xref: /linux/drivers/vhost/net.c (revision 110e6f26af80dfd90b6e5c645b1aed7228aa580d)
1 /* Copyright (C) 2009 Red Hat, Inc.
2  * Author: Michael S. Tsirkin <mst@redhat.com>
3  *
4  * This work is licensed under the terms of the GNU GPL, version 2.
5  *
6  * virtio-net server in host kernel.
7  */
8 
9 #include <linux/compat.h>
10 #include <linux/eventfd.h>
11 #include <linux/vhost.h>
12 #include <linux/virtio_net.h>
13 #include <linux/miscdevice.h>
14 #include <linux/module.h>
15 #include <linux/moduleparam.h>
16 #include <linux/mutex.h>
17 #include <linux/workqueue.h>
18 #include <linux/file.h>
19 #include <linux/slab.h>
20 #include <linux/vmalloc.h>
21 
22 #include <linux/net.h>
23 #include <linux/if_packet.h>
24 #include <linux/if_arp.h>
25 #include <linux/if_tun.h>
26 #include <linux/if_macvlan.h>
27 #include <linux/if_vlan.h>
28 
29 #include <net/sock.h>
30 
31 #include "vhost.h"
32 
33 static int experimental_zcopytx = 1;
34 module_param(experimental_zcopytx, int, 0444);
35 MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
36 		                       " 1 -Enable; 0 - Disable");
37 
38 /* Max number of bytes transferred before requeueing the job.
39  * Using this limit prevents one virtqueue from starving others. */
40 #define VHOST_NET_WEIGHT 0x80000
41 
42 /* MAX number of TX used buffers for outstanding zerocopy */
43 #define VHOST_MAX_PEND 128
44 #define VHOST_GOODCOPY_LEN 256
45 
46 /*
47  * For transmit, used buffer len is unused; we override it to track buffer
48  * status internally; used for zerocopy tx only.
49  */
50 /* Lower device DMA failed */
51 #define VHOST_DMA_FAILED_LEN	((__force __virtio32)3)
52 /* Lower device DMA done */
53 #define VHOST_DMA_DONE_LEN	((__force __virtio32)2)
54 /* Lower device DMA in progress */
55 #define VHOST_DMA_IN_PROGRESS	((__force __virtio32)1)
56 /* Buffer unused */
57 #define VHOST_DMA_CLEAR_LEN	((__force __virtio32)0)
58 
59 #define VHOST_DMA_IS_DONE(len) ((__force u32)(len) >= (__force u32)VHOST_DMA_DONE_LEN)
60 
61 enum {
62 	VHOST_NET_FEATURES = VHOST_FEATURES |
63 			 (1ULL << VHOST_NET_F_VIRTIO_NET_HDR) |
64 			 (1ULL << VIRTIO_NET_F_MRG_RXBUF)
65 };
66 
67 enum {
68 	VHOST_NET_VQ_RX = 0,
69 	VHOST_NET_VQ_TX = 1,
70 	VHOST_NET_VQ_MAX = 2,
71 };
72 
73 struct vhost_net_ubuf_ref {
74 	/* refcount follows semantics similar to kref:
75 	 *  0: object is released
76 	 *  1: no outstanding ubufs
77 	 * >1: outstanding ubufs
78 	 */
79 	atomic_t refcount;
80 	wait_queue_head_t wait;
81 	struct vhost_virtqueue *vq;
82 };
83 
84 struct vhost_net_virtqueue {
85 	struct vhost_virtqueue vq;
86 	size_t vhost_hlen;
87 	size_t sock_hlen;
88 	/* vhost zerocopy support fields below: */
89 	/* last used idx for outstanding DMA zerocopy buffers */
90 	int upend_idx;
91 	/* first used idx for DMA done zerocopy buffers */
92 	int done_idx;
93 	/* an array of userspace buffers info */
94 	struct ubuf_info *ubuf_info;
95 	/* Reference counting for outstanding ubufs.
96 	 * Protected by vq mutex. Writers must also take device mutex. */
97 	struct vhost_net_ubuf_ref *ubufs;
98 };
99 
100 struct vhost_net {
101 	struct vhost_dev dev;
102 	struct vhost_net_virtqueue vqs[VHOST_NET_VQ_MAX];
103 	struct vhost_poll poll[VHOST_NET_VQ_MAX];
104 	/* Number of TX recently submitted.
105 	 * Protected by tx vq lock. */
106 	unsigned tx_packets;
107 	/* Number of times zerocopy TX recently failed.
