xref: /linux/drivers/vhost/net.c (revision 1553a1c48281243359a9529a10ddb551f3b967ab)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2009 Red Hat, Inc.
3  * Author: Michael S. Tsirkin <mst@redhat.com>
4  *
5  * virtio-net server in host kernel.
6  */
7 
8 #include <linux/compat.h>
9 #include <linux/eventfd.h>
10 #include <linux/vhost.h>
11 #include <linux/virtio_net.h>
12 #include <linux/miscdevice.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
15 #include <linux/mutex.h>
16 #include <linux/workqueue.h>
17 #include <linux/file.h>
18 #include <linux/slab.h>
19 #include <linux/sched/clock.h>
20 #include <linux/sched/signal.h>
21 #include <linux/vmalloc.h>
22 
23 #include <linux/net.h>
24 #include <linux/if_packet.h>
25 #include <linux/if_arp.h>
26 #include <linux/if_tun.h>
27 #include <linux/if_macvlan.h>
28 #include <linux/if_tap.h>
29 #include <linux/if_vlan.h>
30 #include <linux/skb_array.h>
31 #include <linux/skbuff.h>
32 
33 #include <net/sock.h>
34 #include <net/xdp.h>
35 
36 #include "vhost.h"
37 
38 static int experimental_zcopytx = 0;
39 module_param(experimental_zcopytx, int, 0444);
40 MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
41 		                       " 1 -Enable; 0 - Disable");
42 
43 /* Max number of bytes transferred before requeueing the job.
44  * Using this limit prevents one virtqueue from starving others. */
45 #define VHOST_NET_WEIGHT 0x80000
46 
47 /* Max number of packets transferred before requeueing the job.
48  * Using this limit prevents one virtqueue from starving others with small
49  * pkts.
50  */
51 #define VHOST_NET_PKT_WEIGHT 256
52 
53 /* MAX number of TX used buffers for outstanding zerocopy */
54 #define VHOST_MAX_PEND 128
55 #define VHOST_GOODCOPY_LEN 256
56 
57 /*
58  * For transmit, used buffer len is unused; we override it to track buffer
59  * status internally; used for zerocopy tx only.
60  */
61 /* Lower device DMA failed */
62 #define VHOST_DMA_FAILED_LEN	((__force __virtio32)3)
63 /* Lower device DMA done */
64 #define VHOST_DMA_DONE_LEN	((__force __virtio32)2)
65 /* Lower device DMA in progress */
66 #define VHOST_DMA_IN_PROGRESS	((__force __virtio32)1)
67 /* Buffer unused */
68 #define VHOST_DMA_CLEAR_LEN	((__force __virtio32)0)
69 
70 #define VHOST_DMA_IS_DONE(len) ((__force u32)(len) >= (__force u32)VHOST_DMA_DONE_LEN)
71 
72 enum {
73 	VHOST_NET_FEATURES = VHOST_FEATURES |
74 			 (1ULL << VHOST_NET_F_VIRTIO_NET_HDR) |
75 			 (1ULL << VIRTIO_NET_F_MRG_RXBUF) |
76 			 (1ULL << VIRTIO_F_ACCESS_PLATFORM) |
77 			 (1ULL << VIRTIO_F_RING_RESET)
78 };
79 
80 enum {
81 	VHOST_NET_BACKEND_FEATURES = (1ULL << VHOST_BACKEND_F_IOTLB_MSG_V2)
82 };
83 
84 enum {
85 	VHOST_NET_VQ_RX = 0,
86 	VHOST_NET_VQ_TX = 1,
87 	VHOST_NET_VQ_MAX = 2,
88 };
89 
90 struct vhost_net_ubuf_ref {
91 	/* refcount follows semantics similar to kref:
92 	 *  0: object is released
93 	 *  1: no outstanding ubufs
94 	 * >1: outstanding ubufs
95 	 */
96 	atomic_t refcount;
97 	wait_queue_head_t wait;
98 	struct vhost_virtqueue *vq;
99 };
100 
101 #define VHOST_NET_BATCH 64
102 struct vhost_net_buf {
103 	void **queue;
104 	int tail;
105 	int head;
106 };
107 
108 struct vhost_net_virtqueue {
109 	struct vhost_virtqueue vq;
110 	size_t vhost_hlen;
111 	size_t sock_hlen;
112 	/* vhost zerocopy support fields below: */
113 	/* last used idx for outstanding DMA zerocopy buffers */
114 	int upend_idx;
115 	/* For TX, first used idx for DMA done zerocopy buffers
116 	 * For RX, number of batched heads
117 	 */
118 	int done_idx;
119 	/* Number of XDP frames batched */
120 	int batched_xdp;
121 	/* an array of userspace buffers info */
122 	struct ubuf_info_msgzc *ubuf_info;
123 	/* Reference counting for outstanding ubufs.
124 	 * Protected by vq mutex. Writers must also take device mutex. */
125 	struct vhost_net_ubuf_ref *ubufs;
126 	struct ptr_ring *rx_ring;
127 	struct vhost_net_buf rxq;
128 	/* Batched XDP buffs */
129 	struct xdp_buff *xdp;
130 };
131 
132 struct vhost_net {
133 	struct vhost_dev dev;
134 	struct vhost_net_virtqueue vqs[VHOST_NET_VQ_MAX];
135 	struct vhost_poll poll[VHOST_NET_VQ_MAX];
136 	/* Number of TX recently submitted.
137 	 * Protected by tx vq lock. */
138 	unsigned tx_packets;
139 	/* Number of times zerocopy TX recently failed.
140 	 * Protected by tx vq lock. */
141 	unsigned tx_zcopy_err;
142 	/* Flush in progress. Protected by tx vq lock. */
143 	bool tx_flush;
144 	/* Private page frag cache */
145 	struct page_frag_cache pf_cache;
146 };
147 
148 static unsigned vhost_net_zcopy_mask __read_mostly;
149 
150 static void *vhost_net_buf_get_ptr(struct vhost_net_buf *rxq)
151 {
152 	if (rxq->tail != rxq->head)
153 		return rxq->queue[rxq->head];
154 	else
155 		return NULL;
156 }
157 
158 static int vhost_net_buf_get_size(struct vhost_net_buf *rxq)
159 {
160 	return rxq->tail - rxq->head;
161 }
162 
163 static int vhost_net_buf_is_empty(struct vhost_net_buf *rxq)
164 {
165 	return rxq->tail == rxq->head;
166 }
167 
168 static void *vhost_net_buf_consume(struct vhost_net_buf *rxq)
169 {
170 	void *ret = vhost_net_buf_get_ptr(rxq);
171 	++rxq->head;
172 	return ret;
173 }
174 
175 static int vhost_net_buf_produce(struct vhost_net_virtqueue *nvq)
176 {
177 	struct vhost_net_buf *rxq = &nvq->rxq;
178 
179 	rxq->head = 0;
180 	rxq->tail = ptr_ring_consume_batched(nvq->rx_ring, rxq->queue,
181 					      VHOST_NET_BATCH);
182 	return rxq->tail;
183 }
184 
185 static void vhost_net_buf_unproduce(struct vhost_net_virtqueue *nvq)
186 {
187 	struct vhost_net_buf *rxq = &nvq->rxq;
188 
189 	if (nvq->rx_ring && !vhost_net_buf_is_empty(rxq)) {
190 		ptr_ring_unconsume(nvq->rx_ring, rxq->queue + rxq->head,
191 				   vhost_net_buf_get_size(rxq),
192 				   tun_ptr_free);
