1 /* 2 * Copyright (C) 2012 Intel, Inc. 3 * Copyright (C) 2013 Intel, Inc. 4 * Copyright (C) 2014 Linaro Limited 5 * Copyright (C) 2011-2016 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18 /* This source file contains the implementation of a special device driver 19 * that intends to provide a *very* fast communication channel between the 20 * guest system and the QEMU emulator. 21 * 22 * Usage from the guest is simply the following (error handling simplified): 23 * 24 * int fd = open("/dev/qemu_pipe",O_RDWR); 25 * .... write() or read() through the pipe. 26 * 27 * This driver doesn't deal with the exact protocol used during the session. 28 * It is intended to be as simple as something like: 29 * 30 * // do this _just_ after opening the fd to connect to a specific 31 * // emulator service. 32 * const char* msg = "<pipename>"; 33 * if (write(fd, msg, strlen(msg)+1) < 0) { 34 * ... could not connect to <pipename> service 35 * close(fd); 36 * } 37 * 38 * // after this, simply read() and write() to communicate with the 39 * // service. Exact protocol details left as an exercise to the reader. 40 * 41 * This driver is very fast because it doesn't copy any data through 42 * intermediate buffers, since the emulator is capable of translating 43 * guest user addresses into host ones. 44 * 45 * Note that we must however ensure that each user page involved in the 46 * exchange is properly mapped during a transfer. 47 */ 48 49 50 #include <linux/module.h> 51 #include <linux/interrupt.h> 52 #include <linux/kernel.h> 53 #include <linux/spinlock.h> 54 #include <linux/miscdevice.h> 55 #include <linux/platform_device.h> 56 #include <linux/poll.h> 57 #include <linux/sched.h> 58 #include <linux/bitops.h> 59 #include <linux/slab.h> 60 #include <linux/io.h> 61 #include <linux/goldfish.h> 62 #include <linux/dma-mapping.h> 63 #include <linux/mm.h> 64 #include <linux/acpi.h> 65 66 /* 67 * Update this when something changes in the driver's behavior so the host 68 * can benefit from knowing it 69 */ 70 enum { 71 PIPE_DRIVER_VERSION = 2, 72 PIPE_CURRENT_DEVICE_VERSION = 2 73 }; 74 75 /* 76 * IMPORTANT: The following constants must match the ones used and defined 77 * in external/qemu/hw/goldfish_pipe.c in the Android source tree. 78 */ 79 80 /* List of bitflags returned in status of CMD_POLL command */ 81 enum PipePollFlags { 82 PIPE_POLL_IN = 1 << 0, 83 PIPE_POLL_OUT = 1 << 1, 84 PIPE_POLL_HUP = 1 << 2 85 }; 86 87 /* Possible status values used to signal errors - see goldfish_pipe_error_convert */ 88 enum PipeErrors { 89 PIPE_ERROR_INVAL = -1, 90 PIPE_ERROR_AGAIN = -2, 91 PIPE_ERROR_NOMEM = -3, 92 PIPE_ERROR_IO = -4 93 }; 94 95 /* Bit-flags used to signal events from the emulator */ 96 enum PipeWakeFlags { 97 PIPE_WAKE_CLOSED = 1 << 0, /* emulator closed pipe */ 98 PIPE_WAKE_READ = 1 << 1, /* pipe can now be read from */ 99 PIPE_WAKE_WRITE = 1 << 2 /* pipe can now be written to */ 100 }; 101 102 /* Bit flags for the 'flags' field */ 103 enum PipeFlagsBits { 104 BIT_CLOSED_ON_HOST = 0, /* pipe closed by host */ 105 BIT_WAKE_ON_WRITE = 1, /* want to be woken on writes */ 106 BIT_WAKE_ON_READ = 2, /* want to be woken on reads */ 107 }; 108 109 enum PipeRegs { 110 PIPE_REG_CMD = 0, 111 112 PIPE_REG_SIGNAL_BUFFER_HIGH = 4, 113 PIPE_REG_SIGNAL_BUFFER = 8, 114 PIPE_REG_SIGNAL_BUFFER_COUNT = 12, 115 116 PIPE_REG_OPEN_BUFFER_HIGH = 20, 117 PIPE_REG_OPEN_BUFFER = 24, 118 119 PIPE_REG_VERSION = 36, 120 121 PIPE_REG_GET_SIGNALLED = 48, 122 }; 123 124 enum PipeCmdCode { 125 PIPE_CMD_OPEN = 1, /* to be used by the pipe device itself */ 126 PIPE_CMD_CLOSE, 127 PIPE_CMD_POLL, 128 PIPE_CMD_WRITE, 129 PIPE_CMD_WAKE_ON_WRITE, 130 