xref: /linux/drivers/iommu/iommufd/main.c (revision e18655cf35a5958fbf4ae9ca3ebf28871a3a1801)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2021 Intel Corporation
3  * Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES
4  *
5  * iommufd provides control over the IOMMU HW objects created by IOMMU kernel
6  * drivers. IOMMU HW objects revolve around IO page tables that map incoming DMA
7  * addresses (IOVA) to CPU addresses.
8  */
9 #define pr_fmt(fmt) "iommufd: " fmt
10 
11 #include <linux/bug.h>
12 #include <linux/file.h>
13 #include <linux/fs.h>
14 #include <linux/iommufd.h>
15 #include <linux/miscdevice.h>
16 #include <linux/module.h>
17 #include <linux/mutex.h>
18 #include <linux/slab.h>
19 #include <uapi/linux/iommufd.h>
20 
21 #include "io_pagetable.h"
22 #include "iommufd_private.h"
23 #include "iommufd_test.h"
24 
25 struct iommufd_object_ops {
26 	void (*destroy)(struct iommufd_object *obj);
27 	void (*abort)(struct iommufd_object *obj);
28 };
29 static const struct iommufd_object_ops iommufd_object_ops[];
30 static struct miscdevice vfio_misc_dev;
31 
32 /*
33  * Allow concurrent access to the object.
34  *
35  * Once another thread can see the object pointer it can prevent object
36  * destruction. Expect for special kernel-only objects there is no in-kernel way
37  * to reliably destroy a single object. Thus all APIs that are creating objects
38  * must use iommufd_object_abort() to handle their errors and only call
39  * iommufd_object_finalize() once object creation cannot fail.
40  */
41 void iommufd_object_finalize(struct iommufd_ctx *ictx,
42 			     struct iommufd_object *obj)
43 {
44 	XA_STATE(xas, &ictx->objects, obj->id);
45 	void *old;
46 
47 	xa_lock(&ictx->objects);
48 	old = xas_store(&xas, obj);
49 	xa_unlock(&ictx->objects);
50 	/* obj->id was returned from xa_alloc() so the xas_store() cannot fail */
51 	WARN_ON(old != XA_ZERO_ENTRY);
52 }
53 
54 /* Undo _iommufd_object_alloc() if iommufd_object_finalize() was not called */
55 void iommufd_object_abort(struct iommufd_ctx *ictx, struct iommufd_object *obj)
56 {
57 	XA_STATE(xas, &ictx->objects, obj->id);
58 	void *old;
59 
60 	xa_lock(&ictx->objects);
61 	old = xas_store(&xas, NULL);
62 	xa_unlock(&ictx->objects);
63 	WARN_ON(old != XA_ZERO_ENTRY);
64 	kfree(obj);
65 }
66 
67 /*
68  * Abort an object that has been fully initialized and needs destroy, but has
69  * not been finalized.
70  */
71 void iommufd_object_abort_and_destroy(struct iommufd_ctx *ictx,
72 				      struct iommufd_object *obj)
73 {
74 	if (iommufd_object_ops[obj->type].abort)
75 		iommufd_object_ops[obj->type].abort(obj);
76 	else
77 		iommufd_object_ops[obj->type].destroy(obj);
78 	iommufd_object_abort(ictx, obj);
79 }
80 
81 struct iommufd_object *iommufd_get_object(struct iommufd_ctx *ictx, u32 id,
82 					  enum iommufd_object_type type)
83 {
84 	struct iommufd_object *obj;
85 
86 	if (iommufd_should_fail())
87 		return ERR_PTR(-ENOENT);
88 
89 	xa_lock(&ictx->objects);
90 	obj = xa_load(&ictx->objects, id);
91 	if (!obj || (type != IOMMUFD_OBJ_ANY && obj->type != type) ||
92 	    !iommufd_lock_obj(obj))
93 		obj = ERR_PTR(-ENOENT);
94 	xa_unlock(&ictx->objects);
95 	return obj;
96 }
97 
98 static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
99 					     struct iommufd_object *to_destroy)
100 {
101 	if (refcount_dec_and_test(&to_destroy->shortterm_users))
102 		return 0;
103 
104 	if (wait_event_timeout(ictx->destroy_wait,
105 				refcount_read(&to_destroy->shortterm_users) ==
106 					0,
107 				msecs_to_jiffies(10000)))
108 		return 0;
109 
110 	pr_crit("Time out waiting for iommufd object to become free\n");
111 	refcount_inc(&to_destroy->shortterm_users);
112 	return -EBUSY;
113 }
114 
115 /*
116  * Remove the given object id from the xarray if the only reference to the
117  * object is held by the xarray.
