xref: /linux/drivers/iommu/iommufd/device.c (revision c532de5a67a70f8533d495f8f2aaa9a0491c3ad0)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES
3  */
4 #include <linux/iommu.h>
5 #include <linux/iommufd.h>
6 #include <linux/slab.h>
7 #include <uapi/linux/iommufd.h>
8 
9 #include "../iommu-priv.h"
10 #include "io_pagetable.h"
11 #include "iommufd_private.h"
12 
13 static bool allow_unsafe_interrupts;
14 module_param(allow_unsafe_interrupts, bool, S_IRUGO | S_IWUSR);
15 MODULE_PARM_DESC(
16 	allow_unsafe_interrupts,
17 	"Allow IOMMUFD to bind to devices even if the platform cannot isolate "
18 	"the MSI interrupt window. Enabling this is a security weakness.");
19 
20 static void iommufd_group_release(struct kref *kref)
21 {
22 	struct iommufd_group *igroup =
23 		container_of(kref, struct iommufd_group, ref);
24 
25 	WARN_ON(igroup->hwpt || !list_empty(&igroup->device_list));
26 
27 	xa_cmpxchg(&igroup->ictx->groups, iommu_group_id(igroup->group), igroup,
28 		   NULL, GFP_KERNEL);
29 	iommu_group_put(igroup->group);
30 	mutex_destroy(&igroup->lock);
31 	kfree(igroup);
32 }
33 
34 static void iommufd_put_group(struct iommufd_group *group)
35 {
36 	kref_put(&group->ref, iommufd_group_release);
37 }
38 
39 static bool iommufd_group_try_get(struct iommufd_group *igroup,
40 				  struct iommu_group *group)
41 {
42 	if (!igroup)
43 		return false;
44 	/*
45 	 * group ID's cannot be re-used until the group is put back which does
46 	 * not happen if we could get an igroup pointer under the xa_lock.
47 	 */
48 	if (WARN_ON(igroup->group != group))
49 		return false;
50 	return kref_get_unless_zero(&igroup->ref);
51 }
52 
53 /*
54  * iommufd needs to store some more data for each iommu_group, we keep a
55  * parallel xarray indexed by iommu_group id to hold this instead of putting it
56  * in the core structure. To keep things simple the iommufd_group memory is
57  * unique within the iommufd_ctx. This makes it easy to check there are no
58  * memory leaks.
59  */
60 static struct iommufd_group *iommufd_get_group(struct iommufd_ctx *ictx,
61 					       struct device *dev)
62 {
63 	struct iommufd_group *new_igroup;
64 	struct iommufd_group *cur_igroup;
65 	struct iommufd_group *igroup;
66 	struct iommu_group *group;
67 	unsigned int id;
68 
69 	group = iommu_group_get(dev);
70 	if (!group)
71 		return ERR_PTR(-ENODEV);
72 
73 	id = iommu_group_id(group);
74 
75 	xa_lock(&ictx->groups);
76 	igroup = xa_load(&ictx->groups, id);
77 	if (iommufd_group_try_get(igroup, group)) {
78 		xa_unlock(&ictx->groups);
79 		iommu_group_put(group);
80 		return igroup;
81 	}
82 	xa_unlock(&ictx->groups);
83 
84 	new_igroup = kzalloc(sizeof(*new_igroup), GFP_KERNEL);
85 	if (!new_igroup) {
86 		iommu_group_put(group);
87 		return ERR_PTR(-ENOMEM);
88 	}
89 
90 	kref_init(&new_igroup->ref);
91 	mutex_init(&new_igroup->lock);
92 	INIT_LIST_HEAD(&new_igroup->device_list);
93 	new_igroup->sw_msi_start = PHYS_ADDR_MAX;
94 	/* group reference moves into new_igroup */
95 	new_igroup->group = group;
96 
97 	/*
98 	 * The ictx is not additionally refcounted here becase all objects using
99 	 * an igroup must put it before their destroy completes.
100 	 */
101 	new_igroup->ictx = ictx;
102 
103 	/*
104 	 * We dropped the lock so igroup is invalid. NULL is a safe and likely
105 	 * value to assume for the xa_cmpxchg algorithm.
106 	 */
107 	cur_igroup = NULL;
108 	xa_lock(&ictx->groups);
109 	while (true) {
110 		igroup = __xa_cmpxchg(&ictx->groups, id, cur_igroup, new_igroup,
111 				      GFP_KERNEL);
112 		if (xa_is_err(igroup)) {
113 			xa_unlock(&ictx->groups);
114 			iommufd_put_group(new_igroup);
115 			return ERR_PTR(xa_err(igroup));
116 		}
117 
118 		/* new_group was successfully installed */
119 		if (cur_igroup == igroup) {
120 			xa_unlock(&ictx->groups);
121 			return new_igroup;
122 		}
123 
124 		/* Check again if the current group is any good */
125 		if (iommufd_group_try_get(igroup, group)) {
126 			xa_unlock(&ictx->groups);
127 			iommufd_put_group(new_igroup);
128 			return igroup;
129 		}
130 		cur_igroup = igroup;
131 	}
132 }
133 
134 void iommufd_device_destroy(struct iommufd_object *obj)
135 {
136 	struct iommufd_device *idev =
137 		container_of(obj, struct iommufd_device, obj);
138 
139 	iommu_device_release_dma_owner(idev->dev);
140 	iommufd_put_group(idev->igroup);
141 	if (!iommufd_selftest_is_mock_dev(idev->dev))
142 		iommufd_ctx_put(idev->ictx);
143 }
144 
145 /**
146  * iommufd_device_bind - Bind a physical device to an iommu fd
147  * @ictx: iommufd file descriptor
148  * @dev: Pointer to a physical device struct
149  * @id: Output ID number to return to userspace for this device
150  *
151  * A successful bind establishes an ownership over the device and returns
152  * struct iommufd_device pointer, otherwise returns error pointer.
153  *
154  * A driver using this API must set driver_managed_dma and must not touch
155  * the device until this routine succeeds and establishes ownership.
156  *
157  * Binding a PCI device places the entire RID under iommufd control.