108 	 * Protected by tx vq lock. */
109 	unsigned tx_zcopy_err;
110 	/* Flush in progress. Protected by tx vq lock. */
111 	bool tx_flush;
112 };
113 
114 static unsigned vhost_net_zcopy_mask __read_mostly;
115 
116 static void vhost_net_enable_zcopy(int vq)
117 {
118 	vhost_net_zcopy_mask |= 0x1 << vq;
119 }
120 
121 static struct vhost_net_ubuf_ref *
122 vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy)
123 {
124 	struct vhost_net_ubuf_ref *ubufs;
125 	/* No zero copy backend? Nothing to count. */
126 	if (!zcopy)
127 		return NULL;
128 	ubufs = kmalloc(sizeof(*ubufs), GFP_KERNEL);
129 	if (!ubufs)
130 		return ERR_PTR(-ENOMEM);
131 	atomic_set(&ubufs->refcount, 1);
132 	init_waitqueue_head(&ubufs->wait);
133 	ubufs->vq = vq;
134 	return ubufs;
135 }
136 
137 static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
138 {
139 	int r = atomic_sub_return(1, &ubufs->refcount);
140 	if (unlikely(!r))
141 		wake_up(&ubufs->wait);
142 	return r;
143 }
144 
145 static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
146 {
147 	vhost_net_ubuf_put(ubufs);
148 	wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
149 }
150 
151 static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
152 {
153 	vhost_net_ubuf_put_and_wait(ubufs);
154 	kfree(ubufs);
155 }
156 
157 static void vhost_net_clear_ubuf_info(struct vhost_net *n)
158 {
159 	int i;
160 
161 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
162 		kfree(n->vqs[i].ubuf_info);
163 		n->vqs[i].ubuf_info = NULL;
164 	}
165 }
166 
167 static int vhost_net_set_ubuf_info(struct vhost_net *n)
168 {
169 	bool zcopy;
170 	int i;
171 
172 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
173 		zcopy = vhost_net_zcopy_mask & (0x1 << i);
174 		if (!zcopy)
175 			continue;
176 		n->vqs[i].ubuf_info = kmalloc(sizeof(*n->vqs[i].ubuf_info) *
177 					      UIO_MAXIOV, GFP_KERNEL);
178 		if  (!n->vqs[i].ubuf_info)
179 			goto err;
180 	}
181 	return 0;
182 
183 err:
184 	vhost_net_clear_ubuf_info(n);
185 	return -ENOMEM;
186 }
187 
188 static void vhost_net_vq_reset(struct vhost_net *n)
189 {
190 	int i;
191 
192 	vhost_net_clear_ubuf_info(n);
193 
194 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
195 		n->vqs[i].done_idx = 0;
196 		n->vqs[i].upend_idx = 0;
197 		n->vqs[i].ubufs = NULL;
198 		n->vqs[i].vhost_hlen = 0;
199 		n->vqs[i].sock_hlen = 0;
200 	}
201 
202 }
203 
204 static void vhost_net_tx_packet(struct vhost_net *net)
205 {
206 	++net->tx_packets;
207 	if (net->tx_packets < 1024)
208 		return;
209 	net->tx_packets = 0;
210 	net->tx_zcopy_err = 0;
211 }
212 
213 static void vhost_net_tx_err(struct vhost_net *net)
214 {
215 	++net->tx_zcopy_err;
216 }
217 
218 static bool vhost_net_tx_select_zcopy(struct vhost_net *net)
219 {
220 	/* TX flush waits for outstanding DMAs to be done.
221 	 * Don't start new DMAs.
222 	 */
223 	return !net->tx_flush &&
224 		net->tx_packets / 64 >= net->tx_zcopy_err;
225 }
226 
227 static bool vhost_sock_zcopy(struct socket *sock)
228 {
229 	return unlikely(experimental_zcopytx) &&
230 		sock_flag(sock->sk, SOCK_ZEROCOPY);
231 }
232 
233 /* In case of DMA done not in order in lower device driver for some reason.
234  * upend_idx is used to track end of used idx, done_idx is used to track head
235  * of used idx. Once lower device DMA done contiguously, we will signal KVM
236  * guest used idx.
237  */
238 static void vhost_zerocopy_signal_used(struct vhost_net *net,
239 				       struct vhost_virtqueue *vq)
240 {
241 	struct vhost_net_virtqueue *nvq =
242 		container_of(vq, struct vhost_net_virtqueue, vq);
243 	int i, add;
244 	int j = 0;
245 
246 	for (i = nvq->done_idx; i != nvq->upend_idx; i = (i + 1) % UIO_MAXIOV) {
247 		if (vq->heads[i].len == VHOST_DMA_FAILED_LEN)
248 			vhost_net_tx_err(net);
249 		if (VHOST_DMA_IS_DONE(vq->heads[i].len)) {
250 			vq->heads[i].len = VHOST_DMA_CLEAR_LEN;
251 			++j;
252 		} else
253 			break;
254 	}
255 	while (j) {
256 		add = min(UIO_MAXIOV - nvq->done_idx, j);
257 		vhost_add_used_and_signal_n(vq->dev, vq,
258 					    &vq->heads[nvq->done_idx], add);
259 		nvq->done_idx = (nvq->done_idx + add) % UIO_MAXIOV;
260 		j -= add;
261 	}
262 }
263 
264 static void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool success)
265 {
266 	struct vhost_net_ubuf_ref *ubufs = ubuf->ctx;
267 	struct vhost_virtqueue *vq = ubufs->vq;
268 	int cnt;
269 
270 	rcu_read_lock_bh();
271 
272 	/* set len to mark this desc buffers done DMA */
273 	vq->heads[ubuf->desc].len = success ?
274 		VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
275 	cnt = vhost_net_ubuf_put(ubufs);
276 
277 	/*
278 	 * Trigger polling thread if guest stopped submitting new buffers:
279 	 * in this case, the refcount after decrement will eventually reach 1.
280 	 * We also trigger polling periodically after each 16 packets
281 	 * (the value 16 here is more or less arbitrary, it's tuned to trigger
282 	 * less than 10% of times).
