1 // SPDX-License-Identifier: GPL-2.0 OR MIT
2 /*
3 * Copyright 2016 VMware, Inc., Palo Alto, CA., USA
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining a
6 * copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sub license, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
12 *
13 * The above copyright notice and this permission notice (including the
14 * next paragraph) shall be included in all copies or substantial portions
15 * of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
20 * THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
21 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
22 * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
23 * USE OR OTHER DEALINGS IN THE SOFTWARE.
24 *
25 */
26
27 #include <linux/objtool.h>
28 #include <linux/kernel.h>
29 #include <linux/module.h>
30 #include <linux/slab.h>
31 #include <linux/mem_encrypt.h>
32
33 #include <asm/hypervisor.h>
34
35 #include "vmwgfx_drv.h"
36 #include "vmwgfx_msg.h"
37
38 #define MESSAGE_STATUS_SUCCESS 0x0001
39 #define MESSAGE_STATUS_DORECV 0x0002
40 #define MESSAGE_STATUS_CPT 0x0010
41 #define MESSAGE_STATUS_HB 0x0080
42
43 #define RPCI_PROTOCOL_NUM 0x49435052
44 #define GUESTMSG_FLAG_COOKIE 0x80000000
45
46 #define RETRIES 3
47
48 #define VMW_HYPERVISOR_MAGIC 0x564D5868
49
50 #define VMW_PORT_CMD_MSG 30
51 #define VMW_PORT_CMD_HB_MSG 0
52 #define VMW_PORT_CMD_OPEN_CHANNEL (MSG_TYPE_OPEN << 16 | VMW_PORT_CMD_MSG)
53 #define VMW_PORT_CMD_CLOSE_CHANNEL (MSG_TYPE_CLOSE << 16 | VMW_PORT_CMD_MSG)
54 #define VMW_PORT_CMD_SENDSIZE (MSG_TYPE_SENDSIZE << 16 | VMW_PORT_CMD_MSG)
55 #define VMW_PORT_CMD_RECVSIZE (MSG_TYPE_RECVSIZE << 16 | VMW_PORT_CMD_MSG)
56 #define VMW_PORT_CMD_RECVSTATUS (MSG_TYPE_RECVSTATUS << 16 | VMW_PORT_CMD_MSG)
57
58 #define HIGH_WORD(X) ((X & 0xFFFF0000) >> 16)
59
60 #define MAX_USER_MSG_LENGTH PAGE_SIZE
61
62 static u32 vmw_msg_enabled = 1;
63
64 enum rpc_msg_type {
65 MSG_TYPE_OPEN,
66 MSG_TYPE_SENDSIZE,
67 MSG_TYPE_SENDPAYLOAD,
68 MSG_TYPE_RECVSIZE,
69 MSG_TYPE_RECVPAYLOAD,
70 MSG_TYPE_RECVSTATUS,
71 MSG_TYPE_CLOSE,
72 };
73
74 struct rpc_channel {
75 u16 channel_id;
76 u32 cookie_high;
77 u32 cookie_low;
78 };
79
80
81
82 /**
83 * vmw_open_channel
84 *
85 * @channel: RPC channel
86 * @protocol:
87 *
88 * Returns: 0 on success
89 */
vmw_open_channel(struct rpc_channel * channel,unsigned int protocol)90 static int vmw_open_channel(struct rpc_channel *channel, unsigned int protocol)
91 {
92 unsigned long eax, ebx, ecx, edx, si = 0, di = 0;
93
94 VMW_PORT(VMW_PORT_CMD_OPEN_CHANNEL,
95 (protocol | GUESTMSG_FLAG_COOKIE), si, di,
96 0,
97 VMW_HYPERVISOR_MAGIC,
98 eax, ebx, ecx, edx, si, di);
99
100 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
101 return -EINVAL;
102
103 channel->channel_id = HIGH_WORD(edx);
104 channel->cookie_high = si;
105 channel->cookie_low = di;
106
107 return 0;
108 }
109
110
111
112 /**
113 * vmw_close_channel
114 *
115 * @channel: RPC channel
116 *
117 * Returns: 0 on success
118 */
vmw_close_channel(struct rpc_channel * channel)119 static int vmw_close_channel(struct rpc_channel *channel)
120 {
121 unsigned long eax, ebx, ecx, edx, si, di;
122
123 /* Set up additional parameters */
124 si = channel->cookie_high;
125 di = channel->cookie_low;
126
127 VMW_PORT(VMW_PORT_CMD_CLOSE_CHANNEL,
128 0, si, di,
129 channel->channel_id << 16,
130 VMW_HYPERVISOR_MAGIC,
131 eax, ebx, ecx, edx, si, di);
132
133 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
134 return -EINVAL;
135
136 return 0;
137 }
138
139 /**
140 * vmw_port_hb_out - Send the message payload either through the
141 * high-bandwidth port if available, or through the backdoor otherwise.