158  *
159  * The caller must undo this with iommufd_device_unbind()
160  */
161 struct iommufd_device *iommufd_device_bind(struct iommufd_ctx *ictx,
162 					   struct device *dev, u32 *id)
163 {
164 	struct iommufd_device *idev;
165 	struct iommufd_group *igroup;
166 	int rc;
167 
168 	/*
169 	 * iommufd always sets IOMMU_CACHE because we offer no way for userspace
170 	 * to restore cache coherency.
171 	 */
172 	if (!device_iommu_capable(dev, IOMMU_CAP_CACHE_COHERENCY))
173 		return ERR_PTR(-EINVAL);
174 
175 	igroup = iommufd_get_group(ictx, dev);
176 	if (IS_ERR(igroup))
177 		return ERR_CAST(igroup);
178 
179 	/*
180 	 * For historical compat with VFIO the insecure interrupt path is
181 	 * allowed if the module parameter is set. Secure/Isolated means that a
182 	 * MemWr operation from the device (eg a simple DMA) cannot trigger an
183 	 * interrupt outside this iommufd context.
184 	 */
185 	if (!iommufd_selftest_is_mock_dev(dev) &&
186 	    !iommu_group_has_isolated_msi(igroup->group)) {
187 		if (!allow_unsafe_interrupts) {
188 			rc = -EPERM;
189 			goto out_group_put;
190 		}
191 
192 		dev_warn(
193 			dev,
194 			"MSI interrupts are not secure, they cannot be isolated by the platform. "
195 			"Check that platform features like interrupt remapping are enabled. "
196 			"Use the \"allow_unsafe_interrupts\" module parameter to override\n");
197 	}
198 
199 	rc = iommu_device_claim_dma_owner(dev, ictx);
200 	if (rc)
201 		goto out_group_put;
202 
203 	idev = iommufd_object_alloc(ictx, idev, IOMMUFD_OBJ_DEVICE);
204 	if (IS_ERR(idev)) {
205 		rc = PTR_ERR(idev);
206 		goto out_release_owner;
207 	}
208 	idev->ictx = ictx;
209 	if (!iommufd_selftest_is_mock_dev(dev))
210 		iommufd_ctx_get(ictx);
211 	idev->dev = dev;
212 	idev->enforce_cache_coherency =
213 		device_iommu_capable(dev, IOMMU_CAP_ENFORCE_CACHE_COHERENCY);
214 	/* The calling driver is a user until iommufd_device_unbind() */
215 	refcount_inc(&idev->obj.users);
216 	/* igroup refcount moves into iommufd_device */
217 	idev->igroup = igroup;
218 	mutex_init(&idev->iopf_lock);
219 
220 	/*
221 	 * If the caller fails after this success it must call
222 	 * iommufd_unbind_device() which is safe since we hold this refcount.
223 	 * This also means the device is a leaf in the graph and no other object
224 	 * can take a reference on it.
225 	 */
226 	iommufd_object_finalize(ictx, &idev->obj);
227 	*id = idev->obj.id;
228 	return idev;
229 
230 out_release_owner:
231 	iommu_device_release_dma_owner(dev);
232 out_group_put:
233 	iommufd_put_group(igroup);
234 	return ERR_PTR(rc);
235 }
236 EXPORT_SYMBOL_NS_GPL(iommufd_device_bind, IOMMUFD);
237 
238 /**
239  * iommufd_ctx_has_group - True if any device within the group is bound
240  *                         to the ictx
241  * @ictx: iommufd file descriptor
242  * @group: Pointer to a physical iommu_group struct
243  *
244  * True if any device within the group has been bound to this ictx, ex. via
245  * iommufd_device_bind(), therefore implying ictx ownership of the group.
246  */
247 bool iommufd_ctx_has_group(struct iommufd_ctx *ictx, struct iommu_group *group)
248 {
249 	struct iommufd_object *obj;
250 	unsigned long index;
251 
252 	if (!ictx || !group)
253 		return false;
254 
255 	xa_lock(&ictx->objects);
256 	xa_for_each(&ictx->objects, index, obj) {
257 		if (obj->type == IOMMUFD_OBJ_DEVICE &&
258 		    container_of(obj, struct iommufd_device, obj)
259 				    ->igroup->group == group) {
260 			xa_unlock(&ictx->objects);
261 			return true;
262 		}
263 	}
264 	xa_unlock(&ictx->objects);
265 	return false;
266 }
267 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_has_group, IOMMUFD);
268 
269 /**
270  * iommufd_device_unbind - Undo iommufd_device_bind()
271  * @idev: Device returned by iommufd_device_bind()
272  *
273  * Release the device from iommufd control. The DMA ownership will return back
274  * to unowned with DMA controlled by the DMA API. This invalidates the
275  * iommufd_device pointer, other APIs that consume it must not be called
276  * concurrently.
277  */
278 void iommufd_device_unbind(struct iommufd_device *idev)
279 {
280 	iommufd_object_destroy_user(idev->ictx, &idev->obj);
281 }
282 EXPORT_SYMBOL_NS_GPL(iommufd_device_unbind, IOMMUFD);
283 
284 struct iommufd_ctx *iommufd_device_to_ictx(struct iommufd_device *idev)
285 {
286 	return idev->ictx;
287 }
288 EXPORT_SYMBOL_NS_GPL(iommufd_device_to_ictx, IOMMUFD);
289 
290 u32 iommufd_device_to_id(struct iommufd_device *idev)
291 {
292 	return idev->obj.id;
293 }
294 EXPORT_SYMBOL_NS_GPL(iommufd_device_to_id, IOMMUFD);
295 
296 static int iommufd_group_setup_msi(struct iommufd_group *igroup,
297 				   struct iommufd_hwpt_paging *hwpt_paging)
298 {
299 	phys_addr_t sw_msi_start = igroup->sw_msi_start;
300 	int rc;
301 
302 	/*
303 	 * If the IOMMU driver gives a IOMMU_RESV_SW_MSI then it is asking us to
304 	 * call iommu_get_msi_cookie() on its behalf. This is necessary to setup
305 	 * the MSI window so iommu_dma_prepare_msi() can install pages into our
306 	 * domain after request_irq(). If it is not done interrupts will not
307 	 * work on this domain.
308 	 *
309 	 * FIXME: This is conceptually broken for iommufd since we want to allow
310 	 * userspace to change the domains, eg switch from an identity IOAS to a
311 	 * DMA IOAS. There is currently no way to create a MSI window that
312 	 * matches what the IRQ layer actually expects in a newly created
313 	 * domain.
