1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES. 3 * 4 * Kernel side components to support tools/testing/selftests/iommu 5 */ 6 #include <linux/anon_inodes.h> 7 #include <linux/debugfs.h> 8 #include <linux/fault-inject.h> 9 #include <linux/file.h> 10 #include <linux/iommu.h> 11 #include <linux/platform_device.h> 12 #include <linux/slab.h> 13 #include <linux/xarray.h> 14 #include <uapi/linux/iommufd.h> 15 16 #include "../iommu-priv.h" 17 #include "io_pagetable.h" 18 #include "iommufd_private.h" 19 #include "iommufd_test.h" 20 21 static DECLARE_FAULT_ATTR(fail_iommufd); 22 static struct dentry *dbgfs_root; 23 static struct platform_device *selftest_iommu_dev; 24 static const struct iommu_ops mock_ops; 25 static struct iommu_domain_ops domain_nested_ops; 26 27 size_t iommufd_test_memory_limit = 65536; 28 29 struct mock_bus_type { 30 struct bus_type bus; 31 struct notifier_block nb; 32 }; 33 34 static struct mock_bus_type iommufd_mock_bus_type = { 35 .bus = { 36 .name = "iommufd_mock", 37 }, 38 }; 39 40 static DEFINE_IDA(mock_dev_ida); 41 42 enum { 43 MOCK_DIRTY_TRACK = 1, 44 MOCK_IO_PAGE_SIZE = PAGE_SIZE / 2, 45 MOCK_HUGE_PAGE_SIZE = 512 * MOCK_IO_PAGE_SIZE, 46 47 /* 48 * Like a real page table alignment requires the low bits of the address 49 * to be zero. xarray also requires the high bit to be zero, so we store 50 * the pfns shifted. The upper bits are used for metadata. 51 */ 52 MOCK_PFN_MASK = ULONG_MAX / MOCK_IO_PAGE_SIZE, 53 54 _MOCK_PFN_START = MOCK_PFN_MASK + 1, 55 MOCK_PFN_START_IOVA = _MOCK_PFN_START, 56 MOCK_PFN_LAST_IOVA = _MOCK_PFN_START, 57 MOCK_PFN_DIRTY_IOVA = _MOCK_PFN_START << 1, 58 MOCK_PFN_HUGE_IOVA = _MOCK_PFN_START << 2, 59 }; 60 61 /* 62 * Syzkaller has trouble randomizing the correct iova to use since it is linked 63 * to the map ioctl's output, and it has no ide about that. So, simplify things. 64 * In syzkaller mode the 64 bit IOVA is converted into an nth area and offset 65 * value. This has a much smaller randomization space and syzkaller can hit it. 66 */ 67 static unsigned long __iommufd_test_syz_conv_iova(struct io_pagetable *iopt, 68 u64 *iova) 69 { 70 struct syz_layout { 71 __u32 nth_area; 72 __u32 offset; 73 }; 74 struct syz_layout *syz = (void *)iova; 75 unsigned int nth = syz->nth_area; 76 struct iopt_area *area; 77 78 down_read(&iopt->iova_rwsem); 79 for (area = iopt_area_iter_first(iopt, 0, ULONG_MAX); area; 80 area = iopt_area_iter_next(area, 0, ULONG_MAX)) { 81 if (nth == 0) { 82 up_read(&iopt->iova_rwsem); 83 return iopt_area_iova(area) + syz->offset; 84 } 85 nth--; 86 } 87 up_read(&iopt->iova_rwsem); 88 89 return 0; 90 } 91 92 static unsigned long iommufd_test_syz_conv_iova(struct iommufd_access *access, 93 u64 *iova) 94 { 95 unsigned long ret; 96 97 mutex_lock(&access->ioas_lock); 98 if (!access->ioas) { 99 mutex_unlock(&access->ioas_lock); 100 return 0; 101 } 102 ret = __iommufd_test_syz_conv_iova(&access->ioas->iopt, iova); 103 mutex_unlock(&access->ioas_lock); 104 return ret; 105 } 106 107 void iommufd_test_syz_conv_iova_id(struct iommufd_ucmd *ucmd, 108 unsigned int ioas_id, u64 *iova, u32 *flags) 109 { 110 struct iommufd_ioas *ioas; 111 112 if (!(*flags & MOCK_FLAGS_ACCESS_SYZ)) 113 return; 114 *flags &= ~(u32)MOCK_FLAGS_ACCESS_SYZ; 115 116 ioas = iommufd_get_ioas(ucmd->ictx, ioas_id); 117 if (IS_ERR(ioas)) 118 return; 119 *iova = __iommufd_test_syz_conv_iova(&ioas->iopt, iova); 120 iommufd_put_object(ucmd->ictx, &ioas->obj); 121 } 122 123 struct mock_iommu_domain { 124 unsigned long flags; 125 struct iommu_domain domain; 126 struct xarray pfns; 127 }; 128 129 static inline struct mock_iommu_domain * 130 to_mock_domain(struct iommu_domain *domain) 131 { 132 return container_of(domain, struct mock_iommu_domain, domain); 133 } 134 135 struct mock_iommu_domain_nested { 136 struct iommu_domain domain; 137 struct mock_viommu *mock_viommu; 138 struct mock_iommu_domain *parent; 139 u32 iotlb[MOCK_NESTED_DOMAIN_IOTLB_NUM]; 140 }; 141 142 static inline struct mock_iommu_domain_nested * 143 to_mock_nested(struct iommu_domain *domain) 144 { 145 return container_of(domain, struct mock_iommu_domain_nested, domain); 146 } 147 148 struct mock_viommu { 149 struct iommufd_viommu core; 150 struct mock_iommu_domain *s2_parent; 151 }; 152 153 static inline struct mock_viommu *to_mock_viommu(struct iommufd_viommu *viommu) 154 { 155 return container_of(viommu, struct mock_viommu, core); 156 } 157 158 enum selftest_obj_type { 159 TYPE_IDEV, 160 }; 161 162 struct mock_dev { 163 struct device dev; 164 unsigned long flags; 165 int id; 166 u32 cache[MOCK_DEV_CACHE_NUM]; 167 }; 168 169 static inline struct mock_dev *to_mock_dev(struct device *dev) 170 { 171 return container_of(dev, struct mock_dev, dev); 172 } 173 174 struct selftest_obj { 175 struct iommufd_object obj; 176 enum selftest_obj_type type; 177 178 union { 179 struct { 180 struct iommufd_device *idev; 181 struct iommufd_ctx *ictx; 182 struct mock_dev *mock_dev; 183 } idev; 184 }; 185 }; 186 187 static inline struct selftest_obj *to_selftest_obj(struct iommufd_object *obj) 188 { 189 return container_of(obj, struct selftest_obj, obj); 190 } 191 192 static int mock_domain_nop_attach(struct iommu_domain *domain, 193 struct device *dev) 194 { 195 struct mock_dev *mdev = to_mock_dev(dev); 196 197 if (domain->dirty_ops && (mdev->flags & MOCK_FLAGS_DEVICE_NO_DIRTY)) 198 return -EINVAL; 199 200 return 0; 201 } 202 203 static const struct iommu_domain_ops mock_blocking_ops = { 204 .attach_dev = mock_domain_nop_attach, 205 }; 206 207 static struct iommu_domain mock_blocking_domain = { 208 .type = IOMMU_DOMAIN_BLOCKED, 209 .ops = &mock_blocking_ops, 210 }; 211 212 static void *mock_domain_hw_info(struct device *dev, u32 *length, u32 *type) 213 { 214 struct iommu_test_hw_info *info; 215 216 info = kzalloc(sizeof(*info), GFP_KERNEL); 217 if (!info) 218 return ERR_PTR(-ENOMEM); 219 220 info->test_reg = IOMMU_HW_INFO_SELFTEST_REGVAL; 221 *length = sizeof(*info); 222 *type = IOMMU_HW_INFO_TYPE_SELFTEST; 223 224 return info; 225 } 226 227 static int mock_domain_set_dirty_tracking(struct iommu_domain *domain, 228 bool enable) 229 { 230 struct mock_iommu_domain *mock = to_mock_domain(domain); 231 unsigned long flags = mock->flags; 232 233 if (enable && !domain->dirty_ops) 234 return -EINVAL; 235 236 /* No change? */ 237 if (!(enable ^ !!