unmap requests must fully cover previous mappings. Multiple
919 * mappings may still be unmaped by specifying large ranges, but there
920 * must not be any previous mappings bisected by the range. An error
921 * will be returned if these conditions are not met. The v2 interface
922 * will only return success and a size of zero if there were no
923 * mappings within the range.
926 dma = vfio_find_dma(iommu, unmap->iova, 1);
927 if (dma && dma->iova != unmap->iova) {
931 dma = vfio_find_dma(iommu, unmap->iova + unmap->size - 1, 0);
932 if (dma && dma->iova + dma->size != unmap->iova + unmap->size) {
938 while ((dma = vfio_find_dma(iommu, unmap->iova, unmap->size))) {
939 if (!iommu->v2 && unmap->iova > dma->iova)
942 * Task with same address space who mapped this iova range is
943 * allowed to unmap the iova range.
945 if (dma->task->mm != current->mm)
948 if (!RB_EMPTY_ROOT(&dma->pfn_list)) {
949 struct vfio_iommu_type1_dma_unmap nb_unmap;
951 if (dma_last == dma) {
952 BUG_ON(++retries > 10);
958 nb_unmap.iova = dma->iova;
959 nb_unmap.size = dma->size;
962 * Notify anyone (mdev vendor drivers) to invalidate and
963 * unmap iovas within the range we're about to unmap.
964 * Vendor drivers MUST unpin pages in response to an
967 mutex_unlock(&iommu->lock);
968 blocking_notifier_call_chain(&iommu->notifier,
969 VFIO_IOMMU_NOTIFY_DMA_UNMAP,
973 unmapped += dma->size;
974 vfio_remove_dma(iommu, dma);
978 mutex_unlock(&iommu->lock);
980 /* Report how much was unmapped */
981 unmap->size = unmapped;
987 * Turns out AMD IOMMU has a page table bug where it won't map large pages
988 * to a region that previously mapped smaller pages. This should be fixed
989 * soon, so this is just a temporary workaround to break mappings down into
990 * PAGE_SIZE. Better to map smaller pages than nothing.
992 static int map_try_harder(struct vfio_domain *domain, dma_addr_t iova,
993 unsigned long pfn, long npage, int prot)
998 for (i = 0; i < npage; i++, pfn++, iova += PAGE_SIZE) {
999 ret = iommu_map(domain->domain, iova,
1000 (phys_addr_t)pfn << PAGE_SHIFT,
1001 PAGE_SIZE, prot | domain->prot);
1006 for (; i < npage && i > 0; i--, iova -= PAGE_SIZE)
1007 iommu_unmap(domain->domain, iova, PAGE_SIZE);
1012 static int vfio_iommu_map(struct vfio_iommu *iommu, dma_addr_t iova,
1013 unsigned long pfn, long npage, int prot)
1015 struct vfio_domain *d;
1018 list_for_each_entry(d, &iommu->domain_list, next) {
1019 ret = iommu_map(d->domain, iova, (phys_addr_t)pfn << PAGE_SHIFT,
1020 npage << PAGE_SHIFT, prot | d->prot);
1022 if (ret != -EBUSY ||
1023 map_try_harder(d, iova, pfn, npage, prot))
1033 list_for_each_entry_continue_reverse(d, &iommu->domain_list, next)
1034 iommu_unmap(d->domain, iova, npage << PAGE_SHIFT);
1039 static int vfio_pin_map_dma(struct vfio_iommu *iommu, struct vfio_dma *dma,
1042 dma_addr_t iova = dma->iova;
1043 unsigned long vaddr = dma->vaddr;
1044 size_t size = map_size;
1046 unsigned long pfn, limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
1047 bool lock_cap = capable(CAP_IPC_LOCK);
1051 /* Pin a contiguous chunk of memory */
1052 npage = vfio_pin_pages_remote(dma, vaddr + dma->size,
1053 size >> PAGE_SHIFT, &pfn,
1062 ret = vfio_iommu_map(iommu, iova + dma->size, pfn, npage,
1065 vfio_unpin_pages_remote(dma, iova + dma->size, pfn,