314 	 */
315 	if (sw_msi_start != PHYS_ADDR_MAX && !hwpt_paging->msi_cookie) {
316 		rc = iommu_get_msi_cookie(hwpt_paging->common.domain,
317 					  sw_msi_start);
318 		if (rc)
319 			return rc;
320 
321 		/*
322 		 * iommu_get_msi_cookie() can only be called once per domain,
323 		 * it returns -EBUSY on later calls.
324 		 */
325 		hwpt_paging->msi_cookie = true;
326 	}
327 	return 0;
328 }
329 
330 static int
331 iommufd_device_attach_reserved_iova(struct iommufd_device *idev,
332 				    struct iommufd_hwpt_paging *hwpt_paging)
333 {
334 	int rc;
335 
336 	lockdep_assert_held(&idev->igroup->lock);
337 
338 	rc = iopt_table_enforce_dev_resv_regions(&hwpt_paging->ioas->iopt,
339 						 idev->dev,
340 						 &idev->igroup->sw_msi_start);
341 	if (rc)
342 		return rc;
343 
344 	if (list_empty(&idev->igroup->device_list)) {
345 		rc = iommufd_group_setup_msi(idev->igroup, hwpt_paging);
346 		if (rc) {
347 			iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt,
348 						  idev->dev);
349 			return rc;
350 		}
351 	}
352 	return 0;
353 }
354 
355 int iommufd_hw_pagetable_attach(struct iommufd_hw_pagetable *hwpt,
356 				struct iommufd_device *idev)
357 {
358 	struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
359 	int rc;
360 
361 	mutex_lock(&idev->igroup->lock);
362 
363 	if (idev->igroup->hwpt != NULL && idev->igroup->hwpt != hwpt) {
364 		rc = -EINVAL;
365 		goto err_unlock;
366 	}
367 
368 	if (hwpt_paging) {
369 		rc = iommufd_device_attach_reserved_iova(idev, hwpt_paging);
370 		if (rc)
371 			goto err_unlock;
372 	}
373 
374 	/*
375 	 * Only attach to the group once for the first device that is in the
376 	 * group. All the other devices will follow this attachment. The user
377 	 * should attach every device individually to the hwpt as the per-device
378 	 * reserved regions are only updated during individual device
379 	 * attachment.
380 	 */
381 	if (list_empty(&idev->igroup->device_list)) {
382 		rc = iommufd_hwpt_attach_device(hwpt, idev);
383 		if (rc)
384 			goto err_unresv;
385 		idev->igroup->hwpt = hwpt;
386 	}
387 	refcount_inc(&hwpt->obj.users);
388 	list_add_tail(&idev->group_item, &idev->igroup->device_list);
389 	mutex_unlock(&idev->igroup->lock);
390 	return 0;
391 err_unresv:
392 	if (hwpt_paging)
393 		iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, idev->dev);
394 err_unlock:
395 	mutex_unlock(&idev->igroup->lock);
396 	return rc;
397 }
398 
399 struct iommufd_hw_pagetable *
400 iommufd_hw_pagetable_detach(struct iommufd_device *idev)
401 {
402 	struct iommufd_hw_pagetable *hwpt = idev->igroup->hwpt;
403 	struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
404 
405 	mutex_lock(&idev->igroup->lock);
406 	list_del(&idev->group_item);
407 	if (list_empty(&idev->igroup->device_list)) {
408 		iommufd_hwpt_detach_device(hwpt, idev);
409 		idev->igroup->hwpt = NULL;
410 	}
411 	if (hwpt_paging)
412 		iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, idev->dev);
413 	mutex_unlock(&idev->igroup->lock);
414 
415 	/* Caller must destroy hwpt */
416 	return hwpt;
417 }
418 
419 static struct iommufd_hw_pagetable *
420 iommufd_device_do_attach(struct iommufd_device *idev,
421 			 struct iommufd_hw_pagetable *hwpt)
422 {
423 	int rc;
424 
425 	rc = iommufd_hw_pagetable_attach(hwpt, idev);
426 	if (rc)
427 		return ERR_PTR(rc);
428 	return NULL;
429 }
430 
431 static void
432 iommufd_group_remove_reserved_iova(struct iommufd_group *igroup,
433 				   struct iommufd_hwpt_paging *hwpt_paging)
434 {
435 	struct iommufd_device *cur;
436 
437 	lockdep_assert_held(&igroup->lock);
438 
439 	list_for_each_entry(cur, &igroup->device_list, group_item)
440 		iopt_remove_reserved_iova(&hwpt_paging->ioas->iopt, cur->dev);
441 }
442 
443 static int
444 iommufd_group_do_replace_reserved_iova(struct iommufd_group *igroup,
445 				       struct iommufd_hwpt_paging *hwpt_paging)
446 {
447 	struct iommufd_hwpt_paging *old_hwpt_paging;
448 	struct iommufd_device *cur;
449 	int rc;
450 
451 	lockdep_assert_held(&igroup->lock);
452 
453 	old_hwpt_paging = find_hwpt_paging(igroup->hwpt);
454 	if (!old_hwpt_paging || hwpt_paging->ioas != old_hwpt_paging->ioas) {
455 		list_for_each_entry(cur, &igroup->device_list, group_item) {
456 			rc = iopt_table_enforce_dev_resv_regions(
457 				&hwpt_paging->ioas->iopt, cur->dev, NULL);
458 			if (rc)
459 				goto err_unresv;
460 		}
461 	}
462 
463 	rc = iommufd_group_setup_msi(igroup, hwpt_paging);
464 	if (rc)
465 		goto err_unresv;
466 	return 0;
467 
468 err_unresv:
469 	iommufd_group_remove_reserved_iova(igroup, hwpt_paging);
470 	return rc;
471 }
472 
473 static struct iommufd_hw_pagetable *
474 iommufd_device_do_replace(struct iommufd_device *idev,
475 			  struct iommufd_hw_pagetable *hwpt)
476 {
477 	struct iommufd_hwpt_paging *hwpt_paging = find_hwpt_paging(hwpt);
478 	struct iommufd_hwpt_paging *old_hwpt_paging;
479 	struct iommufd_group *igroup = idev->igroup;
480 	struct iommufd_hw_pagetable *old_hwpt;
481 	unsigned int num_devices;
482 	int rc;
483 
484 	mutex_lock(&idev->igroup->lock);
485 
486 	if (igroup->hwpt == NULL) {
487 		rc = -EINVAL;
488 		goto err_unlock;
489 	}
490 
491 	if (hwpt == igroup->hwpt) {
492 		mutex_unlock(&idev->igroup->lock);
493 		return NULL;
494 	}
495 
496 	old_hwpt = igroup->hwpt;
497 	if (hwpt_paging) {
498 		rc = iommufd_group_do_replace_reserved_iova(igroup, hwpt_paging);
499 		if (rc)
500 			goto err_unlock;
501 	}
502 
503 	rc = iommufd_hwpt_replace_device(idev, hwpt, old_hwpt);
504 	if (rc)
505 		goto err_unresv;
506 
507 	old_hwpt_paging = find_hwpt_paging(old_hwpt);
508 	if (old_hwpt_paging &&
509 	    (!hwpt_paging || hwpt_paging->ioas != old_hwpt_paging->ioas))
510 		iommufd_group_remove_reserved_iova(igroup, old_hwpt_paging);
511 
512 	igroup->hwpt = hwpt;
513 
514 	num_devices = list_count_nodes(&igroup->device_list);
515 	/*
516 	 * Move the refcounts held by the device_list to the new hwpt. Retain a
517 	 * refcount for this thread as the caller will free it.
