xref: /linux/drivers/vhost/net.c (revision d6296cb65320be16dbf20f2fd584ddc25f3437cd)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2009 Red Hat, Inc.
3  * Author: Michael S. Tsirkin <mst@redhat.com>
4  *
5  * virtio-net server in host kernel.
6  */
7 
8 #include <linux/compat.h>
9 #include <linux/eventfd.h>
10 #include <linux/vhost.h>
11 #include <linux/virtio_net.h>
12 #include <linux/miscdevice.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
15 #include <linux/mutex.h>
16 #include <linux/workqueue.h>
17 #include <linux/file.h>
18 #include <linux/slab.h>
19 #include <linux/sched/clock.h>
20 #include <linux/sched/signal.h>
21 #include <linux/vmalloc.h>
22 
23 #include <linux/net.h>
24 #include <linux/if_packet.h>
25 #include <linux/if_arp.h>
26 #include <linux/if_tun.h>
27 #include <linux/if_macvlan.h>
28 #include <linux/if_tap.h>
29 #include <linux/if_vlan.h>
30 #include <linux/skb_array.h>
31 #include <linux/skbuff.h>
32 
33 #include <net/sock.h>
34 #include <net/xdp.h>
35 
36 #include "vhost.h"
37 
38 static int experimental_zcopytx = 0;
39 module_param(experimental_zcopytx, int, 0444);
40 MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
41 		                       " 1 -Enable; 0 - Disable");
42 
43 /* Max number of bytes transferred before requeueing the job.
44  * Using this limit prevents one virtqueue from starving others. */
45 #define VHOST_NET_WEIGHT 0x80000
46 
47 /* Max number of packets transferred before requeueing the job.
48  * Using this limit prevents one virtqueue from starving others with small
49  * pkts.
50  */
51 #define VHOST_NET_PKT_WEIGHT 256
52 
53 /* MAX number of TX used buffers for outstanding zerocopy */
54 #define VHOST_MAX_PEND 128
55 #define VHOST_GOODCOPY_LEN 256
56 
57 /*
58  * For transmit, used buffer len is unused; we override it to track buffer
59  * status internally; used for zerocopy tx only.
60  */
61 /* Lower device DMA failed */
62 #define VHOST_DMA_FAILED_LEN	((__force __virtio32)3)
63 /* Lower device DMA done */
64 #define VHOST_DMA_DONE_LEN	((__force __virtio32)2)
65 /* Lower device DMA in progress */
66 #define VHOST_DMA_IN_PROGRESS	((__force __virtio32)1)
67 /* Buffer unused */
68 #define VHOST_DMA_CLEAR_LEN	((__force __virtio32)0)
69 
70 #define VHOST_DMA_IS_DONE(len) ((__force u32)(len) >= (__force u32)VHOST_DMA_DONE_LEN)
71 
72 enum {
73 	VHOST_NET_FEATURES = VHOST_FEATURES |
74 			 (1ULL << VHOST_NET_F_VIRTIO_NET_HDR) |
75 			 (1ULL << VIRTIO_NET_F_MRG_RXBUF) |
76 			 (1ULL << VIRTIO_F_ACCESS_PLATFORM)
77 };
78 
79 enum {
80 	VHOST_NET_BACKEND_FEATURES = (1ULL << VHOST_BACKEND_F_IOTLB_MSG_V2)
81 };
82 
83 enum {
84 	VHOST_NET_VQ_RX = 0,
85 	VHOST_NET_VQ_TX = 1,
86 	VHOST_NET_VQ_MAX = 2,
87 };
88 
89 struct vhost_net_ubuf_ref {
90 	/* refcount follows semantics similar to kref:
91 	 *  0: object is released
92 	 *  1: no outstanding ubufs
93 	 * >1: outstanding ubufs
94 	 */
95 	atomic_t refcount;
96 	wait_queue_head_t wait;
97 	struct vhost_virtqueue *vq;
98 };
99 
100 #define VHOST_NET_BATCH 64
101 struct vhost_net_buf {
102 	void **queue;
103 	int tail;
104 	int head;
105 };
106 
107 struct vhost_net_virtqueue {
108 	struct vhost_virtqueue vq;
109 	size_t vhost_hlen;
110 	size_t sock_hlen;
111 	/* vhost zerocopy support fields below: */
112 	/* last used idx for outstanding DMA zerocopy buffers */
113 	int upend_idx;
114 	/* For TX, first used idx for DMA done zerocopy buffers
115 	 * For RX, number of batched heads
116 	 */
117 	int done_idx;
118 	/* Number of XDP frames batched */
119 	int batched_xdp;
120 	/* an array of userspace buffers info */
121 	struct ubuf_info_msgzc *ubuf_info;
122 	/* Reference counting for outstanding ubufs.
123 	 * Protected by vq mutex. Writers must also take device mutex. */
124 	struct vhost_net_ubuf_ref *ubufs;
125 	struct ptr_ring *rx_ring;
126 	struct vhost_net_buf rxq;
127 	/* Batched XDP buffs */
128 	struct xdp_buff *xdp;
129 };
130 
131 struct vhost_net {
132 	struct vhost_dev dev;
133 	struct vhost_net_virtqueue vqs[VHOST_NET_VQ_MAX];
134 	struct vhost_poll poll[VHOST_NET_VQ_MAX];
135 	/* Number of TX recently submitted.
136 	 * Protected by tx vq lock. */
137 	unsigned tx_packets;
138 	/* Number of times zerocopy TX recently failed.
139 	 * Protected by tx vq lock. */
140 	unsigned tx_zcopy_err;
141 	/* Flush in progress. Protected by tx vq lock. */
142 	bool tx_flush;
143 	/* Private page frag */
144 	struct page_frag page_frag;
145 	/* Refcount bias of page frag */
146 	int refcnt_bias;
147 };
148 
149 static unsigned vhost_net_zcopy_mask __read_mostly;
150 
151 static void *vhost_net_buf_get_ptr(struct vhost_net_buf *rxq)
152 {
153 	if (rxq->tail != rxq->head)
154 		return rxq->queue[rxq->head];
155 	else
156 		return NULL;
157 }
158 
159 static int vhost_net_buf_get_size(struct vhost_net_buf *rxq)
160 {
161 	return rxq->tail - rxq->head;
162 }
163 
164 static int vhost_net_buf_is_empty(struct vhost_net_buf *rxq)
165 {
166 	return rxq->tail == rxq->head;
167 }
168 
169 static void *vhost_net_buf_consume(struct vhost_net_buf *rxq)
170 {
171 	void *ret = vhost_net_buf_get_ptr(rxq);
172 	++rxq->head;
173 	return ret;
174 }
175 
176 static int vhost_net_buf_produce(struct vhost_net_virtqueue *nvq)
177 {
178 	struct vhost_net_buf *rxq = &nvq->rxq;
179 
180 	rxq->head = 0;
181 	rxq->tail = ptr_ring_consume_batched(nvq->rx_ring, rxq->queue,
182 					      VHOST_NET_BATCH);
183 	return rxq->tail;
184 }
185 
186 static void vhost_net_buf_unproduce(struct vhost_net_virtqueue *nvq)
187 {
188 	struct vhost_net_buf *rxq = &nvq->rxq;
189 
190 	if (nvq->rx_ring && !vhost_net_buf_is_empty(rxq)) {
191 		ptr_ring_unconsume(nvq->rx_ring, rxq->queue + rxq->head,
192 				   vhost_net_buf_get_size(rxq),
193 				   tun_ptr_free);