1070 size -= npage << PAGE_SHIFT;
1071 dma->size += npage << PAGE_SHIFT;
1074 dma->iommu_mapped = true;
1077 vfio_remove_dma(iommu, dma);
1082 static int vfio_dma_do_map(struct vfio_iommu *iommu,
1083 struct vfio_iommu_type1_dma_map *map)
1085 dma_addr_t iova = map->iova;
1086 unsigned long vaddr = map->vaddr;
1087 size_t size = map->size;
1088 int ret = 0, prot = 0;
1090 struct vfio_dma *dma;
1092 /* Verify that none of our __u64 fields overflow */
1093 if (map->size != size || map->vaddr != vaddr || map->iova != iova)
1096 mask = ((uint64_t)1 << __ffs(vfio_pgsize_bitmap(iommu))) - 1;
1098 WARN_ON(mask & PAGE_MASK);
1100 /* READ/WRITE from device perspective */
1101 if (map->flags & VFIO_DMA_MAP_FLAG_WRITE)
1102 prot |= IOMMU_WRITE;
1103 if (map->flags & VFIO_DMA_MAP_FLAG_READ)
1106 if (!prot || !size || (size | iova | vaddr) & mask)
1109 /* Don't allow IOVA or virtual address wrap */
1110 if (iova + size - 1 < iova || vaddr + size - 1 < vaddr)
1113 mutex_lock(&iommu->lock);
1115 if (vfio_find_dma(iommu, iova, size)) {
1120 dma = kzalloc(sizeof(*dma), GFP_KERNEL);
1129 get_task_struct(current);
1130 dma->task = current;
1131 dma->pfn_list = RB_ROOT;
1133 /* Insert zero-sized and grow as we map chunks of it */
1134 vfio_link_dma(iommu, dma);
1136 /* Don't pin and map if container doesn't contain IOMMU capable domain*/
1137 if (!IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu))
1140 ret = vfio_pin_map_dma(iommu, dma, size);
1143 mutex_unlock(&iommu->lock);
1147 static int vfio_bus_type(struct device *dev, void *data)
1149 struct bus_type **bus = data;
1151 if (*bus && *bus != dev->bus)
1159 static int vfio_iommu_replay(struct vfio_iommu *iommu,
1160 struct vfio_domain *domain)
1162 struct vfio_domain *d;
1164 unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
1165 bool lock_cap = capable(CAP_IPC_LOCK);
1168 /* Arbitrarily pick the first domain in the list for lookups */
1169 d = list_first_entry(&iommu->domain_list, struct vfio_domain, next);
1170 n = rb_first(&iommu->dma_list);
1172 for (; n; n = rb_next(n)) {
1173 struct vfio_dma *dma;
1176 dma = rb_entry(n, struct vfio_dma, node);
1179 while (iova < dma->iova + dma->size) {
1183 if (dma->iommu_mapped) {
1187 phys = iommu_iova_to_phys(d->domain, iova);
1189 if (WARN_ON(!phys)) {
1197 while (i < dma->iova + dma->size &&
1198 p == iommu_iova_to_phys(d->domain, i)) {
1205 unsigned long vaddr = dma->vaddr +
1207 size_t n = dma->iova + dma->size - iova;
1210 npage = vfio_pin_pages_remote(dma, vaddr,
1220 phys = pfn << PAGE_SHIFT;
1221 size = npage << PAGE_SHIFT;
1224 ret = iommu_map(domain->domain, iova, phys,
1225 size, dma->prot | domain->prot);
1231 dma->iommu_mapped = true;
1237 * We change our unmap behavior slightly depending on whether the IOMMU
1238 * supports fine-grained superpages. IOMMUs like AMD-Vi will use a superpage
1239 * for practically any contiguous power-of-two mapping we give it. This means
1240 * we don't need to look for contiguous chunks ourselves to make unmapping
1241 * more efficient. On IOMMUs with coarse-grained super pages, like Intel VT-d
1242 * with discrete 2M/1G/512G/1T superpages, identifying contiguous chunks
1243 * significantly boosts non-hugetlbfs mappings and doesn't seem to hurt when
1244 * hugetlbfs is in use.