518 	 */
519 	refcount_add(num_devices, &hwpt->obj.users);
520 	if (num_devices > 1)
521 		WARN_ON(refcount_sub_and_test(num_devices - 1,
522 					      &old_hwpt->obj.users));
523 	mutex_unlock(&idev->igroup->lock);
524 
525 	/* Caller must destroy old_hwpt */
526 	return old_hwpt;
527 err_unresv:
528 	if (hwpt_paging)
529 		iommufd_group_remove_reserved_iova(igroup, hwpt_paging);
530 err_unlock:
531 	mutex_unlock(&idev->igroup->lock);
532 	return ERR_PTR(rc);
533 }
534 
535 typedef struct iommufd_hw_pagetable *(*attach_fn)(
536 	struct iommufd_device *idev, struct iommufd_hw_pagetable *hwpt);
537 
538 /*
539  * When automatically managing the domains we search for a compatible domain in
540  * the iopt and if one is found use it, otherwise create a new domain.
541  * Automatic domain selection will never pick a manually created domain.
542  */
543 static struct iommufd_hw_pagetable *
544 iommufd_device_auto_get_domain(struct iommufd_device *idev,
545 			       struct iommufd_ioas *ioas, u32 *pt_id,
546 			       attach_fn do_attach)
547 {
548 	/*
549 	 * iommufd_hw_pagetable_attach() is called by
550 	 * iommufd_hw_pagetable_alloc() in immediate attachment mode, same as
551 	 * iommufd_device_do_attach(). So if we are in this mode then we prefer
552 	 * to use the immediate_attach path as it supports drivers that can't
553 	 * directly allocate a domain.
554 	 */
555 	bool immediate_attach = do_attach == iommufd_device_do_attach;
556 	struct iommufd_hw_pagetable *destroy_hwpt;
557 	struct iommufd_hwpt_paging *hwpt_paging;
558 	struct iommufd_hw_pagetable *hwpt;
559 
560 	/*
561 	 * There is no differentiation when domains are allocated, so any domain
562 	 * that is willing to attach to the device is interchangeable with any
563 	 * other.
564 	 */
565 	mutex_lock(&ioas->mutex);
566 	list_for_each_entry(hwpt_paging, &ioas->hwpt_list, hwpt_item) {
567 		if (!hwpt_paging->auto_domain)
568 			continue;
569 
570 		hwpt = &hwpt_paging->common;
571 		if (!iommufd_lock_obj(&hwpt->obj))
572 			continue;
573 		destroy_hwpt = (*do_attach)(idev, hwpt);
574 		if (IS_ERR(destroy_hwpt)) {
575 			iommufd_put_object(idev->ictx, &hwpt->obj);
576 			/*
577 			 * -EINVAL means the domain is incompatible with the
578 			 * device. Other error codes should propagate to
579 			 * userspace as failure. Success means the domain is
580 			 * attached.
581 			 */
582 			if (PTR_ERR(destroy_hwpt) == -EINVAL)
583 				continue;
584 			goto out_unlock;
585 		}
586 		*pt_id = hwpt->obj.id;
587 		iommufd_put_object(idev->ictx, &hwpt->obj);
588 		goto out_unlock;
589 	}
590 
591 	hwpt_paging = iommufd_hwpt_paging_alloc(idev->ictx, ioas, idev, 0,
592 						immediate_attach, NULL);
593 	if (IS_ERR(hwpt_paging)) {
594 		destroy_hwpt = ERR_CAST(hwpt_paging);
595 		goto out_unlock;
596 	}
597 	hwpt = &hwpt_paging->common;
598 
599 	if (!immediate_attach) {
600 		destroy_hwpt = (*do_attach)(idev, hwpt);
601 		if (IS_ERR(destroy_hwpt))
602 			goto out_abort;
603 	} else {
604 		destroy_hwpt = NULL;
605 	}
606 
607 	hwpt_paging->auto_domain = true;
608 	*pt_id = hwpt->obj.id;
609 
610 	iommufd_object_finalize(idev->ictx, &hwpt->obj);
611 	mutex_unlock(&ioas->mutex);
612 	return destroy_hwpt;
613 
614 out_abort:
615 	iommufd_object_abort_and_destroy(idev->ictx, &hwpt->obj);
616 out_unlock:
617 	mutex_unlock(&ioas->mutex);
618 	return destroy_hwpt;
619 }
620 
621 static int iommufd_device_change_pt(struct iommufd_device *idev, u32 *pt_id,
622 				    attach_fn do_attach)
623 {
624 	struct iommufd_hw_pagetable *destroy_hwpt;
625 	struct iommufd_object *pt_obj;
626 
627 	pt_obj = iommufd_get_object(idev->ictx, *pt_id, IOMMUFD_OBJ_ANY);
628 	if (IS_ERR(pt_obj))
629 		return PTR_ERR(pt_obj);
630 
631 	switch (pt_obj->type) {
632 	case IOMMUFD_OBJ_HWPT_NESTED:
633 	case IOMMUFD_OBJ_HWPT_PAGING: {
634 		struct iommufd_hw_pagetable *hwpt =
635 			container_of(pt_obj, struct iommufd_hw_pagetable, obj);
636 
637 		destroy_hwpt = (*do_attach)(idev, hwpt);
638 		if (IS_ERR(destroy_hwpt))
639 			goto out_put_pt_obj;
640 		break;