118  */
119 int iommufd_object_remove(struct iommufd_ctx *ictx,
120 			  struct iommufd_object *to_destroy, u32 id,
121 			  unsigned int flags)
122 {
123 	struct iommufd_object *obj;
124 	XA_STATE(xas, &ictx->objects, id);
125 	bool zerod_shortterm = false;
126 	int ret;
127 
128 	/*
129 	 * The purpose of the shortterm_users is to ensure deterministic
130 	 * destruction of objects used by external drivers and destroyed by this
131 	 * function. Any temporary increment of the refcount must increment
132 	 * shortterm_users, such as during ioctl execution.
133 	 */
134 	if (flags & REMOVE_WAIT_SHORTTERM) {
135 		ret = iommufd_object_dec_wait_shortterm(ictx, to_destroy);
136 		if (ret) {
137 			/*
138 			 * We have a bug. Put back the callers reference and
139 			 * defer cleaning this object until close.
140 			 */
141 			refcount_dec(&to_destroy->users);
142 			return ret;
143 		}
144 		zerod_shortterm = true;
145 	}
146 
147 	xa_lock(&ictx->objects);
148 	obj = xas_load(&xas);
149 	if (to_destroy) {
150 		/*
151 		 * If the caller is holding a ref on obj we put it here under
152 		 * the spinlock.
153 		 */
154 		refcount_dec(&obj->users);
155 
156 		if (WARN_ON(obj != to_destroy)) {
157 			ret = -ENOENT;
158 			goto err_xa;
159 		}
160 	} else if (xa_is_zero(obj) || !obj) {
161 		ret = -ENOENT;
162 		goto err_xa;
163 	}
164 
165 	if (!refcount_dec_if_one(&obj->users)) {
166 		ret = -EBUSY;
167 		goto err_xa;
168 	}
169 
170 	xas_store(&xas, NULL);
171 	if (ictx->vfio_ioas == container_of(obj, struct iommufd_ioas, obj))
172 		ictx->vfio_ioas = NULL;
173 	xa_unlock(&ictx->objects);
174 
175 	/*
176 	 * Since users is zero any positive users_shortterm must be racing
177 	 * iommufd_put_object(), or we have a bug.
178 	 */
179 	if (!zerod_shortterm) {
180 		ret = iommufd_object_dec_wait_shortterm(ictx, obj);
181 		if (WARN_ON(ret))
182 			return ret;
183 	}
184 
185 	iommufd_object_ops[obj->type].destroy(obj);
186 	kfree(obj);
187 	return 0;
188 
189 err_xa:
190 	if (zerod_shortterm) {
191 		/* Restore the xarray owned reference */
192 		refcount_set(&obj->shortterm_users, 1);
193 	}
194 	xa_unlock(&ictx->objects);
195 
196 	/* The returned object reference count is zero */
197 	return ret;
198 }
199 
200 static int iommufd_destroy(struct iommufd_ucmd *ucmd)
201 {
202 	struct iommu_destroy *cmd = ucmd->cmd;
203 
204 	return iommufd_object_remove(ucmd->ictx, NULL, cmd->id, 0);
205 }
206 
207 static int iommufd_fops_open(struct inode *inode, struct file *filp)
208 {
209 	struct iommufd_ctx *ictx;
210 
211 	ictx = kzalloc(sizeof(*ictx), GFP_KERNEL_ACCOUNT);
212 	if (!ictx)
213 		return -ENOMEM;
214 
215 	/*
216 	 * For compatibility with VFIO when /dev/vfio/vfio is opened we default
217 	 * to the same rlimit accounting as vfio uses.
