1 /*
2  * Virtio-based remote processor messaging bus
3  *
4  * Copyright (C) 2011 Texas Instruments, Inc.
5  * Copyright (C) 2011 Google, Inc.
6  *
7  * Ohad Ben-Cohen <ohad@wizery.com>
8  * Brian Swetland <swetland@google.com>
9  *
10  * This software is licensed under the terms of the GNU General Public
11  * License version 2, as published by the Free Software Foundation, and
12  * may be copied, distributed, and modified under those terms.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  */
19 
20 #define pr_fmt(fmt) "%s: " fmt, __func__
21 
22 #include <linux/kernel.h>
23 #include <linux/module.h>
24 #include <linux/virtio.h>
25 #include <linux/virtio_ids.h>
26 #include <linux/virtio_config.h>
27 #include <linux/scatterlist.h>
28 #include <linux/dma-mapping.h>
29 #include <linux/slab.h>
30 #include <linux/idr.h>
31 #include <linux/jiffies.h>
32 #include <linux/sched.h>
33 #include <linux/wait.h>
34 #include <linux/rpmsg.h>
35 #include <linux/mutex.h>
36 
37 /**
38  * struct virtproc_info - virtual remote processor state
39  * @vdev:	the virtio device
40  * @rvq:	rx virtqueue
41  * @svq:	tx virtqueue
42  * @rbufs:	kernel address of rx buffers
43  * @sbufs:	kernel address of tx buffers
44  * @last_sbuf:	index of last tx buffer used
45  * @bufs_dma:	dma base addr of the buffers
46  * @tx_lock:	protects svq, sbufs and sleepers, to allow concurrent senders.
47  *		sending a message might require waking up a dozing remote
48  *		processor, which involves sleeping, hence the mutex.
49  * @endpoints:	idr of local endpoints, allows fast retrieval
50  * @endpoints_lock: lock of the endpoints set
51  * @sendq:	wait queue of sending contexts waiting for a tx buffers
52  * @sleepers:	number of senders that are waiting for a tx buffer
53  * @ns_ept:	the bus's name service endpoint
54  *
55  * This structure stores the rpmsg state of a given virtio remote processor
56  * device (there might be several virtio proc devices for each physical
57  * remote processor).
58  */
59 struct virtproc_info {
60 	struct virtio_device *vdev;
61 	struct virtqueue *rvq, *svq;
62 	void *rbufs, *sbufs;
63 	int last_sbuf;
64 	dma_addr_t bufs_dma;
65 	struct mutex tx_lock;
66 	struct idr endpoints;
67 	struct mutex endpoints_lock;
68 	wait_queue_head_t sendq;
69 	atomic_t sleepers;
70 	struct rpmsg_endpoint *ns_ept;
71 };
72 
73 /**
74  * struct rpmsg_channel_info - internal channel info representation
75  * @name: name of service
76  * @src: local address
77  * @dst: destination address
78  */
79 struct rpmsg_channel_info {
80 	char name[RPMSG_NAME_SIZE];
81 	u32 src;
82 	u32 dst;
83 };
84 
85 #define to_rpmsg_channel(d) container_of(d, struct rpmsg_channel, dev)
86 #define to_rpmsg_driver(d) container_of(d, struct rpmsg_driver, drv)
87 
88 /*
89  * We're allocating 512 buffers of 512 bytes for communications, and then
90  * using the first 256 buffers for RX, and the last 256 buffers for TX.
91  *
92  * Each buffer will have 16 bytes for the msg header and 496 bytes for
93  * the payload.
94  *
95  * This will require a total space of 256KB for the buffers.
96  *
97  * We might also want to add support for user-provided buffers in time.
98  * This will allow bigger buffer size flexibility, and can also be used
99  * to achieve zero-copy messaging.
100  *
101  * Note that these numbers are purely a decision of this driver - we
102  * can change this without changing anything in the firmware of the remote
103  * processor.
104  */
105 #define RPMSG_NUM_BUFS		(512)
106 #define RPMSG_BUF_SIZE		(512)
107 #define RPMSG_TOTAL_BUF_SPACE	(RPMSG_NUM_BUFS * RPMSG_BUF_SIZE)
108 
109 /*
110  * Local addresses are dynamically allocated on-demand.
111  * We do not dynamically assign addresses from the low 1024 range,
112  * in order to reserve that address range for predefined services.