PIPE_CMD_READ, 131 PIPE_CMD_WAKE_ON_READ, 132 133 /* 134 * TODO(zyy): implement a deferred read/write execution to allow 135 * parallel processing of pipe operations on the host. 136 */ 137 PIPE_CMD_WAKE_ON_DONE_IO, 138 }; 139 140 enum { 141 MAX_BUFFERS_PER_COMMAND = 336, 142 MAX_SIGNALLED_PIPES = 64, 143 INITIAL_PIPES_CAPACITY = 64 144 }; 145 146 struct goldfish_pipe_dev; 147 struct goldfish_pipe; 148 struct goldfish_pipe_command; 149 150 /* A per-pipe command structure, shared with the host */ 151 struct goldfish_pipe_command { 152 s32 cmd; /* PipeCmdCode, guest -> host */ 153 s32 id; /* pipe id, guest -> host */ 154 s32 status; /* command execution status, host -> guest */ 155 s32 reserved; /* to pad to 64-bit boundary */ 156 union { 157 /* Parameters for PIPE_CMD_{READ,WRITE} */ 158 struct { 159 /* number of buffers, guest -> host */ 160 u32 buffers_count; 161 /* number of consumed bytes, host -> guest */ 162 s32 consumed_size; 163 /* buffer pointers, guest -> host */ 164 u64 ptrs[MAX_BUFFERS_PER_COMMAND]; 165 /* buffer sizes, guest -> host */ 166 u32 sizes[MAX_BUFFERS_PER_COMMAND]; 167 } rw_params; 168 }; 169 }; 170 171 /* A single signalled pipe information */ 172 struct signalled_pipe_buffer { 173 u32 id; 174 u32 flags; 175 }; 176 177 /* Parameters for the PIPE_CMD_OPEN command */ 178 struct open_command_param { 179 u64 command_buffer_ptr; 180 u32 rw_params_max_count; 181 }; 182 183 /* Device-level set of buffers shared with the host */ 184 struct goldfish_pipe_dev_buffers { 185 struct open_command_param open_command_params; 186 struct signalled_pipe_buffer signalled_pipe_buffers[ 187 MAX_SIGNALLED_PIPES]; 188 }; 189 190 /* This data type models a given pipe instance */ 191 struct goldfish_pipe { 192 /* pipe ID - index into goldfish_pipe_dev::pipes array */ 193 u32 id; 194 /* The wake flags pipe is waiting for 195 * Note: not protected with any lock, uses atomic operations 196 * and barriers to make it thread-safe. 197 */ 198 unsigned long flags; 199 /* wake flags host have signalled, 200 * - protected by goldfish_pipe_dev::lock 201 */ 202 unsigned long signalled_flags; 203 204 /* A pointer to command buffer */ 205 struct goldfish_pipe_command *command_buffer; 206 207 /* doubly linked list of signalled pipes, protected by 208 * goldfish_pipe_dev::lock 209 */ 210 struct goldfish_pipe *prev_signalled; 211 struct goldfish_pipe *next_signalled; 212 213 /* 214 * A pipe's own lock. Protects the following: 215 * - *command_buffer - makes sure a command can safely write its 216 * parameters to the host and read the results back. 217 */ 218 struct mutex lock; 219 220 /* A wake queue for sleeping until host signals an event */ 221 wait_queue_head_t wake_queue; 222 /* Pointer to the parent goldfish_pipe_dev instance */ 223 struct goldfish_pipe_dev *dev; 224 }; 225 226 /* The global driver data. Holds a reference to the i/o page used to 227 * communicate with the emulator, and a wake queue for blocked tasks 228 * waiting to be awoken. 229 */ 230 struct goldfish_pipe_dev { 231 /* 232 * Global device spinlock. Protects the following members: 233 * - pipes, pipes_capacity 234 * - [*pipes, *pipes + pipes_capacity) - array data 235 * - first_signalled_pipe, 236 * goldfish_pipe::prev_signalled, 237 * goldfish_pipe::next_signalled, 238 * goldfish_pipe::signalled_flags - all singnalled-related fields, 239 * in all allocated pipes 240 * - open_command_params - PIPE_CMD_OPEN-related buffers 241 * 242 * It looks like a lot of different fields, but the trick is that 243 * the only operation that happens often is the signalled pipes array 244 * manipulation. That's why it's OK for now to keep the rest of the 245 * fields under the same lock. If we notice too much contention because 246 * of PIPE_CMD_OPEN, then we should add a separate lock there. 