641 	}
642 	case IOMMUFD_OBJ_IOAS: {
643 		struct iommufd_ioas *ioas =
644 			container_of(pt_obj, struct iommufd_ioas, obj);
645 
646 		destroy_hwpt = iommufd_device_auto_get_domain(idev, ioas, pt_id,
647 							      do_attach);
648 		if (IS_ERR(destroy_hwpt))
649 			goto out_put_pt_obj;
650 		break;
651 	}
652 	default:
653 		destroy_hwpt = ERR_PTR(-EINVAL);
654 		goto out_put_pt_obj;
655 	}
656 	iommufd_put_object(idev->ictx, pt_obj);
657 
658 	/* This destruction has to be after we unlock everything */
659 	if (destroy_hwpt)
660 		iommufd_hw_pagetable_put(idev->ictx, destroy_hwpt);
661 	return 0;
662 
663 out_put_pt_obj:
664 	iommufd_put_object(idev->ictx, pt_obj);
665 	return PTR_ERR(destroy_hwpt);
666 }
667 
668 /**
669  * iommufd_device_attach - Connect a device to an iommu_domain
670  * @idev: device to attach
671  * @pt_id: Input a IOMMUFD_OBJ_IOAS, or IOMMUFD_OBJ_HWPT_PAGING
672  *         Output the IOMMUFD_OBJ_HWPT_PAGING ID
673  *
674  * This connects the device to an iommu_domain, either automatically or manually
675  * selected. Once this completes the device could do DMA.
676  *
677  * The caller should return the resulting pt_id back to userspace.
678  * This function is undone by calling iommufd_device_detach().
679  */
680 int iommufd_device_attach(struct iommufd_device *idev, u32 *pt_id)
681 {
682 	int rc;
683 
684 	rc = iommufd_device_change_pt(idev, pt_id, &iommufd_device_do_attach);
685 	if (rc)
686 		return rc;
687 
688 	/*
689 	 * Pairs with iommufd_device_detach() - catches caller bugs attempting
690 	 * to destroy a device with an attachment.
691 	 */
692 	refcount_inc(&idev->obj.users);
693 	return 0;
694 }
695 EXPORT_SYMBOL_NS_GPL(iommufd_device_attach, IOMMUFD);
696 
697 /**
698  * iommufd_device_replace - Change the device's iommu_domain
699  * @idev: device to change
700  * @pt_id: Input a IOMMUFD_OBJ_IOAS, or IOMMUFD_OBJ_HWPT_PAGING
701  *         Output the IOMMUFD_OBJ_HWPT_PAGING ID
702  *
703  * This is the same as::
704  *
705  *   iommufd_device_detach();
706  *   iommufd_device_attach();
707  *
708  * If it fails then no change is made to the attachment. The iommu driver may
709  * implement this so there is no disruption in translation. This can only be
710  * called if iommufd_device_attach() has already succeeded.
711  */
712 int iommufd_device_replace(struct iommufd_device *idev, u32 *pt_id)
713 {
714 	return iommufd_device_change_pt(idev, pt_id,
715 					&iommufd_device_do_replace);
716 }
717 EXPORT_SYMBOL_NS_GPL(iommufd_device_replace, IOMMUFD);
718 
719 /**
720  * iommufd_device_detach - Disconnect a device to an iommu_domain
721  * @idev: device to detach
722  *
723  * Undo iommufd_device_attach(). This disconnects the idev from the previously
724  * attached pt_id. The device returns back to a blocked DMA translation.
725  */
726 void iommufd_device_detach(struct iommufd_device *idev)
727 {
728 	struct iommufd_hw_pagetable *hwpt;
729 
730 	hwpt = iommufd_hw_pagetable_detach(idev);
731 	iommufd_hw_pagetable_put(idev->ictx, hwpt);
732 	refcount_dec(&idev->obj.users);
733 }
734 EXPORT_SYMBOL_NS_GPL(iommufd_device_detach, IOMMUFD);
735 
736 /*
737  * On success, it will refcount_inc() at a valid new_ioas and refcount_dec() at
738  * a valid cur_ioas (access->ioas). A caller passing in a valid new_ioas should
739  * call iommufd_put_object() if it does an iommufd_get_object() for a new_ioas.
740  */
741 static int iommufd_access_change_ioas(struct iommufd_access *access,
742 				      struct iommufd_ioas *new_ioas)
743 {
744 	u32 iopt_access_list_id = access->iopt_access_list_id;
745 	struct iommufd_ioas *cur_ioas = access->ioas;
746 	int rc;
747 
748 	lockdep_assert_held(&access->ioas_lock);
749 
750 	/* We are racing with a concurrent detach, bail */
751 	if (cur_ioas != access->ioas_unpin)
752 		return -EBUSY;
753 
754 	if (cur_ioas == new_ioas)
755 		return 0;
756 
757 	/*
758 	 * Set ioas to NULL to block any further iommufd_access_pin_pages().
759 	 * iommufd_access_unpin_pages() can continue using access->ioas_unpin.