218 	 */
219 	if (IS_ENABLED(CONFIG_IOMMUFD_VFIO_CONTAINER) &&
220 	    filp->private_data == &vfio_misc_dev) {
221 		ictx->account_mode = IOPT_PAGES_ACCOUNT_MM;
222 		pr_info_once("IOMMUFD is providing /dev/vfio/vfio, not VFIO.\n");
223 	}
224 
225 	init_rwsem(&ictx->ioas_creation_lock);
226 	xa_init_flags(&ictx->objects, XA_FLAGS_ALLOC1 | XA_FLAGS_ACCOUNT);
227 	xa_init(&ictx->groups);
228 	ictx->file = filp;
229 	init_waitqueue_head(&ictx->destroy_wait);
230 	filp->private_data = ictx;
231 	return 0;
232 }
233 
234 static int iommufd_fops_release(struct inode *inode, struct file *filp)
235 {
236 	struct iommufd_ctx *ictx = filp->private_data;
237 	struct iommufd_object *obj;
238 
239 	/*
240 	 * The objects in the xarray form a graph of "users" counts, and we have
241 	 * to destroy them in a depth first manner. Leaf objects will reduce the
242 	 * users count of interior objects when they are destroyed.
243 	 *
244 	 * Repeatedly destroying all the "1 users" leaf objects will progress
245 	 * until the entire list is destroyed. If this can't progress then there
246 	 * is some bug related to object refcounting.
247 	 */
248 	while (!xa_empty(&ictx->objects)) {
249 		unsigned int destroyed = 0;
250 		unsigned long index;
251 
252 		xa_for_each(&ictx->objects, index, obj) {
253 			if (!refcount_dec_if_one(&obj->users))
254 				continue;
255 			destroyed++;
256 			xa_erase(&ictx->objects, index);
257 			iommufd_object_ops[obj->type].destroy(obj);
258 			kfree(obj);
259 		}
260 		/* Bug related to users refcount */
261 		if (WARN_ON(!destroyed))
262 			break;
263 	}
264 	WARN_ON(!xa_empty(&ictx->groups));
265 	kfree(ictx);
266 	return 0;
267 }
268 
269 static int iommufd_option(struct iommufd_ucmd *ucmd)
270 {
271 	struct iommu_option *cmd = ucmd->cmd;
272 	int rc;
273 
274 	if (cmd->__reserved)
275 		return -EOPNOTSUPP;
276 
277 	switch (cmd->option_id) {
278 	case IOMMU_OPTION_RLIMIT_MODE:
279 		rc = iommufd_option_rlimit_mode(cmd, ucmd->ictx);
280 		break;
281 	case IOMMU_OPTION_HUGE_PAGES:
282 		rc = iommufd_ioas_option(ucmd);
283 		break;
284 	default:
285 		return -EOPNOTSUPP;
286 	}
287 	if (rc)
288 		return rc;
289 	if (copy_to_user(&((struct iommu_option __user *)ucmd->ubuffer)->val64,
290 			 &cmd->val64, sizeof(cmd->val64)))
291 		return -EFAULT;
292 	return 0;
293 }
294 
295 union ucmd_buffer {
296 	struct iommu_destroy destroy;
297 	struct iommu_fault_alloc fault;
298 	struct iommu_hw_info info;
299 	struct iommu_hwpt_alloc hwpt;
300 	struct iommu_hwpt_get_dirty_bitmap get_dirty_bitmap;
301 	struct iommu_hwpt_invalidate cache;
302 	struct iommu_hwpt_set_dirty_tracking set_dirty_tracking;
303 	struct iommu_ioas_alloc alloc;
304 	struct iommu_ioas_allow_iovas allow_iovas;
305 	struct iommu_ioas_copy ioas_copy;
306 	struct iommu_ioas_iova_ranges iova_ranges;
307 	struct iommu_ioas_map map;