247 */ 248 spinlock_t lock; 249 250 /* 251 * Array of the pipes of |pipes_capacity| elements, 252 * indexed by goldfish_pipe::id 253 */ 254 struct goldfish_pipe **pipes; 255 u32 pipes_capacity; 256 257 /* Pointers to the buffers host uses for interaction with this driver */ 258 struct goldfish_pipe_dev_buffers *buffers; 259 260 /* Head of a doubly linked list of signalled pipes */ 261 struct goldfish_pipe *first_signalled_pipe; 262 263 /* Some device-specific data */ 264 int irq; 265 int version; 266 unsigned char __iomem *base; 267 }; 268 269 static struct goldfish_pipe_dev pipe_dev[1] = {}; 270 271 static int goldfish_cmd_locked(struct goldfish_pipe *pipe, enum PipeCmdCode cmd) 272 { 273 pipe->command_buffer->cmd = cmd; 274 /* failure by default */ 275 pipe->command_buffer->status = PIPE_ERROR_INVAL; 276 writel(pipe->id, pipe->dev->base + PIPE_REG_CMD); 277 return pipe->command_buffer->status; 278 } 279 280 static int goldfish_cmd(struct goldfish_pipe *pipe, enum PipeCmdCode cmd) 281 { 282 int status; 283 284 if (mutex_lock_interruptible(&pipe->lock)) 285 return PIPE_ERROR_IO; 286 status = goldfish_cmd_locked(pipe, cmd); 287 mutex_unlock(&pipe->lock); 288 return status; 289 } 290 291 /* 292 * This function converts an error code returned by the emulator through 293 * the PIPE_REG_STATUS i/o register into a valid negative errno value. 294 */ 295 static int goldfish_pipe_error_convert(int status) 296 { 297 switch (status) { 298 case PIPE_ERROR_AGAIN: 299 return -EAGAIN; 300 case PIPE_ERROR_NOMEM: 301 return -ENOMEM; 302 case PIPE_ERROR_IO: 303 return -EIO; 304 default: 305 return -EINVAL; 306 } 307 } 308 309 static int pin_user_pages(unsigned long first_page, unsigned long last_page, 310 unsigned int last_page_size, int is_write, 311 struct page *pages[MAX_BUFFERS_PER_COMMAND], 312 unsigned int *iter_last_page_size) 313 { 314 int ret; 315 int requested_pages = ((last_page - first_page) >> PAGE_SHIFT) + 1; 316 317 if (requested_pages > MAX_BUFFERS_PER_COMMAND) { 318 requested_pages = MAX_BUFFERS_PER_COMMAND; 319 *iter_last_page_size = PAGE_SIZE; 320 } else { 321 *iter_last_page_size = last_page_size; 322 } 323 324 ret = get_user_pages_fast( 325 first_page, requested_pages, !is_write, pages); 326 if (ret <= 0) 327 return -EFAULT; 328 if (ret < requested_pages) 329 *iter_last_page_size = PAGE_SIZE; 330 return ret; 331 332 } 333 334 static void release_user_pages(struct page **pages, int pages_count, 335 int is_write, s32 consumed_size) 336 { 337 int i; 338 339 for (i = 0; i < pages_count; i++) { 340 if (!is_write && consumed_size > 0) 341 set_page_dirty(pages[i]); 342 put_page(pages[i]); 343 } 344 } 345 346 /* Populate the call parameters, merging adjacent pages together */ 347 static void populate_rw_params( 348 struct page **pages, int pages_count, 349 unsigned long address, unsigned long address_end, 350 unsigned long first_page, unsigned long last_page, 351 unsigned int iter_last_page_size, int is_write, 352 struct goldfish_pipe_command *command) 353 { 354 /* 355 * Process the first page separately - it's the only page that 356 * needs special handling for its start address. 357 */ 358 unsigned long xaddr = page_to_phys(pages[0]); 359 unsigned long xaddr_prev = xaddr; 360 int buffer_idx = 0; 361 int i = 1; 362 int size_on_page = first_page == last_page 363 ? (int)(address_end - address) 364 : (PAGE_SIZE - (address & ~PAGE_MASK)); 365 command->rw_params.ptrs[0] = (u64)(xaddr | (address & ~PAGE_MASK)); 366 command->rw_params.sizes[0] = size_on_page; 367 for (; i < pages_count; ++i) { 368 xaddr = page_to_phys(pages[i]); 369 size_on_page = (i == pages_count - 1) ? 