(flags & MOCK_DIRTY_TRACK))) 238 return 0; 239 240 flags = (enable ? flags | MOCK_DIRTY_TRACK : flags & ~MOCK_DIRTY_TRACK); 241 242 mock->flags = flags; 243 return 0; 244 } 245 246 static bool mock_test_and_clear_dirty(struct mock_iommu_domain *mock, 247 unsigned long iova, size_t page_size, 248 unsigned long flags) 249 { 250 unsigned long cur, end = iova + page_size - 1; 251 bool dirty = false; 252 void *ent, *old; 253 254 for (cur = iova; cur < end; cur += MOCK_IO_PAGE_SIZE) { 255 ent = xa_load(&mock->pfns, cur / MOCK_IO_PAGE_SIZE); 256 if (!ent || !(xa_to_value(ent) & MOCK_PFN_DIRTY_IOVA)) 257 continue; 258 259 dirty = true; 260 /* Clear dirty */ 261 if (!(flags & IOMMU_DIRTY_NO_CLEAR)) { 262 unsigned long val; 263 264 val = xa_to_value(ent) & ~MOCK_PFN_DIRTY_IOVA; 265 old = xa_store(&mock->pfns, cur / MOCK_IO_PAGE_SIZE, 266 xa_mk_value(val), GFP_KERNEL); 267 WARN_ON_ONCE(ent != old); 268 } 269 } 270 271 return dirty; 272 } 273 274 static int mock_domain_read_and_clear_dirty(struct iommu_domain *domain, 275 unsigned long iova, size_t size, 276 unsigned long flags, 277 struct iommu_dirty_bitmap *dirty) 278 { 279 struct mock_iommu_domain *mock = to_mock_domain(domain); 280 unsigned long end = iova + size; 281 void *ent; 282 283 if (!(mock->flags & MOCK_DIRTY_TRACK) && dirty->bitmap) 284 return -EINVAL; 285 286 do { 287 unsigned long pgsize = MOCK_IO_PAGE_SIZE; 288 unsigned long head; 289 290 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 291 if (!ent) { 292 iova += pgsize; 293 continue; 294 } 295 296 if (xa_to_value(ent) & MOCK_PFN_HUGE_IOVA) 297 pgsize = MOCK_HUGE_PAGE_SIZE; 298 head = iova & ~(pgsize - 1); 299 300 /* Clear dirty */ 301 if (mock_test_and_clear_dirty(mock, head, pgsize, flags)) 302 iommu_dirty_bitmap_record(dirty, iova, pgsize); 303 iova += pgsize; 304 } while (iova < end); 305 306 return 0; 307 } 308 309 static const struct iommu_dirty_ops dirty_ops = { 310 .set_dirty_tracking = mock_domain_set_dirty_tracking, 311 .read_and_clear_dirty = mock_domain_read_and_clear_dirty, 312 }; 313 314 static struct iommu_domain *mock_domain_alloc_paging(struct device *dev) 315 { 316 struct mock_dev *mdev = to_mock_dev(dev); 317 struct mock_iommu_domain *mock; 318 319 mock = kzalloc(sizeof(*mock), GFP_KERNEL); 320 if (!mock) 321 return NULL; 322 mock->domain.geometry.aperture_start = MOCK_APERTURE_START; 323 mock->domain.geometry.aperture_end = MOCK_APERTURE_LAST; 324 mock->domain.pgsize_bitmap = MOCK_IO_PAGE_SIZE; 325 if (dev && mdev->flags & MOCK_FLAGS_DEVICE_HUGE_IOVA) 326 mock->domain.pgsize_bitmap |= MOCK_HUGE_PAGE_SIZE; 327 mock->domain.ops = mock_ops.default_domain_ops; 328 mock->domain.type = IOMMU_DOMAIN_UNMANAGED; 329 xa_init(&mock->pfns); 330 return &mock->domain; 331 } 332 333 static struct mock_iommu_domain_nested * 334 __mock_domain_alloc_nested(const struct iommu_user_data *user_data) 335 { 336 struct mock_iommu_domain_nested *mock_nested; 337 struct iommu_hwpt_selftest user_cfg; 338 int rc, i; 339 340 if (user_data->type != IOMMU_HWPT_DATA_SELFTEST) 341 return ERR_PTR(-EOPNOTSUPP); 342 343 rc = iommu_copy_struct_from_user(&user_cfg, user_data, 344 IOMMU_HWPT_DATA_SELFTEST, iotlb); 345 if (rc) 346 return ERR_PTR(rc); 347 348 mock_nested = kzalloc(sizeof(*mock_nested), GFP_KERNEL); 349 if (!mock_nested) 350 return ERR_PTR(-ENOMEM); 351 mock_nested->domain.ops = &domain_nested_ops; 352 mock_nested->domain.type = IOMMU_DOMAIN_NESTED; 353 for (i = 0; i < MOCK_NESTED_DOMAIN_IOTLB_NUM; i++) 354 mock_nested->iotlb[i] = user_cfg.iotlb; 355 return mock_nested; 356 } 357 358 static struct iommu_domain * 359 mock_domain_alloc_nested(struct iommu_domain *parent, u32 flags, 360 const struct iommu_user_data *user_data) 361 { 362 struct mock_iommu_domain_nested *mock_nested; 363 struct mock_iommu_domain *mock_parent; 364 365 if (flags) 366 return ERR_PTR(-EOPNOTSUPP); 367 if (!parent || parent->ops != mock_ops.default_domain_ops) 368 return ERR_PTR(-EINVAL); 369 370 mock_parent = to_mock_domain(parent); 371 if (!mock_parent) 372 return ERR_PTR(-EINVAL); 373 374 mock_nested = __mock_domain_alloc_nested(user_data); 375 if (IS_ERR(mock_nested)) 376 return ERR_CAST(mock_nested); 377 mock_nested->parent = mock_parent; 378 return &mock_nested->domain; 379 } 380 381 static struct iommu_domain * 382 mock_domain_alloc_user(struct device *dev, u32 flags, 383 struct iommu_domain *parent, 384 const struct iommu_user_data *user_data) 385 { 386 bool has_dirty_flag = flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING; 387 const u32 PAGING_FLAGS = IOMMU_HWPT_ALLOC_DIRTY_TRACKING | 388 IOMMU_HWPT_ALLOC_NEST_PARENT; 389 bool no_dirty_ops = to_mock_dev(dev)->flags & 390 MOCK_FLAGS_DEVICE_NO_DIRTY; 391 struct iommu_domain *domain; 392 393 if (parent) 394 return mock_domain_alloc_nested(parent, flags, user_data); 395 396 if (user_data) 397 return ERR_PTR(-EOPNOTSUPP); 398 if ((flags & ~PAGING_FLAGS) || (has_dirty_flag && no_dirty_ops)) 399 return ERR_PTR(-EOPNOTSUPP); 400 401 domain = mock_domain_alloc_paging(dev); 402 if (!domain) 403 return ERR_PTR(-ENOMEM); 404 if (has_dirty_flag) 405 domain->dirty_ops = &dirty_ops; 406 return domain; 407 } 408 409 static void mock_domain_free(struct iommu_domain *domain) 410 { 411 struct mock_iommu_domain *mock = to_mock_domain(domain); 412 413 WARN_ON(!xa_empty(&mock->pfns)); 414 kfree(mock); 415 } 416 417 static int mock_domain_map_pages(struct iommu_domain *domain, 418 unsigned long iova, phys_addr_t paddr, 419 size_t pgsize, size_t pgcount, int prot, 420 gfp_t gfp, size_t *mapped) 421 { 422 struct mock_iommu_domain *mock = to_mock_domain(domain); 423 unsigned long flags = MOCK_PFN_START_IOVA; 424 unsigned long start_iova = iova; 425 426 /* 427 * xarray does not reliably work with fault injection because it does a 428 * retry allocation, so put our own failure point. 