308 	struct iommu_ioas_unmap unmap;
309 	struct iommu_option option;
310 	struct iommu_vfio_ioas vfio_ioas;
311 	struct iommu_viommu_alloc viommu;
312 	struct iommu_vdevice_alloc vdev;
313 #ifdef CONFIG_IOMMUFD_TEST
314 	struct iommu_test_cmd test;
315 #endif
316 };
317 
318 struct iommufd_ioctl_op {
319 	unsigned int size;
320 	unsigned int min_size;
321 	unsigned int ioctl_num;
322 	int (*execute)(struct iommufd_ucmd *ucmd);
323 };
324 
325 #define IOCTL_OP(_ioctl, _fn, _struct, _last)                                  \
326 	[_IOC_NR(_ioctl) - IOMMUFD_CMD_BASE] = {                               \
327 		.size = sizeof(_struct) +                                      \
328 			BUILD_BUG_ON_ZERO(sizeof(union ucmd_buffer) <          \
329 					  sizeof(_struct)),                    \
330 		.min_size = offsetofend(_struct, _last),                       \
331 		.ioctl_num = _ioctl,                                           \
332 		.execute = _fn,                                                \
333 	}
334 static const struct iommufd_ioctl_op iommufd_ioctl_ops[] = {
335 	IOCTL_OP(IOMMU_DESTROY, iommufd_destroy, struct iommu_destroy, id),
336 	IOCTL_OP(IOMMU_FAULT_QUEUE_ALLOC, iommufd_fault_alloc, struct iommu_fault_alloc,
337 		 out_fault_fd),
338 	IOCTL_OP(IOMMU_GET_HW_INFO, iommufd_get_hw_info, struct iommu_hw_info,
339 		 __reserved),
340 	IOCTL_OP(IOMMU_HWPT_ALLOC, iommufd_hwpt_alloc, struct iommu_hwpt_alloc,
341 		 __reserved),
342 	IOCTL_OP(IOMMU_HWPT_GET_DIRTY_BITMAP, iommufd_hwpt_get_dirty_bitmap,
343 		 struct iommu_hwpt_get_dirty_bitmap, data),
344 	IOCTL_OP(IOMMU_HWPT_INVALIDATE, iommufd_hwpt_invalidate,
345 		 struct iommu_hwpt_invalidate, __reserved),
346 	IOCTL_OP(IOMMU_HWPT_SET_DIRTY_TRACKING, iommufd_hwpt_set_dirty_tracking,
347 		 struct iommu_hwpt_set_dirty_tracking, __reserved),
348 	IOCTL_OP(IOMMU_IOAS_ALLOC, iommufd_ioas_alloc_ioctl,
349 		 struct iommu_ioas_alloc, out_ioas_id),
350 	IOCTL_OP(IOMMU_IOAS_ALLOW_IOVAS, iommufd_ioas_allow_iovas,
351 		 struct iommu_ioas_allow_iovas, allowed_iovas),
352 	IOCTL_OP(IOMMU_IOAS_CHANGE_PROCESS, iommufd_ioas_change_process,
353 		 struct iommu_ioas_change_process, __reserved),
354 	IOCTL_OP(IOMMU_IOAS_COPY, iommufd_ioas_copy, struct iommu_ioas_copy,
355 		 src_iova),
356 	IOCTL_OP(IOMMU_IOAS_IOVA_RANGES, iommufd_ioas_iova_ranges,
357 		 struct iommu_ioas_iova_ranges, out_iova_alignment),
358 	IOCTL_OP(IOMMU_IOAS_MAP, iommufd_ioas_map, struct iommu_ioas_map,
359 		 iova),
360 	IOCTL_OP(IOMMU_IOAS_MAP_FILE, iommufd_ioas_map_file,
361 		 struct iommu_ioas_map_file, iova),
362 	IOCTL_OP(IOMMU_IOAS_UNMAP, iommufd_ioas_unmap, struct iommu_ioas_unmap,
363 		 length),
364 	IOCTL_OP(IOMMU_OPTION, iommufd_option, struct iommu_option,
365 		 val64),
366 	IOCTL_OP(IOMMU_VFIO_IOAS, iommufd_vfio_ioas, struct iommu_vfio_ioas,
367 		 __reserved),
368 	IOCTL_OP(IOMMU_VIOMMU_ALLOC, iommufd_viommu_alloc_ioctl,
