search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
[drm/drm-misc.git] / drivers / iommu / iommufd / device.c
blob5fd3dd42029015ffd158b9f82971eb2cb870b7e0
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES
3 */
4 #include <linux/iommu.h>
5 #include <linux/iommufd.h>
6 #include <linux/slab.h>
7 #include <uapi/linux/iommufd.h>
8
9 #include "../iommu-priv.h"
10 #include "io_pagetable.h"
11 #include "iommufd_private.h"
12
13 static bool allow_unsafe_interrupts;
14 module_param(allow_unsafe_interrupts, bool, S_IRUGO | S_IWUSR);
15 MODULE_PARM_DESC(
16 allow_unsafe_interrupts,
17 "Allow IOMMUFD to bind to devices even if the platform cannot isolate "
18 "the MSI interrupt window. Enabling this is a security weakness.");
19
20 static void iommufd_group_release(struct kref *kref)
21 {
22 struct iommufd_group *igroup =
23 container_of(kref, struct iommufd_group, ref);
24
25 WARN_ON(igroup->hwpt || !list_empty(&igroup->device_list));
26
27 xa_cmpxchg(&igroup->ictx->groups, iommu_group_id(igroup->group), igroup,
28 NULL, GFP_KERNEL);
29 iommu_group_put(igroup->group);
30 mutex_destroy(&igroup->lock);
31 kfree(igroup);
32 }
33
34 static void iommufd_put_group(struct iommufd_group *group)
35 {
36 kref_put(&group->ref, iommufd_group_release);
37 }
38
39 static bool iommufd_group_try_get(struct iommufd_group *igroup,
40 struct iommu_group *group)
41 {
42 if (!igroup)
43 return false;
44 /*
45 * group ID's cannot be re-used until the group is put back which does
46 * not happen if we could get an igroup pointer under the xa_lock.
47 */
48 if (WARN_ON(igroup->group != group))
49 return false;
50 return kref_get_unless_zero(&igroup->ref);
51 }
52
53 /*
54 * iommufd needs to store some more data for each iommu_group, we keep a
55 * parallel xarray indexed by iommu_group id to hold this instead of putting it
56 * in the core structure. To keep things simple the iommufd_group memory is
57 * unique within the iommufd_ctx. This makes it easy to check there are no
58 * memory leaks.
59 */
60 static struct iommufd_group *iommufd_get_group(struct iommufd_ctx *ictx,
61 struct device *dev)
62 {
63 struct iommufd_group *new_igroup;
64 struct iommufd_group *cur_igroup;
65 struct iommufd_group *igroup;
66 struct iommu_group *group;
67 unsigned int id;
68
69 group = iommu_group_get(dev);
70 if (!group)
71 return ERR_PTR(-ENODEV);
72
73 id = iommu_group_id(group);
74
75 xa_lock(&ictx->groups);
76 igroup = xa_load(&ictx->groups, id);
77 if (iommufd_group_try_get(igroup, group)) {
78 xa_unlock(&ictx->groups);
79 iommu_group_put(group);
80 return igroup;
81 }
82 xa_unlock(&ictx->groups);
83
84 new_igroup = kzalloc(sizeof(*new_igroup), GFP_KERNEL);
85 if (!new_igroup) {
86 iommu_group_put(group);
87 return ERR_PTR(-ENOMEM);
88 }
89
90 kref_init(&new_igroup->ref);
91 mutex_init(&new_igroup->lock);
92 INIT_LIST_HEAD(&new_igroup->device_list);
93 new_igroup->sw_msi_start = PHYS_ADDR_MAX;
94 /* group reference moves into new_igroup */
95 new_igroup->group = group;
96
97 /*
98 * The ictx is not additionally refcounted here becase all objects using
99 * an igroup must put it before their destroy completes.
100 */
101 new_igroup->ictx = ictx;
102
103 /*
104 * We dropped the lock so igroup is invalid. NULL is a safe and likely
105 * value to assume for the xa_cmpxchg algorithm.
106 */
107 cur_igroup = NULL;
108 xa_lock(&ictx->groups);
109 while (true) {
110 igroup = __xa_cmpxchg(&ictx->groups, id, cur_igroup, new_igroup,
111 GFP_KERNEL);
112 if (xa_is_err(igroup)) {
113 xa_unlock(&ictx->groups);
114 iommufd_put_group(new_igroup);
115 return ERR_PTR(xa_err(igroup));
116 }
117
118 /* new_group was successfully installed */
119 if (cur_igroup == igroup) {
120 xa_unlock(&ictx->groups);
121 return new_igroup;
122 }
123
124 /* Check again if the current group is any good */
125 if (iommufd_group_try_get(igroup, group)) {
126 xa_unlock(&ictx->groups);
127 iommufd_put_group(new_igroup);
128 return igroup;
129 }
130 cur_igroup = igroup;
131 }
132 }
133
134 void iommufd_device_destroy(struct iommufd_object *obj)
135 {
136 struct iommufd_device *idev =
137 container_of(obj, struct iommufd_device, obj);
138
139 iommu_device_release_dma_owner(idev->dev);
140 iommufd_put_group(idev->igroup);
141 if (!iommufd_selftest_is_mock_dev(idev->dev))
142 iommufd_ctx_put(idev->ictx);
143 }
144
145 /**
146 * iommufd_device_bind - Bind a physical device to an iommu fd
147 * @ictx: iommufd file descriptor
148 * @dev: Pointer to a physical device struct
149 * @id: Output ID number to return to userspace for this device
150 *
151 * A successful bind establishes an ownership over the device and returns
152 * struct iommufd_device pointer, otherwise returns error pointer.
153 *
154 * A driver using this API must set driver_managed_dma and must not touch
155 * the device until this routine succeeds and establishes ownership.
156 *
157 * Binding a PCI device places the entire RID under iommufd control.