142 * @channel: The rpc channel.
143 * @msg: NULL-terminated message.
144 * @hb: Whether the high-bandwidth port is available.
145 *
146 * Return: The port status.
147 */
vmw_port_hb_out(struct rpc_channel * channel,const char * msg,bool hb)148 static unsigned long vmw_port_hb_out(struct rpc_channel *channel,
149 const char *msg, bool hb)
150 {
151 unsigned long si, di, eax, ebx, ecx, edx;
152 unsigned long msg_len = strlen(msg);
153
154 /* HB port can't access encrypted memory. */
155 if (hb && !mem_encrypt_active()) {
156 unsigned long bp = channel->cookie_high;
157
158 si = (uintptr_t) msg;
159 di = channel->cookie_low;
160
161 VMW_PORT_HB_OUT(
162 (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
163 msg_len, si, di,
164 VMWARE_HYPERVISOR_HB | (channel->channel_id << 16) |
165 VMWARE_HYPERVISOR_OUT,
166 VMW_HYPERVISOR_MAGIC, bp,
167 eax, ebx, ecx, edx, si, di);
168
169 return ebx;
170 }
171
172 /* HB port not available. Send the message 4 bytes at a time. */
173 ecx = MESSAGE_STATUS_SUCCESS << 16;
174 while (msg_len && (HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS)) {
175 unsigned int bytes = min_t(size_t, msg_len, 4);
176 unsigned long word = 0;
177
178 memcpy(&word, msg, bytes);
179 msg_len -= bytes;
180 msg += bytes;
181 si = channel->cookie_high;
182 di = channel->cookie_low;
183
184 VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_SENDPAYLOAD << 16),
185 word, si, di,
186 channel->channel_id << 16,
187 VMW_HYPERVISOR_MAGIC,
188 eax, ebx, ecx, edx, si, di);
189 }
190
191 return ecx;
192 }
193
194 /**
195 * vmw_port_hb_in - Receive the message payload either through the
196 * high-bandwidth port if available, or through the backdoor otherwise.
197 * @channel: The rpc channel.
198 * @reply: Pointer to buffer holding reply.
199 * @reply_len: Length of the reply.
200 * @hb: Whether the high-bandwidth port is available.
201 *
202 * Return: The port status.
203 */
vmw_port_hb_in(struct rpc_channel * channel,char * reply,unsigned long reply_len,bool hb)204 static unsigned long vmw_port_hb_in(struct rpc_channel *channel, char *reply,
205 unsigned long reply_len, bool hb)
206 {
207 unsigned long si, di, eax, ebx, ecx, edx;
208
209 /* HB port can't access encrypted memory */
210 if (hb && !mem_encrypt_active()) {
211 unsigned long bp = channel->cookie_low;
212
213 si = channel->cookie_high;
214 di = (uintptr_t) reply;
215
216 VMW_PORT_HB_IN(
217 (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
218 reply_len, si, di,
219 VMWARE_HYPERVISOR_HB | (channel->channel_id << 16),
220 VMW_HYPERVISOR_MAGIC, bp,
221 eax, ebx, ecx, edx, si, di);
222
223 return ebx;
224 }
225
226 /* HB port not available. Retrieve the message 4 bytes at a time. */
227 ecx = MESSAGE_STATUS_SUCCESS << 16;
228 while (reply_len) {
229 unsigned int bytes = min_t(unsigned long, reply_len, 4);
230
231 si = channel->cookie_high;
232 di = channel->cookie_low;
233
234 VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_RECVPAYLOAD << 16),
235 MESSAGE_STATUS_SUCCESS, si, di,
236 channel->channel_id << 16,
237 VMW_HYPERVISOR_MAGIC,
238 eax, ebx, ecx, edx, si, di);
239
240 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
241 break;
242
243 memcpy(reply, &ebx, bytes);
244 reply_len -= bytes;
245 reply += bytes;
246 }
247
248 return ecx;
249 }
250
251
252 /**
253 * vmw_send_msg: Sends a message to the host
254 *
255 * @channel: RPC channel
256 * @logmsg: NULL terminated string
257 *
258 * Returns: 0 on success
259 */
vmw_send_msg(struct rpc_channel * channel,const char * msg)260 static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
261 {
262 unsigned long eax, ebx, ecx, edx, si, di;
263 size_t msg_len = strlen(msg);
264 int retries = 0;
265
266 while (retries < RETRIES) {
267 retries++;
268
269 /* Set up additional parameters */
270 si = channel->cookie_high;
271 di = channel->cookie_low;
272
273 VMW_PORT(VMW_PORT_CMD_SENDSIZE,
274 msg_len, si, di,
275 channel->channel_id << 16,
276 VMW_HYPERVISOR_MAGIC,
277 eax, ebx, ecx, edx, si, di);
278
279 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
280 /* Expected success. Give up. */
281 return -EINVAL;
282 }
283
284 /* Send msg */
285 ebx = vmw_port_hb_out(channel, msg,
286 !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
287
288 if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) != 0) {
289 return 0;
290 } else if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) {
291 /* A checkpoint occurred. Retry. */
292 continue;
293 } else {
294 break;
295 }
296 }
297
298 return -EINVAL;
299 }
300 STACK_FRAME_NON_STANDARD(vmw_send_msg);
301
302
303 /**
304 * vmw_recv_msg: Receives a message from the host
305 *
306 * Note: It is the caller's responsibility to call kfree() on msg.