760 	 */
761 	access->ioas = NULL;
762 
763 	if (new_ioas) {
764 		rc = iopt_add_access(&new_ioas->iopt, access);
765 		if (rc) {
766 			access->ioas = cur_ioas;
767 			return rc;
768 		}
769 		refcount_inc(&new_ioas->obj.users);
770 	}
771 
772 	if (cur_ioas) {
773 		if (access->ops->unmap) {
774 			mutex_unlock(&access->ioas_lock);
775 			access->ops->unmap(access->data, 0, ULONG_MAX);
776 			mutex_lock(&access->ioas_lock);
777 		}
778 		iopt_remove_access(&cur_ioas->iopt, access, iopt_access_list_id);
779 		refcount_dec(&cur_ioas->obj.users);
780 	}
781 
782 	access->ioas = new_ioas;
783 	access->ioas_unpin = new_ioas;
784 
785 	return 0;
786 }
787 
788 static int iommufd_access_change_ioas_id(struct iommufd_access *access, u32 id)
789 {
790 	struct iommufd_ioas *ioas = iommufd_get_ioas(access->ictx, id);
791 	int rc;
792 
793 	if (IS_ERR(ioas))
794 		return PTR_ERR(ioas);
795 	rc = iommufd_access_change_ioas(access, ioas);
796 	iommufd_put_object(access->ictx, &ioas->obj);
797 	return rc;
798 }
799 
800 void iommufd_access_destroy_object(struct iommufd_object *obj)
801 {
802 	struct iommufd_access *access =
803 		container_of(obj, struct iommufd_access, obj);
804 
805 	mutex_lock(&access->ioas_lock);
806 	if (access->ioas)
807 		WARN_ON(iommufd_access_change_ioas(access, NULL));
808 	mutex_unlock(&access->ioas_lock);
809 	iommufd_ctx_put(access->ictx);
810 }
811 
812 /**
813  * iommufd_access_create - Create an iommufd_access
814  * @ictx: iommufd file descriptor
815  * @ops: Driver's ops to associate with the access
816  * @data: Opaque data to pass into ops functions
817  * @id: Output ID number to return to userspace for this access
818  *
819  * An iommufd_access allows a driver to read/write to the IOAS without using
820  * DMA. The underlying CPU memory can be accessed using the
821  * iommufd_access_pin_pages() or iommufd_access_rw() functions.
822  *
823  * The provided ops are required to use iommufd_access_pin_pages().
824  */
825 struct iommufd_access *
826 iommufd_access_create(struct iommufd_ctx *ictx,
827 		      const struct iommufd_access_ops *ops, void *data, u32 *id)
828 {
829 	struct iommufd_access *access;
830 
831 	/*
832 	 * There is no uAPI for the access object, but to keep things symmetric
833 	 * use the object infrastructure anyhow.
834 	 */
835 	access = iommufd_object_alloc(ictx, access, IOMMUFD_OBJ_ACCESS);
836 	if (IS_ERR(access))
837 		return access;
838 
839 	access->data = data;
840 	access->ops = ops;
841 
842 	if (ops->needs_pin_pages)
843 		access->iova_alignment = PAGE_SIZE;
844 	else
845 		access->iova_alignment = 1;
846 
847 	/* The calling driver is a user until iommufd_access_destroy() */
848 	refcount_inc(&access->obj.users);
849 	access->ictx = ictx;
850 	iommufd_ctx_get(ictx);
851 	iommufd_object_finalize(ictx, &access->obj);
852 	*id = access->obj.id;
853 	mutex_init(&access->ioas_lock);
854 	return access;
855 }
856 EXPORT_SYMBOL_NS_GPL(iommufd_access_create, IOMMUFD);
857 
858 /**
859  * iommufd_access_destroy - Destroy an iommufd_access
860  * @access: The access to destroy
861  *
862  * The caller must stop using the access before destroying it.
863  */
864 void iommufd_access_destroy(struct iommufd_access *access)
865 {
866 	iommufd_object_destroy_user(access->ictx, &access->obj);
867 }
868 EXPORT_SYMBOL_NS_GPL(iommufd_access_destroy, IOMMUFD);
869 
870 void iommufd_access_detach(struct iommufd_access *access)
871 {
872 	mutex_lock(&access->ioas_lock);
873 	if (WARN_ON(!access->ioas)) {
874 		mutex_unlock(&access->ioas_lock);
875 		return;
876 	}
877 	WARN_ON(iommufd_access_change_ioas(access, NULL));
878 	mutex_unlock(&access->ioas_lock);
879 }
880 EXPORT_SYMBOL_NS_GPL(iommufd_access_detach, IOMMUFD);
881 
882 int iommufd_access_attach(struct iommufd_access *access, u32 ioas_id)
883 {
884 	int rc;
885 
886 	mutex_lock(&access->ioas_lock);
887 	if (WARN_ON(access->ioas)) {
888 		mutex_unlock(&access->ioas_lock);
889 		return -EINVAL;
890 	}
891 
892 	rc = iommufd_access_change_ioas_id(access, ioas_id);
893 	mutex_unlock(&access->ioas_lock);
894 	return rc;
895 }
896 EXPORT_SYMBOL_NS_GPL(iommufd_access_attach, IOMMUFD);
897 
898 int iommufd_access_replace(struct iommufd_access *access, u32 ioas_id)
899 {
900 	int rc;
901 
902 	mutex_lock(&access->ioas_lock);
903 	if (!access->ioas) {
904 		mutex_unlock(&access->ioas_lock);
905 		return -ENOENT;
906 	}
907 	rc = iommufd_access_change_ioas_id(access, ioas_id);
908 	mutex_unlock(&access->ioas_lock);
909 	return rc;
910 }
911 EXPORT_SYMBOL_NS_GPL(iommufd_access_replace, IOMMUFD);
912 
913 /**
914  * iommufd_access_notify_unmap - Notify users of an iopt to stop using it
915  * @iopt: iopt to work on
916  * @iova: Starting iova in the iopt
917  * @length: Number of bytes
918  *
919  * After this function returns there should be no users attached to the pages
920  * linked to this iopt that intersect with iova,length. Anyone that has attached
921  * a user through iopt_access_pages() needs to detach it through
922  * iommufd_access_unpin_pages() before this function returns.
923  *
924  * iommufd_access_destroy() will wait for any outstanding unmap callback to
925  * complete. Once iommufd_access_destroy() no unmap ops are running or will
926  * run in the future. Due to this a driver must not create locking that prevents
927  * unmap to complete while iommufd_access_destroy() is running.