158 *
159 * The caller must undo this with iommufd_device_unbind()
160 */
161 struct iommufd_device *iommufd_device_bind(struct iommufd_ctx *ictx,
162 struct device *dev, u32 *id)
163 {
164 struct iommufd_device *idev;
165 struct iommufd_group *igroup;
166 int rc;
167
168 /*
169 * iommufd always sets IOMMU_CACHE because we offer no way for userspace
170 * to restore cache coherency.
171 */
172 if (!device_iommu_capable(dev, IOMMU_CAP_CACHE_COHERENCY))
173 return ERR_PTR(-EINVAL);
174
175 igroup = iommufd_get_group(ictx, dev);
176 if (IS_ERR(igroup))
177 return ERR_CAST(igroup);
178
179 /*
180 * For historical compat with VFIO the insecure interrupt path is
181 * allowed if the module parameter is set. Secure/Isolated means that a
182 * MemWr operation from the device (eg a simple DMA) cannot trigger an
183 * interrupt outside this iommufd context.
184 */
185 if (!iommufd_selftest_is_mock_dev(dev) &&
186 !iommu_group_has_isolated_msi(igroup->group)) {
187 if (!allow_unsafe_interrupts) {
188 rc = -EPERM;
189 goto out_group_put;
190 }
191
192 dev_warn(
193 dev,
194 "MSI interrupts are not secure, they cannot be isolated by the platform. "
195 "Check that platform features like interrupt remapping are enabled. "
196 "Use the \"allow_unsafe_interrupts\" module parameter to override\n");
197 }
198
199 rc = iommu_device_claim_dma_owner(dev, ictx);
200 if (rc)
201 goto out_group_put;
202
203 idev = iommufd_object_alloc(ictx, idev, IOMMUFD_OBJ_DEVICE);
204 if (IS_ERR(idev)) {
205 rc = PTR_ERR(idev);
206 goto out_release_owner;
207 }
208 idev->ictx = ictx;
209 if (!iommufd_selftest_is_mock_dev(dev))
210 iommufd_ctx_get(ictx);
211 idev->dev = dev;
212 idev->enforce_cache_coherency =
213 device_iommu_capable(dev, IOMMU_CAP_ENFORCE_CACHE_COHERENCY);
214 /* The calling driver is a user until iommufd_device_unbind() */
215 refcount_inc(&idev->obj.users);
216 /* igroup refcount moves into iommufd_device */
217 idev->igroup = igroup;
218 mutex_init(&idev->iopf_lock);
219
220 /*
221 * If the caller fails after this success it must call
222 * iommufd_unbind_device() which is safe since we hold this refcount.
223 * This also means the device is a leaf in the graph and no other object
224 * can take a reference on it.
225 */
226 iommufd_object_finalize(ictx, &idev->obj);
227 *id = idev->obj.id;
228 return idev;
229
230 out_release_owner:
231 iommu_device_release_dma_owner(dev);
232 out_group_put:
233 iommufd_put_group(igroup);
234 return ERR_PTR(rc);
235 }
236 EXPORT_SYMBOL_NS_GPL(iommufd_device_bind, IOMMUFD);
237
238 /**
239 * iommufd_ctx_has_group - True if any device within the group is bound
240 * to the ictx
241 * @ictx: iommufd file descriptor
242 * @group: Pointer to a physical iommu_group struct
243 *
244 * True if any device within the group has been bound to this ictx, ex. via
245 * iommufd_device_bind(), therefore implying ictx ownership of the group.
246 */
247 bool iommufd_ctx_has_group(struct iommufd_ctx *ictx, struct iommu_group *group)
248 {
249 struct iommufd_object *obj;
250 unsigned long index;
251
252 if (!ictx || !group)
253 return false;
254
255 xa_lock(&ictx->objects);
256 xa_for_each(&ictx->objects, index, obj) {
257 if (obj->type == IOMMUFD_OBJ_DEVICE &&
258 container_of(obj, struct iommufd_device, obj)
259 ->igroup->group == group) {
260 xa_unlock(&ictx->objects);
261 return true;
262 }
263 }
264 xa_unlock(&ictx->objects);
265 return false;
266 }
267 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_has_group, IOMMUFD);
268
269 /**
270 * iommufd_device_unbind - Undo iommufd_device_bind()
271 * @idev: Device returned by iommufd_device_bind()
272 *
273 * Release the device from iommufd control. The DMA ownership will return back
274 * to unowned with DMA controlled by the DMA API. This invalidates the
275 * iommufd_device pointer, other APIs that consume it must not be called
276 * concurrently.
277 */
278 void iommufd_device_unbind(struct iommufd_device *idev)
279 {
280 iommufd_object_destroy_user(idev->ictx, &idev->obj);
281 }
282 EXPORT_SYMBOL_NS_GPL(iommufd_device_unbind, IOMMUFD);
283
284 struct iommufd_ctx *iommufd_device_to_ictx(struct iommufd_device *idev)
285 {
286 return idev->ictx;
287 }
288 EXPORT_SYMBOL_NS_GPL(iommufd_device_to_ictx, IOMMUFD);
289
290 u32 iommufd_device_to_id(struct iommufd_device *idev)
291 {
292 return idev->obj.id;
293 }
294 EXPORT_SYMBOL_NS_GPL(iommufd_device_to_id, IOMMUFD);
295
296 static int iommufd_group_setup_msi(struct iommufd_group *igroup,
297 struct iommufd_hwpt_paging *hwpt_paging)
298 {
299 phys_addr_t sw_msi_start = igroup->sw_msi_start;
300 int rc;
301
302 /*
303 * If the IOMMU driver gives a IOMMU_RESV_SW_MSI then it is asking us to
304 * call iommu_get_msi_cookie() on its behalf. This is necessary to setup
305 * the MSI window so iommu_dma_prepare_msi() can install pages into our
306 * domain after request_irq(). If it is not done interrupts will not
307 * work on this domain.