369 		 struct iommu_viommu_alloc, out_viommu_id),
370 	IOCTL_OP(IOMMU_VDEVICE_ALLOC, iommufd_vdevice_alloc_ioctl,
371 		 struct iommu_vdevice_alloc, virt_id),
372 #ifdef CONFIG_IOMMUFD_TEST
373 	IOCTL_OP(IOMMU_TEST_CMD, iommufd_test, struct iommu_test_cmd, last),
374 #endif
375 };
376 
377 static long iommufd_fops_ioctl(struct file *filp, unsigned int cmd,
378 			       unsigned long arg)
379 {
380 	struct iommufd_ctx *ictx = filp->private_data;
381 	const struct iommufd_ioctl_op *op;
382 	struct iommufd_ucmd ucmd = {};
383 	union ucmd_buffer buf;
384 	unsigned int nr;
385 	int ret;
386 
387 	nr = _IOC_NR(cmd);
388 	if (nr < IOMMUFD_CMD_BASE ||
389 	    (nr - IOMMUFD_CMD_BASE) >= ARRAY_SIZE(iommufd_ioctl_ops))
390 		return iommufd_vfio_ioctl(ictx, cmd, arg);
391 
392 	ucmd.ictx = ictx;
393 	ucmd.ubuffer = (void __user *)arg;
394 	ret = get_user(ucmd.user_size, (u32 __user *)ucmd.ubuffer);
395 	if (ret)
396 		return ret;
397 
398 	op = &iommufd_ioctl_ops[nr - IOMMUFD_CMD_BASE];
399 	if (op->ioctl_num != cmd)
400 		return -ENOIOCTLCMD;
401 	if (ucmd.user_size < op->min_size)
402 		return -EINVAL;
403 
404 	ucmd.cmd = &buf;
405 	ret = copy_struct_from_user(ucmd.cmd, op->size, ucmd.ubuffer,
406 				    ucmd.user_size);
407 	if (ret)
408 		return ret;
409 	ret = op->execute(&ucmd);
410 	return ret;
411 }
412 
413 static const struct file_operations iommufd_fops = {
414 	.owner = THIS_MODULE,
415 	.open = iommufd_fops_open,
416 	.release = iommufd_fops_release,
417 	.unlocked_ioctl = iommufd_fops_ioctl,
418 };
419 
420 /**
421  * iommufd_ctx_get - Get a context reference
422  * @ictx: Context to get
423  *
424  * The caller must already hold a valid reference to ictx.
425  */
426 void iommufd_ctx_get(struct iommufd_ctx *ictx)
427 {
428 	get_file(ictx->file);
429 }
430 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_get, IOMMUFD);
431 
432 /**
433  * iommufd_ctx_from_file - Acquires a reference to the iommufd context
434  * @file: File to obtain the reference from
435  *
436  * Returns a pointer to the iommufd_ctx, otherwise ERR_PTR. The struct file
437  * remains owned by the caller and the caller must still do fput. On success
438  * the caller is responsible to call iommufd_ctx_put().
439  */
440 struct iommufd_ctx *iommufd_ctx_from_file(struct file *file)
441 {
442 	struct iommufd_ctx *ictx;
443 
444 	if (file->f_op != &iommufd_fops)
445 		return ERR_PTR(-EBADFD);
446 	ictx = file->private_data;
447 	iommufd_ctx_get(ictx);
448 	return ictx;
449 }
450 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_from_file, IOMMUFD);
451 
452 /**
453  * iommufd_ctx_from_fd - Acquires a reference to the iommufd context
454  * @fd: File descriptor to obtain the reference from
455  *
456  * Returns a pointer to the iommufd_ctx, otherwise ERR_PTR. On success
457  * the caller is responsible to call iommufd_ctx_put().