429 */ 430 if (iommufd_should_fail()) 431 return -ENOENT; 432 433 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 434 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE); 435 for (; pgcount; pgcount--) { 436 size_t cur; 437 438 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) { 439 void *old; 440 441 if (pgcount == 1 && cur + MOCK_IO_PAGE_SIZE == pgsize) 442 flags = MOCK_PFN_LAST_IOVA; 443 if (pgsize != MOCK_IO_PAGE_SIZE) { 444 flags |= MOCK_PFN_HUGE_IOVA; 445 } 446 old = xa_store(&mock->pfns, iova / MOCK_IO_PAGE_SIZE, 447 xa_mk_value((paddr / MOCK_IO_PAGE_SIZE) | 448 flags), 449 gfp); 450 if (xa_is_err(old)) { 451 for (; start_iova != iova; 452 start_iova += MOCK_IO_PAGE_SIZE) 453 xa_erase(&mock->pfns, 454 start_iova / 455 MOCK_IO_PAGE_SIZE); 456 return xa_err(old); 457 } 458 WARN_ON(old); 459 iova += MOCK_IO_PAGE_SIZE; 460 paddr += MOCK_IO_PAGE_SIZE; 461 *mapped += MOCK_IO_PAGE_SIZE; 462 flags = 0; 463 } 464 } 465 return 0; 466 } 467 468 static size_t mock_domain_unmap_pages(struct iommu_domain *domain, 469 unsigned long iova, size_t pgsize, 470 size_t pgcount, 471 struct iommu_iotlb_gather *iotlb_gather) 472 { 473 struct mock_iommu_domain *mock = to_mock_domain(domain); 474 bool first = true; 475 size_t ret = 0; 476 void *ent; 477 478 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 479 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE); 480 481 for (; pgcount; pgcount--) { 482 size_t cur; 483 484 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) { 485 ent = xa_erase(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 486 487 /* 488 * iommufd generates unmaps that must be a strict 489 * superset of the map's performend So every 490 * starting/ending IOVA should have been an iova passed 491 * to map. 492 * 493 * This simple logic doesn't work when the HUGE_PAGE is 494 * turned on since the core code will automatically 495 * switch between the two page sizes creating a break in 496 * the unmap calls. The break can land in the middle of 497 * contiguous IOVA. 498 */ 499 if (!(domain->pgsize_bitmap & MOCK_HUGE_PAGE_SIZE)) { 500 if (first) { 501 WARN_ON(ent && !(xa_to_value(ent) & 502 MOCK_PFN_START_IOVA)); 503 first = false; 504 } 505 if (pgcount == 1 && 506 cur + MOCK_IO_PAGE_SIZE == pgsize) 507 WARN_ON(ent && !(xa_to_value(ent) & 508 MOCK_PFN_LAST_IOVA)); 509 } 510 511 iova += MOCK_IO_PAGE_SIZE; 512 ret += MOCK_IO_PAGE_SIZE; 513 } 514 } 515 return ret; 516 } 517 518 static phys_addr_t mock_domain_iova_to_phys(struct iommu_domain *domain, 519 dma_addr_t iova) 520 { 521 struct mock_iommu_domain *mock = to_mock_domain(domain); 522 void *ent; 523 524 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 525 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 526 WARN_ON(!ent); 527 return (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE; 528 } 529 530 static bool mock_domain_capable(struct device *dev, enum iommu_cap cap) 531 { 532 struct mock_dev *mdev = to_mock_dev(dev); 533 534 switch (cap) { 535 case IOMMU_CAP_CACHE_COHERENCY: 536 return true; 537 case IOMMU_CAP_DIRTY_TRACKING: 538 return !(mdev->flags & MOCK_FLAGS_DEVICE_NO_DIRTY); 539 default: 540 break; 541 } 542 543 return false; 544 } 545 546 static struct iopf_queue *mock_iommu_iopf_queue; 547 548 static struct mock_iommu_device { 549 struct iommu_device iommu_dev; 550 struct completion complete; 551 refcount_t users; 552 } mock_iommu; 553 554 static struct iommu_device *mock_probe_device(struct device *dev) 555 { 556 if (dev->bus != &iommufd_mock_bus_type.bus) 557 return ERR_PTR(-ENODEV); 558 return &mock_iommu.iommu_dev; 559 } 560 561 static void mock_domain_page_response(struct device *dev, struct iopf_fault *evt, 562 struct iommu_page_response *msg) 563 { 564 } 565 566 static int mock_dev_enable_feat(struct device *dev, enum iommu_dev_features feat) 567 { 568 if (feat != IOMMU_DEV_FEAT_IOPF || !mock_iommu_iopf_queue) 569 return -ENODEV; 570 571 return iopf_queue_add_device(mock_iommu_iopf_queue, dev); 572 } 573 574 static int mock_dev_disable_feat(struct device *dev, enum iommu_dev_features feat) 575 { 576 if (feat != IOMMU_DEV_FEAT_IOPF || !mock_iommu_iopf_queue) 577 return -ENODEV; 578 579 iopf_queue_remove_device(mock_iommu_iopf_queue, dev); 580 581 return 0; 582 } 583 584 static void mock_viommu_destroy(struct iommufd_viommu *viommu) 585 { 586 struct mock_iommu_device *mock_iommu = container_of( 587 viommu->iommu_dev, struct mock_iommu_device, iommu_dev); 588 589 if (refcount_dec_and_test(&mock_iommu->users)) 590 complete(&mock_iommu->complete); 591 592 /* iommufd core frees mock_viommu and viommu */ 593 } 594 595 static struct iommu_domain * 596 mock_viommu_alloc_domain_nested(struct iommufd_viommu *viommu, u32 flags, 597 const struct iommu_user_data *user_data) 598 { 599 struct mock_viommu *mock_viommu = to_mock_viommu(viommu); 600 struct mock_iommu_domain_nested *mock_nested; 601 602 if (flags & ~IOMMU_HWPT_FAULT_ID_VALID) 603 return ERR_PTR(-EOPNOTSUPP); 604 605 mock_nested = __mock_domain_alloc_nested(user_data); 606 if (IS_ERR(mock_nested)) 607 return ERR_CAST(mock_nested); 608 mock_nested->mock_viommu = mock_viommu; 609 mock_nested->parent = mock_viommu->s2_parent; 610 return &mock_nested->domain; 611 } 612 613 static int mock_viommu_cache_invalidate(struct iommufd_viommu *viommu, 614 struct iommu_user_data_array *array) 615 { 616 struct iommu_viommu_invalidate_selftest *cmds; 617 struct iommu_viommu_invalidate_selftest *cur; 618 struct iommu_viommu_invalidate_selftest *end; 619 int rc; 620 621 /* A zero-length array is allowed to validate the array type */ 622 if (array->entry_num == 0 && 623 array->type == IOMMU_VIOMMU_INVALIDATE_DATA_SELFTEST) { 624 array->entry_num = 0; 625 return 0; 626 } 627 628 cmds = kcalloc(array->entry_num, sizeof(*cmds), GFP_KERNEL); 629 if (!cmds) 630 return -ENOMEM; 631 cur = cmds; 632 end = cmds + array->entry_num; 633 634 static_assert(sizeof(*cmds) == 3 * sizeof(u32)); 635 rc = iommu_copy_struct_from_full_user_array( 636 cmds, sizeof(*cmds), array, 637 IOMMU_VIOMMU_INVALIDATE_DATA_SELFTEST); 638 if (rc) 639 goto out; 640 641 while (cur != end) { 642 struct mock_dev *mdev; 643 struct device *dev; 644 int i; 645 646 if (cur->flags & ~IOMMU_TEST_INVALIDATE_FLAG_ALL) { 647 rc = -EOPNOTSUPP; 648 goto out; 649 } 650 651 if (cur->cache_id > MOCK_DEV_CACHE_ID_MAX) { 652 rc = -EINVAL; 653 goto out; 654 } 655 656 xa_lock(&viommu->vdevs); 657 dev = iommufd_viommu_find_dev(viommu, 658 (unsigned long)cur->vdev_id); 659 if (!dev) { 660 xa_unlock(&viommu->vdevs); 661 rc = -EINVAL; 662 goto out; 663 } 664 mdev = container_of(dev, struct mock_dev, dev); 665 666 if (cur->flags & IOMMU_TEST_INVALIDATE_FLAG_ALL) { 667 /* Invalidate all cache entries and ignore cache_id */ 668 for (i = 0; i < MOCK_DEV_CACHE_NUM; i++) 669 mdev->cache[i] = 0; 670 } else { 671 mdev->cache[cur->cache_id] = 0; 672 } 673 xa_unlock(&viommu->vdevs); 674 675 cur++; 676 } 677 out: 678 array->entry_num = cur - cmds; 679 kfree(cmds); 680 return rc; 681 } 682 683 static struct