370 iter_last_page_size : PAGE_SIZE; 371 if (xaddr == xaddr_prev + PAGE_SIZE) { 372 command->rw_params.sizes[buffer_idx] += size_on_page; 373 } else { 374 ++buffer_idx; 375 command->rw_params.ptrs[buffer_idx] = (u64)xaddr; 376 command->rw_params.sizes[buffer_idx] = size_on_page; 377 } 378 xaddr_prev = xaddr; 379 } 380 command->rw_params.buffers_count = buffer_idx + 1; 381 } 382 383 static int transfer_max_buffers(struct goldfish_pipe *pipe, 384 unsigned long address, unsigned long address_end, int is_write, 385 unsigned long last_page, unsigned int last_page_size, 386 s32 *consumed_size, int *status) 387 { 388 static struct page *pages[MAX_BUFFERS_PER_COMMAND]; 389 unsigned long first_page = address & PAGE_MASK; 390 unsigned int iter_last_page_size; 391 int pages_count = pin_user_pages(first_page, last_page, 392 last_page_size, is_write, 393 pages, &iter_last_page_size); 394 395 if (pages_count < 0) 396 return pages_count; 397 398 /* Serialize access to the pipe command buffers */ 399 if (mutex_lock_interruptible(&pipe->lock)) 400 return -ERESTARTSYS; 401 402 populate_rw_params(pages, pages_count, address, address_end, 403 first_page, last_page, iter_last_page_size, is_write, 404 pipe->command_buffer); 405 406 /* Transfer the data */ 407 *status = goldfish_cmd_locked(pipe, 408 is_write ? PIPE_CMD_WRITE : PIPE_CMD_READ); 409 410 *consumed_size = pipe->command_buffer->rw_params.consumed_size; 411 412 release_user_pages(pages, pages_count, is_write, *consumed_size); 413 414 mutex_unlock(&pipe->lock); 415 416 return 0; 417 } 418 419 static int wait_for_host_signal(struct goldfish_pipe *pipe, int is_write) 420 { 421 u32 wakeBit = is_write ? BIT_WAKE_ON_WRITE : BIT_WAKE_ON_READ; 422 423 set_bit(wakeBit, &pipe->flags); 424 425 /* Tell the emulator we're going to wait for a wake event */ 426 (void)goldfish_cmd(pipe, 427 is_write ? PIPE_CMD_WAKE_ON_WRITE : PIPE_CMD_WAKE_ON_READ); 428 429 while (test_bit(wakeBit, &pipe->flags)) { 430 if (wait_event_interruptible( 431 pipe->wake_queue, 432 !test_bit(wakeBit, &pipe->flags))) 433 return -ERESTARTSYS; 434 435 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags)) 436 return -EIO; 437 } 438 439 return 0; 440 } 441 442 static ssize_t goldfish_pipe_read_write(struct file *filp, 443 char __user *buffer, size_t bufflen, int is_write) 444 { 445 struct goldfish_pipe *pipe = filp->private_data; 446 int count = 0, ret = -EINVAL; 447 unsigned long address, address_end, last_page; 448 unsigned int last_page_size; 449 450 /* If the emulator already closed the pipe, no need to go further */ 451 if (unlikely(test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))) 452 return -EIO; 453 /* Null reads or writes succeeds */ 454 if (unlikely(bufflen == 0)) 455 return 0; 456 /* Check the buffer range for access */ 457 if (unlikely(!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ, 458 buffer, bufflen))) 459 return -EFAULT; 460 461 address = (unsigned long)buffer; 462 address_end = address + bufflen; 463 last_page = (address_end - 1) & PAGE_MASK; 464 last_page_size = ((address_end - 1) & ~PAGE_MASK) + 1; 465 466 while (address < address_end) { 467 s32 consumed_size; 468 int status; 469 470 ret = transfer_max_buffers(pipe, address, address_end, is_write, 471 last_page, last_page_size, &consumed_size, 472 &status); 473 if (ret < 0) 474 break; 475 476 if (consumed_size > 0) { 477 /* No matter what's the status, we've transferred 478 * something. 