193 		rxq->head = rxq->tail = 0;
194 	}
195 }
196 
197 static int vhost_net_buf_peek_len(void *ptr)
198 {
199 	if (tun_is_xdp_frame(ptr)) {
200 		struct xdp_frame *xdpf = tun_ptr_to_xdp(ptr);
201 
202 		return xdpf->len;
203 	}
204 
205 	return __skb_array_len_with_tag(ptr);
206 }
207 
208 static int vhost_net_buf_peek(struct vhost_net_virtqueue *nvq)
209 {
210 	struct vhost_net_buf *rxq = &nvq->rxq;
211 
212 	if (!vhost_net_buf_is_empty(rxq))
213 		goto out;
214 
215 	if (!vhost_net_buf_produce(nvq))
216 		return 0;
217 
218 out:
219 	return vhost_net_buf_peek_len(vhost_net_buf_get_ptr(rxq));
220 }
221 
222 static void vhost_net_buf_init(struct vhost_net_buf *rxq)
223 {
224 	rxq->head = rxq->tail = 0;
225 }
226 
227 static void vhost_net_enable_zcopy(int vq)
228 {
229 	vhost_net_zcopy_mask |= 0x1 << vq;
230 }
231 
232 static struct vhost_net_ubuf_ref *
233 vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy)
234 {
235 	struct vhost_net_ubuf_ref *ubufs;
236 	/* No zero copy backend? Nothing to count. */
237 	if (!zcopy)
238 		return NULL;
239 	ubufs = kmalloc(sizeof(*ubufs), GFP_KERNEL);
240 	if (!ubufs)
241 		return ERR_PTR(-ENOMEM);
242 	atomic_set(&ubufs->refcount, 1);
243 	init_waitqueue_head(&ubufs->wait);
244 	ubufs->vq = vq;
245 	return ubufs;
246 }
247 
248 static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
249 {
250 	int r = atomic_sub_return(1, &ubufs->refcount);
251 	if (unlikely(!r))
252 		wake_up(&ubufs->wait);
253 	return r;
254 }
255 
256 static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
257 {
258 	vhost_net_ubuf_put(ubufs);
259 	wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
260 }
261 
262 static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
263 {
264 	vhost_net_ubuf_put_and_wait(ubufs);
265 	kfree(ubufs);
266 }
267 
268 static void vhost_net_clear_ubuf_info(struct vhost_net *n)
269 {
270 	int i;
271 
272 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
273 		kfree(n->vqs[i].ubuf_info);
274 		n->vqs[i].ubuf_info = NULL;
275 	}
276 }
277 
278 static int vhost_net_set_ubuf_info(struct vhost_net *n)
279 {
280 	bool zcopy;
281 	int i;
282 
283 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
284 		zcopy = vhost_net_zcopy_mask & (0x1 << i);
285 		if (!zcopy)
286 			continue;
287 		n->vqs[i].ubuf_info =
288 			kmalloc_array(UIO_MAXIOV,
289 				      sizeof(*n->vqs[i].ubuf_info),
290 				      GFP_KERNEL);
291 		if  (!n->vqs[i].ubuf_info)
292 			goto err;
293 	}
294 	return 0;
295 
296 err:
297 	vhost_net_clear_ubuf_info(n);
298 	return -ENOMEM;
299 }
300 
301 static void vhost_net_vq_reset(struct vhost_net *n)
302 {
303 	int i;
304 
305 	vhost_net_clear_ubuf_info(n);
306 
307 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
308 		n->vqs[i].done_idx = 0;
309 		n->vqs[i].upend_idx = 0;
310 		n->vqs[i].ubufs = NULL;
311 		n->vqs[i].vhost_hlen = 0;
312 		n->vqs[i].sock_hlen = 0;
313 		vhost_net_buf_init(&n->vqs[i].rxq);
314 	}
315 
316 }
317 
318 static void vhost_net_tx_packet(struct vhost_net *net)
319 {
320 	++net->tx_packets;
321 	if (net->tx_packets < 1024)
322 		return;
323 	net->tx_packets = 0;
324 	net->tx_zcopy_err = 0;
325 }
326 
327 static void vhost_net_tx_err(struct vhost_net *net)
328 {
329 	++net->tx_zcopy_err;
330 }
331 
332 static bool vhost_net_tx_select_zcopy(struct vhost_net *net)
333 {
334 	/* TX flush waits for outstanding DMAs to be done.
335 	 * Don't start new DMAs.
336 	 */
337 	return !net->tx_flush &&
338 		net->tx_packets / 64 >= net->tx_zcopy_err;
339 }
340 
341 static bool vhost_sock_zcopy(struct socket *sock)
342 {
343 	return unlikely(experimental_zcopytx) &&
344 		sock_flag(sock->sk, SOCK_ZEROCOPY);
345 }
346 
347 static bool vhost_sock_xdp(struct socket *sock)
348 {
349 	return sock_flag(sock->sk, SOCK_XDP);
350 }
351 
352 /* In case of DMA done not in order in lower device driver for some reason.
353  * upend_idx is used to track end of used idx, done_idx is used to track head
354  * of used idx. Once lower device DMA done contiguously, we will signal KVM
355  * guest used idx.
356  */
357 static void vhost_zerocopy_signal_used(struct vhost_net *net,
358 				       struct vhost_virtqueue *vq)
359 {
360 	struct vhost_net_virtqueue *nvq =
361 		container_of(vq, struct vhost_net_virtqueue, vq);
362 	int i, add;
363 	int j = 0;
364 
365 	for (i = nvq->done_idx; i != nvq->upend_idx; i = (i + 1) % UIO_MAXIOV) {
366 		if (vq->heads[i].len == VHOST_DMA_FAILED_LEN)
367 			vhost_net_tx_err(net);
368 		if (VHOST_DMA_IS_DONE(vq->heads[i].len)) {
369 			vq->heads[i].len = VHOST_DMA_CLEAR_LEN;
370 			++j;
371 		} else
372 			break;
373 	}
374 	while (j) {
375 		add = min(UIO_MAXIOV - nvq->done_idx, j);
376 		vhost_add_used_and_signal_n(vq->dev, vq,
377 					    &vq->heads[nvq->done_idx], add);
378 		nvq->done_idx = (nvq->done_idx + add) % UIO_MAXIOV;
379 		j -= add;
380 	}
381 }
382 
383 static void vhost_zerocopy_callback(struct sk_buff *skb,
384 				    struct ubuf_info *ubuf_base, bool success)
385 {
386 	struct ubuf_info_msgzc *ubuf = uarg_to_msgzc(ubuf_base);
387 	struct vhost_net_ubuf_ref *ubufs = ubuf->ctx;
388 	struct vhost_virtqueue *vq = ubufs->vq;
389 	int cnt;
390 
391 	rcu_read_lock_bh();
392 
393 	/* set len to mark this desc buffers done DMA */
394 	vq->heads[ubuf->desc].len = success ?
395 		VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
396 	cnt = vhost_net_ubuf_put(ubufs);
397 
398 	/*
399 	 * Trigger polling thread if guest stopped submitting new buffers:
400 	 * in this case, the refcount after decrement will eventually reach 1.
401 	 * We also trigger polling periodically after each 16 packets
402 	 * (the value 16 here is more or less arbitrary, it's tuned to trigger
403 	 * less than 10% of times).