iommufd_viommu_ops mock_viommu_ops = { 684 .destroy = mock_viommu_destroy, 685 .alloc_domain_nested = mock_viommu_alloc_domain_nested, 686 .cache_invalidate = mock_viommu_cache_invalidate, 687 }; 688 689 static struct iommufd_viommu *mock_viommu_alloc(struct device *dev, 690 struct iommu_domain *domain, 691 struct iommufd_ctx *ictx, 692 unsigned int viommu_type) 693 { 694 struct mock_iommu_device *mock_iommu = 695 iommu_get_iommu_dev(dev, struct mock_iommu_device, iommu_dev); 696 struct mock_viommu *mock_viommu; 697 698 if (viommu_type != IOMMU_VIOMMU_TYPE_SELFTEST) 699 return ERR_PTR(-EOPNOTSUPP); 700 701 mock_viommu = iommufd_viommu_alloc(ictx, struct mock_viommu, core, 702 &mock_viommu_ops); 703 if (IS_ERR(mock_viommu)) 704 return ERR_CAST(mock_viommu); 705 706 refcount_inc(&mock_iommu->users); 707 return &mock_viommu->core; 708 } 709 710 static const struct iommu_ops mock_ops = { 711 /* 712 * IOMMU_DOMAIN_BLOCKED cannot be returned from def_domain_type() 713 * because it is zero. 714 */ 715 .default_domain = &mock_blocking_domain, 716 .blocked_domain = &mock_blocking_domain, 717 .owner = THIS_MODULE, 718 .pgsize_bitmap = MOCK_IO_PAGE_SIZE, 719 .hw_info = mock_domain_hw_info, 720 .domain_alloc_paging = mock_domain_alloc_paging, 721 .domain_alloc_user = mock_domain_alloc_user, 722 .capable = mock_domain_capable, 723 .device_group = generic_device_group, 724 .probe_device = mock_probe_device, 725 .page_response = mock_domain_page_response, 726 .dev_enable_feat = mock_dev_enable_feat, 727 .dev_disable_feat = mock_dev_disable_feat, 728 .user_pasid_table = true, 729 .viommu_alloc = mock_viommu_alloc, 730 .default_domain_ops = 731 &(struct iommu_domain_ops){ 732 .free = mock_domain_free, 733 .attach_dev = mock_domain_nop_attach, 734 .map_pages = mock_domain_map_pages, 735 .unmap_pages = mock_domain_unmap_pages, 736 .iova_to_phys = mock_domain_iova_to_phys, 737 }, 738 }; 739 740 static void mock_domain_free_nested(struct iommu_domain *domain) 741 { 742 kfree(to_mock_nested(domain)); 743 } 744 745 static int 746 mock_domain_cache_invalidate_user(struct iommu_domain *domain, 747 struct iommu_user_data_array *array) 748 { 749 struct mock_iommu_domain_nested *mock_nested = to_mock_nested(domain); 750 struct iommu_hwpt_invalidate_selftest inv; 751 u32 processed = 0; 752 int i = 0, j; 753 int rc = 0; 754 755 if (array->type != IOMMU_HWPT_INVALIDATE_DATA_SELFTEST) { 756 rc = -EINVAL; 757 goto out; 758 } 759 760 for ( ; i < array->entry_num; i++) { 761 rc = iommu_copy_struct_from_user_array(&inv, array, 762 IOMMU_HWPT_INVALIDATE_DATA_SELFTEST, 763 i, iotlb_id); 764 if (rc) 765 break; 766 767 if (inv.flags & ~IOMMU_TEST_INVALIDATE_FLAG_ALL) { 768 rc = -EOPNOTSUPP; 769 break; 770 } 771 772 if (inv.iotlb_id > MOCK_NESTED_DOMAIN_IOTLB_ID_MAX) { 773 rc = -EINVAL; 774 break; 775 } 776 777 if (inv.flags & IOMMU_TEST_INVALIDATE_FLAG_ALL) { 778 /* Invalidate all mock iotlb entries and ignore iotlb_id */ 779 for (j = 0; j < MOCK_NESTED_DOMAIN_IOTLB_NUM; j++) 780 mock_nested->iotlb[j] = 0; 781 } else { 782 mock_nested->iotlb[inv.iotlb_id] = 0; 783 } 784 785 processed++; 786 } 787 788 out: 789 array->entry_num = processed; 790 return rc; 791 } 792 793 static struct iommu_domain_ops domain_nested_ops = { 794 .free = mock_domain_free_nested, 795 .attach_dev = mock_domain_nop_attach, 796 .cache_invalidate_user = mock_domain_cache_invalidate_user, 797 }; 798 799 static inline struct iommufd_hw_pagetable * 800 __get_md_pagetable(struct iommufd_ucmd *ucmd, u32 mockpt_id, u32 hwpt_type) 801 { 802 struct iommufd_object *obj; 803 804 obj = iommufd_get_object(ucmd->ictx, mockpt_id, hwpt_type); 805 if (IS_ERR(obj)) 806 return ERR_CAST(obj); 807 return container_of(obj, struct iommufd_hw_pagetable, obj); 808 } 809 810 static inline struct iommufd_hw_pagetable * 811 get_md_pagetable(struct iommufd_ucmd *ucmd, u32 mockpt_id, 812 struct mock_iommu_domain **mock) 813 { 814 struct iommufd_hw_pagetable *hwpt; 815 816 hwpt = __get_md_pagetable(ucmd, mockpt_id, IOMMUFD_OBJ_HWPT_PAGING); 817 if (IS_ERR(hwpt)) 818 return hwpt; 819 if (hwpt->domain->type != IOMMU_DOMAIN_UNMANAGED || 820 hwpt->domain->ops != mock_ops.default_domain_ops) { 821 iommufd_put_object(ucmd->ictx, &hwpt->obj); 822 return ERR_PTR(-EINVAL); 823 } 824 *mock = to_mock_domain(hwpt->domain); 825 return hwpt; 826 } 827 828 static inline struct iommufd_hw_pagetable * 829 get_md_pagetable_nested(struct iommufd_ucmd *ucmd, u32 mockpt_id, 830 struct mock_iommu_domain_nested **mock_nested) 831 { 832 struct iommufd_hw_pagetable *hwpt; 833 834 hwpt = __get_md_pagetable(ucmd, mockpt_id, IOMMUFD_OBJ_HWPT_NESTED); 835 if (IS_ERR(hwpt)) 836 return hwpt; 837 if (hwpt->domain->type != IOMMU_DOMAIN_NESTED || 838 hwpt->domain->ops != &domain_nested_ops) { 839 iommufd_put_object(ucmd->ictx, &hwpt->obj); 840 return ERR_PTR(-EINVAL); 841 } 842 *mock_nested = to_mock_nested(hwpt->domain); 843 return hwpt; 844 } 845 846 static void mock_dev_release(struct device *dev) 847 { 848 struct mock_dev *mdev = to_mock_dev(dev); 849 850 ida_free(&mock_dev_ida, mdev->id); 851 kfree(mdev); 852 } 853 854 static struct mock_dev *mock_dev_create(unsigned long dev_flags) 855 { 856 struct mock_dev *mdev; 857 int rc, i; 858 859 if (dev_flags & 860 ~(MOCK_FLAGS_DEVICE_NO_DIRTY | MOCK_FLAGS_DEVICE_HUGE_IOVA)) 861 return ERR_PTR(-EINVAL); 862 863 mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); 864 if (!mdev) 865 return ERR_PTR(-ENOMEM); 866 867 device_initialize(&mdev->dev); 868 mdev->flags = dev_flags; 869 mdev->dev.release = mock_dev_release; 870 mdev->dev.bus = &iommufd_mock_bus_type.bus; 871 for (i = 0; i < MOCK_DEV_CACHE_NUM; i++) 872 mdev->cache[i] = IOMMU_TEST_DEV_CACHE_DEFAULT; 873 874 rc = ida_alloc(&mock_dev_ida, GFP_KERNEL); 875 if (rc < 0) 876 goto err_put; 877 mdev->id = rc; 878 879 rc = dev_set_name(&mdev->dev, "iommufd_mock%u", mdev->id); 880 if (rc) 881 goto err_put; 882 883 rc = device_add(&mdev->dev); 884 if (rc) 885 goto err_put; 886 return mdev; 887 888 err_put: 889 put_device(&mdev->dev); 890 return ERR_PTR(rc); 891 } 892 893 static void mock_dev_destroy(struct mock_dev *mdev) 894 { 895 device_unregister(&mdev->dev); 896 } 897 898 bool iommufd_selftest_is_mock_dev(struct device *dev) 899 { 900 return dev->release == mock_dev_release; 901 } 902 903 /* Create an hw_pagetable with the mock domain so we can test the domain ops */ 904 static int