194 		rxq->head = rxq->tail = 0;
195 	}
196 }
197 
198 static int vhost_net_buf_peek_len(void *ptr)
199 {
200 	if (tun_is_xdp_frame(ptr)) {
201 		struct xdp_frame *xdpf = tun_ptr_to_xdp(ptr);
202 
203 		return xdpf->len;
204 	}
205 
206 	return __skb_array_len_with_tag(ptr);
207 }
208 
209 static int vhost_net_buf_peek(struct vhost_net_virtqueue *nvq)
210 {
211 	struct vhost_net_buf *rxq = &nvq->rxq;
212 
213 	if (!vhost_net_buf_is_empty(rxq))
214 		goto out;
215 
216 	if (!vhost_net_buf_produce(nvq))
217 		return 0;
218 
219 out:
220 	return vhost_net_buf_peek_len(vhost_net_buf_get_ptr(rxq));
221 }
222 
223 static void vhost_net_buf_init(struct vhost_net_buf *rxq)
224 {
225 	rxq->head = rxq->tail = 0;
226 }
227 
228 static void vhost_net_enable_zcopy(int vq)
229 {
230 	vhost_net_zcopy_mask |= 0x1 << vq;
231 }
232 
233 static struct vhost_net_ubuf_ref *
234 vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy)
235 {
236 	struct vhost_net_ubuf_ref *ubufs;
237 	/* No zero copy backend? Nothing to count. */
238 	if (!zcopy)
239 		return NULL;
240 	ubufs = kmalloc(sizeof(*ubufs), GFP_KERNEL);
241 	if (!ubufs)
242 		return ERR_PTR(-ENOMEM);
243 	atomic_set(&ubufs->refcount, 1);
244 	init_waitqueue_head(&ubufs->wait);
245 	ubufs->vq = vq;
246 	return ubufs;
247 }
248 
249 static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
250 {
251 	int r = atomic_sub_return(1, &ubufs->refcount);
252 	if (unlikely(!r))
253 		wake_up(&ubufs->wait);
254 	return r;
255 }
256 
257 static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
258 {
259 	vhost_net_ubuf_put(ubufs);
260 	wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
261 }
262 
263 static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
264 {
265 	vhost_net_ubuf_put_and_wait(ubufs);
266 	kfree(ubufs);
267 }
268 
269 static void vhost_net_clear_ubuf_info(struct vhost_net *n)
270 {
271 	int i;
272 
273 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
274 		kfree(n->vqs[i].ubuf_info);
275 		n->vqs[i].ubuf_info = NULL;
276 	}
277 }
278 
279 static int vhost_net_set_ubuf_info(struct vhost_net *n)
280 {
281 	bool zcopy;
282 	int i;
283 
284 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
285 		zcopy = vhost_net_zcopy_mask & (0x1 << i);
286 		if (!zcopy)
287 			continue;
288 		n->vqs[i].ubuf_info =
289 			kmalloc_array(UIO_MAXIOV,
290 				      sizeof(*n->vqs[i].ubuf_info),
291 				      GFP_KERNEL);
292 		if  (!n->vqs[i].ubuf_info)
293 			goto err;
294 	}
295 	return 0;
296 
297 err:
298 	vhost_net_clear_ubuf_info(n);
299 	return -ENOMEM;
300 }
301 
302 static void vhost_net_vq_reset(struct vhost_net *n)
303 {
304 	int i;
305 
306 	vhost_net_clear_ubuf_info(n);
307 
308 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
309 		n->vqs[i].done_idx = 0;
310 		n->vqs[i].upend_idx = 0;
311 		n->vqs[i].ubufs = NULL;
312 		n->vqs[i].vhost_hlen = 0;
313 		n->vqs[i].sock_hlen = 0;
314 		vhost_net_buf_init(&n->vqs[i].rxq);
315 	}
316 
317 }
318 
319 static void vhost_net_tx_packet(struct vhost_net *net)
320 {
321 	++net->tx_packets;
322 	if (net->tx_packets < 1024)
323 		return;
324 	net->tx_packets = 0;
325 	net->tx_zcopy_err = 0;
326 }
327 
328 static void vhost_net_tx_err(struct vhost_net *net)
329 {
330 	++net->tx_zcopy_err;
331 }
332 
333 static bool vhost_net_tx_select_zcopy(struct vhost_net *net)
334 {
335 	/* TX flush waits for outstanding DMAs to be done.
336 	 * Don't start new DMAs.
337 	 */
338 	return !net->tx_flush &&
339 		net->tx_packets / 64 >= net->tx_zcopy_err;
340 }
341 
342 static bool vhost_sock_zcopy(struct socket *sock)
343 {
344 	return unlikely(experimental_zcopytx) &&
345 		sock_flag(sock->sk, SOCK_ZEROCOPY);
346 }
347 
348 static bool vhost_sock_xdp(struct socket *sock)
349 {
350 	return sock_flag(sock->sk, SOCK_XDP);
351 }
352 
353 /* In case of DMA done not in order in lower device driver for some reason.
354  * upend_idx is used to track end of used idx, done_idx is used to track head
355  * of used idx. Once lower device DMA done contiguously, we will signal KVM
356  * guest used idx.
357  */
358 static void vhost_zerocopy_signal_used(struct vhost_net *net,
359 				       struct vhost_virtqueue *vq)
360 {
361 	struct vhost_net_virtqueue *nvq =
362 		container_of(vq, struct vhost_net_virtqueue, vq);
363 	int i, add;
364 	int j = 0;
365 
366 	for (i = nvq->done_idx; i != nvq->upend_idx; i = (i + 1) % UIO_MAXIOV) {
367 		if (vq->heads[i].len == VHOST_DMA_FAILED_LEN)
368 			vhost_net_tx_err(net);
369 		if (VHOST_DMA_IS_DONE(vq->heads[i].len)) {
370 			vq->heads[i].len = VHOST_DMA_CLEAR_LEN;
371 			++j;
372 		} else
373 			break;
374 	}
375 	while (j) {
376 		add = min(UIO_MAXIOV - nvq->done_idx, j);
377 		vhost_add_used_and_signal_n(vq->dev, vq,
378 					    &vq->heads[nvq->done_idx], add);
379 		nvq->done_idx = (nvq->done_idx + add) % UIO_MAXIOV;
380 		j -= add;
381 	}
382 }
383 
384 static void vhost_zerocopy_callback(struct sk_buff *skb,
385 				    struct ubuf_info *ubuf_base, bool success)
386 {
387 	struct ubuf_info_msgzc *ubuf = uarg_to_msgzc(ubuf_base);
388 	struct vhost_net_ubuf_ref *ubufs = ubuf->ctx;
389 	struct vhost_virtqueue *vq = ubufs->vq;
390 	int cnt;
391 
392 	rcu_read_lock_bh();
393 
394 	/* set len to mark this desc buffers done DMA */
395 	vq->heads[ubuf->desc].len = success ?
396 		VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
397 	cnt = vhost_net_ubuf_put(ubufs);
398 
399 	/*
400 	 * Trigger polling thread if guest stopped submitting new buffers:
401 	 * in this case, the refcount after decrement will eventually reach 1.
402 	 * We also trigger polling periodically after each 16 packets
403 	 * (the value 16 here is more or less arbitrary, it's tuned to trigger
404 	 * less than 10% of times).