1246 static void vfio_test_domain_fgsp(struct vfio_domain *domain)
1249 int ret, order = get_order(PAGE_SIZE * 2);
1251 pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
1255 ret = iommu_map(domain->domain, 0, page_to_phys(pages), PAGE_SIZE * 2,
1256 IOMMU_READ | IOMMU_WRITE | domain->prot);
1258 size_t unmapped = iommu_unmap(domain->domain, 0, PAGE_SIZE);
1260 if (unmapped == PAGE_SIZE)
1261 iommu_unmap(domain->domain, PAGE_SIZE, PAGE_SIZE);
1263 domain->fgsp = true;
1266 __free_pages(pages, order);
1269 static struct vfio_group *find_iommu_group(struct vfio_domain *domain,
1270 struct iommu_group *iommu_group)
1272 struct vfio_group *g;
1274 list_for_each_entry(g, &domain->group_list, next) {
1275 if (g->iommu_group == iommu_group)
1282 static bool vfio_iommu_has_sw_msi(struct iommu_group *group, phys_addr_t *base)
1284 struct list_head group_resv_regions;
1285 struct iommu_resv_region *region, *next;
1288 INIT_LIST_HEAD(&group_resv_regions);
1289 iommu_get_group_resv_regions(group, &group_resv_regions);
1290 list_for_each_entry(region, &group_resv_regions, list) {
1292 * The presence of any 'real' MSI regions should take
1293 * precedence over the software-managed one if the
1294 * IOMMU driver happens to advertise both types.
1296 if (region->type == IOMMU_RESV_MSI) {
1301 if (region->type == IOMMU_RESV_SW_MSI) {
1302 *base = region->start;
1306 list_for_each_entry_safe(region, next, &group_resv_regions, list)
1311 static int vfio_iommu_type1_attach_group(void *iommu_data,
1312 struct iommu_group *iommu_group)
1314 struct vfio_iommu *iommu = iommu_data;
1315 struct vfio_group *group;
1316 struct vfio_domain *domain, *d;
1317 struct bus_type *bus = NULL, *mdev_bus;
1319 bool resv_msi, msi_remap;
1320 phys_addr_t resv_msi_base;
1322 mutex_lock(&iommu->lock);
1324 list_for_each_entry(d, &iommu->domain_list, next) {
1325 if (find_iommu_group(d, iommu_group)) {
1326 mutex_unlock(&iommu->lock);
1331 if (iommu->external_domain) {
1332 if (find_iommu_group(iommu->external_domain, iommu_group)) {
1333 mutex_unlock(&iommu->lock);
1338 group = kzalloc(sizeof(*group), GFP_KERNEL);
1339 domain = kzalloc(sizeof(*domain), GFP_KERNEL);
1340 if (!group || !domain) {
1345 group->iommu_group = iommu_group;
1347 /* Determine bus_type in order to allocate a domain */
1348 ret = iommu_group_for_each_dev(iommu_group, &bus, vfio_bus_type);
1352 mdev_bus = symbol_get(mdev_bus_type);
1355 if ((bus == mdev_bus) && !iommu_present(bus)) {
1356 symbol_put(mdev_bus_type);
1357 if (!iommu->external_domain) {
1358 INIT_LIST_HEAD(&domain->group_list);
1359 iommu->external_domain = domain;
1363 list_add(&group->next,
1364 &iommu->external_domain->group_list);
1365 mutex_unlock(&iommu->lock);
1368 symbol_put(mdev_bus_type);
1371 domain->domain = iommu_domain_alloc(bus);
1372 if (!domain->domain) {
1377 if (iommu->nesting) {
1380 ret = iommu_domain_set_attr(domain->domain, DOMAIN_ATTR_NESTING,
1386 ret = iommu_attach_group(domain->domain, iommu_group);
1390 resv_msi = vfio_iommu_has_sw_msi(iommu_group, &resv_msi_base);
1392 INIT_LIST_HEAD(&domain->group_list);
1393 list_add(&group->next, &domain->group_list);
1395 msi_remap = irq_domain_check_msi_remap() ||
1396 iommu_capable(bus, IOMMU_CAP_INTR_REMAP);
1398 if (!allow_unsafe_interrupts && !msi_remap) {
1399 pr_warn("%s: No interrupt remapping support. Use the module param \"allow_unsafe_interrupts\" to enable VFIO IOMMU support on this platform\n",
1405 if (iommu_capable(bus, IOMMU_CAP_CACHE_COHERENCY))
1406 domain->prot |= IOMMU_CACHE;
1409 * Try to match an existing compatible domain. We don't want to
1410 * preclude an IOMMU driver supporting multiple bus_types and being
1411 * able to include different bus_types in the same IOMMU domain, so
1412 * we test whether the domains use the same iommu_ops rather than
1413 * testing if they're on the same bus_type.