479 */ 480 count += consumed_size; 481 address += consumed_size; 482 } 483 if (status > 0) 484 continue; 485 if (status == 0) { 486 /* EOF */ 487 ret = 0; 488 break; 489 } 490 if (count > 0) { 491 /* 492 * An error occurred, but we already transferred 493 * something on one of the previous iterations. 494 * Just return what we already copied and log this 495 * err. 496 */ 497 if (status != PIPE_ERROR_AGAIN) 498 pr_info_ratelimited("goldfish_pipe: backend error %d on %s\n", 499 status, is_write ? "write" : "read"); 500 break; 501 } 502 503 /* 504 * If the error is not PIPE_ERROR_AGAIN, or if we are in 505 * non-blocking mode, just return the error code. 506 */ 507 if (status != PIPE_ERROR_AGAIN || 508 (filp->f_flags & O_NONBLOCK) != 0) { 509 ret = goldfish_pipe_error_convert(status); 510 break; 511 } 512 513 status = wait_for_host_signal(pipe, is_write); 514 if (status < 0) 515 return status; 516 } 517 518 if (count > 0) 519 return count; 520 return ret; 521 } 522 523 static ssize_t goldfish_pipe_read(struct file *filp, char __user *buffer, 524 size_t bufflen, loff_t *ppos) 525 { 526 return goldfish_pipe_read_write(filp, buffer, bufflen, 527 /* is_write */ 0); 528 } 529 530 static ssize_t goldfish_pipe_write(struct file *filp, 531 const char __user *buffer, size_t bufflen, 532 loff_t *ppos) 533 { 534 return goldfish_pipe_read_write(filp, 535 /* cast away the const */(char __user *)buffer, bufflen, 536 /* is_write */ 1); 537 } 538 539 static __poll_t goldfish_pipe_poll(struct file *filp, poll_table *wait) 540 { 541 struct goldfish_pipe *pipe = filp->private_data; 542 __poll_t mask = 0; 543 int status; 544 545 poll_wait(filp, &pipe->wake_queue, wait); 546 547 status = goldfish_cmd(pipe, PIPE_CMD_POLL); 548 if (status < 0) 549 return -ERESTARTSYS; 550 551 if (status & PIPE_POLL_IN) 552 mask |= EPOLLIN | EPOLLRDNORM; 553 if (status & PIPE_POLL_OUT) 554 mask |= EPOLLOUT | EPOLLWRNORM; 555 if (status & PIPE_POLL_HUP) 556 mask |= EPOLLHUP; 557 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags)) 558 mask |= EPOLLERR; 559 560 return mask; 561 } 562 563 static void signalled_pipes_add_locked(struct goldfish_pipe_dev *dev, 564 u32 id, u32 flags) 565 { 566 struct goldfish_pipe *pipe; 567 568 if (WARN_ON(id >= dev->pipes_capacity)) 569 return; 570 571 pipe = dev->pipes[id]; 572 if (!pipe) 573 return; 574 pipe->signalled_flags |= flags; 575 576 if (pipe->prev_signalled || pipe->next_signalled 577 || dev->first_signalled_pipe == pipe) 578 return; /* already in the list */ 579 pipe->next_signalled = dev->first_signalled_pipe; 580 if (dev->first_signalled_pipe) 581 dev->first_signalled_pipe->prev_signalled = pipe; 582 dev->first_signalled_pipe = pipe; 583 } 584 585 static void signalled_pipes_remove_locked(struct goldfish_pipe_dev *dev, 586 struct goldfish_pipe *pipe) { 587 if (pipe->prev_signalled) 588 pipe->prev_signalled->next_signalled = pipe->next_signalled; 589 if (pipe->next_signalled) 590 pipe->next_signalled->prev_signalled = pipe->prev_signalled; 591 if (pipe == dev->first_signalled_pipe) 592 dev->first_signalled_pipe = pipe->next_signalled; 593 pipe->prev_signalled = NULL; 594 pipe->next_signalled = NULL; 595 } 596 597 static struct goldfish_pipe *signalled_pipes_pop_front( 598 struct goldfish_pipe_dev *dev, int *wakes) 599 { 600 struct goldfish_pipe *pipe; 601 unsigned long flags; 602 603 spin_lock_irqsave(&dev->lock, flags); 604 605 pipe = dev->first_signalled_pipe; 606 if (pipe) { 607 *wakes = pipe->signalled_flags; 608 pipe->signalled_flags = 0; 609 /* 610 * This is an optimized version of 611 * signalled_pipes_remove_locked() 612 * - We want to make it as fast as possible to 613 * wake the sleeping pipe operations faster. 