405 	 */
406 	if (cnt <= 1 || !(cnt % 16))
407 		vhost_poll_queue(&vq->poll);
408 
409 	rcu_read_unlock_bh();
410 }
411 
412 static inline unsigned long busy_clock(void)
413 {
414 	return local_clock() >> 10;
415 }
416 
417 static bool vhost_can_busy_poll(unsigned long endtime)
418 {
419 	return likely(!need_resched() && !time_after(busy_clock(), endtime) &&
420 		      !signal_pending(current));
421 }
422 
423 static void vhost_net_disable_vq(struct vhost_net *n,
424 				 struct vhost_virtqueue *vq)
425 {
426 	struct vhost_net_virtqueue *nvq =
427 		container_of(vq, struct vhost_net_virtqueue, vq);
428 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
429 	if (!vhost_vq_get_backend(vq))
430 		return;
431 	vhost_poll_stop(poll);
432 }
433 
434 static int vhost_net_enable_vq(struct vhost_net *n,
435 				struct vhost_virtqueue *vq)
436 {
437 	struct vhost_net_virtqueue *nvq =
438 		container_of(vq, struct vhost_net_virtqueue, vq);
439 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
440 	struct socket *sock;
441 
442 	sock = vhost_vq_get_backend(vq);
443 	if (!sock)
444 		return 0;
445 
446 	return vhost_poll_start(poll, sock->file);
447 }
448 
449 static void vhost_net_signal_used(struct vhost_net_virtqueue *nvq)
450 {
451 	struct vhost_virtqueue *vq = &nvq->vq;
452 	struct vhost_dev *dev = vq->dev;
453 
454 	if (!nvq->done_idx)
455 		return;
456 
457 	vhost_add_used_and_signal_n(dev, vq, vq->heads, nvq->done_idx);
458 	nvq->done_idx = 0;
459 }
460 
461 static void vhost_tx_batch(struct vhost_net *net,
462 			   struct vhost_net_virtqueue *nvq,
463 			   struct socket *sock,
464 			   struct msghdr *msghdr)
465 {
466 	struct tun_msg_ctl ctl = {
467 		.type = TUN_MSG_PTR,
468 		.num = nvq->batched_xdp,
469 		.ptr = nvq->xdp,
470 	};
471 	int i, err;
472 
473 	if (nvq->batched_xdp == 0)
474 		goto signal_used;
475 
476 	msghdr->msg_control = &ctl;
477 	msghdr->msg_controllen = sizeof(ctl);
478 	err = sock->ops->sendmsg(sock, msghdr, 0);
479 	if (unlikely(err < 0)) {
480 		vq_err(&nvq->vq, "Fail to batch sending packets\n");
481 
482 		/* free pages owned by XDP; since this is an unlikely error path,
483 		 * keep it simple and avoid more complex bulk update for the
484 		 * used pages
485 		 */
486 		for (i = 0; i < nvq->batched_xdp; ++i)
487 			put_page(virt_to_head_page(nvq->xdp[i].data));
488 		nvq->batched_xdp = 0;
489 		nvq->done_idx = 0;
490 		return;
491 	}
492 
493 signal_used:
494 	vhost_net_signal_used(nvq);
495 	nvq->batched_xdp = 0;
496 }
497 
498 static int sock_has_rx_data(struct socket *sock)
499 {
500 	if (unlikely(!sock))
501 		return 0;
502 
503 	if (sock->ops->peek_len)
504 		return sock->ops->peek_len(sock);
505 
506 	return skb_queue_empty(&sock->sk->sk_receive_queue);
507 }
508 
509 static void vhost_net_busy_poll_try_queue(struct vhost_net *net,
510 					  struct vhost_virtqueue *vq)
511 {
512 	if (!vhost_vq_avail_empty(&net->dev, vq)) {
513 		vhost_poll_queue(&vq->poll);
514 	} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
515 		vhost_disable_notify(&net->dev, vq);
516 		vhost_poll_queue(&vq->poll);
517 	}
518 }
519 
520 static void vhost_net_busy_poll(struct vhost_net *net,
521 				struct vhost_virtqueue *rvq,
522 				struct vhost_virtqueue *tvq,
523 				bool *busyloop_intr,
524 				bool poll_rx)
525 {
526 	unsigned long busyloop_timeout;
527 	unsigned long endtime;
528 	struct socket *sock;
529 	struct vhost_virtqueue *vq = poll_rx ? tvq : rvq;
530 
531 	/* Try to hold the vq mutex of the paired virtqueue. We can't
532 	 * use mutex_lock() here since we could not guarantee a
533 	 * consistenet lock ordering.
534 	 */
535 	if (!mutex_trylock(&vq->mutex))
536 		return;
537 
538 	vhost_disable_notify(&net->dev, vq);
539 	sock = vhost_vq_get_backend(rvq);
540 
541 	busyloop_timeout = poll_rx ? rvq->busyloop_timeout:
542 				     tvq->busyloop_timeout;
543 
544 	preempt_disable();
545 	endtime = busy_clock() + busyloop_timeout;
546 
547 	while (vhost_can_busy_poll(endtime)) {
548 		if (vhost_has_work(&net->dev)) {
549 			*busyloop_intr = true;
550 			break;
551 		}
552 
553 		if ((sock_has_rx_data(sock) &&
554 		     !vhost_vq_avail_empty(&net->dev, rvq)) ||
555 		    !vhost_vq_avail_empty(&net->dev, tvq))
556 			break;
557 
558 		cpu_relax();
559 	}
560 
561 	preempt_enable();
562 
563 	if (poll_rx || sock_has_rx_data(sock))
564 		vhost_net_busy_poll_try_queue(net, vq);
565 	else if (!poll_rx) /* On tx here, sock has no rx data. */
566 		vhost_enable_notify(&net->dev, rvq);
567 
568 	mutex_unlock(&vq->mutex);
569 }
570 
571 static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
572 				    struct vhost_net_virtqueue *tnvq,
573 				    unsigned int *out_num, unsigned int *in_num,
574 				    struct msghdr *msghdr, bool *busyloop_intr)
575 {
576 	struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
577 	struct vhost_virtqueue *rvq = &rnvq->vq;
578 	struct vhost_virtqueue *tvq = &tnvq->vq;
579 
580 	int r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
581 				  out_num, in_num, NULL, NULL);
582 
583 	if (r == tvq->num && tvq->busyloop_timeout) {
584 		/* Flush batched packets first */
585 		if (!vhost_sock_zcopy(vhost_vq_get_backend(tvq)))
586 			vhost_tx_batch(net, tnvq,
587 				       vhost_vq_get_backend(tvq),
588 				       msghdr);
589 
590 		vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, false);
591 
592 		r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
593 				      out_num, in_num, NULL, NULL);
594 	}
595 
596 	return r;
597 }
598 
599 static bool vhost_exceeds_maxpend(struct vhost_net *net)
600 {
601 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
602 	struct vhost_virtqueue *vq = &nvq->vq;
603 
604 	return (nvq->upend_idx + UIO_MAXIOV - nvq->done_idx) % UIO_MAXIOV >
605 	       min_t(unsigned int, VHOST_MAX_PEND, vq->num >> 2);
606 }
607 
608 static size_t init_iov_iter(struct vhost_virtqueue *vq, struct iov_iter *iter,
609 			    size_t hdr_size, int out)
610 {
611 	/* Skip header. TODO: support TSO. */
612 	size_t len = iov_length(vq->iov, out);
613 
614 	iov_iter_init(iter, ITER_SOURCE, vq->iov, out, len);
615 	iov_iter_advance(iter, hdr_size);
616 
617 	return iov_iter_count(iter);
618 }
619 
620 static int get_tx_bufs(struct vhost_net *net,
621 		       struct vhost_net_virtqueue *nvq,
622 		       struct msghdr *msg,
623 		       unsigned int *out, unsigned int *in,
624 		       size_t *len, bool *busyloop_intr)
625 {
626 	struct vhost_virtqueue *vq = &nvq->vq;
627 	int ret;
628 
629 	ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, busyloop_intr);
630 
631 	if (ret < 0 || ret == vq->num)
632 		return ret;
633 
634 	if (*in) {
635 		vq_err(vq, "Unexpected descriptor format for TX: out %d, int %d\n",
636 			*out, *in);
637 		return -EFAULT;
638 	}
639 
640 	/* Sanity check */
641 	*len = init_iov_iter(vq, &msg->msg_iter, nvq->vhost_hlen, *out);
642 	if (*len == 0) {
643 		vq_err(vq, "Unexpected header len for TX: %zd expected %zd\n",
644 			*len, nvq->vhost_hlen);
645 		return -EFAULT;
646 	}
647 
648 	return ret;
649 }
650 
651 static bool tx_can_batch(struct vhost_virtqueue *vq, size_t total_len)
652 {
653 	return total_len < VHOST_NET_WEIGHT &&
654 	       !vhost_vq_avail_empty(vq->dev, vq);
655 }
656 
657 static bool vhost_net_page_frag_refill(struct vhost_net *net, unsigned int sz,
658 				       struct page_frag *pfrag, gfp_t gfp)
659 {
660 	if (pfrag->page) {
661 		if (pfrag->offset + sz <= pfrag->size)