283 	 */
284 	if (cnt <= 1 || !(cnt % 16))
285 		vhost_poll_queue(&vq->poll);
286 
287 	rcu_read_unlock_bh();
288 }
289 
290 static inline unsigned long busy_clock(void)
291 {
292 	return local_clock() >> 10;
293 }
294 
295 static bool vhost_can_busy_poll(struct vhost_dev *dev,
296 				unsigned long endtime)
297 {
298 	return likely(!need_resched()) &&
299 	       likely(!time_after(busy_clock(), endtime)) &&
300 	       likely(!signal_pending(current)) &&
301 	       !vhost_has_work(dev);
302 }
303 
304 static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
305 				    struct vhost_virtqueue *vq,
306 				    struct iovec iov[], unsigned int iov_size,
307 				    unsigned int *out_num, unsigned int *in_num)
308 {
309 	unsigned long uninitialized_var(endtime);
310 	int r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),
311 				    out_num, in_num, NULL, NULL);
312 
313 	if (r == vq->num && vq->busyloop_timeout) {
314 		preempt_disable();
315 		endtime = busy_clock() + vq->busyloop_timeout;
316 		while (vhost_can_busy_poll(vq->dev, endtime) &&
317 		       vhost_vq_avail_empty(vq->dev, vq))
318 			cpu_relax_lowlatency();
319 		preempt_enable();
320 		r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),
321 					out_num, in_num, NULL, NULL);
322 	}
323 
324 	return r;
325 }
326 
327 /* Expects to be always run from workqueue - which acts as
328  * read-size critical section for our kind of RCU. */
329 static void handle_tx(struct vhost_net *net)
330 {
331 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
332 	struct vhost_virtqueue *vq = &nvq->vq;
333 	unsigned out, in;
334 	int head;
335 	struct msghdr msg = {
336 		.msg_name = NULL,
337 		.msg_namelen = 0,
338 		.msg_control = NULL,
339 		.msg_controllen = 0,
340 		.msg_flags = MSG_DONTWAIT,
341 	};
342 	size_t len, total_len = 0;
343 	int err;
344 	size_t hdr_size;
345 	struct socket *sock;
346 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
347 	bool zcopy, zcopy_used;
348 
349 	mutex_lock(&vq->mutex);
350 	sock = vq->private_data;
351 	if (!sock)
352 		goto out;
353 
354 	vhost_disable_notify(&net->dev, vq);
355 
356 	hdr_size = nvq->vhost_hlen;
357 	zcopy = nvq->ubufs;
358 
359 	for (;;) {
360 		/* Release DMAs done buffers first */
361 		if (zcopy)
362 			vhost_zerocopy_signal_used(net, vq);
363 
364 		/* If more outstanding DMAs, queue the work.
365 		 * Handle upend_idx wrap around
366 		 */
367 		if (unlikely((nvq->upend_idx + vq->num - VHOST_MAX_PEND)
368 			      % UIO_MAXIOV == nvq->done_idx))
369 			break;
370 
371 		head = vhost_net_tx_get_vq_desc(net, vq, vq->iov,
372 						ARRAY_SIZE(vq->iov),
373 						&out, &in);
374 		/* On error, stop handling until the next kick. */
375 		if (unlikely(head < 0))
376 			break;
377 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
378 		if (head == vq->num) {
379 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {
380 				vhost_disable_notify(&net->dev, vq);
381 				continue;
382 			}
383 			break;
384 		}
385 		if (in) {
386 			vq_err(vq, "Unexpected descriptor format for TX: "
387 			       "out %d, int %d\n", out, in);
388 			break;
389 		}
390 		/* Skip header. TODO: support TSO. */
391 		len = iov_length(vq->iov, out);
392 		iov_iter_init(&msg.msg_iter, WRITE, vq->iov, out, len);
393 		iov_iter_advance(&msg.msg_iter, hdr_size);
394 		/* Sanity check */
395 		if (!msg_data_left(&msg)) {
396 			vq_err(vq, "Unexpected header len for TX: "
397 			       "%zd expected %zd\n",
398 			       len, hdr_size);
399 			break;
400 		}
401 		len = msg_data_left(&msg);
402 
403 		zcopy_used = zcopy && len >= VHOST_GOODCOPY_LEN
404 				   && (nvq->upend_idx + 1) % UIO_MAXIOV !=
405 				      nvq->done_idx
406 				   && vhost_net_tx_select_zcopy(net);
407 
408 		/* use msg_control to pass vhost zerocopy ubuf info to skb */
409 		if (zcopy_used) {
410 			struct ubuf_info *ubuf;
411 			ubuf = nvq->ubuf_info + nvq->upend_idx;
412 
413 			vq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);
414 			vq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;
415 			ubuf->callback = vhost_zerocopy_callback;
416 			ubuf->ctx = nvq->ubufs;
417 			ubuf->desc = nvq->upend_idx;
418 			msg.msg_control = ubuf;
419 			msg.msg_controllen = sizeof(ubuf);
420 			ubufs = nvq->ubufs;
421 			atomic_inc(&ubufs->refcount);
422 			nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
423 		} else {
424 			msg.msg_control = NULL;
425 			ubufs = NULL;
426 		}
427 		/* TODO: Check specific error and bomb out unless ENOBUFS? */
428 		err = sock->ops->sendmsg(sock, &msg, len);
429 		if (unlikely(err < 0)) {
430 			if (zcopy_used) {
431 				vhost_net_ubuf_put(ubufs);
432 				nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
433 					% UIO_MAXIOV;
434 			}
435 			vhost_discard_vq_desc(vq, 1);
436 			break;
437 		}
438 		if (err != len)
439 			pr_debug("Truncated TX packet: "
440 				 " len %d != %zd\n", err, len);
441 		if (!zcopy_used)
442 			vhost_add_used_and_signal(&net->dev, vq, head, 0);
443 		else