614 */ 615 dev->first_signalled_pipe = pipe->next_signalled; 616 if (dev->first_signalled_pipe) 617 dev->first_signalled_pipe->prev_signalled = NULL; 618 pipe->next_signalled = NULL; 619 } 620 621 spin_unlock_irqrestore(&dev->lock, flags); 622 return pipe; 623 } 624 625 static void goldfish_interrupt_task(unsigned long unused) 626 { 627 struct goldfish_pipe_dev *dev = pipe_dev; 628 /* Iterate over the signalled pipes and wake them one by one */ 629 struct goldfish_pipe *pipe; 630 int wakes; 631 632 while ((pipe = signalled_pipes_pop_front(dev, &wakes)) != NULL) { 633 if (wakes & PIPE_WAKE_CLOSED) { 634 pipe->flags = 1 << BIT_CLOSED_ON_HOST; 635 } else { 636 if (wakes & PIPE_WAKE_READ) 637 clear_bit(BIT_WAKE_ON_READ, &pipe->flags); 638 if (wakes & PIPE_WAKE_WRITE) 639 clear_bit(BIT_WAKE_ON_WRITE, &pipe->flags); 640 } 641 /* 642 * wake_up_interruptible() implies a write barrier, so don't 643 * explicitly add another one here. 644 */ 645 wake_up_interruptible(&pipe->wake_queue); 646 } 647 } 648 DECLARE_TASKLET(goldfish_interrupt_tasklet, goldfish_interrupt_task, 0); 649 650 /* 651 * The general idea of the interrupt handling: 652 * 653 * 1. device raises an interrupt if there's at least one signalled pipe 654 * 2. IRQ handler reads the signalled pipes and their count from the device 655 * 3. device writes them into a shared buffer and returns the count 656 * it only resets the IRQ if it has returned all signalled pipes, 657 * otherwise it leaves it raised, so IRQ handler will be called 658 * again for the next chunk 659 * 4. IRQ handler adds all returned pipes to the device's signalled pipes list 660 * 5. IRQ handler launches a tasklet to process the signalled pipes from the 661 * list in a separate context 662 */ 663 static irqreturn_t goldfish_pipe_interrupt(int irq, void *dev_id) 664 { 665 u32 count; 666 u32 i; 667 unsigned long flags; 668 struct goldfish_pipe_dev *dev = dev_id; 669 670 if (dev != pipe_dev) 671 return IRQ_NONE; 672 673 /* Request the signalled pipes from the device */ 674 spin_lock_irqsave(&dev->lock, flags); 675 676 count = readl(dev->base + PIPE_REG_GET_SIGNALLED); 677 if (count == 0) { 678 spin_unlock_irqrestore(&dev->lock, flags); 679 return IRQ_NONE; 680 } 681 if (count > MAX_SIGNALLED_PIPES) 682 count = MAX_SIGNALLED_PIPES; 683 684 for (i = 0; i < count; ++i) 685 signalled_pipes_add_locked(dev, 686 dev->buffers->signalled_pipe_buffers[i].id, 687 dev->buffers->signalled_pipe_buffers[i].flags); 688 689 spin_unlock_irqrestore(&dev->lock, flags); 690 691 tasklet_schedule(&goldfish_interrupt_tasklet); 692 return IRQ_HANDLED; 693 } 694 695 static int get_free_pipe_id_locked(struct goldfish_pipe_dev *dev) 696 { 697 int id; 698 699 for (id = 0; id < dev->pipes_capacity; ++id) 700 if (!dev->pipes[id]) 701 return id; 702 703 { 704 /* Reallocate the array */ 705 u32 new_capacity = 2 * dev->pipes_capacity; 706 struct goldfish_pipe **pipes = 707 kcalloc(new_capacity, sizeof(*pipes), GFP_ATOMIC); 708 if (!pipes) 709 return -ENOMEM; 710 memcpy(pipes, dev->pipes, sizeof(*pipes) * dev->pipes_capacity); 711 kfree(dev->pipes); 712 dev->pipes = pipes; 713 id = dev->pipes_capacity; 714 dev->pipes_capacity = new_capacity; 715 } 716 return id; 717 } 718 719 /** 720 * goldfish_pipe_open - open a channel to the AVD 721 * @inode: inode of device 722 * @file: file struct of opener 723 * 724 * Create a new pipe link between the emulator and the use application. 