662 			return true;
663 		__page_frag_cache_drain(pfrag->page, net->refcnt_bias);
664 	}
665 
666 	pfrag->offset = 0;
667 	net->refcnt_bias = 0;
668 	if (SKB_FRAG_PAGE_ORDER) {
669 		/* Avoid direct reclaim but allow kswapd to wake */
670 		pfrag->page = alloc_pages((gfp & ~__GFP_DIRECT_RECLAIM) |
671 					  __GFP_COMP | __GFP_NOWARN |
672 					  __GFP_NORETRY,
673 					  SKB_FRAG_PAGE_ORDER);
674 		if (likely(pfrag->page)) {
675 			pfrag->size = PAGE_SIZE << SKB_FRAG_PAGE_ORDER;
676 			goto done;
677 		}
678 	}
679 	pfrag->page = alloc_page(gfp);
680 	if (likely(pfrag->page)) {
681 		pfrag->size = PAGE_SIZE;
682 		goto done;
683 	}
684 	return false;
685 
686 done:
687 	net->refcnt_bias = USHRT_MAX;
688 	page_ref_add(pfrag->page, USHRT_MAX - 1);
689 	return true;
690 }
691 
692 #define VHOST_NET_RX_PAD (NET_IP_ALIGN + NET_SKB_PAD)
693 
694 static int vhost_net_build_xdp(struct vhost_net_virtqueue *nvq,
695 			       struct iov_iter *from)
696 {
697 	struct vhost_virtqueue *vq = &nvq->vq;
698 	struct vhost_net *net = container_of(vq->dev, struct vhost_net,
699 					     dev);
700 	struct socket *sock = vhost_vq_get_backend(vq);
701 	struct page_frag *alloc_frag = &net->page_frag;
702 	struct virtio_net_hdr *gso;
703 	struct xdp_buff *xdp = &nvq->xdp[nvq->batched_xdp];
704 	struct tun_xdp_hdr *hdr;
705 	size_t len = iov_iter_count(from);
706 	int headroom = vhost_sock_xdp(sock) ? XDP_PACKET_HEADROOM : 0;
707 	int buflen = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
708 	int pad = SKB_DATA_ALIGN(VHOST_NET_RX_PAD + headroom + nvq->sock_hlen);
709 	int sock_hlen = nvq->sock_hlen;
710 	void *buf;
711 	int copied;
712 
713 	if (unlikely(len < nvq->sock_hlen))
714 		return -EFAULT;
715 
716 	if (SKB_DATA_ALIGN(len + pad) +
717 	    SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
718 		return -ENOSPC;
719 
720 	buflen += SKB_DATA_ALIGN(len + pad);
721 	alloc_frag->offset = ALIGN((u64)alloc_frag->offset, SMP_CACHE_BYTES);
722 	if (unlikely(!vhost_net_page_frag_refill(net, buflen,
723 						 alloc_frag, GFP_KERNEL)))
724 		return -ENOMEM;
725 
726 	buf = (char *)page_address(alloc_frag->page) + alloc_frag->offset;
727 	copied = copy_page_from_iter(alloc_frag->page,
728 				     alloc_frag->offset +
729 				     offsetof(struct tun_xdp_hdr, gso),
730 				     sock_hlen, from);
731 	if (copied != sock_hlen)
732 		return -EFAULT;
733 
734 	hdr = buf;
735 	gso = &hdr->gso;
736 
737 	if ((gso->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&
738 	    vhost16_to_cpu(vq, gso->csum_start) +
739 	    vhost16_to_cpu(vq, gso->csum_offset) + 2 >
740 	    vhost16_to_cpu(vq, gso->hdr_len)) {
741 		gso->hdr_len = cpu_to_vhost16(vq,
742 			       vhost16_to_cpu(vq, gso->csum_start) +
743 			       vhost16_to_cpu(vq, gso->csum_offset) + 2);
744 
745 		if (vhost16_to_cpu(vq, gso->hdr_len) > len)
746 			return -EINVAL;
747 	}
748 
749 	len -= sock_hlen;
750 	copied = copy_page_from_iter(alloc_frag->page,
751 				     alloc_frag->offset + pad,
752 				     len, from);
753 	if (copied != len)
754 		return -EFAULT;
755 
756 	xdp_init_buff(xdp, buflen, NULL);
757 	xdp_prepare_buff(xdp, buf, pad, len, true);
758 	hdr->buflen = buflen;
759 
760 	--net->refcnt_bias;
761 	alloc_frag->offset += buflen;
762 
763 	++nvq->batched_xdp;
764 
765 	return 0;
766 }
767 
768 static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
769 {
770 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
771 	struct vhost_virtqueue *vq = &nvq->vq;
772 	unsigned out, in;
773 	int head;
774 	struct msghdr msg = {
775 		.msg_name = NULL,
776 		.msg_namelen = 0,
777 		.msg_control = NULL,
778 		.msg_controllen = 0,
779 		.msg_flags = MSG_DONTWAIT,
780 	};
781 	size_t len, total_len = 0;
782 	int err;
783 	int sent_pkts = 0;
784 	bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
785 
786 	do {
787 		bool busyloop_intr = false;
788 
789 		if (nvq->done_idx == VHOST_NET_BATCH)
790 			vhost_tx_batch(net, nvq, sock, &msg);
791 
792 		head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
793 				   &busyloop_intr);
794 		/* On error, stop handling until the next kick. */
795 		if (unlikely(head < 0))
796 			break;
797 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
798 		if (head == vq->num) {
799 			if (unlikely(busyloop_intr)) {
800 				vhost_poll_queue(&vq->poll);
801 			} else if (unlikely(vhost_enable_notify(&net->dev,
802 								vq))) {
803 				vhost_disable_notify(&net->dev, vq);
804 				continue;
805 			}
806 			break;
807 		}
808 
809 		total_len += len;
810 
811 		/* For simplicity, TX batching is only enabled if
812 		 * sndbuf is unlimited.
813 		 */
814 		if (sock_can_batch) {
815 			err = vhost_net_build_xdp(nvq, &msg.msg_iter);
816 			if (!err) {
817 				goto done;
818 			} else if (unlikely(err != -ENOSPC)) {
819 				vhost_tx_batch(net, nvq, sock, &msg);
820 				vhost_discard_vq_desc(vq, 1);
821 				vhost_net_enable_vq(net, vq);
822 				break;
823 			}
824 
825 			/* We can't build XDP buff, go for single
826 			 * packet path but let's flush batched
827 			 * packets.
828 			 */
829 			vhost_tx_batch(net, nvq, sock, &msg);
830 			msg.msg_control = NULL;
831 		} else {
832 			if (tx_can_batch(vq, total_len))
833 				msg.msg_flags |= MSG_MORE;
834 			else
835 				msg.msg_flags &= ~MSG_MORE;
836 		}
837 
838 		err = sock->ops->sendmsg(sock, &msg, len);
839 		if (unlikely(err < 0)) {
840 			if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) {
841 				vhost_discard_vq_desc(vq, 1);
842 				vhost_net_enable_vq(net, vq);
843 				break;
844 			}
845 			pr_debug("Fail to send packet: err %d", err);
846 		} else if (unlikely(err != len))
847 			pr_debug("Truncated TX packet: len %d != %zd\n",
848 				 err, len);
849 done:
850 		vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);
851 		vq->heads[nvq->done_idx].len = 0;
852 		++nvq->done_idx;
853 	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
854 
855 	vhost_tx_batch(net, nvq, sock, &msg);
856 }
857 
858 static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
859 {
860 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
861 	struct vhost_virtqueue *vq = &nvq->vq;
862 	unsigned out, in;
863 	int head;
864 	struct msghdr msg = {
865 		.msg_name = NULL,
866 		.msg_namelen = 0,
867 		.msg_control = NULL,
868 		.msg_controllen = 0,
869 		.msg_flags = MSG_DONTWAIT,
870 	};
871 	struct tun_msg_ctl ctl;
872 	size_t len, total_len = 0;
873 	int err;
874 	struct vhost_net_ubuf_ref *ubufs;
875 	struct ubuf_info_msgzc *ubuf;
876 	bool zcopy_used;
877 	int sent_pkts = 0;
878 
879 	do {
880 		bool busyloop_intr;
881 
882 		/* Release DMAs done buffers first */
883 		vhost_zerocopy_signal_used(net, vq);
884 
885 		busyloop_intr = false;
886 		head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
887 				   &busyloop_intr);
888 		/* On error, stop handling until the next kick. */
889 		if (unlikely(head < 0))
890 			break;
891 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
892 		if (head == vq->num) {
893 			if (unlikely(busyloop_intr)) {
894 				vhost_poll_queue(&vq->poll);
895 			} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
896 				vhost_disable_notify(&net->dev, vq);
897 				continue;
898 			}
899 			break;
900 		}
901 
902 		zcopy_used = len >= VHOST_GOODCOPY_LEN
903 			     && !vhost_exceeds_maxpend(net)
904 			     && vhost_net_tx_select_zcopy(net);
905 
906 		/* use msg_control to pass vhost zerocopy ubuf info to skb */