308 *
309 * FIXME: This is conceptually broken for iommufd since we want to allow
310 * userspace to change the domains, eg switch from an identity IOAS to a
311 * DMA IOAS. There is currently no way to create a MSI window that
312 * matches what the IRQ layer actually expects in a newly created
313 * domain.
314 */
315 if (sw_msi_start != PHYS_ADDR_MAX && !hwpt_paging->msi_cookie) {
316 rc = iommu_get_msi_cookie(hwpt_paging->common.domain,
317 sw_msi_start);
318 if (rc)
319 return rc;
320
321 /*
322 * iommu_get_msi_cookie() can only be called once per domain,
323 * it returns -EBUSY on later calls.
324 */
325 hwpt_paging->msi_cookie = true;
326 }
327 return 0;
328 }
329
330 static int
331 iommufd_device_attach_reserved_iova(struct iommufd_device *idev,
332 struct iommufd_hwpt_paging *hwpt_paging)
333 {
334 int rc;
335
336 lockdep_assert_held(&idev->igroup->lock);
337
338 rc = iopt_table_enforce_dev_resv_regions(&hwpt_paging->ioas->iopt,
339 idev->dev,
340 &idev->igroup->sw_msi_start);
341 if (rc)
342 return rc;
343
344 if (list_empty(&idev->igroup->device_list)) {
345 rc = iommufd_group_setup_msi(idev->igroup, hwpt_paging);
346 if (rc) {
347 iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt,
348 idev->dev);
349 return rc;
350 }
351 }
352 return 0;
353 }
354
355 int iommufd_hw_pagetable_attach(struct iommufd_hw_pagetable *hwpt,
356 struct iommufd_device *idev)
357 {
358 struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
359 int rc;
360
361 mutex_lock(&idev->igroup->lock);
362
363 if (idev->igroup->hwpt != NULL && idev->igroup->hwpt != hwpt) {
364 rc = -EINVAL;
365 goto err_unlock;
366 }
367
368 if (hwpt_paging) {
369 rc = iommufd_device_attach_reserved_iova(idev, hwpt_paging);
370 if (rc)
371 goto err_unlock;
372 }
373
374 /*
375 * Only attach to the group once for the first device that is in the
376 * group. All the other devices will follow this attachment. The user
377 * should attach every device individually to the hwpt as the per-device
378 * reserved regions are only updated during individual device
379 * attachment.
380 */
381 if (list_empty(&idev->igroup->device_list)) {
382 rc = iommufd_hwpt_attach_device(hwpt, idev);
383 if (rc)
384 goto err_unresv;
385 idev->igroup->hwpt = hwpt;
386 }
387 refcount_inc(&hwpt->obj.users);
388 list_add_tail(&idev->group_item, &idev->igroup->device_list);
389 mutex_unlock(&idev->igroup->lock);
390 return 0;
391 err_unresv:
392 if (hwpt_paging)
393 iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, idev->dev);
394 err_unlock:
395 mutex_unlock(&idev->igroup->lock);
396 return rc;
397 }
398
399 struct iommufd_hw_pagetable *
400 iommufd_hw_pagetable_detach(struct iommufd_device *idev)
401 {
402 struct iommufd_hw_pagetable *hwpt = idev->igroup->hwpt;
403 struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
404
405 mutex_lock(&idev->igroup->lock);
406 list_del(&idev->group_item);
407 if (list_empty(&idev->igroup->device_list)) {
408 iommufd_hwpt_detach_device(hwpt, idev);
409 idev->igroup->hwpt = NULL;
410 }
411 if (hwpt_paging)
412 iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, idev->dev);
413 mutex_unlock(&idev->igroup->lock);
414
415 /* Caller must destroy hwpt */
416 return hwpt;
417 }
418
419 static struct iommufd_hw_pagetable *
420 iommufd_device_do_attach(struct iommufd_device *idev,
421 struct iommufd_hw_pagetable *hwpt)
422 {
423 int rc;
424
425 rc = iommufd_hw_pagetable_attach(hwpt, idev);
426 if (rc)
427 return ERR_PTR(rc);
428 return NULL;
429 }
430
431 static void
432 iommufd_group_remove_reserved_iova(struct iommufd_group *igroup,
433 struct iommufd_hwpt_paging *hwpt_paging)
434 {
435 struct iommufd_device *cur;
436
437 lockdep_assert_held(&igroup->lock);
438
439 list_for_each_entry(cur, &igroup->device_list, group_item)
440 iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, cur->dev);
441 }
442
443 static int
444 iommufd_group_do_replace_reserved_iova(struct iommufd_group *igroup,
445 struct iommufd_hwpt_paging *hwpt_paging)
446 {
447 struct iommufd_hwpt_paging *old_hwpt_paging;
448 struct iommufd_device *cur;
449 int rc;
450
451 lockdep_assert_held(&igroup->lock);
452
453 old_hwpt_paging = find_hwpt_paging(igroup->hwpt);
454 if (!old_hwpt_paging || hwpt_paging->ioas != old_hwpt_paging->ioas) {
455 list_for_each_entry(cur, &igroup->device_list, group_item) {
456 rc = iopt_table_enforce_dev_resv_regions(
457 &hwpt_paging->ioas->iopt, cur->dev, NULL);
458 if (rc)
459 goto err_unresv;
460 }
461 }
462
463 rc = iommufd_group_setup_msi(igroup, hwpt_paging);
464 if (rc)
465 goto err_unresv;
466 return 0;
467
468 err_unresv:
469 iommufd_group_remove_reserved_iova(igroup, hwpt_paging);
470 return rc;
471 }
472
473 static struct iommufd_hw_pagetable *
474 iommufd_device_do_replace(struct iommufd_device *idev,
475 struct iommufd_hw_pagetable *hwpt)
476 {
477 struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
478 struct iommufd_hwpt_paging *old_hwpt_paging;
479 struct iommufd_group *igroup = idev->igroup;
480 struct iommufd_hw_pagetable *old_hwpt;
481 unsigned int num_devices;
482 int rc;
483
484 mutex_lock(&idev->igroup->lock);
485
486 if (igroup->hwpt == NULL) {
487 rc = -EINVAL;
488 goto err_unlock;
489 }
490
491 if (hwpt == igroup->hwpt) {
492 mutex_unlock(&idev->igroup->lock);
493 return NULL;
494 }
495
496 old_hwpt = igroup->hwpt;
497 if (hwpt_paging) {
498 rc = iommufd_group_do_replace_reserved_iova(igroup, hwpt_paging);
499 if (rc)
500 goto err_unlock;
501 }
502
503 rc = iommufd_hwpt_replace_device(idev, hwpt, old_hwpt);
504 if (rc)
505 goto err_unresv;
506
507 old_hwpt_paging = find_hwpt_paging(old_hwpt);
508 if (old_hwpt_paging &&
509 (!hwpt_paging || hwpt_paging->ioas != old_hwpt_paging->ioas))
510 iommufd_group_remove_reserved_iova(igroup, old_hwpt_paging);
511
512 igroup->hwpt = hwpt;
513
514 num_devices = list_count_nodes(&igroup->device_list);
515 /*
516 * Move the refcounts held by the device_list to the new hwpt. Retain a
517 * refcount for this thread as the caller will free it.