404 	 */
405 	if (cnt <= 1 || !(cnt % 16))
406 		vhost_poll_queue(&vq->poll);
407 
408 	rcu_read_unlock_bh();
409 }
410 
411 static inline unsigned long busy_clock(void)
412 {
413 	return local_clock() >> 10;
414 }
415 
416 static bool vhost_can_busy_poll(unsigned long endtime)
417 {
418 	return likely(!need_resched() && !time_after(busy_clock(), endtime) &&
419 		      !signal_pending(current));
420 }
421 
422 static void vhost_net_disable_vq(struct vhost_net *n,
423 				 struct vhost_virtqueue *vq)
424 {
425 	struct vhost_net_virtqueue *nvq =
426 		container_of(vq, struct vhost_net_virtqueue, vq);
427 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
428 	if (!vhost_vq_get_backend(vq))
429 		return;
430 	vhost_poll_stop(poll);
431 }
432 
433 static int vhost_net_enable_vq(struct vhost_net *n,
434 				struct vhost_virtqueue *vq)
435 {
436 	struct vhost_net_virtqueue *nvq =
437 		container_of(vq, struct vhost_net_virtqueue, vq);
438 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
439 	struct socket *sock;
440 
441 	sock = vhost_vq_get_backend(vq);
442 	if (!sock)
443 		return 0;
444 
445 	return vhost_poll_start(poll, sock->file);
446 }
447 
448 static void vhost_net_signal_used(struct vhost_net_virtqueue *nvq)
449 {
450 	struct vhost_virtqueue *vq = &nvq->vq;
451 	struct vhost_dev *dev = vq->dev;
452 
453 	if (!nvq->done_idx)
454 		return;
455 
456 	vhost_add_used_and_signal_n(dev, vq, vq->heads, nvq->done_idx);
457 	nvq->done_idx = 0;
458 }
459 
460 static void vhost_tx_batch(struct vhost_net *net,
461 			   struct vhost_net_virtqueue *nvq,
462 			   struct socket *sock,
463 			   struct msghdr *msghdr)
464 {
465 	struct tun_msg_ctl ctl = {
466 		.type = TUN_MSG_PTR,
467 		.num = nvq->batched_xdp,
468 		.ptr = nvq->xdp,
469 	};
470 	int i, err;
471 
472 	if (nvq->batched_xdp == 0)
473 		goto signal_used;
474 
475 	msghdr->msg_control = &ctl;
476 	msghdr->msg_controllen = sizeof(ctl);
477 	err = sock->ops->sendmsg(sock, msghdr, 0);
478 	if (unlikely(err < 0)) {
479 		vq_err(&nvq->vq, "Fail to batch sending packets\n");
480 
481 		/* free pages owned by XDP; since this is an unlikely error path,
482 		 * keep it simple and avoid more complex bulk update for the
483 		 * used pages
484 		 */
485 		for (i = 0; i < nvq->batched_xdp; ++i)
486 			put_page(virt_to_head_page(nvq->xdp[i].data));
487 		nvq->batched_xdp = 0;
488 		nvq->done_idx = 0;
489 		return;
490 	}
491 
492 signal_used:
493 	vhost_net_signal_used(nvq);
494 	nvq->batched_xdp = 0;
495 }
496 
497 static int sock_has_rx_data(struct socket *sock)
498 {
499 	if (unlikely(!sock))
500 		return 0;
501 
502 	if (sock->ops->peek_len)
503 		return sock->ops->peek_len(sock);
504 
505 	return skb_queue_empty(&sock->sk->sk_receive_queue);
506 }
507 
508 static void vhost_net_busy_poll_try_queue(struct vhost_net *net,
509 					  struct vhost_virtqueue *vq)
510 {
511 	if (!vhost_vq_avail_empty(&net->dev, vq)) {
512 		vhost_poll_queue(&vq->poll);
513 	} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
514 		vhost_disable_notify(&net->dev, vq);
515 		vhost_poll_queue(&vq->poll);
516 	}
517 }
518 
519 static void vhost_net_busy_poll(struct vhost_net *net,
520 				struct vhost_virtqueue *rvq,
521 				struct vhost_virtqueue *tvq,
522 				bool *busyloop_intr,
523 				bool poll_rx)
524 {
525 	unsigned long busyloop_timeout;
526 	unsigned long endtime;
527 	struct socket *sock;
528 	struct vhost_virtqueue *vq = poll_rx ? tvq : rvq;
529 
530 	/* Try to hold the vq mutex of the paired virtqueue. We can't
531 	 * use mutex_lock() here since we could not guarantee a
532 	 * consistenet lock ordering.
533 	 */
534 	if (!mutex_trylock(&vq->mutex))
535 		return;
536 
537 	vhost_disable_notify(&net->dev, vq);
538 	sock = vhost_vq_get_backend(rvq);
539 
540 	busyloop_timeout = poll_rx ? rvq->busyloop_timeout:
541 				     tvq->busyloop_timeout;
542 
543 	preempt_disable();
544 	endtime = busy_clock() + busyloop_timeout;
545 
546 	while (vhost_can_busy_poll(endtime)) {
547 		if (vhost_vq_has_work(vq)) {
548 			*busyloop_intr = true;
549 			break;
550 		}
551 
552 		if ((sock_has_rx_data(sock) &&
553 		     !vhost_vq_avail_empty(&net->dev, rvq)) ||
554 		    !vhost_vq_avail_empty(&net->dev, tvq))
555 			break;
556 
557 		cpu_relax();
558 	}
559 
560 	preempt_enable();
561 
562 	if (poll_rx || sock_has_rx_data(sock))
563 		vhost_net_busy_poll_try_queue(net, vq);
564 	else if (!poll_rx) /* On tx here, sock has no rx data. */
565 		vhost_enable_notify(&net->dev, rvq);
566 
567 	mutex_unlock(&vq->mutex);
568 }
569 
570 static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
571 				    struct vhost_net_virtqueue *tnvq,
572 				    unsigned int *out_num, unsigned int *in_num,
573 				    struct msghdr *msghdr, bool *busyloop_intr)
574 {
575 	struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
576 	struct vhost_virtqueue *rvq = &rnvq->vq;
577 	struct vhost_virtqueue *tvq = &tnvq->vq;
578 
579 	int r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
580 				  out_num, in_num, NULL, NULL);
581 
582 	if (r == tvq->num && tvq->busyloop_timeout) {
583 		/* Flush batched packets first */
584 		if (!vhost_sock_zcopy(vhost_vq_get_backend(tvq)))
585 			vhost_tx_batch(net, tnvq,
586 				       vhost_vq_get_backend(tvq),
587 				       msghdr);
588 
589 		vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, false);
590 
591 		r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
592 				      out_num, in_num, NULL, NULL);
593 	}
594 
595 	return r;
596 }
597 
598 static bool vhost_exceeds_maxpend(struct vhost_net *net)
599 {
600 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
601 	struct vhost_virtqueue *vq = &nvq->vq;
602 
603 	return (nvq->upend_idx + UIO_MAXIOV - nvq->done_idx) % UIO_MAXIOV >
604 	       min_t(unsigned int, VHOST_MAX_PEND, vq->num >> 2);
605 }
606 
607 static size_t init_iov_iter(struct vhost_virtqueue *vq, struct iov_iter *iter,
608 			    size_t hdr_size, int out)
609 {
610 	/* Skip header. TODO: support TSO. */
611 	size_t len = iov_length(vq->iov, out);
612 
613 	iov_iter_init(iter, ITER_SOURCE, vq->iov, out, len);
614 	iov_iter_advance(iter, hdr_size);
615 
616 	return iov_iter_count(iter);
617 }
618 
619 static int get_tx_bufs(struct vhost_net *net,
620 		       struct vhost_net_virtqueue *nvq,
621 		       struct msghdr *msg,
622 		       unsigned int *out, unsigned int *in,
623 		       size_t *len, bool *busyloop_intr)
624 {
625 	struct vhost_virtqueue *vq = &nvq->vq;
626 	int ret;
627 
628 	ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, busyloop_intr);
629 
630 	if (ret < 0 || ret == vq->num)
631 		return ret;
632 
633 	if (*in) {
634 		vq_err(vq, "Unexpected descriptor format for TX: out %d, int %d\n",
635 			*out, *in);
636 		return -EFAULT;
637 	}
638 
639 	/* Sanity check */
640 	*len = init_iov_iter(vq, &msg->msg_iter, nvq->vhost_hlen, *out);
641 	if (*len == 0) {
642 		vq_err(vq, "Unexpected header len for TX: %zd expected %zd\n",
643 			*len, nvq->vhost_hlen);
644 		return -EFAULT;
645 	}
646 
647 	return ret;
648 }
649 