iommufd_test_mock_domain(struct iommufd_ucmd *ucmd, 905 struct iommu_test_cmd *cmd) 906 { 907 struct iommufd_device *idev; 908 struct selftest_obj *sobj; 909 u32 pt_id = cmd->id; 910 u32 dev_flags = 0; 911 u32 idev_id; 912 int rc; 913 914 sobj = iommufd_object_alloc(ucmd->ictx, sobj, IOMMUFD_OBJ_SELFTEST); 915 if (IS_ERR(sobj)) 916 return PTR_ERR(sobj); 917 918 sobj->idev.ictx = ucmd->ictx; 919 sobj->type = TYPE_IDEV; 920 921 if (cmd->op == IOMMU_TEST_OP_MOCK_DOMAIN_FLAGS) 922 dev_flags = cmd->mock_domain_flags.dev_flags; 923 924 sobj->idev.mock_dev = mock_dev_create(dev_flags); 925 if (IS_ERR(sobj->idev.mock_dev)) { 926 rc = PTR_ERR(sobj->idev.mock_dev); 927 goto out_sobj; 928 } 929 930 idev = iommufd_device_bind(ucmd->ictx, &sobj->idev.mock_dev->dev, 931 &idev_id); 932 if (IS_ERR(idev)) { 933 rc = PTR_ERR(idev); 934 goto out_mdev; 935 } 936 sobj->idev.idev = idev; 937 938 rc = iommufd_device_attach(idev, &pt_id); 939 if (rc) 940 goto out_unbind; 941 942 /* Userspace must destroy the device_id to destroy the object */ 943 cmd->mock_domain.out_hwpt_id = pt_id; 944 cmd->mock_domain.out_stdev_id = sobj->obj.id; 945 cmd->mock_domain.out_idev_id = idev_id; 946 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 947 if (rc) 948 goto out_detach; 949 iommufd_object_finalize(ucmd->ictx, &sobj->obj); 950 return 0; 951 952 out_detach: 953 iommufd_device_detach(idev); 954 out_unbind: 955 iommufd_device_unbind(idev); 956 out_mdev: 957 mock_dev_destroy(sobj->idev.mock_dev); 958 out_sobj: 959 iommufd_object_abort(ucmd->ictx, &sobj->obj); 960 return rc; 961 } 962 963 /* Replace the mock domain with a manually allocated hw_pagetable */ 964 static int iommufd_test_mock_domain_replace(struct iommufd_ucmd *ucmd, 965 unsigned int device_id, u32 pt_id, 966 struct iommu_test_cmd *cmd) 967 { 968 struct iommufd_object *dev_obj; 969 struct selftest_obj *sobj; 970 int rc; 971 972 /* 973 * Prefer to use the OBJ_SELFTEST because the destroy_rwsem will ensure 974 * it doesn't race with detach, which is not allowed. 975 */ 976 dev_obj = 977 iommufd_get_object(ucmd->ictx, device_id, IOMMUFD_OBJ_SELFTEST); 978 if (IS_ERR(dev_obj)) 979 return PTR_ERR(dev_obj); 980 981 sobj = to_selftest_obj(dev_obj); 982 if (sobj->type != TYPE_IDEV) { 983 rc = -EINVAL; 984 goto out_dev_obj; 985 } 986 987 rc = iommufd_device_replace(sobj->idev.idev, &pt_id); 988 if (rc) 989 goto out_dev_obj; 990 991 cmd->mock_domain_replace.pt_id = pt_id; 992 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 993 994 out_dev_obj: 995 iommufd_put_object(ucmd->ictx, dev_obj); 996 return rc; 997 } 998 999 /* Add an additional reserved IOVA to the IOAS */ 1000 static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd, 1001 unsigned int mockpt_id, 1002 unsigned long start, size_t length) 1003 { 1004 struct iommufd_ioas *ioas; 1005 int rc; 1006 1007 ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id); 1008 if (IS_ERR(ioas)) 1009 return PTR_ERR(ioas); 1010 down_write(&ioas->iopt.iova_rwsem); 1011 rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL); 1012 up_write(&ioas->iopt.iova_rwsem); 1013 iommufd_put_object(ucmd->ictx, &ioas->obj); 1014 return rc; 1015 } 1016 1017 /* Check that every pfn under each iova matches the pfn under a user VA */ 1018 static int iommufd_test_md_check_pa(struct iommufd_ucmd *ucmd, 1019 unsigned int mockpt_id, unsigned long iova, 1020 size_t length, void __user *uptr) 1021 { 1022 struct iommufd_hw_pagetable *hwpt; 1023 struct mock_iommu_domain *mock; 1024 uintptr_t end; 1025 int rc; 1026 1027 if (iova % MOCK_IO_PAGE_SIZE || length % MOCK_IO_PAGE_SIZE || 1028 (uintptr_t)uptr % MOCK_IO_PAGE_SIZE || 1029 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end)) 1030 return -EINVAL; 1031 1032 hwpt = get_md_pagetable(ucmd, mockpt_id, &mock); 1033 if (IS_ERR(hwpt)) 1034 return PTR_ERR(hwpt); 1035 1036 for (; length; length -= MOCK_IO_PAGE_SIZE) { 1037 struct page *pages[1]; 1038 unsigned long pfn; 1039 long npages; 1040 void *ent; 1041 1042 npages = get_user_pages_fast((uintptr_t)uptr & PAGE_MASK, 1, 0, 1043 pages); 1044 if (npages < 0) { 1045 rc = npages; 1046 goto out_put; 1047 } 1048 if (WARN_ON(npages != 1)) { 1049 rc = -EFAULT; 1050 goto out_put; 1051 } 1052 pfn = page_to_pfn(pages[0]); 1053 put_page(pages[0]); 1054 1055 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 1056 if (!ent || 1057 (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE != 1058 pfn * PAGE_SIZE + ((uintptr_t)uptr % PAGE_SIZE)) { 1059 rc = -EINVAL; 1060 goto out_put; 1061 } 1062 iova += MOCK_IO_PAGE_SIZE; 1063 uptr += MOCK_IO_PAGE_SIZE; 1064 } 1065 rc = 0; 1066 1067 out_put: 1068 iommufd_put_object(ucmd->ictx, &hwpt->obj); 1069 return rc; 1070 } 1071 1072 /* Check that the page ref count matches, to look for missing pin/unpins */ 1073 static int iommufd_test_md_check_refs(struct iommufd_ucmd *ucmd, 1074 void __user *uptr, size_t length, 1075 unsigned int refs) 1076 { 1077 uintptr_t end; 1078 1079 if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE || 1080 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end)) 1081 return -EINVAL; 1082 1083 for (; length; length -= PAGE_SIZE) { 1084 struct page *pages[1]; 1085 long npages; 1086 1087 npages = get_user_pages_fast((uintptr_t)uptr, 1, 0, pages); 1088 if (npages < 0) 1089 return npages; 1090 if (WARN_ON(npages != 1)) 1091 return -EFAULT; 1092 if (!PageCompound(pages[0])) { 1093 unsigned int count; 1094 1095 count = page_ref_count(pages[0]); 1096 if (count / GUP_PIN_COUNTING_BIAS != refs) { 1097 put_page(pages[0]); 1098 return -EIO; 1099 } 1100 } 1101 put_page(pages[0]); 1102 uptr += PAGE_SIZE; 1103 } 1104 return 0; 1105 } 1106 1107 static int iommufd_test_md_check_iotlb(struct iommufd_ucmd *ucmd, 1108 u32 mockpt_id, unsigned int iotlb_id, 1109 u32 iotlb) 1110 { 1111 struct mock_iommu_domain_nested *mock_nested; 1112 struct iommufd_hw_pagetable *hwpt; 1113 int rc = 0; 1114 1115 hwpt = get_md_pagetable_nested(ucmd, mockpt_id, &mock_nested); 1116 if (IS_ERR(hwpt)) 1117 return PTR_ERR(hwpt); 1118 1119 mock_nested = to_mock_nested(hwpt->domain); 1120 1121 if (iotlb_id > MOCK_NESTED_DOMAIN_IOTLB_ID_MAX || 1122 mock_nested->iotlb[iotlb_id] != iotlb) 1123 rc = -EINVAL; 1124 iommufd_put_object(ucmd->ictx, &hwpt->obj); 1125 return rc; 1126 } 1127 1128 static int iommufd_test_dev_check_cache(struct iommufd_ucmd *ucmd, u32 idev_id, 1129 unsigned int cache_id, u32 cache) 1130 { 1131 