518 */
519 refcount_add(num_devices, &hwpt->obj.users);
520 if (num_devices > 1)
521 WARN_ON(refcount_sub_and_test(num_devices - 1,
522 &old_hwpt->obj.users));
523 mutex_unlock(&idev->igroup->lock);
524
525 /* Caller must destroy old_hwpt */
526 return old_hwpt;
527 err_unresv:
528 if (hwpt_paging)
529 iommufd_group_remove_reserved_iova(igroup, hwpt_paging);
530 err_unlock:
531 mutex_unlock(&idev->igroup->lock);
532 return ERR_PTR(rc);
533 }
534
535 typedef struct iommufd_hw_pagetable *(*attach_fn)(
536 struct iommufd_device *idev, struct iommufd_hw_pagetable *hwpt);
537
538 /*
539 * When automatically managing the domains we search for a compatible domain in
540 * the iopt and if one is found use it, otherwise create a new domain.
541 * Automatic domain selection will never pick a manually created domain.
542 */
543 static struct iommufd_hw_pagetable *
544 iommufd_device_auto_get_domain(struct iommufd_device *idev,
545 struct iommufd_ioas *ioas, u32 *pt_id,
546 attach_fn do_attach)
547 {
548 /*
549 * iommufd_hw_pagetable_attach() is called by
550 * iommufd_hw_pagetable_alloc() in immediate attachment mode, same as
551 * iommufd_device_do_attach(). So if we are in this mode then we prefer
552 * to use the immediate_attach path as it supports drivers that can't
553 * directly allocate a domain.
554 */
555 bool immediate_attach = do_attach == iommufd_device_do_attach;
556 struct iommufd_hw_pagetable *destroy_hwpt;
557 struct iommufd_hwpt_paging *hwpt_paging;
558 struct iommufd_hw_pagetable *hwpt;
559
560 /*
561 * There is no differentiation when domains are allocated, so any domain
562 * that is willing to attach to the device is interchangeable with any
563 * other.
564 */
565 mutex_lock(&ioas->mutex);
566 list_for_each_entry(hwpt_paging, &ioas->hwpt_list, hwpt_item) {
567 if (!hwpt_paging->auto_domain)
568 continue;
569
570 hwpt = &hwpt_paging->common;
571 if (!iommufd_lock_obj(&hwpt->obj))
572 continue;
573 destroy_hwpt = (*do_attach)(idev, hwpt);
574 if (IS_ERR(destroy_hwpt)) {
575 iommufd_put_object(idev->ictx, &hwpt->obj);
576 /*
577 * -EINVAL means the domain is incompatible with the
578 * device. Other error codes should propagate to
579 * userspace as failure. Success means the domain is
580 * attached.
581 */
582 if (PTR_ERR(destroy_hwpt) == -EINVAL)
583 continue;
584 goto out_unlock;
585 }
586 *pt_id = hwpt->obj.id;
587 iommufd_put_object(idev->ictx, &hwpt->obj);
588 goto out_unlock;
589 }
590
591 hwpt_paging = iommufd_hwpt_paging_alloc(idev->ictx, ioas, idev, 0,
592 immediate_attach, NULL);
593 if (IS_ERR(hwpt_paging)) {
594 destroy_hwpt = ERR_CAST(hwpt_paging);
595 goto out_unlock;
596 }
597 hwpt = &hwpt_paging->common;
598
599 if (!immediate_attach) {
600 destroy_hwpt = (*do_attach)(idev, hwpt);
601 if (IS_ERR(destroy_hwpt))
602 goto out_abort;
603 } else {
604 destroy_hwpt = NULL;
605 }
606
607 hwpt_paging->auto_domain = true;
608 *pt_id = hwpt->obj.id;
609
610 iommufd_object_finalize(idev->ictx, &hwpt->obj);
611 mutex_unlock(&ioas->mutex);
612 return destroy_hwpt;
613
614 out_abort:
615 iommufd_object_abort_and_destroy(idev->ictx, &hwpt->obj);
616 out_unlock:
617 mutex_unlock(&ioas->mutex);
618 return destroy_hwpt;
619 }
620
621 static int iommufd_device_change_pt(struct iommufd_device *idev, u32 *pt_id,
622 attach_fn do_attach)
623 {
624 struct iommufd_hw_pagetable *destroy_hwpt;
625 struct iommufd_object *pt_obj;
626
627 pt_obj = iommufd_get_object(idev->ictx, *pt_id, IOMMUFD_OBJ_ANY);
628 if (IS_ERR(pt_obj))
629 return PTR_ERR(pt_obj);
630
631 switch (pt_obj->type) {
632 case IOMMUFD_OBJ_HWPT_NESTED:
633 case IOMMUFD_OBJ_HWPT_PAGING: {
634 struct iommufd_hw_pagetable *hwpt =
635 container_of(pt_obj, struct iommufd_hw_pagetable, obj);
636
637 destroy_hwpt = (*do_attach)(idev, hwpt);
638 if (IS_ERR(destroy_hwpt))
639 goto out_put_pt_obj;
640 break;
641 }
642 case IOMMUFD_OBJ_IOAS: {
643 struct iommufd_ioas *ioas =
644 container_of(pt_obj, struct iommufd_ioas, obj);
645
646 destroy_hwpt = iommufd_device_auto_get_domain(idev, ioas, pt_id,
647 do_attach);
648 if (IS_ERR(destroy_hwpt))
649 goto out_put_pt_obj;
650 break;
651 }
652 default:
653 destroy_hwpt = ERR_PTR(-EINVAL);
654 goto out_put_pt_obj;
655 }
656 iommufd_put_object(idev->ictx, pt_obj);
657
658 /* This destruction has to be after we unlock everything */
659 if (destroy_hwpt)
660 iommufd_hw_pagetable_put(idev->ictx, destroy_hwpt);
661 return 0;
662
663 out_put_pt_obj:
664 iommufd_put_object(idev->ictx, pt_obj);
665 return PTR_ERR(destroy_hwpt);
666 }
667
668 /**
669 * iommufd_device_attach - Connect a device to an iommu_domain
670 * @idev: device to attach
671 * @pt_id: Input a IOMMUFD_OBJ_IOAS, or IOMMUFD_OBJ_HWPT_PAGING
672 * Output the IOMMUFD_OBJ_HWPT_PAGING ID
673 *
674 * This connects the device to an iommu_domain, either automatically or manually
675 * selected. Once this completes the device could do DMA.