907 		if (zcopy_used) {
908 			ubuf = nvq->ubuf_info + nvq->upend_idx;
909 			vq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);
910 			vq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;
911 			ubuf->ctx = nvq->ubufs;
912 			ubuf->desc = nvq->upend_idx;
913 			ubuf->ubuf.callback = vhost_zerocopy_callback;
914 			ubuf->ubuf.flags = SKBFL_ZEROCOPY_FRAG;
915 			refcount_set(&ubuf->ubuf.refcnt, 1);
916 			msg.msg_control = &ctl;
917 			ctl.type = TUN_MSG_UBUF;
918 			ctl.ptr = &ubuf->ubuf;
919 			msg.msg_controllen = sizeof(ctl);
920 			ubufs = nvq->ubufs;
921 			atomic_inc(&ubufs->refcount);
922 			nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
923 		} else {
924 			msg.msg_control = NULL;
925 			ubufs = NULL;
926 		}
927 		total_len += len;
928 		if (tx_can_batch(vq, total_len) &&
929 		    likely(!vhost_exceeds_maxpend(net))) {
930 			msg.msg_flags |= MSG_MORE;
931 		} else {
932 			msg.msg_flags &= ~MSG_MORE;
933 		}
934 
935 		err = sock->ops->sendmsg(sock, &msg, len);
936 		if (unlikely(err < 0)) {
937 			if (zcopy_used) {
938 				if (vq->heads[ubuf->desc].len == VHOST_DMA_IN_PROGRESS)
939 					vhost_net_ubuf_put(ubufs);
940 				nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
941 					% UIO_MAXIOV;
942 			}
943 			if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) {
944 				vhost_discard_vq_desc(vq, 1);
945 				vhost_net_enable_vq(net, vq);
946 				break;
947 			}
948 			pr_debug("Fail to send packet: err %d", err);
949 		} else if (unlikely(err != len))
950 			pr_debug("Truncated TX packet: "
951 				 " len %d != %zd\n", err, len);
952 		if (!zcopy_used)
953 			vhost_add_used_and_signal(&net->dev, vq, head, 0);
954 		else
955 			vhost_zerocopy_signal_used(net, vq);
956 		vhost_net_tx_packet(net);
957 	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
958 }
959 
960 /* Expects to be always run from workqueue - which acts as
961  * read-size critical section for our kind of RCU. */
962 static void handle_tx(struct vhost_net *net)
963 {
964 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
965 	struct vhost_virtqueue *vq = &nvq->vq;
966 	struct socket *sock;
967 
968 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_TX);
969 	sock = vhost_vq_get_backend(vq);
970 	if (!sock)
971 		goto out;
972 
973 	if (!vq_meta_prefetch(vq))
974 		goto out;
975 
976 	vhost_disable_notify(&net->dev, vq);
977 	vhost_net_disable_vq(net, vq);
978 
979 	if (vhost_sock_zcopy(sock))
980 		handle_tx_zerocopy(net, sock);
981 	else
982 		handle_tx_copy(net, sock);
983 
984 out:
985 	mutex_unlock(&vq->mutex);
986 }
987 
988 static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk)
989 {
990 	struct sk_buff *head;
991 	int len = 0;
992 	unsigned long flags;
993 
994 	if (rvq->rx_ring)
995 		return vhost_net_buf_peek(rvq);
996 
997 	spin_lock_irqsave(&sk->sk_receive_queue.lock, flags);
998 	head = skb_peek(&sk->sk_receive_queue);
999 	if (likely(head)) {
1000 		len = head->len;
1001 		if (skb_vlan_tag_present(head))
1002 			len += VLAN_HLEN;
1003 	}
1004 
1005 	spin_unlock_irqrestore(&sk->sk_receive_queue.lock, flags);
1006 	return len;
1007 }
1008 
1009 static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk,
1010 				      bool *busyloop_intr)
1011 {
1012 	struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
1013 	struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX];
1014 	struct vhost_virtqueue *rvq = &rnvq->vq;
1015 	struct vhost_virtqueue *tvq = &tnvq->vq;
1016 	int len = peek_head_len(rnvq, sk);
1017 
1018 	if (!len && rvq->busyloop_timeout) {
1019 		/* Flush batched heads first */
1020 		vhost_net_signal_used(rnvq);
1021 		/* Both tx vq and rx socket were polled here */
1022 		vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true);
1023 
1024 		len = peek_head_len(rnvq, sk);
1025 	}
1026 
1027 	return len;
1028 }
1029 
1030 /* This is a multi-buffer version of vhost_get_desc, that works if
1031  *	vq has read descriptors only.
1032  * @vq		- the relevant virtqueue
1033  * @datalen	- data length we'll be reading
1034  * @iovcount	- returned count of io vectors we fill
1035  * @log		- vhost log
1036  * @log_num	- log offset
1037  * @quota       - headcount quota, 1 for big buffer
1038  *	returns number of buffer heads allocated, negative on error
1039  */
1040 static int get_rx_bufs(struct vhost_virtqueue *vq,
1041 		       struct vring_used_elem *heads,
1042 		       int datalen,
1043 		       unsigned *iovcount,
1044 		       struct vhost_log *log,
1045 		       unsigned *log_num,
1046 		       unsigned int quota)
1047 {
1048 	unsigned int out, in;
1049 	int seg = 0;
1050 	int headcount = 0;
1051 	unsigned d;
1052 	int r, nlogs = 0;
1053 	/* len is always initialized before use since we are always called with
1054 	 * datalen > 0.
1055 	 */
1056 	u32 len;
1057 
1058 	while (datalen > 0 && headcount < quota) {
1059 		if (unlikely(seg >= UIO_MAXIOV)) {
1060 			r = -ENOBUFS;
1061 			goto err;
1062 		}
1063 		r = vhost_get_vq_desc(vq, vq->iov + seg,
1064 				      ARRAY_SIZE(vq->iov) - seg, &out,
1065 				      &in, log, log_num);
1066 		if (unlikely(r < 0))
1067 			goto err;
1068 
1069 		d = r;
1070 		if (d == vq->num) {
1071 			r = 0;
1072 			goto err;
1073 		}
1074 		if (unlikely(out || in <= 0)) {
1075 			vq_err(vq, "unexpected descriptor format for RX: "
1076 				"out %d, in %d\n", out, in);
1077 			r = -EINVAL;
1078 			goto err;
1079 		}
1080 		if (unlikely(log)) {
1081 			nlogs += *log_num;
1082 			log += *log_num;
1083 		}
1084 		heads[headcount].id = cpu_to_vhost32(vq, d);
1085 		len = iov_length(vq->iov + seg, in);
1086 		heads[headcount].len = cpu_to_vhost32(vq, len);
1087 		datalen -= len;
1088 		++headcount;
1089 		seg += in;
1090 	}
1091 	heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
1092 	*iovcount = seg;
1093 	if (unlikely(log))
1094 		*log_num = nlogs;
1095 
1096 	/* Detect overrun */
1097 	if (unlikely(datalen > 0)) {
1098 		r = UIO_MAXIOV + 1;
1099 		goto err;
1100 	}
1101 	return headcount;
1102 err:
1103 	vhost_discard_vq_desc(vq, headcount);
1104 	return r;
1105 }
1106 
1107 /* Expects to be always run from workqueue - which acts as
1108  * read-size critical section for our kind of RCU. */
1109 static void handle_rx(struct vhost_net *net)
1110 {
1111 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];
1112 	struct vhost_virtqueue *vq = &nvq->vq;
1113 	unsigned in, log;
1114 	struct vhost_log *vq_log;
1115 	struct msghdr msg = {
1116 		.msg_name = NULL,
1117 		.msg_namelen = 0,
1118 		.msg_control = NULL, /* FIXME: get and handle RX aux data. */
1119 		.msg_controllen = 0,
1120 		.msg_flags = MSG_DONTWAIT,
1121 	};
1122 	struct virtio_net_hdr hdr = {
1123 		.flags = 0,
1124 		.gso_type = VIRTIO_NET_HDR_GSO_NONE
1125 	};
1126 	size_t total_len = 0;
1127 	int err, mergeable;
1128 	s16 headcount;
1129 	size_t vhost_hlen, sock_hlen;
1130 	size_t vhost_len, sock_len;
1131 	bool busyloop_intr = false;
1132 	struct socket *sock;
1133 	struct iov_iter fixup;
1134 	__virtio16 num_buffers;
1135 	int recv_pkts = 0;
1136 
1137 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
1138 	sock = vhost_vq_get_backend(vq);
1139 	if (!sock)
1140 		goto out;
1141 
1142 	if (!vq_meta_prefetch(vq))
1143 		goto out;
1144 
1145 	vhost_disable_notify(&net->dev, vq);
1146 	vhost_net_disable_vq(net, vq);
1147 
1148 	vhost_hlen = nvq->vhost_hlen;
1149 	sock_hlen = nvq->sock_hlen;
1150 
1151 	vq_log = unlikely(vhost_has_feature(vq, VHOST_F_LOG_ALL)) ?