444 			vhost_zerocopy_signal_used(net, vq);
445 		total_len += len;
446 		vhost_net_tx_packet(net);
447 		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
448 			vhost_poll_queue(&vq->poll);
449 			break;
450 		}
451 	}
452 out:
453 	mutex_unlock(&vq->mutex);
454 }
455 
456 static int peek_head_len(struct sock *sk)
457 {
458 	struct sk_buff *head;
459 	int len = 0;
460 	unsigned long flags;
461 
462 	spin_lock_irqsave(&sk->sk_receive_queue.lock, flags);
463 	head = skb_peek(&sk->sk_receive_queue);
464 	if (likely(head)) {
465 		len = head->len;
466 		if (skb_vlan_tag_present(head))
467 			len += VLAN_HLEN;
468 	}
469 
470 	spin_unlock_irqrestore(&sk->sk_receive_queue.lock, flags);
471 	return len;
472 }
473 
474 static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk)
475 {
476 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
477 	struct vhost_virtqueue *vq = &nvq->vq;
478 	unsigned long uninitialized_var(endtime);
479 	int len = peek_head_len(sk);
480 
481 	if (!len && vq->busyloop_timeout) {
482 		/* Both tx vq and rx socket were polled here */
483 		mutex_lock(&vq->mutex);
484 		vhost_disable_notify(&net->dev, vq);
485 
486 		preempt_disable();
487 		endtime = busy_clock() + vq->busyloop_timeout;
488 
489 		while (vhost_can_busy_poll(&net->dev, endtime) &&
490 		       skb_queue_empty(&sk->sk_receive_queue) &&
491 		       vhost_vq_avail_empty(&net->dev, vq))
492 			cpu_relax_lowlatency();
493 
494 		preempt_enable();
495 
496 		if (vhost_enable_notify(&net->dev, vq))
497 			vhost_poll_queue(&vq->poll);
498 		mutex_unlock(&vq->mutex);
499 
500 		len = peek_head_len(sk);
501 	}
502 
503 	return len;
504 }
505 
506 /* This is a multi-buffer version of vhost_get_desc, that works if
507  *	vq has read descriptors only.
508  * @vq		- the relevant virtqueue
509  * @datalen	- data length we'll be reading
510  * @iovcount	- returned count of io vectors we fill
511  * @log		- vhost log
512  * @log_num	- log offset
513  * @quota       - headcount quota, 1 for big buffer
514  *	returns number of buffer heads allocated, negative on error
515  */
516 static int get_rx_bufs(struct vhost_virtqueue *vq,
517 		       struct vring_used_elem *heads,
518 		       int datalen,
519 		       unsigned *iovcount,
520 		       struct vhost_log *log,
521 		       unsigned *log_num,
522 		       unsigned int quota)
523 {
524 	unsigned int out, in;
525 	int seg = 0;
526 	int headcount = 0;
527 	unsigned d;
528 	int r, nlogs = 0;
529 	/* len is always initialized before use since we are always called with
530 	 * datalen > 0.
531 	 */
532 	u32 uninitialized_var(len);
533 
534 	while (datalen > 0 && headcount < quota) {
535 		if (unlikely(seg >= UIO_MAXIOV)) {
536 			r = -ENOBUFS;
537 			goto err;
538 		}
539 		r = vhost_get_vq_desc(vq, vq->iov + seg,
540 				      ARRAY_SIZE(vq->iov) - seg, &out,
541 				      &in, log, log_num);
542 		if (unlikely(r < 0))
543 			goto err;
544 
545 		d = r;
546 		if (d == vq->num) {
547 			r = 0;
548 			goto err;
549 		}
550 		if (unlikely(out || in <= 0)) {
551 			vq_err(vq, "unexpected descriptor format for RX: "
552 				"out %d, in %d\n", out, in);
553 			r = -EINVAL;
554 			goto err;
555 		}
556 		if (unlikely(log)) {
557 			nlogs += *log_num;
558 			log += *log_num;
559 		}
560 		heads[headcount].id = cpu_to_vhost32(vq, d);
561 		len = iov_length(vq->iov + seg, in);
562 		heads[headcount].len = cpu_to_vhost32(vq, len);
563 		datalen -= len;
564 		++headcount;
565 		seg += in;
566 	}
567 	heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
568 	*iovcount = seg;
569 	if (unlikely(log))
570 		*log_num = nlogs;
571 
572 	/* Detect overrun */
573 	if (unlikely(datalen > 0)) {
574 		r = UIO_MAXIOV + 1;
575 		goto err;
576 	}
577 	return headcount;
578 err:
579 	vhost_discard_vq_desc(vq, headcount);
580 	return r;
581 }
582 
583 /* Expects to be always run from workqueue - which acts as
584  * read-size critical section for our kind of RCU. */
585 static void handle_rx(struct vhost_net *net)
586 {
587 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];
588 	struct vhost_virtqueue *vq = &nvq->vq;
589 	unsigned uninitialized_var(in), log;
590 	struct vhost_log *vq_log;
591 	struct msghdr msg = {
592 		.msg_name = NULL,
593 		.msg_namelen = 0,
594 		.msg_control = NULL, /* FIXME: get and handle RX aux data. */
595 		.msg_controllen = 0,
596 		.msg_flags = MSG_DONTWAIT,
597 	};
598 	struct virtio_net_hdr hdr = {
599 		.flags = 0,
600 		.gso_type = VIRTIO_NET_HDR_GSO_NONE
601 	};
602 	size_t total_len = 0;
603 	int err, mergeable;
604 	s16 headcount;
605 	size_t vhost_hlen, sock_hlen;
606 	size_t vhost_len, sock_len;
607 	struct socket *sock;
608 	struct iov_iter fixup;
609 	__virtio16 num_buffers;
610 
611 	mutex_lock(&vq->mutex);
612 	sock = vq->private_data;
613 	if (!sock)
614 		goto out;
615 	vhost_disable_notify(&net->dev, vq);
616 
617 	vhost_hlen = nvq->vhost_hlen;
618 	sock_hlen = nvq->sock_hlen;
619 
620 	vq_log = unlikely(vhost_has_feature(vq, VHOST_F_LOG_ALL)) ?