725 * Each new request produces a new pipe. 726 * 727 * Note: we use the pipe ID as a mux. All goldfish emulations are 32bit 728 * right now so this is fine. A move to 64bit will need this addressing 729 */ 730 static int goldfish_pipe_open(struct inode *inode, struct file *file) 731 { 732 struct goldfish_pipe_dev *dev = pipe_dev; 733 unsigned long flags; 734 int id; 735 int status; 736 737 /* Allocate new pipe kernel object */ 738 struct goldfish_pipe *pipe = kzalloc(sizeof(*pipe), GFP_KERNEL); 739 if (pipe == NULL) 740 return -ENOMEM; 741 742 pipe->dev = dev; 743 mutex_init(&pipe->lock); 744 init_waitqueue_head(&pipe->wake_queue); 745 746 /* 747 * Command buffer needs to be allocated on its own page to make sure 748 * it is physically contiguous in host's address space. 749 */ 750 pipe->command_buffer = 751 (struct goldfish_pipe_command *)__get_free_page(GFP_KERNEL); 752 if (!pipe->command_buffer) { 753 status = -ENOMEM; 754 goto err_pipe; 755 } 756 757 spin_lock_irqsave(&dev->lock, flags); 758 759 id = get_free_pipe_id_locked(dev); 760 if (id < 0) { 761 status = id; 762 goto err_id_locked; 763 } 764 765 dev->pipes[id] = pipe; 766 pipe->id = id; 767 pipe->command_buffer->id = id; 768 769 /* Now tell the emulator we're opening a new pipe. */ 770 dev->buffers->open_command_params.rw_params_max_count = 771 MAX_BUFFERS_PER_COMMAND; 772 dev->buffers->open_command_params.command_buffer_ptr = 773 (u64)(unsigned long)__pa(pipe->command_buffer); 774 status = goldfish_cmd_locked(pipe, PIPE_CMD_OPEN); 775 spin_unlock_irqrestore(&dev->lock, flags); 776 if (status < 0) 777 goto err_cmd; 778 /* All is done, save the pipe into the file's private data field */ 779 file->private_data = pipe; 780 return 0; 781 782 err_cmd: 783 spin_lock_irqsave(&dev->lock, flags); 784 dev->pipes[id] = NULL; 785 err_id_locked: 786 spin_unlock_irqrestore(&dev->lock, flags); 787 free_page((unsigned long)pipe->command_buffer); 788 err_pipe: 789 kfree(pipe); 790 return status; 791 } 792 793 static int goldfish_pipe_release(struct inode *inode, struct file *filp) 794 { 795 unsigned long flags; 796 struct goldfish_pipe *pipe = filp->private_data; 797 struct goldfish_pipe_dev *dev = pipe->dev; 798 799 /* The guest is closing the channel, so tell the emulator right now */ 800 (void)goldfish_cmd(pipe, PIPE_CMD_CLOSE); 801 802 spin_lock_irqsave(&dev->lock, flags); 803 dev->pipes[pipe->id] = NULL; 804 signalled_pipes_remove_locked(dev, pipe); 805 spin_unlock_irqrestore(&dev->lock, flags); 806 807 filp->private_data = NULL; 808 free_page((unsigned long)pipe->command_buffer); 809 kfree(pipe); 810 return 0; 811 } 812 813 static const struct file_operations goldfish_pipe_fops = { 814 .owner = THIS_MODULE, 815 .read = goldfish_pipe_read, 816 .write = goldfish_pipe_write, 817 .poll = goldfish_pipe_poll, 818 .open = goldfish_pipe_open, 819 .release = goldfish_pipe_release, 820 }; 821 822 static struct miscdevice goldfish_pipe_dev = { 823 .minor = MISC_DYNAMIC_MINOR, 824 .name = "goldfish_pipe", 825 .fops = &goldfish_pipe_fops, 826 }; 827 828 static int goldfish_pipe_device_init(struct platform_device *pdev) 829 { 830 char *page; 831 struct goldfish_pipe_dev *dev = pipe_dev; 832 int err = devm_request_irq(&pdev->dev, dev->irq, 833 goldfish_pipe_interrupt, 834 IRQF_SHARED, "goldfish_pipe", dev); 835 if (err) { 836 dev_err(&pdev->dev, "unable to allocate IRQ for v2\n"); 837 return err; 838 } 839 840 err = misc_register(&goldfish_pipe_dev); 841 if (err) { 842 dev_err(&pdev->dev, "unable to register v2 device\n"); 843 return err; 844 } 845 846 dev->first_signalled_pipe = NULL; 847 dev->pipes_capacity = INITIAL_PIPES_CAPACITY; 848 dev->pipes = kcalloc(dev->pipes_capacity, sizeof(*dev->pipes), 849 GFP_KERNEL); 850 if (!dev->pipes) 851 return -ENOMEM; 852 853 /* 854 * We're going to pass two buffers, open_command_params and 855 * signalled_pipe_buffers, to the host. This means each of those buffers 856 * needs to be contained in a single physical page. The easiest choice 857 * is to just allocate a page and