1415 list_for_each_entry(d, &iommu->domain_list, next) {
1416 if (d->domain->ops == domain->domain->ops &&
1417 d->prot == domain->prot) {
1418 iommu_detach_group(domain->domain, iommu_group);
1419 if (!iommu_attach_group(d->domain, iommu_group)) {
1420 list_add(&group->next, &d->group_list);
1421 iommu_domain_free(domain->domain);
1423 mutex_unlock(&iommu->lock);
1427 ret = iommu_attach_group(domain->domain, iommu_group);
1433 vfio_test_domain_fgsp(domain);
1435 /* replay mappings on new domains */
1436 ret = vfio_iommu_replay(iommu, domain);
1441 ret = iommu_get_msi_cookie(domain->domain, resv_msi_base);
1446 list_add(&domain->next, &iommu->domain_list);
1448 mutex_unlock(&iommu->lock);
1453 iommu_detach_group(domain->domain, iommu_group);
1455 iommu_domain_free(domain->domain);
1459 mutex_unlock(&iommu->lock);
1463 static void vfio_iommu_unmap_unpin_all(struct vfio_iommu *iommu)
1465 struct rb_node *node;
1467 while ((node = rb_first(&iommu->dma_list)))
1468 vfio_remove_dma(iommu, rb_entry(node, struct vfio_dma, node));
1471 static void vfio_iommu_unmap_unpin_reaccount(struct vfio_iommu *iommu)
1473 struct rb_node *n, *p;
1475 n = rb_first(&iommu->dma_list);
1476 for (; n; n = rb_next(n)) {
1477 struct vfio_dma *dma;
1478 long locked = 0, unlocked = 0;
1480 dma = rb_entry(n, struct vfio_dma, node);
1481 unlocked += vfio_unmap_unpin(iommu, dma, false);
1482 p = rb_first(&dma->pfn_list);
1483 for (; p; p = rb_next(p)) {
1484 struct vfio_pfn *vpfn = rb_entry(p, struct vfio_pfn,
1487 if (!is_invalid_reserved_pfn(vpfn->pfn))
1490 vfio_lock_acct(dma->task, locked - unlocked, NULL);
1494 static void vfio_sanity_check_pfn_list(struct vfio_iommu *iommu)
1498 n = rb_first(&iommu->dma_list);
1499 for (; n; n = rb_next(n)) {
1500 struct vfio_dma *dma;
1502 dma = rb_entry(n, struct vfio_dma, node);
1504 if (WARN_ON(!RB_EMPTY_ROOT(&dma->pfn_list)))
1507 /* mdev vendor driver must unregister notifier */
1508 WARN_ON(iommu->notifier.head);
1511 static void vfio_iommu_type1_detach_group(void *iommu_data,
1512 struct iommu_group *iommu_group)
1514 struct vfio_iommu *iommu = iommu_data;
1515 struct vfio_domain *domain;
1516 struct vfio_group *group;
1518 mutex_lock(&iommu->lock);
1520 if (iommu->external_domain) {
1521 group = find_iommu_group(iommu->external_domain, iommu_group);
1523 list_del(&group->next);
1526 if (list_empty(&iommu->external_domain->group_list)) {
1527 vfio_sanity_check_pfn_list(iommu);
1529 if (!IS_IOMMU_CAP_DOMAIN_IN_CONTAINER(iommu))
1530 vfio_iommu_unmap_unpin_all(iommu);
1532 kfree(iommu->external_domain);
1533 iommu->external_domain = NULL;
1535 goto detach_group_done;
1539 list_for_each_entry(domain, &iommu->domain_list, next) {
1540 group = find_iommu_group(domain, iommu_group);
1544 iommu_detach_group(domain->domain, iommu_group);
1545 list_del(&group->next);
1548 * Group ownership provides privilege, if the group list is