676 *
677 * The caller should return the resulting pt_id back to userspace.
678 * This function is undone by calling iommufd_device_detach().
679 */
680 int iommufd_device_attach(struct iommufd_device *idev, u32 *pt_id)
681 {
682 int rc;
683
684 rc = iommufd_device_change_pt(idev, pt_id, &iommufd_device_do_attach);
685 if (rc)
686 return rc;
687
688 /*
689 * Pairs with iommufd_device_detach() - catches caller bugs attempting
690 * to destroy a device with an attachment.
691 */
692 refcount_inc(&idev->obj.users);
693 return 0;
694 }
695 EXPORT_SYMBOL_NS_GPL(iommufd_device_attach, IOMMUFD);
696
697 /**
698 * iommufd_device_replace - Change the device's iommu_domain
699 * @idev: device to change
700 * @pt_id: Input a IOMMUFD_OBJ_IOAS, or IOMMUFD_OBJ_HWPT_PAGING
701 * Output the IOMMUFD_OBJ_HWPT_PAGING ID
702 *
703 * This is the same as::
704 *
705 * iommufd_device_detach();
706 * iommufd_device_attach();
707 *
708 * If it fails then no change is made to the attachment. The iommu driver may
709 * implement this so there is no disruption in translation. This can only be
710 * called if iommufd_device_attach() has already succeeded.
711 */
712 int iommufd_device_replace(struct iommufd_device *idev, u32 *pt_id)
713 {
714 return iommufd_device_change_pt(idev, pt_id,
715 &iommufd_device_do_replace);
716 }
717 EXPORT_SYMBOL_NS_GPL(iommufd_device_replace, IOMMUFD);
718
719 /**
720 * iommufd_device_detach - Disconnect a device to an iommu_domain
721 * @idev: device to detach
722 *
723 * Undo iommufd_device_attach(). This disconnects the idev from the previously
724 * attached pt_id. The device returns back to a blocked DMA translation.
725 */
726 void iommufd_device_detach(struct iommufd_device *idev)
727 {
728 struct iommufd_hw_pagetable *hwpt;
729
730 hwpt = iommufd_hw_pagetable_detach(idev);
731 iommufd_hw_pagetable_put(idev->ictx, hwpt);
732 refcount_dec(&idev->obj.users);
733 }
734 EXPORT_SYMBOL_NS_GPL(iommufd_device_detach, IOMMUFD);
735
736 /*
737 * On success, it will refcount_inc() at a valid new_ioas and refcount_dec() at
738 * a valid cur_ioas (access->ioas). A caller passing in a valid new_ioas should
739 * call iommufd_put_object() if it does an iommufd_get_object() for a new_ioas.
740 */
741 static int iommufd_access_change_ioas(struct iommufd_access *access,
742 struct iommufd_ioas *new_ioas)
743 {
744 u32 iopt_access_list_id = access->iopt_access_list_id;
745 struct iommufd_ioas *cur_ioas = access->ioas;
746 int rc;
747
748 lockdep_assert_held(&access->ioas_lock);
749
750 /* We are racing with a concurrent detach, bail */
751 if (cur_ioas != access->ioas_unpin)
752 return -EBUSY;
753
754 if (cur_ioas == new_ioas)
755 return 0;
756
757 /*
758 * Set ioas to NULL to block any further iommufd_access_pin_pages().
759 * iommufd_access_unpin_pages() can continue using access->ioas_unpin.