place the buffers in it. 858 */ 859 if (WARN_ON(sizeof(*dev->buffers) > PAGE_SIZE)) 860 return -ENOMEM; 861 862 page = (char *)__get_free_page(GFP_KERNEL); 863 if (!page) { 864 kfree(dev->pipes); 865 return -ENOMEM; 866 } 867 dev->buffers = (struct goldfish_pipe_dev_buffers *)page; 868 869 /* Send the buffer addresses to the host */ 870 { 871 u64 paddr = __pa(&dev->buffers->signalled_pipe_buffers); 872 873 writel((u32)(unsigned long)(paddr >> 32), 874 dev->base + PIPE_REG_SIGNAL_BUFFER_HIGH); 875 writel((u32)(unsigned long)paddr, 876 dev->base + PIPE_REG_SIGNAL_BUFFER); 877 writel((u32)MAX_SIGNALLED_PIPES, 878 dev->base + PIPE_REG_SIGNAL_BUFFER_COUNT); 879 880 paddr = __pa(&dev->buffers->open_command_params); 881 writel((u32)(unsigned long)(paddr >> 32), 882 dev->base + PIPE_REG_OPEN_BUFFER_HIGH); 883 writel((u32)(unsigned long)paddr, 884 dev->base + PIPE_REG_OPEN_BUFFER); 885 } 886 return 0; 887 } 888 889 static void goldfish_pipe_device_deinit(struct platform_device *pdev) 890 { 891 struct goldfish_pipe_dev *dev = pipe_dev; 892 893 misc_deregister(&goldfish_pipe_dev); 894 kfree(dev->pipes); 895 free_page((unsigned long)dev->buffers); 896 } 897 898 static int goldfish_pipe_probe(struct platform_device *pdev) 899 { 900 int err; 901 struct resource *r; 902 struct goldfish_pipe_dev *dev = pipe_dev; 903 904 if (WARN_ON(sizeof(struct goldfish_pipe_command) > PAGE_SIZE)) 905 return -ENOMEM; 906 907 /* not thread safe, but this should not happen */ 908 WARN_ON(dev->base != NULL); 909 910 spin_lock_init(&dev->lock); 911 912 r = platform_get_resource(pdev, IORESOURCE_MEM, 0); 913 if (r == NULL || resource_size(r) < PAGE_SIZE) { 914 dev_err(&pdev->dev, "can't allocate i/o page\n"); 915 return -EINVAL; 916 } 917 dev->base = devm_ioremap(&pdev->dev, r->start, PAGE_SIZE); 918 if (dev->base == NULL) { 919 dev_err(&pdev->dev, "ioremap failed\n"); 920 return -EINVAL; 921 } 922 923 r = platform_get_resource(pdev, IORESOURCE_IRQ, 0); 924 if (r == NULL) { 925 err = -EINVAL; 926 goto error; 927 } 928 dev->irq = r->start; 929 930 /* 931 * Exchange the versions with the host device 932 * 933 * Note: v1 driver used to not report its version, so we write it before 934 * reading device version back: this allows the host implementation to 935 * detect the old driver (if there was no version write before read). 936 */ 937 writel((u32)PIPE_DRIVER_VERSION, dev->base + PIPE_REG_VERSION); 938 dev->version = readl(dev->base + PIPE_REG_VERSION); 939 if (WARN_ON(dev->version < PIPE_CURRENT_DEVICE_VERSION)) 940 return -EINVAL; 941 942 err = goldfish_pipe_device_init(pdev); 943 if (!err) 944 return 0; 945 946 error: 947 dev->base = NULL; 948 return err; 949 } 950 951 static int goldfish_pipe_remove(struct platform_device *pdev) 952 { 953 struct goldfish_pipe_dev *dev = pipe_dev; 954 goldfish_pipe_device_deinit(pdev); 955 dev->base = NULL; 956 return 0; 957 } 958 959 static const struct acpi_device_id goldfish_pipe_acpi_match[] = { 960 { "GFSH0003", 0 }, 961 { }, 962 }; 963 MODULE_DEVICE_TABLE(acpi, goldfish_pipe_acpi_match); 964 965 static const struct of_device_id goldfish_pipe_of_match[] = { 966 { .compatible = "google,android-pipe", }, 967 {}, 968 }; 969 MODULE_DEVICE_TABLE(of, goldfish_pipe_of_match); 970 971 static struct platform_driver goldfish_pipe_driver = { 972 .probe = goldfish_pipe_probe, 973 .remove = goldfish_pipe_remove, 974 .driver = { 975 .name = "goldfish_pipe", 976 .of_match_table = goldfish_pipe_of_match, 977 .acpi_match_table = ACPI_PTR(goldfish_pipe_acpi_match), 978 } 979 }; 980 981 module_platform_driver(goldfish_pipe_driver); 982 MODULE_AUTHOR("David Turner <digit@google.com>"); 983 MODULE_LICENSE("GPL"); 984