1549 * empty, the domain goes away. If it's the last domain with
1550 * iommu and external domain doesn't exist, then all the
1551 * mappings go away too. If it's the last domain with iommu and
1552 * external domain exist, update accounting
1554 if (list_empty(&domain->group_list)) {
1555 if (list_is_singular(&iommu->domain_list)) {
1556 if (!iommu->external_domain)
1557 vfio_iommu_unmap_unpin_all(iommu);
1559 vfio_iommu_unmap_unpin_reaccount(iommu);
1561 iommu_domain_free(domain->domain);
1562 list_del(&domain->next);
1569 mutex_unlock(&iommu->lock);
1572 static void *vfio_iommu_type1_open(unsigned long arg)
1574 struct vfio_iommu *iommu;
1576 iommu = kzalloc(sizeof(*iommu), GFP_KERNEL);
1578 return ERR_PTR(-ENOMEM);
1581 case VFIO_TYPE1_IOMMU:
1583 case VFIO_TYPE1_NESTING_IOMMU:
1584 iommu->nesting = true;
1585 case VFIO_TYPE1v2_IOMMU:
1590 return ERR_PTR(-EINVAL);
1593 INIT_LIST_HEAD(&iommu->domain_list);
1594 iommu->dma_list = RB_ROOT;
1595 mutex_init(&iommu->lock);
1596 BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
1601 static void vfio_release_domain(struct vfio_domain *domain, bool external)
1603 struct vfio_group *group, *group_tmp;
1605 list_for_each_entry_safe(group, group_tmp,
1606 &domain->group_list, next) {
1608 iommu_detach_group(domain->domain, group->iommu_group);
1609 list_del(&group->next);
1614 iommu_domain_free(domain->domain);
1617 static void vfio_iommu_type1_release(void *iommu_data)
1619 struct vfio_iommu *iommu = iommu_data;
1620 struct vfio_domain *domain, *domain_tmp;
1622 if (iommu->external_domain) {
1623 vfio_release_domain(iommu->external_domain, true);
1624 vfio_sanity_check_pfn_list(iommu);
1625 kfree(iommu->external_domain);
1628 vfio_iommu_unmap_unpin_all(iommu);
1630 list_for_each_entry_safe(domain, domain_tmp,
1631 &iommu->domain_list, next) {
1632 vfio_release_domain(domain, false);
1633 list_del(&domain->next);
1639 static int vfio_domains_have_iommu_cache(struct vfio_iommu *iommu)
1641 struct vfio_domain *domain;
1644 mutex_lock(&iommu->lock);
1645 list_for_each_entry(domain, &iommu->domain_list, next) {
1646 if (!(domain->prot & IOMMU_CACHE)) {
1651 mutex_unlock(&iommu->lock);
1656 static long vfio_iommu_type1_ioctl(void *iommu_data,
1657 unsigned int cmd, unsigned long arg)
1659 struct vfio_iommu *iommu = iommu_data;
1660 unsigned long minsz;
1662 if (cmd == VFIO_CHECK_EXTENSION) {
1664 case VFIO_TYPE1_IOMMU:
1665 case VFIO_TYPE1v2_IOMMU:
1666 case VFIO_TYPE1_NESTING_IOMMU:
1668 case VFIO_DMA_CC_IOMMU:
1671 return vfio_domains_have_iommu_cache(iommu);
1675 } else if (cmd == VFIO_IOMMU_GET_INFO) {
1676 struct vfio_iommu_type1_info info;
1678 minsz = offsetofend(struct vfio_iommu_type1_info, iova_pgsizes);
1680 if (copy_from_user(&info, (void __user *)arg, minsz))
1683 if (info.argsz < minsz)
1686 info.flags = VFIO_IOMMU_INFO_PGSIZES;
1688 info.iova_pgsizes = vfio_pgsize_bitmap(iommu);
1690 return copy_to_user((void __user *)arg, &info, minsz) ?