650 static bool tx_can_batch(struct vhost_virtqueue *vq, size_t total_len)
651 {
652 	return total_len < VHOST_NET_WEIGHT &&
653 	       !vhost_vq_avail_empty(vq->dev, vq);
654 }
655 
656 #define VHOST_NET_RX_PAD (NET_IP_ALIGN + NET_SKB_PAD)
657 
658 static int vhost_net_build_xdp(struct vhost_net_virtqueue *nvq,
659 			       struct iov_iter *from)
660 {
661 	struct vhost_virtqueue *vq = &nvq->vq;
662 	struct vhost_net *net = container_of(vq->dev, struct vhost_net,
663 					     dev);
664 	struct socket *sock = vhost_vq_get_backend(vq);
665 	struct virtio_net_hdr *gso;
666 	struct xdp_buff *xdp = &nvq->xdp[nvq->batched_xdp];
667 	struct tun_xdp_hdr *hdr;
668 	size_t len = iov_iter_count(from);
669 	int headroom = vhost_sock_xdp(sock) ? XDP_PACKET_HEADROOM : 0;
670 	int buflen = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
671 	int pad = SKB_DATA_ALIGN(VHOST_NET_RX_PAD + headroom + nvq->sock_hlen);
672 	int sock_hlen = nvq->sock_hlen;
673 	void *buf;
674 	int copied;
675 	int ret;
676 
677 	if (unlikely(len < nvq->sock_hlen))
678 		return -EFAULT;
679 
680 	if (SKB_DATA_ALIGN(len + pad) +
681 	    SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
682 		return -ENOSPC;
683 
684 	buflen += SKB_DATA_ALIGN(len + pad);
685 	buf = page_frag_alloc_align(&net->pf_cache, buflen, GFP_KERNEL,
686 				    SMP_CACHE_BYTES);
687 	if (unlikely(!buf))
688 		return -ENOMEM;
689 
690 	copied = copy_from_iter(buf + offsetof(struct tun_xdp_hdr, gso),
691 				sock_hlen, from);
692 	if (copied != sock_hlen) {
693 		ret = -EFAULT;
694 		goto err;
695 	}
696 
697 	hdr = buf;
698 	gso = &hdr->gso;
699 
700 	if (!sock_hlen)
701 		memset(buf, 0, pad);
702 
703 	if ((gso->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&
704 	    vhost16_to_cpu(vq, gso->csum_start) +
705 	    vhost16_to_cpu(vq, gso->csum_offset) + 2 >
706 	    vhost16_to_cpu(vq, gso->hdr_len)) {
707 		gso->hdr_len = cpu_to_vhost16(vq,
708 			       vhost16_to_cpu(vq, gso->csum_start) +
709 			       vhost16_to_cpu(vq, gso->csum_offset) + 2);
710 
711 		if (vhost16_to_cpu(vq, gso->hdr_len) > len) {
712 			ret = -EINVAL;
713 			goto err;
714 		}
715 	}
716 
717 	len -= sock_hlen;
718 	copied = copy_from_iter(buf + pad, len, from);
719 	if (copied != len) {
720 		ret = -EFAULT;
721 		goto err;
722 	}
723 
724 	xdp_init_buff(xdp, buflen, NULL);
725 	xdp_prepare_buff(xdp, buf, pad, len, true);
726 	hdr->buflen = buflen;
727 
728 	++nvq->batched_xdp;
729 
730 	return 0;
731 
732 err:
733 	page_frag_free(buf);
734 	return ret;
735 }
736 
737 static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
738 {
739 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
740 	struct vhost_virtqueue *vq = &nvq->vq;
741 	unsigned out, in;
742 	int head;
743 	struct msghdr msg = {
744 		.msg_name = NULL,
745 		.msg_namelen = 0,
746 		.msg_control = NULL,
747 		.msg_controllen = 0,
748 		.msg_flags = MSG_DONTWAIT,
749 	};
750 	size_t len, total_len = 0;
751 	int err;
752 	int sent_pkts = 0;
753 	bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
754 
755 	do {
756 		bool busyloop_intr = false;
757 
758 		if (nvq->done_idx == VHOST_NET_BATCH)
759 			vhost_tx_batch(net, nvq, sock, &msg);
760 
761 		head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
762 				   &busyloop_intr);
763 		/* On error, stop handling until the next kick. */
764 		if (unlikely(head < 0))
765 			break;
766 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
767 		if (head == vq->num) {
768 			if (unlikely(busyloop_intr)) {
769 				vhost_poll_queue(&vq->poll);
770 			} else if (unlikely(vhost_enable_notify(&net->dev,
771 								vq))) {
772 				vhost_disable_notify(&net->dev, vq);
773 				continue;
774 			}
775 			break;
776 		}
777 
778 		total_len += len;
779 
780 		/* For simplicity, TX batching is only enabled if
781 		 * sndbuf is unlimited.
782 		 */
783 		if (sock_can_batch) {
784 			err = vhost_net_build_xdp(nvq, &msg.msg_iter);
785 			if (!err) {
786 				goto done;
787 			} else if (unlikely(err != -ENOSPC)) {
788 				vhost_tx_batch(net, nvq, sock, &msg);
789 				vhost_discard_vq_desc(vq, 1);
790 				vhost_net_enable_vq(net, vq);
791 				break;
792 			}
793 
794 			/* We can't build XDP buff, go for single
795 			 * packet path but let's flush batched
796 			 * packets.
797 			 */
798 			vhost_tx_batch(net, nvq, sock, &msg);
799 			msg.msg_control = NULL;
800 		} else {
801 			if (tx_can_batch(vq, total_len))
802 				msg.msg_flags |= MSG_MORE;
803 			else
804 				msg.msg_flags &= ~MSG_MORE;
805 		}
806 
807 		err = sock->ops->sendmsg(sock, &msg, len);
808 		if (unlikely(err < 0)) {
809 			if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) {
810 				vhost_discard_vq_desc(vq, 1);
811 				vhost_net_enable_vq(net, vq);
812 				break;
813 			}
814 			pr_debug("Fail to send packet: err %d", err);
815 		} else if (unlikely(err != len))
816 			pr_debug("Truncated TX packet: len %d != %zd\n",
817 				 err, len);
818 done:
819 		vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);
820 		vq->heads[nvq->done_idx].len = 0;
821 		++nvq->done_idx;
822 	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
823 
824 	vhost_tx_batch(net, nvq, sock, &msg);
825 }
826 
827 static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
828 {
829 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
830 	struct vhost_virtqueue *vq = &nvq->vq;
831 	unsigned out, in;
832 	int head;
833 	struct msghdr msg = {
834 		.msg_name = NULL,
835 		.msg_namelen = 0,
836 		.msg_control = NULL,
837 		.msg_controllen = 0,
838 		.msg_flags = MSG_DONTWAIT,
839 	};
840 	struct tun_msg_ctl ctl;
841 	size_t len, total_len = 0;
842 	int err;
843 	struct vhost_net_ubuf_ref *ubufs;
844 	struct ubuf_info_msgzc *ubuf;
845 	bool zcopy_used;
846 	int sent_pkts = 0;
847 
848 	do {
849 		bool busyloop_intr;
850 
851 		/* Release DMAs done buffers first */
852 		vhost_zerocopy_signal_used(net, vq);
853 
854 		busyloop_intr = false;
855 		head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
856 				   &busyloop_intr);
857 		/* On error, stop handling until the next kick. */
858 		if (unlikely(head < 0))
859 			break;
860 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
861 		if (head == vq->num) {
862 			if (unlikely(busyloop_intr)) {
863 				vhost_poll_queue(&vq->poll);
864 			} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
865 				vhost_disable_notify(&net->dev, vq);
866 				continue;
867 			}
868 			break;
869 		}
870 
871 		zcopy_used = len >= VHOST_GOODCOPY_LEN
872 			     && !vhost_exceeds_maxpend(net)
873 			     && vhost_net_tx_select_zcopy(net);
874 
875 		/* use msg_control to pass vhost zerocopy ubuf info to skb */
876 		if (zcopy_used) {
877 			ubuf = nvq->ubuf_info + nvq->upend_idx;
878 			vq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);
879 			vq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;
880 			ubuf->ctx = nvq->ubufs;
881 			ubuf->desc = nvq->upend_idx;
882 			ubuf->ubuf.callback = vhost_zerocopy_callback;
883 			ubuf->ubuf.flags = SKBFL_ZEROCOPY_FRAG;
884 			refcount_set(&ubuf->ubuf.refcnt, 1);
885 			msg.msg_control = &ctl;
886 			ctl.type = TUN_MSG_UBUF;