621 		vq->log : NULL;
622 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
623 
624 	while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk))) {
625 		sock_len += sock_hlen;
626 		vhost_len = sock_len + vhost_hlen;
627 		headcount = get_rx_bufs(vq, vq->heads, vhost_len,
628 					&in, vq_log, &log,
629 					likely(mergeable) ? UIO_MAXIOV : 1);
630 		/* On error, stop handling until the next kick. */
631 		if (unlikely(headcount < 0))
632 			break;
633 		/* On overrun, truncate and discard */
634 		if (unlikely(headcount > UIO_MAXIOV)) {
635 			iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
636 			err = sock->ops->recvmsg(sock, &msg,
637 						 1, MSG_DONTWAIT | MSG_TRUNC);
638 			pr_debug("Discarded rx packet: len %zd\n", sock_len);
639 			continue;
640 		}
641 		/* OK, now we need to know about added descriptors. */
642 		if (!headcount) {
643 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {
644 				/* They have slipped one in as we were
645 				 * doing that: check again. */
646 				vhost_disable_notify(&net->dev, vq);
647 				continue;
648 			}
649 			/* Nothing new?  Wait for eventfd to tell us
650 			 * they refilled. */
651 			break;
652 		}
653 		/* We don't need to be notified again. */
654 		iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
655 		fixup = msg.msg_iter;
656 		if (unlikely((vhost_hlen))) {
657 			/* We will supply the header ourselves
658 			 * TODO: support TSO.
659 			 */
660 			iov_iter_advance(&msg.msg_iter, vhost_hlen);
661 		}
662 		err = sock->ops->recvmsg(sock, &msg,
663 					 sock_len, MSG_DONTWAIT | MSG_TRUNC);
664 		/* Userspace might have consumed the packet meanwhile:
665 		 * it's not supposed to do this usually, but might be hard
666 		 * to prevent. Discard data we got (if any) and keep going. */
667 		if (unlikely(err != sock_len)) {
668 			pr_debug("Discarded rx packet: "
669 				 " len %d, expected %zd\n", err, sock_len);
670 			vhost_discard_vq_desc(vq, headcount);
671 			continue;
672 		}
673 		/* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */
674 		if (unlikely(vhost_hlen)) {
675 			if (copy_to_iter(&hdr, sizeof(hdr),
676 					 &fixup) != sizeof(hdr)) {
677 				vq_err(vq, "Unable to write vnet_hdr "
678 				       "at addr %p\n", vq->iov->iov_base);
679 				break;
680 			}
681 		} else {
682 			/* Header came from socket; we'll need to patch
683 			 * ->num_buffers over if VIRTIO_NET_F_MRG_RXBUF
684 			 */
685 			iov_iter_advance(&fixup, sizeof(hdr));
686 		}
687 		/* TODO: Should check and handle checksum. */
688 
689 		num_buffers = cpu_to_vhost16(vq, headcount);
690 		if (likely(mergeable) &&
691 		    copy_to_iter(&num_buffers, sizeof num_buffers,
692 				 &fixup) != sizeof num_buffers) {
693 			vq_err(vq, "Failed num_buffers write");
694 			vhost_discard_vq_desc(vq, headcount);
695 			break;
696 		}
697 		vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
698 					    headcount);
699 		if (unlikely(vq_log))
700 			vhost_log_write(vq, vq_log, log, vhost_len);
701 		total_len += vhost_len;
702 		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
703 			vhost_poll_queue(&vq->poll);
704 			break;
705 		}
706 	}
707 out:
708 	mutex_unlock(&vq->mutex);
709 }
710 
711 static void handle_tx_kick(struct vhost_work *work)
712 {
713 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
714 						  poll.work);
715 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
716 
717 	handle_tx(net);
718 }
719 
720 static void handle_rx_kick(struct vhost_work *work)
721 {
722 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
723 						  poll.work);
724 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
725 
726 	handle_rx(net);
727 }
728 
729 static void handle_tx_net(struct vhost_work *work)
730 {
731 	struct vhost_net *net = container_of(work, struct vhost_net,
732 					     poll[VHOST_NET_VQ_TX].work);
733 	handle_tx(net);
734 }
735 
736 static void handle_rx_net(struct vhost_work *work)
737 {
738 	struct vhost_net *net = container_of(work, struct vhost_net,
739 					     poll[VHOST_NET_VQ_RX].work);
740 	handle_rx(net);
741 }
742 
743 static int vhost_net_open(struct inode *inode, struct file *f)
744 {
745 	struct vhost_net *n;
746 	struct vhost_dev *dev;
747 	struct vhost_virtqueue **vqs;