1152 		vq->log : NULL;
1153 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
1154 
1155 	do {
1156 		sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
1157 						      &busyloop_intr);
1158 		if (!sock_len)
1159 			break;
1160 		sock_len += sock_hlen;
1161 		vhost_len = sock_len + vhost_hlen;
1162 		headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
1163 					vhost_len, &in, vq_log, &log,
1164 					likely(mergeable) ? UIO_MAXIOV : 1);
1165 		/* On error, stop handling until the next kick. */
1166 		if (unlikely(headcount < 0))
1167 			goto out;
1168 		/* OK, now we need to know about added descriptors. */
1169 		if (!headcount) {
1170 			if (unlikely(busyloop_intr)) {
1171 				vhost_poll_queue(&vq->poll);
1172 			} else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
1173 				/* They have slipped one in as we were
1174 				 * doing that: check again. */
1175 				vhost_disable_notify(&net->dev, vq);
1176 				continue;
1177 			}
1178 			/* Nothing new?  Wait for eventfd to tell us
1179 			 * they refilled. */
1180 			goto out;
1181 		}
1182 		busyloop_intr = false;
1183 		if (nvq->rx_ring)
1184 			msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
1185 		/* On overrun, truncate and discard */
1186 		if (unlikely(headcount > UIO_MAXIOV)) {
1187 			iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, 1, 1);
1188 			err = sock->ops->recvmsg(sock, &msg,
1189 						 1, MSG_DONTWAIT | MSG_TRUNC);
1190 			pr_debug("Discarded rx packet: len %zd\n", sock_len);
1191 			continue;
1192 		}
1193 		/* We don't need to be notified again. */
1194 		iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, in, vhost_len);
1195 		fixup = msg.msg_iter;
1196 		if (unlikely((vhost_hlen))) {
1197 			/* We will supply the header ourselves
1198 			 * TODO: support TSO.
1199 			 */
1200 			iov_iter_advance(&msg.msg_iter, vhost_hlen);
1201 		}
1202 		err = sock->ops->recvmsg(sock, &msg,
1203 					 sock_len, MSG_DONTWAIT | MSG_TRUNC);
1204 		/* Userspace might have consumed the packet meanwhile:
1205 		 * it's not supposed to do this usually, but might be hard
1206 		 * to prevent. Discard data we got (if any) and keep going. */
1207 		if (unlikely(err != sock_len)) {
1208 			pr_debug("Discarded rx packet: "
1209 				 " len %d, expected %zd\n", err, sock_len);
1210 			vhost_discard_vq_desc(vq, headcount);
1211 			continue;
1212 		}
1213 		/* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */
1214 		if (unlikely(vhost_hlen)) {
1215 			if (copy_to_iter(&hdr, sizeof(hdr),
1216 					 &fixup) != sizeof(hdr)) {
1217 				vq_err(vq, "Unable to write vnet_hdr "
1218 				       "at addr %p\n", vq->iov->iov_base);
1219 				goto out;
1220 			}
1221 		} else {
1222 			/* Header came from socket; we'll need to patch
1223 			 * ->num_buffers over if VIRTIO_NET_F_MRG_RXBUF
1224 			 */
1225 			iov_iter_advance(&fixup, sizeof(hdr));
1226 		}
1227 		/* TODO: Should check and handle checksum. */
1228 
1229 		num_buffers = cpu_to_vhost16(vq, headcount);
1230 		if (likely(mergeable) &&
1231 		    copy_to_iter(&num_buffers, sizeof num_buffers,
1232 				 &fixup) != sizeof num_buffers) {
1233 			vq_err(vq, "Failed num_buffers write");
1234 			vhost_discard_vq_desc(vq, headcount);
1235 			goto out;
1236 		}
1237 		nvq->done_idx += headcount;
1238 		if (nvq->done_idx > VHOST_NET_BATCH)
1239 			vhost_net_signal_used(nvq);
1240 		if (unlikely(vq_log))
1241 			vhost_log_write(vq, vq_log, log, vhost_len,
1242 					vq->iov, in);
1243 		total_len += vhost_len;
1244 	} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
1245 
1246 	if (unlikely(busyloop_intr))
1247 		vhost_poll_queue(&vq->poll);
1248 	else if (!sock_len)
1249 		vhost_net_enable_vq(net, vq);
1250 out:
1251 	vhost_net_signal_used(nvq);
1252 	mutex_unlock(&vq->mutex);
1253 }
1254 
1255 static void handle_tx_kick(struct vhost_work *work)
1256 {
1257 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
1258 						  poll.work);
1259 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
1260 
1261 	handle_tx(net);
1262 }
1263 
1264 static void handle_rx_kick(struct vhost_work *work)
1265 {
1266 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
1267 						  poll.work);
1268 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
1269 
1270 	handle_rx(net);
1271 }
1272 
1273 static void handle_tx_net(struct vhost_work *work)
1274 {
1275 	struct vhost_net *net = container_of(work, struct vhost_net,
1276 					     poll[VHOST_NET_VQ_TX].work);
1277 	handle_tx(net);
1278 }
1279 
1280 static void handle_rx_net(struct vhost_work *work)
1281 {
1282 	struct vhost_net *net = container_of(work, struct vhost_net,
1283 					     poll[VHOST_NET_VQ_RX].work);
1284 	handle_rx(net);
1285 }
1286 
1287 static int vhost_net_open(struct inode *inode, struct file *f)
1288 {
1289 	struct vhost_net *n;
1290 	struct vhost_dev *dev;
1291 	struct vhost_virtqueue **vqs;
1292 	void **queue;
1293 	struct xdp_buff *xdp;
1294 	int i;
1295 
1296 	n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
1297 	if (!n)
1298 		return -ENOMEM;
1299 	vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
1300 	if (!vqs) {
1301 		kvfree(n);
1302 		return -ENOMEM;
1303 	}
1304 
1305 	queue = kmalloc_array(VHOST_NET_BATCH, sizeof(void *),
1306 			      GFP_KERNEL);
1307 	if (!queue) {
1308 		kfree(vqs);
1309 		kvfree(n);
1310 		return -ENOMEM;
1311 	}
1312 	n->vqs[VHOST_NET_VQ_RX].rxq.queue = queue;
1313 
1314 	xdp = kmalloc_array(VHOST_NET_BATCH, sizeof(*xdp), GFP_KERNEL);
1315 	if (!xdp) {
1316 		kfree(vqs);
1317 		kvfree(n);
1318 		kfree(queue);
1319 		return -ENOMEM;
1320 	}
1321 	n->vqs[VHOST_NET_VQ_TX].xdp = xdp;
1322 
1323 	dev = &n->dev;
1324 	vqs[VHOST_NET_VQ_TX] = &n->vqs[VHOST_NET_VQ_TX].vq;
1325 	vqs[VHOST_NET_VQ_RX] = &n->vqs[VHOST_NET_VQ_RX].vq;
1326 	n->vqs[VHOST_NET_VQ_TX].vq.handle_kick = handle_tx_kick;
1327 	n->vqs[VHOST_NET_VQ_RX].vq.handle_kick = handle_rx_kick;
1328 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
1329 		n->vqs[i].ubufs = NULL;
1330 		n->vqs[i].ubuf_info = NULL;
1331 		n->vqs[i].upend_idx = 0;
1332 		n->vqs[i].done_idx = 0;
1333 		n->vqs[i].batched_xdp = 0;
1334 		n->vqs[i].vhost_hlen = 0;
1335 		n->vqs[i].sock_hlen = 0;
1336 		n->vqs[i].rx_ring = NULL;
1337 		vhost_net_buf_init(&n->vqs[i].rxq);
1338 	}
1339 	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
1340 		       UIO_MAXIOV + VHOST_NET_BATCH,
1341 		       VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT, true,
1342 		       NULL);
1343 
1344 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, EPOLLOUT, dev);
1345 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, EPOLLIN, dev);
1346 
1347 	f->private_data = n;
1348 	n->page_frag.page = NULL;
1349 	n->refcnt_bias = 0;
1350 
1351 	return 0;
1352 }
1353 
1354 static struct socket *vhost_net_stop_vq(struct vhost_net *n,
1355 					struct vhost_virtqueue *vq)
1356 {
1357 	struct socket *sock;
1358 	struct vhost_net_virtqueue *nvq =
1359 		container_of(vq, struct vhost_net_virtqueue, vq);
1360 
1361 	mutex_lock(&vq->mutex);
1362 	sock = vhost_vq_get_backend(vq);