307 *
308 * @channel: channel opened by vmw_open_channel
309 * @msg: [OUT] message received from the host
310 * @msg_len: message length
311 */
vmw_recv_msg(struct rpc_channel * channel,void ** msg,size_t * msg_len)312 static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
313 size_t *msg_len)
314 {
315 unsigned long eax, ebx, ecx, edx, si, di;
316 char *reply;
317 size_t reply_len;
318 int retries = 0;
319
320
321 *msg_len = 0;
322 *msg = NULL;
323
324 while (retries < RETRIES) {
325 retries++;
326
327 /* Set up additional parameters */
328 si = channel->cookie_high;
329 di = channel->cookie_low;
330
331 VMW_PORT(VMW_PORT_CMD_RECVSIZE,
332 0, si, di,
333 channel->channel_id << 16,
334 VMW_HYPERVISOR_MAGIC,
335 eax, ebx, ecx, edx, si, di);
336
337 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
338 DRM_ERROR("Failed to get reply size for host message.\n");
339 return -EINVAL;
340 }
341
342 /* No reply available. This is okay. */
343 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_DORECV) == 0)
344 return 0;
345
346 reply_len = ebx;
347 reply = kzalloc(reply_len + 1, GFP_KERNEL);
348 if (!reply) {
349 DRM_ERROR("Cannot allocate memory for host message reply.\n");
350 return -ENOMEM;
351 }
352
353
354 /* Receive buffer */
355 ebx = vmw_port_hb_in(channel, reply, reply_len,
356 !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
357 if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) {
358 kfree(reply);
359 reply = NULL;
360 if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) {
361 /* A checkpoint occurred. Retry. */
362 continue;
363 }
364
365 return -EINVAL;
366 }
367
368 reply[reply_len] = '\0';
369
370
371 /* Ack buffer */
372 si = channel->cookie_high;
373 di = channel->cookie_low;
374
375 VMW_PORT(VMW_PORT_CMD_RECVSTATUS,
376 MESSAGE_STATUS_SUCCESS, si, di,
377 channel->channel_id << 16,
378 VMW_HYPERVISOR_MAGIC,
379 eax, ebx, ecx, edx, si, di);
380
381 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
382 kfree(reply);
383 reply = NULL;
384 if ((HIGH_WORD(ecx) & MESSAGE_STATUS_CPT) != 0) {
385 /* A checkpoint occurred. Retry. */
386 continue;
387 }
388
389 return -EINVAL;
390 }
391
392 break;
393 }
394
395 if (!reply)
396 return -EINVAL;
397
398 *msg_len = reply_len;
399 *msg = reply;
400
401 return 0;
402 }
403 STACK_FRAME_NON_STANDARD(vmw_recv_msg);
404
405
406 /**
407 * vmw_host_get_guestinfo: Gets a GuestInfo parameter
408 *
409 * Gets the value of a GuestInfo.* parameter. The value returned will be in
410 * a string, and it is up to the caller to post-process.
411 *
412 * @guest_info_param: Parameter to get, e.g. GuestInfo.svga.gl3
413 * @buffer: if NULL, *reply_len will contain reply size.