748 	int i;
749 
750 	n = kmalloc(sizeof *n, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
751 	if (!n) {
752 		n = vmalloc(sizeof *n);
753 		if (!n)
754 			return -ENOMEM;
755 	}
756 	vqs = kmalloc(VHOST_NET_VQ_MAX * sizeof(*vqs), GFP_KERNEL);
757 	if (!vqs) {
758 		kvfree(n);
759 		return -ENOMEM;
760 	}
761 
762 	dev = &n->dev;
763 	vqs[VHOST_NET_VQ_TX] = &n->vqs[VHOST_NET_VQ_TX].vq;
764 	vqs[VHOST_NET_VQ_RX] = &n->vqs[VHOST_NET_VQ_RX].vq;
765 	n->vqs[VHOST_NET_VQ_TX].vq.handle_kick = handle_tx_kick;
766 	n->vqs[VHOST_NET_VQ_RX].vq.handle_kick = handle_rx_kick;
767 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
768 		n->vqs[i].ubufs = NULL;
769 		n->vqs[i].ubuf_info = NULL;
770 		n->vqs[i].upend_idx = 0;
771 		n->vqs[i].done_idx = 0;
772 		n->vqs[i].vhost_hlen = 0;
773 		n->vqs[i].sock_hlen = 0;
774 	}
775 	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
776 
777 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
778 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);
779 
780 	f->private_data = n;
781 
782 	return 0;
783 }
784 
785 static void vhost_net_disable_vq(struct vhost_net *n,
786 				 struct vhost_virtqueue *vq)
787 {
788 	struct vhost_net_virtqueue *nvq =
789 		container_of(vq, struct vhost_net_virtqueue, vq);
790 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
791 	if (!vq->private_data)
792 		return;
793 	vhost_poll_stop(poll);
794 }
795 
796 static int vhost_net_enable_vq(struct vhost_net *n,
797 				struct vhost_virtqueue *vq)
798 {
799 	struct vhost_net_virtqueue *nvq =
800 		container_of(vq, struct vhost_net_virtqueue, vq);
801 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
802 	struct socket *sock;
803 
804 	sock = vq->private_data;
805 	if (!sock)
806 		return 0;
807 
808 	return vhost_poll_start(poll, sock->file);
809 }
810 
811 static struct socket *vhost_net_stop_vq(struct vhost_net *n,
812 					struct vhost_virtqueue *vq)
813 {
814 	struct socket *sock;
815 
816 	mutex_lock(&vq->mutex);
817 	sock = vq->private_data;
818 	vhost_net_disable_vq(n, vq);
819 	vq->private_data = NULL;
820 	mutex_unlock(&vq->mutex);
821 	return sock;
822 }
823 
824 static void vhost_net_stop(struct vhost_net *n, struct socket **tx_sock,
825 			   struct socket **rx_sock)
826 {
827 	*tx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_TX].vq);
828 	*rx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_RX].vq);
829 }
830 
831 static void vhost_net_flush_vq(struct vhost_net *n, int index)
832 {
833 	vhost_poll_flush(n->poll + index);
834 	vhost_poll_flush(&n->vqs[index].vq.poll);
835 }
836 
837 static void vhost_net_flush(struct vhost_net *n)
838 {
839 	vhost_net_flush_vq(n, VHOST_NET_VQ_TX);
840 	vhost_net_flush_vq(n, VHOST_NET_VQ_RX);
841 	if (n->vqs[VHOST_NET_VQ_TX].ubufs) {
842 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
843 		n->tx_flush = true;
844 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
845 		/* Wait for all lower device DMAs done. */
846 		vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
847 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
848 		n->tx_flush = false;
849 		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
850 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
851 	}
852 }
853 
854 static int vhost_net_release(struct inode *inode, struct file *f)
855 {
856 	struct vhost_net *n = f->private_data;
857 	struct socket *tx_sock;
858 	struct socket *rx_sock;
859 
860 	vhost_net_stop(n, &tx_sock, &rx_sock);
861 	vhost_net_flush(n);
862 	vhost_dev_stop(&n->dev);
863 	vhost_dev_cleanup(&n->dev, false);
864 	vhost_net_vq_reset(n);
865 	if (tx_sock)
866 		sockfd_put(tx_sock);
867 	if (rx_sock)
868 		sockfd_put(rx_sock);
869 	/* Make sure no callbacks are outstanding */
870 	synchronize_rcu_bh();
871 	/* We do an extra flush before freeing memory,
872 	 * since jobs can re-queue themselves. */
873 	vhost_net_flush(n);
874 	kfree(n->dev.vqs);
875 	kvfree(n);
876 	return 0;
877 }
878 
879 static struct socket *get_raw_socket(int fd)
880 {
881 	struct {
882 		struct sockaddr_ll sa;
883 		char  buf[MAX_ADDR_LEN];
884 	} uaddr;
885 	int uaddr_len = sizeof uaddr, r;
886 	struct socket *sock = sockfd_lookup(fd, &r);
887 
888 	if (!sock)
889 		return ERR_PTR(-ENOTSOCK);
890 