1363 	vhost_net_disable_vq(n, vq);
1364 	vhost_vq_set_backend(vq, NULL);
1365 	vhost_net_buf_unproduce(nvq);
1366 	nvq->rx_ring = NULL;
1367 	mutex_unlock(&vq->mutex);
1368 	return sock;
1369 }
1370 
1371 static void vhost_net_stop(struct vhost_net *n, struct socket **tx_sock,
1372 			   struct socket **rx_sock)
1373 {
1374 	*tx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_TX].vq);
1375 	*rx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_RX].vq);
1376 }
1377 
1378 static void vhost_net_flush(struct vhost_net *n)
1379 {
1380 	vhost_dev_flush(&n->dev);
1381 	if (n->vqs[VHOST_NET_VQ_TX].ubufs) {
1382 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1383 		n->tx_flush = true;
1384 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1385 		/* Wait for all lower device DMAs done. */
1386 		vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
1387 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1388 		n->tx_flush = false;
1389 		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
1390 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
1391 	}
1392 }
1393 
1394 static int vhost_net_release(struct inode *inode, struct file *f)
1395 {
1396 	struct vhost_net *n = f->private_data;
1397 	struct socket *tx_sock;
1398 	struct socket *rx_sock;
1399 
1400 	vhost_net_stop(n, &tx_sock, &rx_sock);
1401 	vhost_net_flush(n);
1402 	vhost_dev_stop(&n->dev);
1403 	vhost_dev_cleanup(&n->dev);
1404 	vhost_net_vq_reset(n);
1405 	if (tx_sock)
1406 		sockfd_put(tx_sock);
1407 	if (rx_sock)
1408 		sockfd_put(rx_sock);
1409 	/* Make sure no callbacks are outstanding */
1410 	synchronize_rcu();
1411 	/* We do an extra flush before freeing memory,
1412 	 * since jobs can re-queue themselves. */
1413 	vhost_net_flush(n);
1414 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
1415 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
1416 	kfree(n->dev.vqs);
1417 	if (n->page_frag.page)
1418 		__page_frag_cache_drain(n->page_frag.page, n->refcnt_bias);
1419 	kvfree(n);
1420 	return 0;
1421 }
1422 
1423 static struct socket *get_raw_socket(int fd)
1424 {
1425 	int r;
1426 	struct socket *sock = sockfd_lookup(fd, &r);
1427 
1428 	if (!sock)
1429 		return ERR_PTR(-ENOTSOCK);
1430 
1431 	/* Parameter checking */
1432 	if (sock->sk->sk_type != SOCK_RAW) {
1433 		r = -ESOCKTNOSUPPORT;
1434 		goto err;
1435 	}
1436 
1437 	if (sock->sk->sk_family != AF_PACKET) {
1438 		r = -EPFNOSUPPORT;
1439 		goto err;
1440 	}
1441 	return sock;
1442 err:
1443 	sockfd_put(sock);
1444 	return ERR_PTR(r);
1445 }
1446 
1447 static struct ptr_ring *get_tap_ptr_ring(struct file *file)
1448 {
1449 	struct ptr_ring *ring;
1450 	ring = tun_get_tx_ring(file);
1451 	if (!IS_ERR(ring))
1452 		goto out;
1453 	ring = tap_get_ptr_ring(file);
1454 	if (!IS_ERR(ring))
1455 		goto out;
1456 	ring = NULL;
1457 out:
1458 	return ring;
1459 }
1460 
1461 static struct socket *get_tap_socket(int fd)
1462 {
1463 	struct file *file = fget(fd);
1464 	struct socket *sock;
1465 
1466 	if (!file)
1467 		return ERR_PTR(-EBADF);
1468 	sock = tun_get_socket(file);
1469 	if (!IS_ERR(sock))
1470 		return sock;
1471 	sock = tap_get_socket(file);
1472 	if (IS_ERR(sock))
1473 		fput(file);
1474 	return sock;
1475 }
1476 
1477 static struct socket *get_socket(int fd)
1478 {
1479 	struct socket *sock;
1480 
1481 	/* special case to disable backend */
1482 	if (fd == -1)
1483 		return NULL;
1484 	sock = get_raw_socket(fd);
1485 	if (!IS_ERR(sock))
1486 		return sock;
1487 	sock = get_tap_socket(fd);
1488 	if (!IS_ERR(sock))
1489 		return sock;
1490 	return ERR_PTR(-ENOTSOCK);
1491 }
1492 
1493 static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
1494 {
1495 	struct socket *sock, *oldsock;
1496 	struct vhost_virtqueue *vq;
1497 	struct vhost_net_virtqueue *nvq;
1498 	struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
1499 	int r;
1500 
1501 	mutex_lock(&n->dev.mutex);
1502 	r = vhost_dev_check_owner(&n->dev);
1503 	if (r)
1504 		goto err;
1505 
1506 	if (index >= VHOST_NET_VQ_MAX) {
1507 		r = -ENOBUFS;
1508 		goto err;
1509 	}
1510 	vq = &n->vqs[index].vq;
1511 	nvq = &n->vqs[index];
1512 	mutex_lock(&vq->mutex);
1513 
1514 	if (fd == -1)
1515 		vhost_clear_msg(&n->dev);
1516 
1517 	/* Verify that ring has been setup correctly. */
1518 	if (!vhost_vq_access_ok(vq)) {
1519 		r = -EFAULT;
1520 		goto err_vq;
1521 	}
1522 	sock = get_socket(fd);
1523 	if (IS_ERR(sock)) {
1524 		r = PTR_ERR(sock);
1525 		goto err_vq;
1526 	}
1527 
1528 	/* start polling new socket */
1529 	oldsock = vhost_vq_get_backend(vq);
1530 	if (sock != oldsock) {
1531 		ubufs = vhost_net_ubuf_alloc(vq,
1532 					     sock && vhost_sock_zcopy(sock));
1533 		if (IS_ERR(ubufs)) {
1534 			r = PTR_ERR(ubufs);
1535 			goto err_ubufs;
1536 		}
1537 
1538 		vhost_net_disable_vq(n, vq);
1539 		vhost_vq_set_backend(vq, sock);
1540 		vhost_net_buf_unproduce(nvq);
1541 		r = vhost_vq_init_access(vq);
1542 		if (r)
1543 			goto err_used;
1544 		r = vhost_net_enable_vq(n, vq);
1545 		if (r)
1546 			goto err_used;
1547 		if (index == VHOST_NET_VQ_RX) {
1548 			if (sock)
1549 				nvq->rx_ring = get_tap_ptr_ring(sock->file);
1550 			else
1551 				nvq->rx_ring = NULL;
1552 		}
1553 
1554 		oldubufs = nvq->ubufs;
1555 		nvq->ubufs = ubufs;
1556 
1557 		n->tx_packets = 0;
1558 		n->tx_zcopy_err = 0;
1559 		n->tx_flush = false;
1560 	}
1561 
1562 	mutex_unlock(&vq->mutex);
1563 
1564 	if (oldubufs) {
1565 		vhost_net_ubuf_put_wait_and_free(oldubufs);
1566 		mutex_lock(&vq->mutex);
1567 		vhost_zerocopy_signal_used(n, vq);
1568 		mutex_unlock(&vq->mutex);
1569 	}
1570 
1571 	if (oldsock) {
1572 		vhost_dev_flush(&n->dev);
1573 		sockfd_put(oldsock);
1574 	}
1575 
1576 	mutex_unlock(&n->dev.mutex);
1577 	return 0;
1578 
1579 err_used:
1580 	vhost_vq_set_backend(vq, oldsock);
1581 	vhost_net_enable_vq(n, vq);
1582 	if (ubufs)
1583 		vhost_net_ubuf_put_wait_and_free(ubufs);
1584 err_ubufs:
1585 	if (sock)
1586 		sockfd_put(sock);
1587 err_vq:
1588 	mutex_unlock(&vq->mutex);
1589 err:
1590 	mutex_unlock(&n->dev.mutex);
1591 	return r;
1592 }
1593 
1594 static long vhost_net_reset_owner(struct vhost_net *n)
1595 {
1596 	struct socket *tx_sock = NULL;
1597 	struct socket *rx_sock = NULL;
1598 	long err;
1599 	struct vhost_iotlb *umem;
1600 
1601 	mutex_lock(&n->dev.mutex);
1602 	err = vhost_dev_check_owner(&n->dev);
1603 	if (err)
1604 		goto done;
1605 	umem = vhost_dev_reset_owner_prepare();
1606 	if (!umem) {
1607 		err = -ENOMEM;
1608 		goto done;
1609 	}
1610 	vhost_net_stop(n, &tx_sock, &rx_sock);
1611 	vhost_net_flush(n);
1612 	vhost_dev_stop(&n->dev);
1613 	vhost_dev_reset_owner(&n->dev, umem);
1614 	vhost_net_vq_reset(n);
1615 done:
1616 	mutex_unlock(&n->dev.mutex);
1617 	if (tx_sock)
1618 		sockfd_put(tx_sock);
1619 	if (rx_sock)
1620 		sockfd_put(rx_sock);
1621 	return err;
1622 }
1623 
1624 static int vhost_net_set_features(struct vhost_net *n, u64 features)
1625 {
1626 	size_t vhost_hlen, sock_hlen, hdr_len;
1627 	int i;
1628 
1629 	hdr_len = (features & ((1ULL << VIRTIO_NET_F_MRG_RXBUF) |
1630 			       (1ULL << VIRTIO_F_VERSION_1))) ?