928  */
929 void iommufd_access_notify_unmap(struct io_pagetable *iopt, unsigned long iova,
930 				 unsigned long length)
931 {
932 	struct iommufd_ioas *ioas =
933 		container_of(iopt, struct iommufd_ioas, iopt);
934 	struct iommufd_access *access;
935 	unsigned long index;
936 
937 	xa_lock(&ioas->iopt.access_list);
938 	xa_for_each(&ioas->iopt.access_list, index, access) {
939 		if (!iommufd_lock_obj(&access->obj))
940 			continue;
941 		xa_unlock(&ioas->iopt.access_list);
942 
943 		access->ops->unmap(access->data, iova, length);
944 
945 		iommufd_put_object(access->ictx, &access->obj);
946 		xa_lock(&ioas->iopt.access_list);
947 	}
948 	xa_unlock(&ioas->iopt.access_list);
949 }
950 
951 /**
952  * iommufd_access_unpin_pages() - Undo iommufd_access_pin_pages
953  * @access: IOAS access to act on
954  * @iova: Starting IOVA
955  * @length: Number of bytes to access
956  *
957  * Return the struct page's. The caller must stop accessing them before calling
958  * this. The iova/length must exactly match the one provided to access_pages.
959  */
960 void iommufd_access_unpin_pages(struct iommufd_access *access,
961 				unsigned long iova, unsigned long length)
962 {
963 	struct iopt_area_contig_iter iter;
964 	struct io_pagetable *iopt;
965 	unsigned long last_iova;
966 	struct iopt_area *area;
967 
968 	if (WARN_ON(!length) ||
969 	    WARN_ON(check_add_overflow(iova, length - 1, &last_iova)))
970 		return;
971 
972 	mutex_lock(&access->ioas_lock);
973 	/*
974 	 * The driver must be doing something wrong if it calls this before an
975 	 * iommufd_access_attach() or after an iommufd_access_detach().
976 	 */
977 	if (WARN_ON(!access->ioas_unpin)) {
978 		mutex_unlock(&access->ioas_lock);
979 		return;
980 	}
981 	iopt = &access->ioas_unpin->iopt;
982 
983 	down_read(&iopt->iova_rwsem);
984 	iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
985 		iopt_area_remove_access(
986 			area, iopt_area_iova_to_index(area, iter.cur_iova),
987 			iopt_area_iova_to_index(
988 				area,
989 				min(last_iova, iopt_area_last_iova(area))));
990 	WARN_ON(!iopt_area_contig_done(&iter));
991 	up_read(&iopt->iova_rwsem);
992 	mutex_unlock(&access->ioas_lock);
993 }
994 EXPORT_SYMBOL_NS_GPL(iommufd_access_unpin_pages, IOMMUFD);
995 
996 static bool iopt_area_contig_is_aligned(struct iopt_area_contig_iter *iter)
997 {
998 	if (iopt_area_start_byte(iter->area, iter->cur_iova) % PAGE_SIZE)
999 		return false;
1000 
1001 	if (!iopt_area_contig_done(iter) &&
1002 	    (iopt_area_start_byte(iter->area, iopt_area_last_iova(iter->area)) %
1003 	     PAGE_SIZE) != (PAGE_SIZE - 1))
1004 		return false;
1005 	return true;
1006 }
1007 
1008 static bool check_area_prot(struct iopt_area *area, unsigned int flags)
1009 {
1010 	if (flags & IOMMUFD_ACCESS_RW_WRITE)
1011 		return area->iommu_prot & IOMMU_WRITE;
1012 	return area->iommu_prot & IOMMU_READ;
1013 }
1014 
1015 /**
1016  * iommufd_access_pin_pages() - Return a list of pages under the iova
1017  * @access: IOAS access to act on
1018  * @iova: Starting IOVA
1019  * @length: Number of bytes to access
1020  * @out_pages: Output page list
1021  * @flags: IOPMMUFD_ACCESS_RW_* flags
1022  *
1023  * Reads @length bytes starting at iova and returns the struct page * pointers.
1024  * These can be kmap'd by the caller for CPU access.
1025  *
1026  * The caller must perform iommufd_access_unpin_pages() when done to balance
1027  * this.
1028  *
1029  * This API always requires a page aligned iova. This happens naturally if the
1030  * ioas alignment is >= PAGE_SIZE and the iova is PAGE_SIZE aligned. However
1031  * smaller alignments have corner cases where this API can fail on otherwise
1032  * aligned iova.
1033  */
1034 int iommufd_access_pin_pages(struct iommufd_access *access, unsigned long iova,
1035 			     unsigned long length, struct page **out_pages,
1036 			     unsigned int flags)
1037 {
1038 	struct iopt_area_contig_iter iter;
1039 	struct io_pagetable *iopt;
1040 	unsigned long last_iova;
1041 	struct iopt_area *area;
1042 	int rc;
1043 
1044 	/* Driver's ops don't support pin_pages */
1045 	if (IS_ENABLED(CONFIG_IOMMUFD_TEST) &&
1046 	    WARN_ON(access->iova_alignment != PAGE_SIZE || !access->ops->unmap))
1047 		return -EINVAL;
1048 
1049 	if (!length)
1050 		return -EINVAL;
1051 	if (check_add_overflow(iova, length - 1, &last_iova))
1052 		return -EOVERFLOW;
1053 
1054 	mutex_lock(&access->ioas_lock);
1055 	if (!access->ioas) {
1056 		mutex_unlock(&access->ioas_lock);
1057 		return -ENOENT;
1058 	}
1059 	iopt = &access->ioas->iopt;
1060 
1061 	down_read(&iopt->iova_rwsem);
1062 	iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {
1063 		unsigned long last = min(last_iova, iopt_area_last_iova(area));
1064 		unsigned long last_index = iopt_area_iova_to_index(area, last);
1065 		unsigned long index =
1066 			iopt_area_iova_to_index(area, iter.cur_iova);
1067 
1068 		if (area->prevent_access ||
1069 		    !iopt_area_contig_is_aligned(&iter)) {
1070 			rc = -EINVAL;
1071 			goto err_remove;
1072 		}
1073 
1074 		if (!check_area_prot(area, flags)) {
1075 			rc = -EPERM;
1076 			goto err_remove;
1077 		}
1078 
1079 		rc = iopt_area_add_access(area, index, last_index, out_pages,
1080 					  flags);
1081 		if (rc)
1082 			goto err_remove;
1083 		out_pages += last_index - index + 1;
1084 	}
1085 	if (!iopt_area_contig_done(&iter)) {
1086 		rc = -ENOENT;
1087 		goto err_remove;
1088 	}
1089 
1090 	up_read(&iopt->iova_rwsem);
1091 	mutex_unlock(&access->ioas_lock);
1092 	return 0;
1093 
1094 err_remove:
1095 	if (iova < iter.cur_iova) {
1096 		last_iova = iter.cur_iova - 1;
1097 		iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
1098 			iopt_area_remove_access(
1099 				area,
1100 				iopt_area_iova_to_index(area, iter.cur_iova),
1101 				iopt_area_iova_to_index(
1102 					area, min(last_iova,
1103 						  iopt_area_last_iova(area))));
1104 	}
1105 	up_read(&iopt->iova_rwsem);
1106 	mutex_unlock(&access->ioas_lock);
1107 	return rc;
1108 }
1109 EXPORT_SYMBOL_NS_GPL(iommufd_access_pin_pages, IOMMUFD);
1110 
1111 /**
1112  * iommufd_access_rw - Read or write data under the iova
1113  * @access: IOAS access to act on
1114  * @iova: Starting IOVA
1115  * @data: Kernel buffer to copy to/from
1116  * @length: Number of bytes to access
1117  * @flags: IOMMUFD_ACCESS_RW_* flags
1118  *
1119  * Copy kernel to/from data into the range given by IOVA/length. If flags
1120  * indicates IOMMUFD_ACCESS_RW_KTHREAD then a large copy can be optimized
1121  * by changing it into copy_to/from_user().