760 */
761 access->ioas = NULL;
762
763 if (new_ioas) {
764 rc = iopt_add_access(&new_ioas->iopt, access);
765 if (rc) {
766 access->ioas = cur_ioas;
767 return rc;
768 }
769 refcount_inc(&new_ioas->obj.users);
770 }
771
772 if (cur_ioas) {
773 if (access->ops->unmap) {
774 mutex_unlock(&access->ioas_lock);
775 access->ops->unmap(access->data, 0, ULONG_MAX);
776 mutex_lock(&access->ioas_lock);
777 }
778 iopt_remove_access(&cur_ioas->iopt, access, iopt_access_list_id);
779 refcount_dec(&cur_ioas->obj.users);
780 }
781
782 access->ioas = new_ioas;
783 access->ioas_unpin = new_ioas;
784
785 return 0;
786 }
787
788 static int iommufd_access_change_ioas_id(struct iommufd_access *access, u32 id)
789 {
790 struct iommufd_ioas *ioas = iommufd_get_ioas(access->ictx, id);
791 int rc;
792
793 if (IS_ERR(ioas))
794 return PTR_ERR(ioas);
795 rc = iommufd_access_change_ioas(access, ioas);
796 iommufd_put_object(access->ictx, &ioas->obj);
797 return rc;
798 }
799
800 void iommufd_access_destroy_object(struct iommufd_object *obj)
801 {
802 struct iommufd_access *access =
803 container_of(obj, struct iommufd_access, obj);
804
805 mutex_lock(&access->ioas_lock);
806 if (access->ioas)
807 WARN_ON(iommufd_access_change_ioas(access, NULL));
808 mutex_unlock(&access->ioas_lock);
809 iommufd_ctx_put(access->ictx);
810 }
811
812 /**
813 * iommufd_access_create - Create an iommufd_access
814 * @ictx: iommufd file descriptor
815 * @ops: Driver's ops to associate with the access
816 * @data: Opaque data to pass into ops functions
817 * @id: Output ID number to return to userspace for this access
818 *
819 * An iommufd_access allows a driver to read/write to the IOAS without using
820 * DMA. The underlying CPU memory can be accessed using the
821 * iommufd_access_pin_pages() or iommufd_access_rw() functions.
822 *
823 * The provided ops are required to use iommufd_access_pin_pages().
824 */
825 struct iommufd_access *
826 iommufd_access_create(struct iommufd_ctx *ictx,
827 const struct iommufd_access_ops *ops, void *data, u32 *id)
828 {
829 struct iommufd_access *access;
830
831 /*
832 * There is no uAPI for the access object, but to keep things symmetric
833 * use the object infrastructure anyhow.
834 */
835 access = iommufd_object_alloc(ictx, access, IOMMUFD_OBJ_ACCESS);
836 if (IS_ERR(access))
837 return access;
838
839 access->data = data;
840 access->ops = ops;
841
842 if (ops->needs_pin_pages)
843 access->iova_alignment = PAGE_SIZE;
844 else
845 access->iova_alignment = 1;
846
847 /* The calling driver is a user until iommufd_access_destroy() */
848 refcount_inc(&access->obj.users);
849 access->ictx = ictx;
850 iommufd_ctx_get(ictx);
851 iommufd_object_finalize(ictx, &access->obj);
852 *id = access->obj.id;
853 mutex_init(&access->ioas_lock);
854 return access;
855 }
856 EXPORT_SYMBOL_NS_GPL(iommufd_access_create, IOMMUFD);
857
858 /**
859 * iommufd_access_destroy - Destroy an iommufd_access
860 * @access: The access to destroy
861 *
862 * The caller must stop using the access before destroying it.
863 */
864 void iommufd_access_destroy(struct iommufd_access *access)
865 {
866 iommufd_object_destroy_user(access->ictx, &access->obj);
867 }
868 EXPORT_SYMBOL_NS_GPL(iommufd_access_destroy, IOMMUFD);
869
870 void iommufd_access_detach(struct iommufd_access *access)
871 {
872 mutex_lock(&access->ioas_lock);
873 if (WARN_ON(!access->ioas)) {
874 mutex_unlock(&access->ioas_lock);
875 return;
876 }
877 WARN_ON(iommufd_access_change_ioas(access, NULL));
878 mutex_unlock(&access->ioas_lock);
879 }
880 EXPORT_SYMBOL_NS_GPL(iommufd_access_detach, IOMMUFD);
881
882 int iommufd_access_attach(struct iommufd_access *access, u32 ioas_id)
883 {
884 int rc;
885
886 mutex_lock(&access->ioas_lock);
887 if (WARN_ON(access->ioas)) {
888 mutex_unlock(&access->ioas_lock);
889 return -EINVAL;
890 }
891
892 rc = iommufd_access_change_ioas_id(access, ioas_id);
893 mutex_unlock(&access->ioas_lock);
894 return rc;
895 }
896 EXPORT_SYMBOL_NS_GPL(iommufd_access_attach, IOMMUFD);
897
898 int iommufd_access_replace(struct iommufd_access *access, u32 ioas_id)
899 {
900 int rc;
901
902 mutex_lock(&access->ioas_lock);
903 if (!access->ioas) {
904 mutex_unlock(&access->ioas_lock);
905 return -ENOENT;
906 }
907 rc = iommufd_access_change_ioas_id(access, ioas_id);
908 mutex_unlock(&access->ioas_lock);
909 return rc;
910 }
911 EXPORT_SYMBOL_NS_GPL(iommufd_access_replace, IOMMUFD);
912
913 /**
914 * iommufd_access_notify_unmap - Notify users of an iopt to stop using it
915 * @iopt: iopt to work on
916 * @iova: Starting iova in the iopt
917 * @length: Number of bytes
918 *
919 * After this function returns there should be no users attached to the pages
920 * linked to this iopt that intersect with iova,length. Anyone that has attached
921 * a user through iopt_access_pages() needs to detach it through
922 * iommufd_access_unpin_pages() before this function returns.
923 *
924 * iommufd_access_destroy() will wait for any outstanding unmap callback to
925 * complete. Once iommufd_access_destroy() no unmap ops are running or will
926 * run in the future. Due to this a driver must not create locking that prevents
927 * unmap to complete while iommufd_access_destroy() is running.