1631 			sizeof(struct virtio_net_hdr_mrg_rxbuf) :
1632 			sizeof(struct virtio_net_hdr);
1633 	if (features & (1 << VHOST_NET_F_VIRTIO_NET_HDR)) {
1634 		/* vhost provides vnet_hdr */
1635 		vhost_hlen = hdr_len;
1636 		sock_hlen = 0;
1637 	} else {
1638 		/* socket provides vnet_hdr */
1639 		vhost_hlen = 0;
1640 		sock_hlen = hdr_len;
1641 	}
1642 	mutex_lock(&n->dev.mutex);
1643 	if ((features & (1 << VHOST_F_LOG_ALL)) &&
1644 	    !vhost_log_access_ok(&n->dev))
1645 		goto out_unlock;
1646 
1647 	if ((features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) {
1648 		if (vhost_init_device_iotlb(&n->dev, true))
1649 			goto out_unlock;
1650 	}
1651 
1652 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
1653 		mutex_lock(&n->vqs[i].vq.mutex);
1654 		n->vqs[i].vq.acked_features = features;
1655 		n->vqs[i].vhost_hlen = vhost_hlen;
1656 		n->vqs[i].sock_hlen = sock_hlen;
1657 		mutex_unlock(&n->vqs[i].vq.mutex);
1658 	}
1659 	mutex_unlock(&n->dev.mutex);
1660 	return 0;
1661 
1662 out_unlock:
1663 	mutex_unlock(&n->dev.mutex);
1664 	return -EFAULT;
1665 }
1666 
1667 static long vhost_net_set_owner(struct vhost_net *n)
1668 {
1669 	int r;
1670 
1671 	mutex_lock(&n->dev.mutex);
1672 	if (vhost_dev_has_owner(&n->dev)) {
1673 		r = -EBUSY;
1674 		goto out;
1675 	}
1676 	r = vhost_net_set_ubuf_info(n);
1677 	if (r)
1678 		goto out;
1679 	r = vhost_dev_set_owner(&n->dev);
1680 	if (r)
1681 		vhost_net_clear_ubuf_info(n);
1682 	vhost_net_flush(n);
1683 out:
1684 	mutex_unlock(&n->dev.mutex);
1685 	return r;
1686 }
1687 
1688 static long vhost_net_ioctl(struct file *f, unsigned int ioctl,
1689 			    unsigned long arg)
1690 {
1691 	struct vhost_net *n = f->private_data;
1692 	void __user *argp = (void __user *)arg;
1693 	u64 __user *featurep = argp;
1694 	struct vhost_vring_file backend;
1695 	u64 features;
1696 	int r;
1697 
1698 	switch (ioctl) {
1699 	case VHOST_NET_SET_BACKEND:
1700 		if (copy_from_user(&backend, argp, sizeof backend))
1701 			return -EFAULT;
1702 		return vhost_net_set_backend(n, backend.index, backend.fd);
1703 	case VHOST_GET_FEATURES:
1704 		features = VHOST_NET_FEATURES;
1705 		if (copy_to_user(featurep, &features, sizeof features))
1706 			return -EFAULT;
1707 		return 0;
1708 	case VHOST_SET_FEATURES:
1709 		if (copy_from_user(&features, featurep, sizeof features))
1710 			return -EFAULT;
1711 		if (features & ~VHOST_NET_FEATURES)
1712 			return -EOPNOTSUPP;
1713 		return vhost_net_set_features(n, features);
1714 	case VHOST_GET_BACKEND_FEATURES:
1715 		features = VHOST_NET_BACKEND_FEATURES;
1716 		if (copy_to_user(featurep, &features, sizeof(features)))
1717 			return -EFAULT;
1718 		return 0;
1719 	case VHOST_SET_BACKEND_FEATURES:
1720 		if (copy_from_user(&features, featurep, sizeof(features)))
1721 			return -EFAULT;
1722 		if (features & ~VHOST_NET_BACKEND_FEATURES)
1723 			return -EOPNOTSUPP;
1724 		vhost_set_backend_features(&n->dev, features);
1725 		return 0;
1726 	case VHOST_RESET_OWNER:
1727 		return vhost_net_reset_owner(n);
1728 	case VHOST_SET_OWNER:
1729 		return vhost_net_set_owner(n);
1730 	default:
1731 		mutex_lock(&n->dev.mutex);
1732 		r = vhost_dev_ioctl(&n->dev, ioctl, argp);
1733 		if (r == -ENOIOCTLCMD)
1734 			r = vhost_vring_ioctl(&n->dev, ioctl, argp);
1735 		else
1736 			vhost_net_flush(n);
1737 		mutex_unlock(&n->dev.mutex);
1738 		return r;
1739 	}
1740 }
1741 
1742 static ssize_t vhost_net_chr_read_iter(struct kiocb *iocb, struct iov_iter *to)
1743 {
1744 	struct file *file = iocb->ki_filp;
1745 	struct vhost_net *n = file->private_data;
1746 	struct vhost_dev *dev = &n->dev;
1747 	int noblock = file->f_flags & O_NONBLOCK;
1748 
1749 	return vhost_chr_read_iter(dev, to, noblock);
1750 }
1751 
1752 static ssize_t vhost_net_chr_write_iter(struct kiocb *iocb,
1753 					struct iov_iter *from)
1754 {
1755 	struct file *file = iocb->ki_filp;
1756 	struct vhost_net *n = file->private_data;
1757 	struct vhost_dev *dev = &n->dev;
1758 
1759 	return vhost_chr_write_iter(dev, from);
1760 }
1761 
1762 static __poll_t vhost_net_chr_poll(struct file *file, poll_table *wait)
1763 {
1764 	struct vhost_net *n = file->private_data;
1765 	struct vhost_dev *dev = &n->dev;
1766 
1767 	return vhost_chr_poll(file, dev, wait);
1768 }
1769 
1770 static const struct file_operations vhost_net_fops = {
1771 	.owner          = THIS_MODULE,
1772 	.release        = vhost_net_release,
1773 	.read_iter      = vhost_net_chr_read_iter,
1774 	.write_iter     = vhost_net_chr_write_iter,
1775 	.poll           = vhost_net_chr_poll,
1776 	.unlocked_ioctl = vhost_net_ioctl,
1777 	.compat_ioctl   = compat_ptr_ioctl,
1778 	.open           = vhost_net_open,
1779 	.llseek		= noop_llseek,
1780 };
1781 
1782 static struct miscdevice vhost_net_misc = {
1783 	.minor = VHOST_NET_MINOR,
1784 	.name = "vhost-net",
1785 	.fops = &vhost_net_fops,
1786 };
1787 
1788 static int __init vhost_net_init(void)
1789 {
1790 	if (experimental_zcopytx)
1791 		vhost_net_enable_zcopy(VHOST_NET_VQ_TX);
1792 	return misc_register(&vhost_net_misc);
1793 }
1794 module_init(vhost_net_init);
1795 
1796 static void __exit vhost_net_exit(void)
1797 {
1798 	misc_deregister(&vhost_net_misc);
1799 }
1800 module_exit(vhost_net_exit);
1801 
1802 MODULE_VERSION("0.0.1");
1803 MODULE_LICENSE("GPL v2");
1804 MODULE_AUTHOR("Michael S. Tsirkin");
1805 MODULE_DESCRIPTION("Host kernel accelerator for virtio net");
1806 MODULE_ALIAS_MISCDEV(VHOST_NET_MINOR);
1807 MODULE_ALIAS("devname:vhost-net");
1808