414 * @length: size of the reply_buf. Set to size of reply upon return
415 *
416 * Returns: 0 on success
417 */
vmw_host_get_guestinfo(const char * guest_info_param,char * buffer,size_t * length)418 int vmw_host_get_guestinfo(const char *guest_info_param,
419 char *buffer, size_t *length)
420 {
421 struct rpc_channel channel;
422 char *msg, *reply = NULL;
423 size_t reply_len = 0;
424
425 if (!vmw_msg_enabled)
426 return -ENODEV;
427
428 if (!guest_info_param || !length)
429 return -EINVAL;
430
431 msg = kasprintf(GFP_KERNEL, "info-get %s", guest_info_param);
432 if (!msg) {
433 DRM_ERROR("Cannot allocate memory to get guest info \"%s\".",
434 guest_info_param);
435 return -ENOMEM;
436 }
437
438 if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
439 goto out_open;
440
441 if (vmw_send_msg(&channel, msg) ||
442 vmw_recv_msg(&channel, (void *) &reply, &reply_len))
443 goto out_msg;
444
445 vmw_close_channel(&channel);
446 if (buffer && reply && reply_len > 0) {
447 /* Remove reply code, which are the first 2 characters of
448 * the reply
449 */
450 reply_len = max(reply_len - 2, (size_t) 0);
451 reply_len = min(reply_len, *length);
452
453 if (reply_len > 0)
454 memcpy(buffer, reply + 2, reply_len);
455 }
456
457 *length = reply_len;
458
459 kfree(reply);
460 kfree(msg);
461
462 return 0;
463
464 out_msg:
465 vmw_close_channel(&channel);
466 kfree(reply);
467 out_open:
468 *length = 0;
469 kfree(msg);
470 DRM_ERROR("Failed to get guest info \"%s\".", guest_info_param);
471
472 return -EINVAL;
473 }
474
475
476
477 /**
478 * vmw_host_log: Sends a log message to the host
479 *
480 * @log: NULL terminated string
481 *
482 * Returns: 0 on success
483 */
vmw_host_log(const char * log)484 int vmw_host_log(const char *log)
485 {
486 struct rpc_channel channel;
487 char *msg;
488 int ret = 0;
489
490
491 if (!vmw_msg_enabled)
492 return -ENODEV;
493
494 if (!log)
495 return ret;
496
497 msg = kasprintf(GFP_KERNEL, "log %s", log);
498 if (!msg) {
499 DRM_ERROR("Cannot allocate memory for host log message.\n");
500 return -ENOMEM;
501 }
502
503 if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
504 goto out_open;
505
506 if (vmw_send_msg(&channel, msg))
507 goto out_msg;
508
509 vmw_close_channel(&channel);
510 kfree(msg);
511
512 return 0;
513
514 out_msg:
515 vmw_close_channel(&channel);
516 out_open:
517 kfree(msg);
518 DRM_ERROR("Failed to send host log message.\n");
519
520 return -EINVAL;
521 }
522
523
524 /**
525 * vmw_msg_ioctl: Sends and receveives a message to/from host from/to user-space
526 *
527 * Sends a message from user-space to host.
528 * Can also receive a result from host and return that to user-space.
529 *
530 * @dev: Identifies the drm device.
531 * @data: Pointer to the ioctl argument.
532 * @file_priv: Identifies the caller.
533 * Return: Zero on success, negative error code on error.
534 */
535
vmw_msg_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)536 int vmw_msg_ioctl(struct drm_device *dev, void *data,
537 struct drm_file *file_priv)
538 {
539 struct drm_vmw_msg_arg *arg =
540 (struct drm_vmw_msg_arg *) data;
541 struct rpc_channel channel;
542 char *msg;
543 int length;
544
545 msg = kmalloc(MAX_USER_MSG_LENGTH, GFP_KERNEL);
546 if (!msg) {
547 DRM_ERROR("Cannot allocate memory for log message.\n");
548 return -ENOMEM;
549 }
550
551 length = strncpy_from_user(msg, (void __user *)((unsigned long)arg->send),
552 MAX_USER_MSG_LENGTH);
553 if (length < 0 || length >= MAX_USER_MSG_LENGTH) {
554 DRM_ERROR("Userspace message access failure.\n");
555 kfree(msg);
556 return -EINVAL;
557 }
558
559
560 if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM)) {
561 DRM_ERROR("Failed to open channel.\n");
562 goto out_open;
563 }
564
565 if (vmw_send_msg(&channel, msg)) {
566 DRM_ERROR("Failed to send message to host.\n");
567 goto out_msg;
568 }
569
570 if (!arg->send_only) {
571 char *reply = NULL;
572 size_t reply_len = 0;
573
574 if (vmw_recv_msg(&channel, (void *) &reply, &reply_len)) {
575 DRM_ERROR("Failed to receive message from host.\n");
576 goto out_msg;
577 }
578 if (reply && reply_len > 0) {
579 if (copy_to_user((void __user *)((unsigned long)arg->receive),
580 reply, reply_len)) {
581 DRM_ERROR("Failed to copy message to userspace.\n");
582 kfree(reply);
583 goto out_msg;
584 }
585 arg->receive_len = (__u32)reply_len;
586 }
587 kfree(reply);
588 }
589
590 vmw_close_channel(&channel);
591 kfree(msg);
592
593 return 0;
594
595 out_msg:
596 vmw_close_channel(&channel);
597 out_open:
598 kfree(msg);
599
600 return -EINVAL;
601 }
602