891 	/* Parameter checking */
892 	if (sock->sk->sk_type != SOCK_RAW) {
893 		r = -ESOCKTNOSUPPORT;
894 		goto err;
895 	}
896 
897 	r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa,
898 			       &uaddr_len, 0);
899 	if (r)
900 		goto err;
901 
902 	if (uaddr.sa.sll_family != AF_PACKET) {
903 		r = -EPFNOSUPPORT;
904 		goto err;
905 	}
906 	return sock;
907 err:
908 	sockfd_put(sock);
909 	return ERR_PTR(r);
910 }
911 
912 static struct socket *get_tap_socket(int fd)
913 {
914 	struct file *file = fget(fd);
915 	struct socket *sock;
916 
917 	if (!file)
918 		return ERR_PTR(-EBADF);
919 	sock = tun_get_socket(file);
920 	if (!IS_ERR(sock))
921 		return sock;
922 	sock = macvtap_get_socket(file);
923 	if (IS_ERR(sock))
924 		fput(file);
925 	return sock;
926 }
927 
928 static struct socket *get_socket(int fd)
929 {
930 	struct socket *sock;
931 
932 	/* special case to disable backend */
933 	if (fd == -1)
934 		return NULL;
935 	sock = get_raw_socket(fd);
936 	if (!IS_ERR(sock))
937 		return sock;
938 	sock = get_tap_socket(fd);
939 	if (!IS_ERR(sock))
940 		return sock;
941 	return ERR_PTR(-ENOTSOCK);
942 }
943 
944 static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
945 {
946 	struct socket *sock, *oldsock;
947 	struct vhost_virtqueue *vq;
948 	struct vhost_net_virtqueue *nvq;
949 	struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
950 	int r;
951 
952 	mutex_lock(&n->dev.mutex);
953 	r = vhost_dev_check_owner(&n->dev);
954 	if (r)
955 		goto err;
956 
957 	if (index >= VHOST_NET_VQ_MAX) {
958 		r = -ENOBUFS;
959 		goto err;
960 	}
961 	vq = &n->vqs[index].vq;
962 	nvq = &n->vqs[index];
963 	mutex_lock(&vq->mutex);
964 
965 	/* Verify that ring has been setup correctly. */
966 	if (!vhost_vq_access_ok(vq)) {
967 		r = -EFAULT;
968 		goto err_vq;
969 	}
970 	sock = get_socket(fd);
971 	if (IS_ERR(sock)) {
972 		r = PTR_ERR(sock);
973 		goto err_vq;
974 	}
975 
976 	/* start polling new socket */
977 	oldsock = vq->private_data;
978 	if (sock != oldsock) {
979 		ubufs = vhost_net_ubuf_alloc(vq,
980 					     sock && vhost_sock_zcopy(sock));
981 		if (IS_ERR(ubufs)) {
982 			r = PTR_ERR(ubufs);
983 			goto err_ubufs;
984 		}
985 
986 		vhost_net_disable_vq(n, vq);
987 		vq->private_data = sock;
988 		r = vhost_vq_init_access(vq);
989 		if (r)
990 			goto err_used;
991 		r = vhost_net_enable_vq(n, vq);
992 		if (r)
993 			goto err_used;
994 
995 		oldubufs = nvq->ubufs;
996 		nvq->ubufs = ubufs;
997 
998 		n->tx_packets = 0;
999 		n->tx_zcopy_err = 0;
1000 		n->tx_flush = false;
1001 	}
1002 
1003 	mutex_unlock(&vq->mutex);
1004 
1005 	if (oldubufs) {
1006 		vhost_net_ubuf_put_wait_and_free(oldubufs);
1007 		mutex_lock(&vq->mutex);
1008 		vhost_zerocopy_signal_used(n, vq);
1009 		mutex_unlock(&vq->mutex);
1010 	}
1011 
1012 	if (oldsock) {
1013 		vhost_net_flush_vq(n, index);
1014 		sockfd_put(oldsock);
1015 	}
1016 
1017 	mutex_unlock(&n->dev.mutex);
1018 	return 0;
1019 
1020 err_used:
1021 	vq->private_data = oldsock;
1022 	vhost_net_enable_vq(n, vq);
1023 	if (ubufs)
1024 		vhost_net_ubuf_put_wait_and_free(ubufs);
1025 err_ubufs:
1026 	sockfd_put(sock);
1027 err_vq:
1028 	mutex_unlock(&vq->mutex);
1029 err:
1030 	mutex_unlock(&n->dev.mutex);
1031 	return r;
1032 }
1033 
1034 static long vhost_net_reset_owner(struct vhost_net *n)
1035 {
1036 	struct socket *tx_sock = NULL;
1037 	struct socket *rx_sock = NULL;
1038 	long err;
1039 	struct vhost_memory *memory;
1040 
1041 	mutex_lock(&n->dev.mutex);
1042 	err = vhost_dev_check_owner(&n->dev);
1043 	if (err)
1044 		goto done;
1045 	memory = vhost_dev_reset_owner_prepare();
1046 	if (!memory) {
1047 		err = -ENOMEM;
1048 		goto done;
1049 	}
1050 	vhost_net_stop(n, &tx_sock, &rx_sock);
1051 	vhost_net_flush(n);
1052 	vhost_dev_reset_owner(&n->dev, memory);
1053 	vhost_net_vq_reset(n);
1054 done:
1055 	mutex_unlock(&n->dev.mutex);
1056 	if (tx_sock)
1057 		sockfd_put(tx_sock);
1058 	if (rx_sock)
1059 		sockfd_put(rx_sock);
1060 	return err;
1061 }
1062 
1063 static int vhost_net_set_features(struct vhost_net *n, u64 features)
1064 {
1065 	size_t vhost_hlen, sock_hlen, hdr_len;
1066 	int i;
1067 
1068 	hdr_len = (features & ((1ULL << VIRTIO_NET_F_MRG_RXBUF) |
1069 			       (1ULL << VIRTIO_F_VERSION_1))) ?