887 			ctl.ptr = &ubuf->ubuf;
888 			msg.msg_controllen = sizeof(ctl);
889 			ubufs = nvq->ubufs;
890 			atomic_inc(&ubufs->refcount);
891 			nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
892 		} else {
893 			msg.msg_control = NULL;
894 			ubufs = NULL;
895 		}
896 		total_len += len;
897 		if (tx_can_batch(vq, total_len) &&
898 		    likely(!vhost_exceeds_maxpend(net))) {
899 			msg.msg_flags |= MSG_MORE;
900 		} else {
901 			msg.msg_flags &= ~MSG_MORE;
902 		}
903 
904 		err = sock->ops->sendmsg(sock, &msg, len);
905 		if (unlikely(err < 0)) {
906 			bool retry = err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS;
907 
908 			if (zcopy_used) {
909 				if (vq->heads[ubuf->desc].len == VHOST_DMA_IN_PROGRESS)
910 					vhost_net_ubuf_put(ubufs);
911 				if (retry)
912 					nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
913 						% UIO_MAXIOV;
914 				else
915 					vq->heads[ubuf->desc].len = VHOST_DMA_DONE_LEN;
916 			}
917 			if (retry) {
918 				vhost_discard_vq_desc(vq, 1);
919 				vhost_net_enable_vq(net, vq);
920 				break;
921 			}
922 			pr_debug("Fail to send packet: err %d", err);
923 		} else if (unlikely(err != len))
924 			pr_debug("Truncated TX packet: "
925 				 " len %d != %zd\n", err, len);
926 		if (!zcopy_used)
927 			vhost_add_used_and_signal(&net->dev, vq, head, 0);
928 		else
929 			vhost_zerocopy_signal_used(net, vq);
930 		vhost_net_tx_packet(net);
931 	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
932 }
933 
934 /* Expects to be always run from workqueue - which acts as
935  * read-size critical section for our kind of RCU. */
936 static void handle_tx(struct vhost_net *net)
937 {
938 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
939 	struct vhost_virtqueue *vq = &nvq->vq;
940 	struct socket *sock;
941 
942 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_TX);
943 	sock = vhost_vq_get_backend(vq);
944 	if (!sock)
945 		goto out;
946 
947 	if (!vq_meta_prefetch(vq))
948 		goto out;
949 
950 	vhost_disable_notify(&net->dev, vq);
951 	vhost_net_disable_vq(net, vq);
952 
953 	if (vhost_sock_zcopy(sock))
954 		handle_tx_zerocopy(net, sock);
955 	else
956 		handle_tx_copy(net, sock);
957 
958 out:
959 	mutex_unlock(&vq->mutex);
960 }
961 
962 static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk)
963 {
964 	struct sk_buff *head;
965 	int len = 0;
966 	unsigned long flags;
967 
968 	if (rvq->rx_ring)
969 		return vhost_net_buf_peek(rvq);
970 
971 	spin_lock_irqsave(&sk->sk_receive_queue.lock, flags);
972 	head = skb_peek(&sk->sk_receive_queue);
973 	if (likely(head)) {
974 		len = head->len;
975 		if (skb_vlan_tag_present(head))
976 			len += VLAN_HLEN;
977 	}
978 
979 	spin_unlock_irqrestore(&sk->sk_receive_queue.lock, flags);
980 	return len;
981 }
982 
983 static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk,
984 				      bool *busyloop_intr)
985 {
986 	struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
987 	struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX];
988 	struct vhost_virtqueue *rvq = &rnvq->vq;
989 	struct vhost_virtqueue *tvq = &tnvq->vq;
990 	int len = peek_head_len(rnvq, sk);
991 
992 	if (!len && rvq->busyloop_timeout) {
993 		/* Flush batched heads first */
994 		vhost_net_signal_used(rnvq);
995 		/* Both tx vq and rx socket were polled here */
996 		vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true);
997 
998 		len = peek_head_len(rnvq, sk);
999 	}
1000 
1001 	return len;
1002 }
1003 
1004 /* This is a multi-buffer version of vhost_get_desc, that works if
1005  *	vq has read descriptors only.
1006  * @vq		- the relevant virtqueue
1007  * @datalen	- data length we'll be reading
1008  * @iovcount	- returned count of io vectors we fill
1009  * @log		- vhost log
1010  * @log_num	- log offset
1011  * @quota       - headcount quota, 1 for big buffer
1012  *	returns number of buffer heads allocated, negative on error
1013  */
1014 static int get_rx_bufs(struct vhost_virtqueue *vq,
1015 		       struct vring_used_elem *heads,
1016 		       int datalen,
1017 		       unsigned *iovcount,
1018 		       struct vhost_log *log,
1019 		       unsigned *log_num,
1020 		       unsigned int quota)
1021 {
1022 	unsigned int out, in;
1023 	int seg = 0;
1024 	int headcount = 0;
1025 	unsigned d;
1026 	int r, nlogs = 0;
1027 	/* len is always initialized before use since we are always called with
1028 	 * datalen > 0.
1029 	 */
1030 	u32 len;
1031 
1032 	while (datalen > 0 && headcount < quota) {
1033 		if (unlikely(seg >= UIO_MAXIOV)) {
1034 			r = -ENOBUFS;
1035 			goto err;
1036 		}
1037 		r = vhost_get_vq_desc(vq, vq->iov + seg,
1038 				      ARRAY_SIZE(vq->iov) - seg, &out,
1039 				      &in, log, log_num);
1040 		if (unlikely(r < 0))
1041 			goto err;
1042 
1043 		d = r;
1044 		if (d == vq->num) {
1045 			r = 0;
1046 			goto err;
1047 		}
1048 		if (unlikely(out || in <= 0)) {
1049 			vq_err(vq, "unexpected descriptor format for RX: "
1050 				"out %d, in %d\n", out, in);
1051 			r = -EINVAL;
1052 			goto err;
1053 		}
1054 		if (unlikely(log)) {
1055 			nlogs += *log_num;
1056 			log += *log_num;
1057 		}
1058 		heads[headcount].id = cpu_to_vhost32(vq, d);
1059 		len = iov_length(vq->iov + seg, in);
1060 		heads[headcount].len = cpu_to_vhost32(vq, len);
1061 		datalen -= len;
1062 		++headcount;
1063 		seg += in;
1064 	}
1065 	heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
1066 	*iovcount = seg;
1067 	if (unlikely(log))
1068 		*log_num = nlogs;
1069 
1070 	/* Detect overrun */
1071 	if (unlikely(datalen > 0)) {
1072 		r = UIO_MAXIOV + 1;
1073 		goto err;
1074 	}
1075 	return headcount;
1076 err:
1077 	vhost_discard_vq_desc(vq, headcount);
1078 	return r;
1079 }
1080 
1081 /* Expects to be always run from workqueue - which acts as
1082  * read-size critical section for our kind of RCU. */
1083 static void handle_rx(struct vhost_net *net)
1084 {
1085 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];
1086 	struct vhost_virtqueue *vq = &nvq->vq;
1087 	unsigned in, log;
1088 	struct vhost_log *vq_log;
1089 	struct msghdr msg = {
1090 		.msg_name = NULL,
1091 		.msg_namelen = 0,
1092 		.msg_control = NULL, /* FIXME: get and handle RX aux data. */
1093 		.msg_controllen = 0,
1094 		.msg_flags = MSG_DONTWAIT,
1095 	};
1096 	struct virtio_net_hdr hdr = {
1097 		.flags = 0,
1098 		.gso_type = VIRTIO_NET_HDR_GSO_NONE
1099 	};
1100 	size_t total_len = 0;
1101 	int err, mergeable;
1102 	s16 headcount;
1103 	size_t vhost_hlen, sock_hlen;
1104 	size_t vhost_len, sock_len;
1105 	bool busyloop_intr = false;
1106 	struct socket *sock;
1107 	struct iov_iter fixup;
1108 	__virtio16 num_buffers;
1109 	int recv_pkts = 0;
1110 
1111 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
1112 	sock = vhost_vq_get_backend(vq);
1113 	if (!sock)
1114 		goto out;
1115 
1116 	if (!vq_meta_prefetch(vq))
1117 		goto out;
1118 
1119 	vhost_disable_notify(&net->dev, vq);
1120 	vhost_net_disable_vq(net, vq);
1121 
1122 	vhost_hlen = nvq->vhost_hlen;
1123 	sock_hlen = nvq->sock_hlen;
1124 
1125 	vq_log = unlikely(vhost_has_feature(vq, VHOST_F_LOG_ALL)) ?