458  */
459 struct iommufd_ctx *iommufd_ctx_from_fd(int fd)
460 {
461 	struct file *file;
462 
463 	file = fget(fd);
464 	if (!file)
465 		return ERR_PTR(-EBADF);
466 
467 	if (file->f_op != &iommufd_fops) {
468 		fput(file);
469 		return ERR_PTR(-EBADFD);
470 	}
471 	/* fget is the same as iommufd_ctx_get() */
472 	return file->private_data;
473 }
474 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_from_fd, IOMMUFD);
475 
476 /**
477  * iommufd_ctx_put - Put back a reference
478  * @ictx: Context to put back
479  */
480 void iommufd_ctx_put(struct iommufd_ctx *ictx)
481 {
482 	fput(ictx->file);
483 }
484 EXPORT_SYMBOL_NS_GPL(iommufd_ctx_put, IOMMUFD);
485 
486 static const struct iommufd_object_ops iommufd_object_ops[] = {
487 	[IOMMUFD_OBJ_ACCESS] = {
488 		.destroy = iommufd_access_destroy_object,
489 	},
490 	[IOMMUFD_OBJ_DEVICE] = {
491 		.destroy = iommufd_device_destroy,
492 	},
493 	[IOMMUFD_OBJ_IOAS] = {
494 		.destroy = iommufd_ioas_destroy,
495 	},
496 	[IOMMUFD_OBJ_HWPT_PAGING] = {
497 		.destroy = iommufd_hwpt_paging_destroy,
498 		.abort = iommufd_hwpt_paging_abort,
499 	},
500 	[IOMMUFD_OBJ_HWPT_NESTED] = {
501 		.destroy = iommufd_hwpt_nested_destroy,
502 		.abort = iommufd_hwpt_nested_abort,
503 	},
504 	[IOMMUFD_OBJ_FAULT] = {
505 		.destroy = iommufd_fault_destroy,
506 	},
507 	[IOMMUFD_OBJ_VIOMMU] = {
508 		.destroy = iommufd_viommu_destroy,
509 	},
510 	[IOMMUFD_OBJ_VDEVICE] = {
511 		.destroy = iommufd_vdevice_destroy,
512 	},
513 #ifdef CONFIG_IOMMUFD_TEST
514 	[IOMMUFD_OBJ_SELFTEST] = {
515 		.destroy = iommufd_selftest_destroy,
516 	},
517 #endif
518 };
519 
520 static struct miscdevice iommu_misc_dev = {
521 	.minor = MISC_DYNAMIC_MINOR,
522 	.name = "iommu",
523 	.fops = &iommufd_fops,
524 	.nodename = "iommu",
525 	.mode = 0660,
526 };
527 
528 
529 static struct miscdevice vfio_misc_dev = {
530 	.minor = VFIO_MINOR,
531 	.name = "vfio",
532 	.fops = &iommufd_fops,
533 	.nodename = "vfio/vfio",
534 	.mode = 0666,
535 };
536 
537 static int __init iommufd_init(void)
538 {
539 	int ret;
540 
541 	ret = misc_register(&iommu_misc_dev);
542 	if (ret)
543 		return ret;
544 
545 	if (IS_ENABLED(CONFIG_IOMMUFD_VFIO_CONTAINER)) {
546 		ret = misc_register(&vfio_misc_dev);
547 		if (ret)
548 			goto err_misc;
549 	}
550 	ret = iommufd_test_init();
551 	if (ret)
552 		goto err_vfio_misc;
553 	return 0;
554 
555 err_vfio_misc:
556 	if (IS_ENABLED(CONFIG_IOMMUFD_VFIO_CONTAINER))
557 		misc_deregister(&vfio_misc_dev);
558 err_misc:
559 	misc_deregister(&iommu_misc_dev);
560 	return ret;
561 }
562 
563 static void __exit iommufd_exit(void)
564 {
565 	iommufd_test_exit();
566 	if (IS_ENABLED(CONFIG_IOMMUFD_VFIO_CONTAINER))
567 		misc_deregister(&vfio_misc_dev);
568 	misc_deregister(&iommu_misc_dev);
569 }
570 
571 module_init(iommufd_init);
572 module_exit(iommufd_exit);
573 
574 #if IS_ENABLED(CONFIG_IOMMUFD_VFIO_CONTAINER)
575 MODULE_ALIAS_MISCDEV(VFIO_MINOR);
576 MODULE_ALIAS("devname:vfio/vfio");
577 #endif
578 MODULE_IMPORT_NS(IOMMUFD_INTERNAL);
579 MODULE_IMPORT_NS(IOMMUFD);
580 MODULE_DESCRIPTION("I/O Address Space Management for passthrough devices");
581 MODULE_LICENSE("GPL");
582