1070 			sizeof(struct virtio_net_hdr_mrg_rxbuf) :
1071 			sizeof(struct virtio_net_hdr);
1072 	if (features & (1 << VHOST_NET_F_VIRTIO_NET_HDR)) {
1073 		/* vhost provides vnet_hdr */
1074 		vhost_hlen = hdr_len;
1075 		sock_hlen = 0;
1076 	} else {
1077 		/* socket provides vnet_hdr */
1078 		vhost_hlen = 0;
1079 		sock_hlen = hdr_len;
1080 	}
1081 	mutex_lock(&n->dev.mutex);
1082 	if ((features & (1 << VHOST_F_LOG_ALL)) &&
1083 	    !vhost_log_access_ok(&n->dev)) {
1084 		mutex_unlock(&n->dev.mutex);
1085 		return -EFAULT;
1086 	}
1087 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
1088 		mutex_lock(&n->vqs[i].vq.mutex);
1089 		n->vqs[i].vq.acked_features = features;
1090 		n->vqs[i].vhost_hlen = vhost_hlen;
1091 		n->vqs[i].sock_hlen = sock_hlen;
1092 		mutex_unlock(&n->vqs[i].vq.mutex);
1093 	}
1094 	mutex_unlock(&n->dev.mutex);
1095 	return 0;
1096 }
1097 
1098 static long vhost_net_set_owner(struct vhost_net *n)
1099 {
1100 	int r;
1101 
1102 	mutex_lock(&n->dev.mutex);
1103 	if (vhost_dev_has_owner(&n->dev)) {
1104 		r = -EBUSY;
1105 		goto out;
1106 	}
1107 	r = vhost_net_set_ubuf_info(n);
1108 	if (r)
1109 		goto out;
1110 	r = vhost_dev_set_owner(&n->dev);
1111 	if (r)
1112 		vhost_net_clear_ubuf_info(n);
1113 	vhost_net_flush(n);
1114 out:
1115 	mutex_unlock(&n->dev.mutex);
1116 	return r;
1117 }
1118 
1119 static long vhost_net_ioctl(struct file *f, unsigned int ioctl,
1120 			    unsigned long arg)
1121 {
1122 	struct vhost_net *n = f->private_data;
1123 	void __user *argp = (void __user *)arg;
1124 	u64 __user *featurep = argp;
1125 	struct vhost_vring_file backend;
1126 	u64 features;
1127 	int r;
1128 
1129 	switch (ioctl) {
1130 	case VHOST_NET_SET_BACKEND:
1131 		if (copy_from_user(&backend, argp, sizeof backend))
1132 			return -EFAULT;
1133 		return vhost_net_set_backend(n, backend.index, backend.fd);
1134 	case VHOST_GET_FEATURES:
1135 		features = VHOST_NET_FEATURES;
1136 		if (copy_to_user(featurep, &features, sizeof features))
1137 			return -EFAULT;
1138 		return 0;
1139 	case VHOST_SET_FEATURES:
1140 		if (copy_from_user(&features, featurep, sizeof features))
1141 			return -EFAULT;
1142 		if (features & ~VHOST_NET_FEATURES)
1143 			return -EOPNOTSUPP;
1144 		return vhost_net_set_features(n, features);
1145 	case VHOST_RESET_OWNER:
1146 		return vhost_net_reset_owner(n);
1147 	case VHOST_SET_OWNER:
1148 		return vhost_net_set_owner(n);
1149 	default:
1150 		mutex_lock(&n->dev.mutex);
1151 		r = vhost_dev_ioctl(&n->dev, ioctl, argp);
1152 		if (r == -ENOIOCTLCMD)
1153 			r = vhost_vring_ioctl(&n->dev, ioctl, argp);
1154 		else
1155 			vhost_net_flush(n);
1156 		mutex_unlock(&n->dev.mutex);
1157 		return r;
1158 	}
1159 }
1160 
1161 #ifdef CONFIG_COMPAT
1162 static long vhost_net_compat_ioctl(struct file *f, unsigned int ioctl,
1163 				   unsigned long arg)
1164 {
1165 	return vhost_net_ioctl(f, ioctl, (unsigned long)compat_ptr(arg));
1166 }
1167 #endif
1168 
1169 static const struct file_operations vhost_net_fops = {
1170 	.owner          = THIS_MODULE,
1171 	.release        = vhost_net_release,
1172 	.unlocked_ioctl = vhost_net_ioctl,
1173 #ifdef CONFIG_COMPAT
1174 	.compat_ioctl   = vhost_net_compat_ioctl,
1175 #endif
1176 	.open           = vhost_net_open,
1177 	.llseek		= noop_llseek,
1178 };
1179 
1180 static struct miscdevice vhost_net_misc = {
1181 	.minor = VHOST_NET_MINOR,
1182 	.name = "vhost-net",
1183 	.fops = &vhost_net_fops,
1184 };
1185 
1186 static int vhost_net_init(void)
1187 {
1188 	if (experimental_zcopytx)
1189 		vhost_net_enable_zcopy(VHOST_NET_VQ_TX);
1190 	return misc_register(&vhost_net_misc);
1191 }
1192 module_init(vhost_net_init);
1193 
1194 static void vhost_net_exit(void)
1195 {
1196 	misc_deregister(&vhost_net_misc);
1197 }
1198 module_exit(vhost_net_exit);
1199 
1200 MODULE_VERSION("0.0.1");
1201 MODULE_LICENSE("GPL v2");
1202 MODULE_AUTHOR("Michael S. Tsirkin");
1203 MODULE_DESCRIPTION("Host kernel accelerator for virtio net");
1204 MODULE_ALIAS_MISCDEV(VHOST_NET_MINOR);
1205 MODULE_ALIAS("devname:vhost-net");
1206