1126 		vq->log : NULL;
1127 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
1128 
1129 	do {
1130 		sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
1131 						      &busyloop_intr);
1132 		if (!sock_len)
1133 			break;
1134 		sock_len += sock_hlen;
1135 		vhost_len = sock_len + vhost_hlen;
1136 		headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
1137 					vhost_len, &in, vq_log, &log,
1138 					likely(mergeable) ? UIO_MAXIOV : 1);
1139 		/* On error, stop handling until the next kick. */
1140 		if (unlikely(headcount < 0))
1141 			goto out;
1142 		/* OK, now we need to know about added descriptors. */
1143 		if (!headcount) {
1144 			if (unlikely(busyloop_intr)) {
1145 				vhost_poll_queue(&vq->poll);
1146 			} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
1147 				/* They have slipped one in as we were
1148 				 * doing that: check again. */
1149 				vhost_disable_notify(&net->dev, vq);
1150 				continue;
1151 			}
1152 			/* Nothing new?  Wait for eventfd to tell us
1153 			 * they refilled. */
1154 			goto out;
1155 		}
1156 		busyloop_intr = false;
1157 		if (nvq->rx_ring)
1158 			msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
1159 		/* On overrun, truncate and discard */
1160 		if (unlikely(headcount > UIO_MAXIOV)) {
1161 			iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, 1, 1);
1162 			err = sock->ops->recvmsg(sock, &msg,
1163 						 1, MSG_DONTWAIT | MSG_TRUNC);
1164 			pr_debug("Discarded rx packet: len %zd\n", sock_len);
1165 			continue;
1166 		}
1167 		/* We don't need to be notified again. */
1168 		iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, in, vhost_len);
1169 		fixup = msg.msg_iter;
1170 		if (unlikely((vhost_hlen))) {
1171 			/* We will supply the header ourselves
1172 			 * TODO: support TSO.
1173 			 */
1174 			iov_iter_advance(&msg.msg_iter, vhost_hlen);
1175 		}
1176 		err = sock->ops->recvmsg(sock, &msg,
1177 					 sock_len, MSG_DONTWAIT | MSG_TRUNC);
1178 		/* Userspace might have consumed the packet meanwhile:
1179 		 * it's not supposed to do this usually, but might be hard
1180 		 * to prevent. Discard data we got (if any) and keep going. */
1181 		if (unlikely(err != sock_len)) {
1182 			pr_debug("Discarded rx packet: "
1183 				 " len %d, expected %zd\n", err, sock_len);
1184 			vhost_discard_vq_desc(vq, headcount);
1185 			continue;
1186 		}
1187 		/* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */
1188 		if (unlikely(vhost_hlen)) {
1189 			if (copy_to_iter(&hdr, sizeof(hdr),
1190 					 &fixup) != sizeof(hdr)) {
1191 				vq_err(vq, "Unable to write vnet_hdr "
1192 				       "at addr %p\n", vq->iov->iov_base);
1193 				goto out;
1194 			}
1195 		} else {
1196 			/* Header came from socket; we'll need to patch
1197 			 * ->num_buffers over if VIRTIO_NET_F_MRG_RXBUF
1198 			 */
1199 			iov_iter_advance(&fixup, sizeof(hdr));
1200 		}
1201 		/* TODO: Should check and handle checksum. */
1202 
1203 		num_buffers = cpu_to_vhost16(vq, headcount);
1204 		if (likely(mergeable) &&
1205 		    copy_to_iter(&num_buffers, sizeof num_buffers,
1206 				 &fixup) != sizeof num_buffers) {
1207 			vq_err(vq, "Failed num_buffers write");
1208 			vhost_discard_vq_desc(vq, headcount);
1209 			goto out;
1210 		}
1211 		nvq->done_idx += headcount;
1212 		if (nvq->done_idx > VHOST_NET_BATCH)
1213 			vhost_net_signal_used(nvq);
1214 		if (unlikely(vq_log))
1215 			vhost_log_write(vq, vq_log, log, vhost_len,
1216 					vq->iov, in);
1217 		total_len += vhost_len;
1218 	} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
1219 
1220 	if (unlikely(busyloop_intr))
1221 		vhost_poll_queue(&vq->poll);
1222 	else if (!sock_len)
1223 		vhost_net_enable_vq(net, vq);
1224 out:
1225 	vhost_net_signal_used(nvq);
1226 	mutex_unlock(&vq->mutex);
1227 }
1228 
1229 static void handle_tx_kick(struct vhost_work *work)
1230 {
1231 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
1232 						  poll.work);
1233 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
1234 
1235 	handle_tx(net);
1236 }
1237 
1238 static void handle_rx_kick(struct vhost_work *work)
1239 {
1240 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
1241 						  poll.work);
1242 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
1243 
1244 	handle_rx(net);
1245 }
1246 
1247 static void handle_tx_net(struct vhost_work *work)
1248 {
1249 	struct vhost_net *net = container_of(work, struct vhost_net,
1250 					     poll[VHOST_NET_VQ_TX].work);
1251 	handle_tx(net);
1252 }
1253 
1254 static void handle_rx_net(struct vhost_work *work)
1255 {
1256 	struct vhost_net *net = container_of(work, struct vhost_net,
1257 					     poll[VHOST_NET_VQ_RX].work);
1258 	handle_rx(net);
1259 }
1260 
1261 static int vhost_net_open(struct inode *inode, struct file *f)
1262 {
1263 	struct vhost_net *n;
1264 	struct vhost_dev *dev;
1265 	struct vhost_virtqueue **vqs;
1266 	void **queue;
1267 	struct xdp_buff *xdp;
1268 	int i;
1269 
1270 	n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
1271 	if (!n)
1272 		return -ENOMEM;
1273 	vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
1274 	if (!vqs) {
1275 		kvfree(n);
1276 		return -ENOMEM;
1277 	}
1278 
1279 	queue = kmalloc_array(VHOST_NET_BATCH, sizeof(void *),
1280 			      GFP_KERNEL);
1281 	if (!queue) {
1282 		kfree(vqs);
1283 		kvfree(n);
1284 		return -ENOMEM;
1285 	}
1286 	n->vqs[VHOST_NET_VQ_RX].rxq.queue = queue;
1287 
1288 	xdp = kmalloc_array(VHOST_NET_BATCH, sizeof(*xdp), GFP_KERNEL);
1289 	if (!xdp) {
1290 		kfree(vqs);
1291 		kvfree(n);
1292 		kfree(queue);
1293 		return -ENOMEM;
1294 	}
1295 	n->vqs[VHOST_NET_VQ_TX].xdp = xdp;
1296 
1297 	dev = &n->dev;
1298 	vqs[VHOST_NET_VQ_TX] = &n->vqs[VHOST_NET_VQ_TX].vq;
1299 	vqs[VHOST_NET_VQ_RX] = &n->vqs[VHOST_NET_VQ_RX].vq;
1300 	n->vqs[VHOST_NET_VQ_TX].vq.handle_kick = handle_tx_kick;
1301 	n->vqs[VHOST_NET_VQ_RX].vq.handle_kick = handle_rx_kick;
1302 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
1303 		n->vqs[i].ubufs = NULL;
1304 		n->vqs[i].ubuf_info = NULL;
1305 		n->vqs[i].upend_idx = 0;
1306 		n->vqs[i].done_idx = 0;
1307 		n->vqs[i].batched_xdp = 0;
1308 		n->vqs[i].vhost_hlen = 0;
1309 		n->vqs[i].sock_hlen = 0;
1310 		n->vqs[i].rx_ring = NULL;
1311 		vhost_net_buf_init(&n->vqs[i].rxq);
1312 	}
1313 	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
1314 		       UIO_MAXIOV + VHOST_NET_BATCH,
1315 		       VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT, true,
1316 		       NULL);
1317 
1318 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, EPOLLOUT, dev,
1319 			vqs[VHOST_NET_VQ_TX]);
1320 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, EPOLLIN, dev,
1321 			vqs[VHOST_NET_VQ_RX]);
1322 
1323 	f->private_data = n;
1324 	n->pf_cache.va = NULL;
1325 
1326 	return 0;
1327 }
1328 
1329 static struct socket *vhost_net_stop_vq(struct vhost_net *n,
1330 					struct vhost_virtqueue *vq)
1331 {
1332 	struct socket *sock;
1333 	struct vhost_net_virtqueue *nvq =
1334 		container_of(vq, struct vhost_net_virtqueue, vq);
1335 
1336 	mutex_lock(&vq->mutex);