1693 } else if (cmd == VFIO_IOMMU_MAP_DMA) {
1694 struct vfio_iommu_type1_dma_map map;
1695 uint32_t mask = VFIO_DMA_MAP_FLAG_READ |
1696 VFIO_DMA_MAP_FLAG_WRITE;
1698 minsz = offsetofend(struct vfio_iommu_type1_dma_map, size);
1700 if (copy_from_user(&map, (void __user *)arg, minsz))
1703 if (map.argsz < minsz || map.flags & ~mask)
1706 return vfio_dma_do_map(iommu, &map);
1708 } else if (cmd == VFIO_IOMMU_UNMAP_DMA) {
1709 struct vfio_iommu_type1_dma_unmap unmap;
1712 minsz = offsetofend(struct vfio_iommu_type1_dma_unmap, size);
1714 if (copy_from_user(&unmap, (void __user *)arg, minsz))
1717 if (unmap.argsz < minsz || unmap.flags)
1720 ret = vfio_dma_do_unmap(iommu, &unmap);
1724 return copy_to_user((void __user *)arg, &unmap, minsz) ?
1731 static int vfio_iommu_type1_register_notifier(void *iommu_data,
1732 unsigned long *events,
1733 struct notifier_block *nb)
1735 struct vfio_iommu *iommu = iommu_data;
1737 /* clear known events */
1738 *events &= ~VFIO_IOMMU_NOTIFY_DMA_UNMAP;
1740 /* refuse to register if still events remaining */
1744 return blocking_notifier_chain_register(&iommu->notifier, nb);
1747 static int vfio_iommu_type1_unregister_notifier(void *iommu_data,
1748 struct notifier_block *nb)
1750 struct vfio_iommu *iommu = iommu_data;
1752 return blocking_notifier_chain_unregister(&iommu->notifier, nb);
1755 static const struct vfio_iommu_driver_ops vfio_iommu_driver_ops_type1 = {
1756 .name = "vfio-iommu-type1",
1757 .owner = THIS_MODULE,
1758 .open = vfio_iommu_type1_open,
1759 .release = vfio_iommu_type1_release,
1760 .ioctl = vfio_iommu_type1_ioctl,
1761 .attach_group = vfio_iommu_type1_attach_group,
1762 .detach_group = vfio_iommu_type1_detach_group,
1763 .pin_pages = vfio_iommu_type1_pin_pages,
1764 .unpin_pages = vfio_iommu_type1_unpin_pages,
1765 .register_notifier = vfio_iommu_type1_register_notifier,
1766 .unregister_notifier = vfio_iommu_type1_unregister_notifier,
1769 static int __init vfio_iommu_type1_init(void)
1771 return vfio_register_iommu_driver(&vfio_iommu_driver_ops_type1);
1774 static void __exit vfio_iommu_type1_cleanup(void)
1776 vfio_unregister_iommu_driver(&vfio_iommu_driver_ops_type1);
1779 module_init(vfio_iommu_type1_init);
1780 module_exit(vfio_iommu_type1_cleanup);
1782 MODULE_VERSION(DRIVER_VERSION);
1783 MODULE_LICENSE("GPL v2");
1784 MODULE_AUTHOR(DRIVER_AUTHOR);
1785 MODULE_DESCRIPTION(DRIVER_DESC);
projects / linux-2.6-block.git / blob