928 */
929 void iommufd_access_notify_unmap(struct io_pagetable *iopt, unsigned long iova,
930 unsigned long length)
931 {
932 struct iommufd_ioas *ioas =
933 container_of(iopt, struct iommufd_ioas, iopt);
934 struct iommufd_access *access;
935 unsigned long index;
936
937 xa_lock(&ioas->iopt.access_list);
938 xa_for_each(&ioas->iopt.access_list, index, access) {
939 if (!iommufd_lock_obj(&access->obj))
940 continue;
941 xa_unlock(&ioas->iopt.access_list);
942
943 access->ops->unmap(access->data, iova, length);
944
945 iommufd_put_object(access->ictx, &access->obj);
946 xa_lock(&ioas->iopt.access_list);
947 }
948 xa_unlock(&ioas->iopt.access_list);
949 }
950
951 /**
952 * iommufd_access_unpin_pages() - Undo iommufd_access_pin_pages
953 * @access: IOAS access to act on
954 * @iova: Starting IOVA
955 * @length: Number of bytes to access
956 *
957 * Return the struct page's. The caller must stop accessing them before calling
958 * this. The iova/length must exactly match the one provided to access_pages.
959 */
960 void iommufd_access_unpin_pages(struct iommufd_access *access,
961 unsigned long iova, unsigned long length)
962 {
963 struct iopt_area_contig_iter iter;
964 struct io_pagetable *iopt;
965 unsigned long last_iova;
966 struct iopt_area *area;
967
968 if (WARN_ON(!length) ||
969 WARN_ON(check_add_overflow(iova, length - 1, &last_iova)))
970 return;
971
972 mutex_lock(&access->ioas_lock);
973 /*
974 * The driver must be doing something wrong if it calls this before an
975 * iommufd_access_attach() or after an iommufd_access_detach().
976 */
977 if (WARN_ON(!access->ioas_unpin)) {
978 mutex_unlock(&access->ioas_lock);
979 return;
980 }
981 iopt = &access->ioas_unpin->iopt;
982
983 down_read(&iopt->iova_rwsem);
984 iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
985 iopt_area_remove_access(
986 area, iopt_area_iova_to_index(area, iter.cur_iova),
987 iopt_area_iova_to_index(
988 area,
989 min(last_iova, iopt_area_last_iova(area))));
990 WARN_ON(!iopt_area_contig_done(&iter));
991 up_read(&iopt->iova_rwsem);
992 mutex_unlock(&access->ioas_lock);
993 }
994 EXPORT_SYMBOL_NS_GPL(iommufd_access_unpin_pages, IOMMUFD);
995
996 static bool iopt_area_contig_is_aligned(struct iopt_area_contig_iter *iter)
997 {
998 if (iopt_area_start_byte(iter->area, iter->cur_iova) % PAGE_SIZE)
999 return false;
1000
1001 if (!iopt_area_contig_done(iter) &&
1002 (iopt_area_start_byte(iter->area, iopt_area_last_iova(iter->area)) %
1003 PAGE_SIZE) != (PAGE_SIZE - 1))
1004 return false;
1005 return true;
1006 }
1007
1008 static bool check_area_prot(struct iopt_area *area, unsigned int flags)
1009 {
1010 if (flags & IOMMUFD_ACCESS_RW_WRITE)
1011 return area->iommu_prot & IOMMU_WRITE;
1012 return area->iommu_prot & IOMMU_READ;
1013 }
1014
1015 /**
1016 * iommufd_access_pin_pages() - Return a list of pages under the iova
1017 * @access: IOAS access to act on
1018 * @iova: Starting IOVA
1019 * @length: Number of bytes to access
1020 * @out_pages: Output page list
1021 * @flags: IOPMMUFD_ACCESS_RW_* flags
1022 *
1023 * Reads @length bytes starting at iova and returns the struct page * pointers.
1024 * These can be kmap'd by the caller for CPU access.
1025 *
1026 * The caller must perform iommufd_access_unpin_pages() when done to balance
1027 * this.
1028 *
1029 * This API always requires a page aligned iova. This happens naturally if the
1030 * ioas alignment is >= PAGE_SIZE and the iova is PAGE_SIZE aligned. However
1031 * smaller alignments have corner cases where this API can fail on otherwise
1032 * aligned iova.
1033 */
1034 int iommufd_access_pin_pages(struct iommufd_access *access, unsigned long iova,
1035 unsigned long length, struct page **out_pages,
1036 unsigned int flags)
1037 {
1038 struct iopt_area_contig_iter iter;
1039 struct io_pagetable *iopt;
1040 unsigned long last_iova;
1041 struct iopt_area *area;
1042 int rc;
1043
1044 /* Driver's ops don't support pin_pages */
1045 if (IS_ENABLED(CONFIG_IOMMUFD_TEST) &&
1046 WARN_ON(access->iova_alignment != PAGE_SIZE || !access->ops->unmap))
1047 return -EINVAL;
1048
1049 if (!length)
1050 return -EINVAL;
1051 if (check_add_overflow(iova, length - 1, &last_iova))
1052 return -EOVERFLOW;
1053
1054 mutex_lock(&access->ioas_lock);
1055 if (!access->ioas) {
1056 mutex_unlock(&access->ioas_lock);
1057 return -ENOENT;
1058 }
1059 iopt = &access->ioas->iopt;
1060
1061 down_read(&iopt->iova_rwsem);
1062 iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {
1063 unsigned long last = min(last_iova, iopt_area_last_iova(area));
1064 unsigned long last_index = iopt_area_iova_to_index(area, last);
1065 unsigned long index =
1066 iopt_area_iova_to_index(area, iter.cur_iova);
1067
1068 if (area->prevent_access ||
1069 !iopt_area_contig_is_aligned(&iter)) {
1070 rc = -EINVAL;
1071 goto err_remove;
1072 }
1073
1074 if (!check_area_prot(area, flags)) {
1075 rc = -EPERM;
1076 goto err_remove;
1077 }
1078
1079 rc = iopt_area_add_access(area, index, last_index, out_pages,
1080 flags);
1081 if (rc)
1082 goto err_remove;
1083 out_pages += last_index - index + 1;
1084 }
1085 if (!iopt_area_contig_done(&iter)) {
1086 rc = -ENOENT;
1087 goto err_remove;
1088 }
1089
1090 up_read(&iopt->iova_rwsem);
1091 mutex_unlock(&access->ioas_lock);
1092 return 0;
1093
1094 err_remove:
1095 if (iova < iter.cur_iova) {
1096 last_iova = iter.cur_iova - 1;
1097 iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
1098 iopt_area_remove_access(
1099 area,
1100 iopt_area_iova_to_index(area, iter.cur_iova),
1101 iopt_area_iova_to_index(
1102 area, min(last_iova,
1103 iopt_area_last_iova(area))));
1104 }
1105 up_read(&iopt->iova_rwsem);
1106 mutex_unlock(&access->ioas_lock);
1107 return rc;
1108 }
1109 EXPORT_SYMBOL_NS_GPL(iommufd_access_pin_pages, IOMMUFD);
1110
1111 /**
1112 * iommufd_access_rw - Read or write data under the iova
1113 * @access: IOAS access to act on
1114 * @iova: Starting IOVA
1115 * @data: Kernel buffer to copy to/from
1116 * @length: Number of bytes to access
1117 * @flags: IOMMUFD_ACCESS_RW_* flags
1118 *
1119 * Copy kernel to/from data into the range given by IOVA/length. If flags
1120 * indicates IOMMUFD_ACCESS_RW_KTHREAD then a large copy can be optimized
1121 * by changing it into copy_to/from_user().