1337 	sock = vhost_vq_get_backend(vq);
1338 	vhost_net_disable_vq(n, vq);
1339 	vhost_vq_set_backend(vq, NULL);
1340 	vhost_net_buf_unproduce(nvq);
1341 	nvq->rx_ring = NULL;
1342 	mutex_unlock(&vq->mutex);
1343 	return sock;
1344 }
1345 
1346 static void vhost_net_stop(struct vhost_net *n, struct socket **tx_sock,
1347 			   struct socket **rx_sock)
1348 {
1349 	*tx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_TX].vq);
1350 	*rx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_RX].vq);
1351 }
1352 
1353 static void vhost_net_flush(struct vhost_net *n)
1354 {
1355 	vhost_dev_flush(&n->dev);
1356 	if (n->vqs[VHOST_NET_VQ_TX].ubufs) {
1357 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1358 		n->tx_flush = true;
1359 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1360 		/* Wait for all lower device DMAs done. */
1361 		vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
1362 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1363 		n->tx_flush = false;
1364 		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
1365 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1366 	}
1367 }
1368 
1369 static int vhost_net_release(struct inode *inode, struct file *f)
1370 {
1371 	struct vhost_net *n = f->private_data;
1372 	struct socket *tx_sock;
1373 	struct socket *rx_sock;
1374 
1375 	vhost_net_stop(n, &tx_sock, &rx_sock);
1376 	vhost_net_flush(n);
1377 	vhost_dev_stop(&n->dev);
1378 	vhost_dev_cleanup(&n->dev);
1379 	vhost_net_vq_reset(n);
1380 	if (tx_sock)
1381 		sockfd_put(tx_sock);
1382 	if (rx_sock)
1383 		sockfd_put(rx_sock);
1384 	/* Make sure no callbacks are outstanding */
1385 	synchronize_rcu();
1386 	/* We do an extra flush before freeing memory,
1387 	 * since jobs can re-queue themselves. */
1388 	vhost_net_flush(n);
1389 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
1390 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
1391 	kfree(n->dev.vqs);
1392 	page_frag_cache_drain(&n->pf_cache);
1393 	kvfree(n);
1394 	return 0;
1395 }
1396 
1397 static struct socket *get_raw_socket(int fd)
1398 {
1399 	int r;
1400 	struct socket *sock = sockfd_lookup(fd, &r);
1401 
1402 	if (!sock)
1403 		return ERR_PTR(-ENOTSOCK);
1404 
1405 	/* Parameter checking */
1406 	if (sock->sk->sk_type != SOCK_RAW) {
1407 		r = -ESOCKTNOSUPPORT;
1408 		goto err;
1409 	}
1410 
1411 	if (sock->sk->sk_family != AF_PACKET) {
1412 		r = -EPFNOSUPPORT;
1413 		goto err;
1414 	}
1415 	return sock;
1416 err:
1417 	sockfd_put(sock);
1418 	return ERR_PTR(r);
1419 }
1420 
1421 static struct ptr_ring *get_tap_ptr_ring(struct file *file)
1422 {
1423 	struct ptr_ring *ring;
1424 	ring = tun_get_tx_ring(file);
1425 	if (!IS_ERR(ring))
1426 		goto out;
1427 	ring = tap_get_ptr_ring(file);
1428 	if (!IS_ERR(ring))
1429 		goto out;
1430 	ring = NULL;
1431 out:
1432 	return ring;
1433 }
1434 
1435 static struct socket *get_tap_socket(int fd)
1436 {
1437 	struct file *file = fget(fd);
1438 	struct socket *sock;
1439 
1440 	if (!file)
1441 		return ERR_PTR(-EBADF);
1442 	sock = tun_get_socket(file);
1443 	if (!IS_ERR(sock))
1444 		return sock;
1445 	sock = tap_get_socket(file);
1446 	if (IS_ERR(sock))
1447 		fput(file);
1448 	return sock;
1449 }
1450 
1451 static struct socket *get_socket(int fd)
1452 {
1453 	struct socket *sock;
1454 
1455 	/* special case to disable backend */
1456 	if (fd == -1)
1457 		return NULL;
1458 	sock = get_raw_socket(fd);
1459 	if (!IS_ERR(sock))
1460 		return sock;
1461 	sock = get_tap_socket(fd);
1462 	if (!IS_ERR(sock))
1463 		return sock;
1464 	return ERR_PTR(-ENOTSOCK);
1465 }
1466 
1467 static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
1468 {
1469 	struct socket *sock, *oldsock;
1470 	struct vhost_virtqueue *vq;
1471 	struct vhost_net_virtqueue *nvq;
1472 	struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
1473 	int r;
1474 
1475 	mutex_lock(&n->dev.mutex);
1476 	r = vhost_dev_check_owner(&n->dev);
1477 	if (r)
1478 		goto err;
1479 
1480 	if (index >= VHOST_NET_VQ_MAX) {
1481 		r = -ENOBUFS;
1482 		goto err;
1483 	}
1484 	vq = &n->vqs[index].vq;
1485 	nvq = &n->vqs[index];
1486 	mutex_lock(&vq->mutex);
1487 
1488 	if (fd == -1)
1489 		vhost_clear_msg(&n->dev);
1490 
1491 	/* Verify that ring has been setup correctly. */
1492 	if (!vhost_vq_access_ok(vq)) {
1493 		r = -EFAULT;
1494 		goto err_vq;
1495 	}
1496 	sock = get_socket(fd);
1497 	if (IS_ERR(sock)) {
1498 		r = PTR_ERR(sock);
1499 		goto err_vq;
1500 	}
1501 
1502 	/* start polling new socket */
1503 	oldsock = vhost_vq_get_backend(vq);
1504 	if (sock != oldsock) {
1505 		ubufs = vhost_net_ubuf_alloc(vq,
1506 					     sock && vhost_sock_zcopy(sock));
1507 		if (IS_ERR(ubufs)) {
1508 			r = PTR_ERR(ubufs);
1509 			goto err_ubufs;
1510 		}
1511 
1512 		vhost_net_disable_vq(n, vq);
1513 		vhost_vq_set_backend(vq, sock);
1514 		vhost_net_buf_unproduce(nvq);
1515 		r = vhost_vq_init_access(vq);
1516 		if (r)
1517 			goto err_used;
1518 		r = vhost_net_enable_vq(n, vq);
1519 		if (r)
1520 			goto err_used;
1521 		if (index == VHOST_NET_VQ_RX) {
1522 			if (sock)
1523 				nvq->rx_ring = get_tap_ptr_ring(sock->file);
1524 			else
1525 				nvq->rx_ring = NULL;
1526 		}
1527 
1528 		oldubufs = nvq->ubufs;
1529 		nvq->ubufs = ubufs;
1530 
1531 		n->tx_packets = 0;
1532 		n->tx_zcopy_err = 0;
1533 		n->tx_flush = false;
1534 	}
1535 
1536 	mutex_unlock(&vq->mutex);
1537 
1538 	if (oldubufs) {
1539 		vhost_net_ubuf_put_wait_and_free(oldubufs);
1540 		mutex_lock(&vq->mutex);
1541 		vhost_zerocopy_signal_used(n, vq);
1542 		mutex_unlock(&vq->mutex);
1543 	}
1544 
1545 	if (oldsock) {
1546 		vhost_dev_flush(&n->dev);
1547 		sockfd_put(oldsock);
1548 	}
1549 
1550 	mutex_unlock(&n->dev.mutex);
1551 	return 0;
1552 
1553 err_used:
1554 	vhost_vq_set_backend(vq, oldsock);
1555 	vhost_net_enable_vq(n, vq);
1556 	if (ubufs)
1557 		vhost_net_ubuf_put_wait_and_free(ubufs);
1558 err_ubufs:
1559 	if (sock)
1560 		sockfd_put(sock);
1561 err_vq:
1562 	mutex_unlock(&vq->mutex);
1563 err:
1564 	mutex_unlock(&n->dev.mutex);
1565 	return r;
1566 }
1567 
1568 static long vhost_net_reset_owner(struct vhost_net *n)
1569 {
1570 	struct socket *tx_sock = NULL;
1571 	struct socket *rx_sock = NULL;
1572 	long err;
1573 	struct vhost_iotlb *umem;
1574 
1575 	mutex_lock(&n->dev.mutex);
1576 	err = vhost_dev_check_owner(&n->dev);
1577 	if (err)
1578 		goto done;
1579 	umem = vhost_dev_reset_owner_prepare();
1580 	if (!umem) {
1581 		err = -ENOMEM;
1582 		goto done;
1583 	}
1584 	vhost_net_stop(n, &tx_sock, &rx_sock);
1585 	vhost_net_flush(n);
1586 	vhost_dev_stop(&n->dev);
1587 	vhost_dev_reset_owner(&n->dev, umem);
1588 	vhost_net_vq_reset(n);
1589 done:
1590 	mutex_unlock(&n->dev.mutex);
1591 	if (tx_sock)
1592 		sockfd_put(tx_sock);
1593 	if (rx_sock)
1594 		sockfd_put(rx_sock);
1595 	return err;
1596 }
1597 
1598 static int vhost_net_set_features(struct vhost_net *n, u64 features)
1599 {
1600 	size_t vhost_hlen, sock_hlen, hdr_len;
1601 	int i;
1602 
1603 	hdr_len = (features & ((1ULL << VIRTIO_NET_F_MRG_RXBUF) |
1604 			       (1ULL << VIRTIO_F_VERSION_1))) ?