struct iommufd_device *idev; 1132 struct mock_dev *mdev; 1133 int rc = 0; 1134 1135 idev = iommufd_get_device(ucmd, idev_id); 1136 if (IS_ERR(idev)) 1137 return PTR_ERR(idev); 1138 mdev = container_of(idev->dev, struct mock_dev, dev); 1139 1140 if (cache_id > MOCK_DEV_CACHE_ID_MAX || mdev->cache[cache_id] != cache) 1141 rc = -EINVAL; 1142 iommufd_put_object(ucmd->ictx, &idev->obj); 1143 return rc; 1144 } 1145 1146 struct selftest_access { 1147 struct iommufd_access *access; 1148 struct file *file; 1149 struct mutex lock; 1150 struct list_head items; 1151 unsigned int next_id; 1152 bool destroying; 1153 }; 1154 1155 struct selftest_access_item { 1156 struct list_head items_elm; 1157 unsigned long iova; 1158 size_t length; 1159 unsigned int id; 1160 }; 1161 1162 static const struct file_operations iommfd_test_staccess_fops; 1163 1164 static struct selftest_access *iommufd_access_get(int fd) 1165 { 1166 struct file *file; 1167 1168 file = fget(fd); 1169 if (!file) 1170 return ERR_PTR(-EBADFD); 1171 1172 if (file->f_op != &iommfd_test_staccess_fops) { 1173 fput(file); 1174 return ERR_PTR(-EBADFD); 1175 } 1176 return file->private_data; 1177 } 1178 1179 static void iommufd_test_access_unmap(void *data, unsigned long iova, 1180 unsigned long length) 1181 { 1182 unsigned long iova_last = iova + length - 1; 1183 struct selftest_access *staccess = data; 1184 struct selftest_access_item *item; 1185 struct selftest_access_item *tmp; 1186 1187 mutex_lock(&staccess->lock); 1188 list_for_each_entry_safe(item, tmp, &staccess->items, items_elm) { 1189 if (iova > item->iova + item->length - 1 || 1190 iova_last < item->iova) 1191 continue; 1192 list_del(&item->items_elm); 1193 iommufd_access_unpin_pages(staccess->access, item->iova, 1194 item->length); 1195 kfree(item); 1196 } 1197 mutex_unlock(&staccess->lock); 1198 } 1199 1200 static int iommufd_test_access_item_destroy(struct iommufd_ucmd *ucmd, 1201 unsigned int access_id, 1202 unsigned int item_id) 1203 { 1204 struct selftest_access_item *item; 1205 struct selftest_access *staccess; 1206 1207 staccess = iommufd_access_get(access_id); 1208 if (IS_ERR(staccess)) 1209 return PTR_ERR(staccess); 1210 1211 mutex_lock(&staccess->lock); 1212 list_for_each_entry(item, &staccess->items, items_elm) { 1213 if (item->id == item_id) { 1214 list_del(&item->items_elm); 1215 iommufd_access_unpin_pages(staccess->access, item->iova, 1216 item->length); 1217 mutex_unlock(&staccess->lock); 1218 kfree(item); 1219 fput(staccess->file); 1220 return 0; 1221 } 1222 } 1223 mutex_unlock(&staccess->lock); 1224 fput(staccess->file); 1225 return -ENOENT; 1226 } 1227 1228 static int iommufd_test_staccess_release(struct inode *inode, 1229 struct file *filep) 1230 { 1231 struct selftest_access *staccess = filep->private_data; 1232 1233 if (staccess->access) { 1234 iommufd_test_access_unmap(staccess, 0, ULONG_MAX); 1235 iommufd_access_destroy(staccess->access); 1236 } 1237 mutex_destroy(&staccess->lock); 1238 kfree(staccess); 1239 return 0; 1240 } 1241 1242 static const struct iommufd_access_ops selftest_access_ops_pin = { 1243 .needs_pin_pages = 1, 1244 .unmap = iommufd_test_access_unmap, 1245 }; 1246 1247 static const struct iommufd_access_ops selftest_access_ops = { 1248 .unmap = iommufd_test_access_unmap, 1249 }; 1250 1251 static const struct file_operations iommfd_test_staccess_fops = { 1252 .release = iommufd_test_staccess_release, 1253 }; 1254 1255 static struct selftest_access *iommufd_test_alloc_access(void) 1256 { 1257 struct selftest_access *staccess; 1258 struct file *filep; 1259 1260 staccess = kzalloc(sizeof(*staccess), GFP_KERNEL_ACCOUNT); 1261 if (!staccess) 1262 return ERR_PTR(-ENOMEM); 1263 INIT_LIST_HEAD(&staccess->items); 1264 mutex_init(&staccess->lock); 1265 1266 filep = anon_inode_getfile("[iommufd_test_staccess]", 1267 &iommfd_test_staccess_fops, staccess, 1268 O_RDWR); 1269 if (IS_ERR(filep)) { 1270 kfree(staccess); 1271 return ERR_CAST(filep); 1272 } 1273 staccess->file = filep; 1274 return staccess; 1275 } 1276 1277 static int iommufd_test_create_access(struct iommufd_ucmd *ucmd, 1278 unsigned int ioas_id, unsigned int flags) 1279 { 1280 struct iommu_test_cmd *cmd = ucmd->cmd; 1281 struct selftest_access *staccess; 1282 struct iommufd_access *access; 1283 u32 id; 1284 int fdno; 1285 int rc; 1286 1287 if (flags & ~MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES) 1288 return -EOPNOTSUPP; 1289 1290 staccess = iommufd_test_alloc_access(); 1291 if (IS_ERR(staccess)) 1292 return PTR_ERR(staccess); 1293 1294 fdno = get_unused_fd_flags(O_CLOEXEC); 1295 if (fdno < 0) { 1296 rc = -ENOMEM; 1297 goto out_free_staccess; 1298 } 1299 1300 access = iommufd_access_create( 1301 ucmd->ictx, 1302 (flags & MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES) ? 1303 &selftest_access_ops_pin : 1304 &selftest_access_ops, 1305 staccess, &id); 1306 if (IS_ERR(access)) { 1307 rc = PTR_ERR(access); 1308 goto out_put_fdno; 1309 } 1310 rc = iommufd_access_attach(access, ioas_id); 1311 if (rc) 1312 goto out_destroy; 1313 cmd->create_access.out_access_fd = fdno; 1314 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 1315 if (rc) 1316 goto out_destroy; 1317 1318 staccess->access = access; 1319 fd_install(fdno, staccess->file); 1320 return 0; 1321 1322 out_destroy: 1323 iommufd_access_destroy(access); 1324 out_put_fdno: 1325 put_unused_fd(fdno); 1326 out_free_staccess: 1327 fput(staccess->file); 1328 return rc; 1329 } 1330 1331 static int iommufd_test_access_replace_ioas(struct iommufd_ucmd *ucmd, 1332 unsigned int access_id, 1333 unsigned int ioas_id) 1334 { 1335 struct selftest_access *staccess; 1336 int rc; 1337 1338 staccess = iommufd_access_get(access_id); 1339 if (IS_ERR(staccess)) 1340 return PTR_ERR(staccess); 1341 1342 rc = iommufd_access_replace(staccess->access, ioas_id); 1343 fput(staccess->file); 1344 return rc; 1345 } 1346 1347 /* Check that the pages in a page array match the pages in the user VA */ 1348 static int iommufd_test_check_pages(void __user *uptr, struct page **pages, 1349 size_t npages) 1350 { 1351 for (; npages; npages--) { 1352 struct page *tmp_pages[1]; 1353 long rc; 1354 1355 rc = get_user_pages_fast((uintptr_t)uptr, 1, 0, tmp_pages); 1356 if (rc < 0) 1357 return rc; 1358 if (WARN_ON(rc != 1)) 1359 return -EFAULT; 1360 put_page(tmp_pages[0]); 1361 if (tmp_pages[0] != *pages) 1362 return -EBADE; 1363 pages++; 1364 uptr += PAGE_SIZE; 1365 } 1366 return 0; 1367 } 1368 1369 static int iommufd_test_access_pages(struct iommufd_ucmd *ucmd, 1370 unsigned int access_id, unsigned long iova, 1371 size_t length, void __user *uptr, 1372 u32 flags) 1373 { 1374 struct iommu_test_cmd *cmd = ucmd->cmd; 1375 struct selftest_access_item *item; 1376 struct selftest_access *staccess; 1377 struct page **pages; 1378 size_t npages; 1379 int rc; 1380 1381 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */ 1382 if (length > 16*1024*1024) 1383 return -ENOMEM; 1384 1385 if (flags & ~(MOCK_FLAGS_ACCESS_WRITE | MOCK_FLAGS_ACCESS_SYZ)) 1386 return -EOPNOTSUPP; 1387 1388 staccess = iommufd_access_get(access_id); 1389 if (IS_ERR(staccess)) 1390 return PTR_ERR(staccess); 1391 1392 if (staccess->access->ops != &selftest_access_ops_pin) { 1393 rc = -EOPNOTSUPP; 1394 goto out_put; 1395 } 1396 1397 if (flags & MOCK_FLAGS_ACCESS_SYZ) 1398 iova = iommufd_test_syz_conv_iova(staccess->access, 1399 &cmd->access_pages.iova); 1400 1401 npages = (ALIGN(iova + length, PAGE_SIZE) - 1402 ALIGN_DOWN(iova, PAGE_SIZE)) / 1403 PAGE_SIZE; 1404 pages = kvcalloc(npages, sizeof(*pages), GFP_KERNEL_ACCOUNT); 1405 if (!pages) { 1406 rc = -ENOMEM; 1407 goto out_put; 1408 } 1409 1410 /* 1411 * Drivers will need to think very carefully about this locking. The 1412 * core code can do multiple unmaps instantaneously after 1413 * iommufd_access_pin_pages() and *all* the unmaps must not return until 1414 * the range is unpinned. This simple implementation puts a global lock 1415 * around the pin, which may not suit drivers that want this to be a 1416 * performance path. drivers that get this wrong will trigger WARN_ON 1417 * races and cause EDEADLOCK failures to userspace. 1418 */ 1419 mutex_lock(&staccess->lock); 1420 rc = iommufd_access_pin_pages(staccess->access, iova, length, pages, 1421 flags & MOCK_FLAGS_ACCESS_WRITE); 1422 if (rc) 1423 goto out_unlock; 1424 1425 /* For syzkaller allow uptr to be NULL to skip this check */ 1426 if (uptr) { 1427 rc = iommufd_test_check_pages( 1428 uptr - (iova - ALIGN_DOWN(iova, PAGE_SIZE)), pages, 1429 npages); 1430 if (rc) 1431 goto out_unaccess; 1432 } 1433 1434 item = kzalloc(sizeof(*item), GFP_KERNEL_ACCOUNT); 1435 if (!item) { 1436 rc = -ENOMEM; 1437 goto out_unaccess; 1438 } 1439 1440 item->iova = iova; 1441 item->length = length; 1442 item->id = staccess->next_id++; 1443 list_add_tail(&item->items_elm, &staccess->items); 1444 1445 cmd->access_pages.out_access_pages_id = item->id; 1446 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 1447 if (rc) 1448 goto out_free_item; 1449 goto out_unlock; 1450 1451 out_free_item: 1452 list_del(&item->items_elm); 1453 kfree(item); 1454 out_unaccess: 1455 iommufd_access_unpin_pages(staccess->access, iova, length); 1456 out_unlock: 1457 mutex_unlock(&staccess->lock); 1458 kvfree(pages); 1459 out_put: 1460 fput(staccess->file); 1461 return rc; 1462 } 1463 1464 static int iommufd_test_access_rw(struct iommufd_ucmd *ucmd, 1465 unsigned int access_id, unsigned long iova, 1466 size_t length, void __user *ubuf, 1467 unsigned int flags) 1468 { 1469 struct iommu_test_cmd *cmd = ucmd->cmd; 1470 struct selftest_access *staccess; 1471 void *tmp; 1472 int rc; 1473 1474 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */ 1475 if (length > 16*1024*1024) 1476 return -ENOMEM; 1477 1478 if (flags & ~(MOCK_ACCESS_RW_WRITE | MOCK_ACCESS_RW_SLOW_PATH | 1479 MOCK_FLAGS_ACCESS_SYZ)) 1480 return -EOPNOTSUPP; 1481 1482 staccess = iommufd_access_get(access_id); 1483 if (IS_ERR(staccess)) 1484 return PTR_ERR(staccess); 1485 1486 tmp = kvzalloc(length, GFP_KERNEL_ACCOUNT); 1487 if (!tmp) { 1488 rc = -ENOMEM; 1489 goto out_put; 1490 } 1491 1492 if (flags & MOCK_ACCESS_RW_WRITE) { 1493 if (copy_from_user(tmp, ubuf, length)) { 1494 rc = -EFAULT; 1495 goto out_free; 1496 } 1497 } 1498 1499 if (flags & MOCK_FLAGS_ACCESS_SYZ) 1500 iova = iommufd_test_syz_conv_iova(staccess->access, 1501 &cmd->access_rw.iova); 1502 1503 rc = iommufd_access_rw(staccess->access, iova, tmp, length, flags); 1504 if (rc) 1505 goto out_free; 1506 if (!(flags & MOCK_ACCESS_RW_WRITE)) { 1507 if (copy_to_user(ubuf, tmp, length)) { 1508 rc = -EFAULT; 1509 goto out_free; 1510 } 1511 } 1512 1513 out_free: 1514 kvfree(tmp); 1515 out_put: 1516 fput(staccess->file); 1517 return rc; 1518 } 1519 static_assert((unsigned int)MOCK_ACCESS_RW_WRITE == IOMMUFD_ACCESS_RW_WRITE); 1520 static_assert((unsigned int)MOCK_ACCESS_RW_SLOW_PATH == 1521 __IOMMUFD_ACCESS_RW_SLOW_PATH); 1522 1523 static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id, 1524 unsigned long iova, size_t length, 1525 unsigned long page_size, void __user *uptr, 1526 u32 flags) 1527 { 1528 unsigned long i, max; 1529 struct iommu_test_cmd *cmd = ucmd->cmd; 1530 struct iommufd_hw_pagetable *hwpt; 1531 struct mock_iommu_domain *mock; 1532 int rc, count = 0; 1533 void *tmp; 1534 1535 if (!page_size || !length || iova % page_size || length % page_size || 1536 !uptr) 1537 return -EINVAL; 1538 1539 hwpt = get_md_pagetable(ucmd, mockpt_id, &mock); 1540 if (IS_ERR(hwpt)) 1541 return PTR_ERR(hwpt); 1542 1543 if (!(mock->flags & MOCK_DIRTY_TRACK)) { 1544 rc = -EINVAL; 1545 goto out_put; 1546 } 1547 1548 max = length / page_size; 1549 tmp = kvzalloc(DIV_ROUND_UP(max, BITS_PER_LONG) * sizeof(unsigned long), 1550 GFP_KERNEL_ACCOUNT); 1551 if (!tmp) { 1552 rc = -ENOMEM; 1553 goto out_put; 1554 } 1555 1556 if (copy_from_user(tmp, uptr,DIV_ROUND_UP(max, BITS_PER_BYTE))) { 1557 rc = -EFAULT; 1558 goto out_free; 1559 } 1560 1561 for (i = 0; i < max; i++) { 1562 unsigned long cur = iova + i * page_size; 1563 void *ent, *old; 1564 1565 if (!test_bit(i, (unsigned long *)tmp)) 1566 continue; 1567 1568 ent = xa_load(&mock->pfns, cur / page_size); 1569 if (ent) { 1570 unsigned long val; 1571 1572 val = xa_to_value(ent) | MOCK_PFN_DIRTY_IOVA; 1573 old = xa_store(&mock->pfns, cur / page_size, 1574 xa_mk_value(val), GFP_KERNEL); 1575 WARN_ON_ONCE(ent != old); 1576 count++; 1577 } 1578 } 1579 1580 cmd->dirty.out_nr_dirty = count; 1581 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 1582 out_free: 1583 kvfree(tmp); 1584 out_put: 1585 iommufd_put_object(ucmd->ictx, &hwpt->obj); 1586 return rc; 1587 } 1588 1589 static int iommufd_test_trigger_iopf(struct iommufd_ucmd *ucmd, 1590 struct iommu_test_cmd *cmd) 1591 { 1592 struct iopf_fault event = { }; 1593 struct iommufd_device *idev; 1594 1595 idev = iommufd_get_device(ucmd, cmd->trigger_iopf.dev_id); 1596 if (IS_ERR(idev)) 1597 return PTR_ERR(idev); 1598 1599 event.fault.prm.flags = IOMMU_FAULT_PAGE_REQUEST_LAST_PAGE; 1600 if (cmd->trigger_iopf.pasid != IOMMU_NO_PASID) 1601 event.fault.prm.flags |= IOMMU_FAULT_PAGE_REQUEST_PASID_VALID; 1602 event.fault.type = IOMMU_FAULT_PAGE_REQ; 1603 event.fault.prm.addr = cmd->trigger_iopf.addr; 1604 event.fault.prm.pasid = cmd->trigger_iopf.pasid; 1605 event.fault.prm.grpid = cmd->trigger_iopf.grpid; 1606 event.fault.prm.perm = cmd->trigger_iopf.perm; 1607 1608 iommu_report_device_fault(idev->dev, &event); 1609 iommufd_put_object(ucmd->ictx, &idev->obj); 1610 1611 return 0; 1612 } 1613 1614 void iommufd_selftest_destroy(struct iommufd_object *obj) 1615 { 1616 struct selftest_obj *sobj = to_selftest_obj(obj); 1617 1618 switch (sobj->type) { 1619 case TYPE_IDEV: 1620 iommufd_device_detach(sobj->idev.idev); 1621 iommufd_device_unbind(sobj->idev.idev); 1622 mock_dev_destroy(sobj->idev.mock_dev); 1623 break; 1624 } 1625 } 1626 1627 int iommufd_test(struct iommufd_ucmd *ucmd) 1628 { 1629 struct iommu_test_cmd *cmd = ucmd->cmd; 1630 1631 switch (cmd->op) { 1632 case IOMMU_TEST_OP_ADD_RESERVED: 1633 return iommufd_test_add_reserved(ucmd, cmd->id, 1634 cmd->add_reserved.start, 1635 cmd->add_reserved.length); 1636 case IOMMU_TEST_OP_MOCK_DOMAIN: 1637 case IOMMU_TEST_OP_MOCK_DOMAIN_FLAGS: 1638 return iommufd_test_mock_domain(ucmd, cmd); 1639 case IOMMU_TEST_OP_MOCK_DOMAIN_REPLACE: 1640 return iommufd_test_mock_domain_replace( 1641 ucmd, cmd->id, cmd->mock_domain_replace.pt_id, cmd); 1642 case IOMMU_TEST_OP_MD_CHECK_MAP: 1643 return iommufd_test_md_check_pa( 1644 ucmd, cmd->id, cmd->check_map.iova, 1645 cmd->check_map.length, 1646 u64_to_user_ptr(cmd->check_map.uptr)); 1647 case IOMMU_TEST_OP_MD_CHECK_REFS: 1648 return iommufd_test_md_check_refs( 1649 ucmd, u64_to_user_ptr(cmd->check_refs.uptr), 1650 cmd->check_refs.length, cmd->check_refs.refs); 1651 case IOMMU_TEST_OP_MD_CHECK_IOTLB: 1652 return iommufd_test_md_check_iotlb(ucmd, cmd->id, 1653 cmd->check_iotlb.id, 1654 cmd->check_iotlb.iotlb); 1655 case IOMMU_TEST_OP_DEV_CHECK_CACHE: 1656 return iommufd_test_dev_check_cache(ucmd, cmd->id, 1657 cmd->check_dev_cache.id, 1658 cmd->check_dev_cache.cache); 1659 case IOMMU_TEST_OP_CREATE_ACCESS: 1660 return iommufd_test_create_access(ucmd, cmd->id, 1661 cmd->create_access.flags); 1662 case IOMMU_TEST_OP_ACCESS_REPLACE_IOAS: 1663 return iommufd_test_access_replace_ioas( 1664 ucmd, cmd->id, cmd->access_replace_ioas.ioas_id); 1665 case IOMMU_TEST_OP_ACCESS_PAGES: 1666 return iommufd_test_access_pages( 1667 ucmd, cmd->id, cmd->access_pages.iova, 1668 cmd->access_pages.length, 1669 u64_to_user_ptr(cmd->access_pages.uptr), 1670 cmd->access_pages.flags); 1671 case IOMMU_TEST_OP_ACCESS_RW: 1672 return iommufd_test_access_rw( 1673 ucmd, cmd->id, cmd->access_rw.iova, 1674 cmd->access_rw.length, 1675 u64_to_user_ptr(cmd->access_rw.uptr), 1676 cmd->access_rw.flags); 1677 case IOMMU_TEST_OP_DESTROY_ACCESS_PAGES: 1678 return iommufd_test_access_item_destroy( 1679 ucmd, cmd->id, cmd->destroy_access_pages.access_pages_id); 1680 case IOMMU_TEST_OP_SET_TEMP_MEMORY_LIMIT: 1681 /* Protect _batch_init(), can not be less than elmsz */ 1682 if (cmd->memory_limit.limit < 1683 sizeof(unsigned long) + sizeof(u32)) 1684 return -EINVAL; 1685 iommufd_test_memory_limit = cmd->memory_limit.limit; 1686 return 0; 1687 case IOMMU_TEST_OP_DIRTY: 1688 return iommufd_test_dirty(ucmd, cmd->id, cmd->dirty.iova, 1689 cmd->dirty.length, 1690 cmd->dirty.page_size, 1691 u64_to_user_ptr(cmd->dirty.uptr), 1692 cmd->dirty.flags); 1693 case IOMMU_TEST_OP_TRIGGER_IOPF: 1694 return iommufd_test_trigger_iopf(ucmd, cmd); 1695 default: 1696 return -EOPNOTSUPP; 1697 } 1698 } 1699 1700 bool iommufd_should_fail(void) 1701 { 1702 return should_fail(&fail_iommufd, 1); 1703 } 1704 1705 int __init iommufd_test_init(void) 1706 { 1707 struct platform_device_info pdevinfo = { 1708 .name = "iommufd_selftest_iommu", 1709 }; 1710 int rc; 1711 1712 dbgfs_root = 1713 fault_create_debugfs_attr("fail_iommufd", NULL, &fail_iommufd); 1714 1715 selftest_iommu_dev = platform_device_register_full(&pdevinfo); 1716 if (IS_ERR(selftest_iommu_dev)) { 1717 rc = PTR_ERR(selftest_iommu_dev); 1718 goto err_dbgfs; 1719 } 1720 1721 rc = bus_register(&iommufd_mock_bus_type.bus); 1722 if (rc) 1723 goto err_platform; 1724 1725 rc = iommu_device_sysfs_add(&mock_iommu.iommu_dev, 1726 &selftest_iommu_dev->dev, NULL, "%s", 1727 dev_name(&selftest_iommu_dev->dev)); 1728 if (rc) 1729 goto err_bus; 1730 1731 rc = iommu_device_register_bus(&mock_iommu.iommu_dev, &mock_ops, 1732 &iommufd_mock_bus_type.bus, 1733 &iommufd_mock_bus_type.nb); 1734 if (rc) 1735 goto err_sysfs; 1736 1737 refcount_set(&mock_iommu.users, 1); 1738 init_completion(&mock_iommu.complete); 1739 1740 mock_iommu_iopf_queue = iopf_queue_alloc("mock-iopfq"); 1741 1742 return 0; 1743 1744 err_sysfs: 1745 iommu_device_sysfs_remove(&mock_iommu.iommu_dev); 1746 err_bus: 1747 bus_unregister(&iommufd_mock_bus_type.bus); 1748 err_platform: 1749 platform_device_unregister(selftest_iommu_dev); 1750 err_dbgfs: 1751 debugfs_remove_recursive(dbgfs_root); 1752 return rc; 1753 } 1754 1755 static void iommufd_test_wait_for_users(void) 1756 { 1757 if (refcount_dec_and_test(&mock_iommu.users)) 1758 return; 1759 /* 1760 * Time out waiting for iommu device user count to become 0. 1761 * 1762 * Note that this is just making an example here, since the selftest is 1763 * built into the iommufd module, i.e. it only unplugs the iommu device 1764 * when unloading the module. So, it is expected that this WARN_ON will 1765 * not trigger, as long as any iommufd FDs are open. 1766 */ 1767 WARN_ON(!wait_for_completion_timeout(&mock_iommu.complete, 1768 msecs_to_jiffies(10000))); 1769 } 1770 1771 void iommufd_test_exit(void) 1772 { 1773 if (mock_iommu_iopf_queue) { 1774 iopf_queue_free(mock_iommu_iopf_queue); 1775 mock_iommu_iopf_queue = NULL; 1776 } 1777 1778 iommufd_test_wait_for_users(); 1779 iommu_device_sysfs_remove(&mock_iommu.iommu_dev); 1780 iommu_device_unregister_bus(&mock_iommu.iommu_dev, 1781 &iommufd_mock_bus_type.bus, 1782 &iommufd_mock_bus_type.nb); 1783 bus_unregister(&iommufd_mock_bus_type.bus); 1784 platform_device_unregister(selftest_iommu_dev); 1785 debugfs_remove_recursive(dbgfs_root); 1786 } 1787