1122 */
1123 int iommufd_access_rw(struct iommufd_access *access, unsigned long iova,
1124 void *data, size_t length, unsigned int flags)
1125 {
1126 struct iopt_area_contig_iter iter;
1127 struct io_pagetable *iopt;
1128 struct iopt_area *area;
1129 unsigned long last_iova;
1130 int rc;
1131
1132 if (!length)
1133 return -EINVAL;
1134 if (check_add_overflow(iova, length - 1, &last_iova))
1135 return -EOVERFLOW;
1136
1137 mutex_lock(&access->ioas_lock);
1138 if (!access->ioas) {
1139 mutex_unlock(&access->ioas_lock);
1140 return -ENOENT;
1141 }
1142 iopt = &access->ioas->iopt;
1143
1144 down_read(&iopt->iova_rwsem);
1145 iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {
1146 unsigned long last = min(last_iova, iopt_area_last_iova(area));
1147 unsigned long bytes = (last - iter.cur_iova) + 1;
1148
1149 if (area->prevent_access) {
1150 rc = -EINVAL;
1151 goto err_out;
1152 }
1153
1154 if (!check_area_prot(area, flags)) {
1155 rc = -EPERM;
1156 goto err_out;
1157 }
1158
1159 rc = iopt_pages_rw_access(
1160 area->pages, iopt_area_start_byte(area, iter.cur_iova),
1161 data, bytes, flags);
1162 if (rc)
1163 goto err_out;
1164 data += bytes;
1165 }
1166 if (!iopt_area_contig_done(&iter))
1167 rc = -ENOENT;
1168 err_out:
1169 up_read(&iopt->iova_rwsem);
1170 mutex_unlock(&access->ioas_lock);
1171 return rc;
1172 }
1173 EXPORT_SYMBOL_NS_GPL(iommufd_access_rw, IOMMUFD);
1174
1175 int iommufd_get_hw_info(struct iommufd_ucmd *ucmd)
1176 {
1177 struct iommu_hw_info *cmd = ucmd->cmd;
1178 void __user *user_ptr = u64_to_user_ptr(cmd->data_uptr);
1179 const struct iommu_ops *ops;
1180 struct iommufd_device *idev;
1181 unsigned int data_len;
1182 unsigned int copy_len;
1183 void *data;
1184 int rc;
1185
1186 if (cmd->flags || cmd->__reserved)
1187 return -EOPNOTSUPP;
1188
1189 idev = iommufd_get_device(ucmd, cmd->dev_id);
1190 if (IS_ERR(idev))
1191 return PTR_ERR(idev);
1192
1193 ops = dev_iommu_ops(idev->dev);
1194 if (ops->hw_info) {
1195 data = ops->hw_info(idev->dev, &data_len, &cmd->out_data_type);
1196 if (IS_ERR(data)) {
1197 rc = PTR_ERR(data);
1198 goto out_put;
1199 }
1200
1201 /*
1202 * drivers that have hw_info callback should have a unique
1203 * iommu_hw_info_type.
1204 */
1205 if (WARN_ON_ONCE(cmd->out_data_type ==
1206 IOMMU_HW_INFO_TYPE_NONE)) {
1207 rc = -ENODEV;
1208 goto out_free;
1209 }
1210 } else {
1211 cmd->out_data_type = IOMMU_HW_INFO_TYPE_NONE;
1212 data_len = 0;
1213 data = NULL;
1214 }
1215
1216 copy_len = min(cmd->data_len, data_len);
1217 if (copy_to_user(user_ptr, data, copy_len)) {
1218 rc = -EFAULT;
1219 goto out_free;
1220 }
1221
1222 /*
1223 * Zero the trailing bytes if the user buffer is bigger than the
1224 * data size kernel actually has.
1225 */
1226 if (copy_len < cmd->data_len) {
1227 if (clear_user(user_ptr + copy_len, cmd->data_len - copy_len)) {
1228 rc = -EFAULT;
1229 goto out_free;
1230 }
1231 }
1232
1233 /*
1234 * We return the length the kernel supports so userspace may know what
1235 * the kernel capability is. It could be larger than the input buffer.
1236 */
1237 cmd->data_len = data_len;
1238
1239 cmd->out_capabilities = 0;
1240 if (device_iommu_capable(idev->dev, IOMMU_CAP_DIRTY_TRACKING))
1241 cmd->out_capabilities |= IOMMU_HW_CAP_DIRTY_TRACKING;
1242
1243 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
1244 out_free:
1245 kfree(data);
1246 out_put:
1247 iommufd_put_object(ucmd->ictx, &idev->obj);
1248 return rc;
1249 }
Kernel DRM miscellaneous fixes and cross-tree changes