1605 			sizeof(struct virtio_net_hdr_mrg_rxbuf) :
1606 			sizeof(struct virtio_net_hdr);
1607 	if (features & (1 << VHOST_NET_F_VIRTIO_NET_HDR)) {
1608 		/* vhost provides vnet_hdr */
1609 		vhost_hlen = hdr_len;
1610 		sock_hlen = 0;
1611 	} else {
1612 		/* socket provides vnet_hdr */
1613 		vhost_hlen = 0;
1614 		sock_hlen = hdr_len;
1615 	}
1616 	mutex_lock(&n->dev.mutex);
1617 	if ((features & (1 << VHOST_F_LOG_ALL)) &&
1618 	    !vhost_log_access_ok(&n->dev))
1619 		goto out_unlock;
1620 
1621 	if ((features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) {
1622 		if (vhost_init_device_iotlb(&n->dev))
1623 			goto out_unlock;
1624 	}
1625 
1626 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
1627 		mutex_lock(&n->vqs[i].vq.mutex);
1628 		n->vqs[i].vq.acked_features = features;
1629 		n->vqs[i].vhost_hlen = vhost_hlen;
1630 		n->vqs[i].sock_hlen = sock_hlen;
1631 		mutex_unlock(&n->vqs[i].vq.mutex);
1632 	}
1633 	mutex_unlock(&n->dev.mutex);
1634 	return 0;
1635 
1636 out_unlock:
1637 	mutex_unlock(&n->dev.mutex);
1638 	return -EFAULT;
1639 }
1640 
1641 static long vhost_net_set_owner(struct vhost_net *n)
1642 {
1643 	int r;
1644 
1645 	mutex_lock(&n->dev.mutex);
1646 	if (vhost_dev_has_owner(&n->dev)) {
1647 		r = -EBUSY;
1648 		goto out;
1649 	}
1650 	r = vhost_net_set_ubuf_info(n);
1651 	if (r)
1652 		goto out;
1653 	r = vhost_dev_set_owner(&n->dev);
1654 	if (r)
1655 		vhost_net_clear_ubuf_info(n);
1656 	vhost_net_flush(n);
1657 out:
1658 	mutex_unlock(&n->dev.mutex);
1659 	return r;
1660 }
1661 
1662 static long vhost_net_ioctl(struct file *f, unsigned int ioctl,
1663 			    unsigned long arg)
1664 {
1665 	struct vhost_net *n = f->private_data;
1666 	void __user *argp = (void __user *)arg;
1667 	u64 __user *featurep = argp;
1668 	struct vhost_vring_file backend;
1669 	u64 features;
1670 	int r;
1671 
1672 	switch (ioctl) {
1673 	case VHOST_NET_SET_BACKEND:
1674 		if (copy_from_user(&backend, argp, sizeof backend))
1675 			return -EFAULT;
1676 		return vhost_net_set_backend(n, backend.index, backend.fd);
1677 	case VHOST_GET_FEATURES:
1678 		features = VHOST_NET_FEATURES;
1679 		if (copy_to_user(featurep, &features, sizeof features))
1680 			return -EFAULT;
1681 		return 0;
1682 	case VHOST_SET_FEATURES:
1683 		if (copy_from_user(&features, featurep, sizeof features))
1684 			return -EFAULT;
1685 		if (features & ~VHOST_NET_FEATURES)
1686 			return -EOPNOTSUPP;
1687 		return vhost_net_set_features(n, features);
1688 	case VHOST_GET_BACKEND_FEATURES:
1689 		features = VHOST_NET_BACKEND_FEATURES;
1690 		if (copy_to_user(featurep, &features, sizeof(features)))
1691 			return -EFAULT;
1692 		return 0;
1693 	case VHOST_SET_BACKEND_FEATURES:
1694 		if (copy_from_user(&features, featurep, sizeof(features)))
1695 			return -EFAULT;
1696 		if (features & ~VHOST_NET_BACKEND_FEATURES)
1697 			return -EOPNOTSUPP;
1698 		vhost_set_backend_features(&n->dev, features);
1699 		return 0;
1700 	case VHOST_RESET_OWNER:
1701 		return vhost_net_reset_owner(n);
1702 	case VHOST_SET_OWNER:
1703 		return vhost_net_set_owner(n);
1704 	default:
1705 		mutex_lock(&n->dev.mutex);
1706 		r = vhost_dev_ioctl(&n->dev, ioctl, argp);
1707 		if (r == -ENOIOCTLCMD)
1708 			r = vhost_vring_ioctl(&n->dev, ioctl, argp);
1709 		else
1710 			vhost_net_flush(n);
1711 		mutex_unlock(&n->dev.mutex);
1712 		return r;
1713 	}
1714 }
1715 
1716 static ssize_t vhost_net_chr_read_iter(struct kiocb *iocb, struct iov_iter *to)
1717 {
1718 	struct file *file = iocb->ki_filp;
1719 	struct vhost_net *n = file->private_data;
1720 	struct vhost_dev *dev = &n->dev;
1721 	int noblock = file->f_flags & O_NONBLOCK;
1722 
1723 	return vhost_chr_read_iter(dev, to, noblock);
1724 }
1725 
1726 static ssize_t vhost_net_chr_write_iter(struct kiocb *iocb,
1727 					struct iov_iter *from)
1728 {
1729 	struct file *file = iocb->ki_filp;
1730 	struct vhost_net *n = file->private_data;
1731 	struct vhost_dev *dev = &n->dev;
1732 
1733 	return vhost_chr_write_iter(dev, from);
1734 }
1735 
1736 static __poll_t vhost_net_chr_poll(struct file *file, poll_table *wait)
1737 {
1738 	struct vhost_net *n = file->private_data;
1739 	struct vhost_dev *dev = &n->dev;
1740 
1741 	return vhost_chr_poll(file, dev, wait);
1742 }
1743 
1744 static const struct file_operations vhost_net_fops = {
1745 	.owner          = THIS_MODULE,
1746 	.release        = vhost_net_release,
1747 	.read_iter      = vhost_net_chr_read_iter,
1748 	.write_iter     = vhost_net_chr_write_iter,
1749 	.poll           = vhost_net_chr_poll,
1750 	.unlocked_ioctl = vhost_net_ioctl,
1751 	.compat_ioctl   = compat_ptr_ioctl,
1752 	.open           = vhost_net_open,
1753 	.llseek		= noop_llseek,
1754 };
1755 
1756 static struct miscdevice vhost_net_misc = {
1757 	.minor = VHOST_NET_MINOR,
1758 	.name = "vhost-net",
1759 	.fops = &vhost_net_fops,
1760 };
1761 
1762 static int __init vhost_net_init(void)
1763 {
1764 	if (experimental_zcopytx)
1765 		vhost_net_enable_zcopy(VHOST_NET_VQ_TX);
1766 	return misc_register(&vhost_net_misc);
1767 }
1768 module_init(vhost_net_init);
1769 
1770 static void __exit vhost_net_exit(void)
1771 {
1772 	misc_deregister(&vhost_net_misc);
1773 }
1774 module_exit(vhost_net_exit);
1775 
1776 MODULE_VERSION("0.0.1");
1777 MODULE_LICENSE("GPL v2");
1778 MODULE_AUTHOR("Michael S. Tsirkin");
1779 MODULE_DESCRIPTION("Host kernel accelerator for virtio net");
1780 MODULE_ALIAS_MISCDEV(VHOST_NET_MINOR);
1781 MODULE_ALIAS("devname:vhost-net");
1782