1122  */
1123 int iommufd_access_rw(struct iommufd_access *access, unsigned long iova,
1124 		      void *data, size_t length, unsigned int flags)
1125 {
1126 	struct iopt_area_contig_iter iter;
1127 	struct io_pagetable *iopt;
1128 	struct iopt_area *area;
1129 	unsigned long last_iova;
1130 	int rc;
1131 
1132 	if (!length)
1133 		return -EINVAL;
1134 	if (check_add_overflow(iova, length - 1, &last_iova))
1135 		return -EOVERFLOW;
1136 
1137 	mutex_lock(&access->ioas_lock);
1138 	if (!access->ioas) {
1139 		mutex_unlock(&access->ioas_lock);
1140 		return -ENOENT;
1141 	}
1142 	iopt = &access->ioas->iopt;
1143 
1144 	down_read(&iopt->iova_rwsem);
1145 	iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {
1146 		unsigned long last = min(last_iova, iopt_area_last_iova(area));
1147 		unsigned long bytes = (last - iter.cur_iova) + 1;
1148 
1149 		if (area->prevent_access) {
1150 			rc = -EINVAL;
1151 			goto err_out;
1152 		}
1153 
1154 		if (!check_area_prot(area, flags)) {
1155 			rc = -EPERM;
1156 			goto err_out;
1157 		}
1158 
1159 		rc = iopt_pages_rw_access(
1160 			area->pages, iopt_area_start_byte(area, iter.cur_iova),
1161 			data, bytes, flags);
1162 		if (rc)
1163 			goto err_out;
1164 		data += bytes;
1165 	}
1166 	if (!iopt_area_contig_done(&iter))
1167 		rc = -ENOENT;
1168 err_out:
1169 	up_read(&iopt->iova_rwsem);
1170 	mutex_unlock(&access->ioas_lock);
1171 	return rc;
1172 }
1173 EXPORT_SYMBOL_NS_GPL(iommufd_access_rw, IOMMUFD);
1174 
1175 int iommufd_get_hw_info(struct iommufd_ucmd *ucmd)
1176 {
1177 	struct iommu_hw_info *cmd = ucmd->cmd;
1178 	void __user *user_ptr = u64_to_user_ptr(cmd->data_uptr);
1179 	const struct iommu_ops *ops;
1180 	struct iommufd_device *idev;
1181 	unsigned int data_len;
1182 	unsigned int copy_len;
1183 	void *data;
1184 	int rc;
1185 
1186 	if (cmd->flags || cmd->__reserved)
1187 		return -EOPNOTSUPP;
1188 
1189 	idev = iommufd_get_device(ucmd, cmd->dev_id);
1190 	if (IS_ERR(idev))
1191 		return PTR_ERR(idev);
1192 
1193 	ops = dev_iommu_ops(idev->dev);
1194 	if (ops->hw_info) {
1195 		data = ops->hw_info(idev->dev, &data_len, &cmd->out_data_type);
1196 		if (IS_ERR(data)) {
1197 			rc = PTR_ERR(data);
1198 			goto out_put;
1199 		}
1200 
1201 		/*
1202 		 * drivers that have hw_info callback should have a unique
1203 		 * iommu_hw_info_type.
1204 		 */
1205 		if (WARN_ON_ONCE(cmd->out_data_type ==
1206 				 IOMMU_HW_INFO_TYPE_NONE)) {
1207 			rc = -ENODEV;
1208 			goto out_free;
1209 		}
1210 	} else {
1211 		cmd->out_data_type = IOMMU_HW_INFO_TYPE_NONE;
1212 		data_len = 0;
1213 		data = NULL;
1214 	}
1215 
1216 	copy_len = min(cmd->data_len, data_len);
1217 	if (copy_to_user(user_ptr, data, copy_len)) {
1218 		rc = -EFAULT;
1219 		goto out_free;
1220 	}
1221 
1222 	/*
1223 	 * Zero the trailing bytes if the user buffer is bigger than the
1224 	 * data size kernel actually has.
1225 	 */
1226 	if (copy_len < cmd->data_len) {
1227 		if (clear_user(user_ptr + copy_len, cmd->data_len - copy_len)) {
1228 			rc = -EFAULT;
1229 			goto out_free;
1230 		}
1231 	}
1232 
1233 	/*
1234 	 * We return the length the kernel supports so userspace may know what
1235 	 * the kernel capability is. It could be larger than the input buffer.
1236 	 */
1237 	cmd->data_len = data_len;
1238 
1239 	cmd->out_capabilities = 0;
1240 	if (device_iommu_capable(idev->dev, IOMMU_CAP_DIRTY_TRACKING))
1241 		cmd->out_capabilities |= IOMMU_HW_CAP_DIRTY_TRACKING;
1242 
1243 	rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
1244 out_free:
1245 	kfree(data);
1246 out_put:
1247 	iommufd_put_object(ucmd->ictx, &idev->obj);
1248 	return rc;
1249 }
1250