113  */
114 #define RPMSG_RESERVED_ADDRESSES	(1024)
115 
116 /* Address 53 is reserved for advertising remote services */
117 #define RPMSG_NS_ADDR			(53)
118 
119 /* sysfs show configuration fields */
120 #define rpmsg_show_attr(field, path, format_string)			\
121 static ssize_t								\
122 field##_show(struct device *dev,					\
123 			struct device_attribute *attr, char *buf)	\
124 {									\
125 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);		\
126 									\
127 	return sprintf(buf, format_string, rpdev->path);		\
128 }
129 
130 /* for more info, see Documentation/ABI/testing/sysfs-bus-rpmsg */
131 rpmsg_show_attr(name, id.name, "%s\n");
132 rpmsg_show_attr(src, src, "0x%x\n");
133 rpmsg_show_attr(dst, dst, "0x%x\n");
134 rpmsg_show_attr(announce, announce ? "true" : "false", "%s\n");
135 
136 /*
137  * Unique (and free running) index for rpmsg devices.
138  *
139  * Yeah, we're not recycling those numbers (yet?). will be easy
140  * to change if/when we want to.
141  */
142 static unsigned int rpmsg_dev_index;
143 
144 static ssize_t modalias_show(struct device *dev,
145 			     struct device_attribute *attr, char *buf)
146 {
147 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
148 
149 	return sprintf(buf, RPMSG_DEVICE_MODALIAS_FMT "\n", rpdev->id.name);
150 }
151 
152 static struct device_attribute rpmsg_dev_attrs[] = {
153 	__ATTR_RO(name),
154 	__ATTR_RO(modalias),
155 	__ATTR_RO(dst),
156 	__ATTR_RO(src),
157 	__ATTR_RO(announce),
158 	__ATTR_NULL
159 };
160 
161 /* rpmsg devices and drivers are matched using the service name */
162 static inline int rpmsg_id_match(const struct rpmsg_channel *rpdev,
163 				  const struct rpmsg_device_id *id)
164 {
165 	return strncmp(id->name, rpdev->id.name, RPMSG_NAME_SIZE) == 0;
166 }
167 
168 /* match rpmsg channel and rpmsg driver */
169 static int rpmsg_dev_match(struct device *dev, struct device_driver *drv)
170 {
171 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
172 	struct rpmsg_driver *rpdrv = to_rpmsg_driver(drv);
173 	const struct rpmsg_device_id *ids = rpdrv->id_table;
174 	unsigned int i;
175 
176 	for (i = 0; ids[i].name[0]; i++)
177 		if (rpmsg_id_match(rpdev, &ids[i]))
178 			return 1;
179 
180 	return 0;
181 }
182 
183 static int rpmsg_uevent(struct device *dev, struct kobj_uevent_env *env)
184 {
185 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
186 
187 	return add_uevent_var(env, "MODALIAS=" RPMSG_DEVICE_MODALIAS_FMT,
188 					rpdev->id.name);
189 }
190 
191 /**
192  * __ept_release() - deallocate an rpmsg endpoint
193  * @kref: the ept's reference count
194  *
195  * This function deallocates an ept, and is invoked when its @kref refcount
196  * drops to zero.
197  *
198  * Never invoke this function directly!
199  */
200 static void __ept_release(struct kref *kref)
201 {
202 	struct rpmsg_endpoint *ept = container_of(kref, struct rpmsg_endpoint,
203 						  refcount);
204 	/*
205 	 * At this point no one holds a reference to ept anymore,
206 	 * so we can directly free it
207 	 */
208 	kfree(ept);
209 }
210 
211 /* for more info, see below documentation of rpmsg_create_ept() */
212 static struct rpmsg_endpoint *__rpmsg_create_ept(struct virtproc_info *vrp,
213 		struct rpmsg_channel *rpdev, rpmsg_rx_cb_t cb,
214 		void *priv, u32 addr)
215 {
216 	int id_min, id_max, id;
217 	struct rpmsg_endpoint *ept;
218 	struct device *dev = rpdev ? &rpdev->dev : &vrp->vdev->dev;
219 
220 	ept = kzalloc(sizeof(*ept), GFP_KERNEL);
221 	if (!ept) {
222 		dev_err(dev, "failed to kzalloc a new ept\n");
223 		return NULL;
224 	}
225 
226 	kref_init(&ept->refcount);
227 	mutex_init(&ept->cb_lock);
228 
229 	ept->rpdev = rpdev;
230 	ept->cb = cb;
231 	ept->priv = priv;
232 
233 	/* do we need to allocate a local address ? */
234 	if (addr == RPMSG_ADDR_ANY) {
235 		id_min = RPMSG_RESERVED_ADDRESSES;
236 		id_max = 0;
237 	} else {
238 		id_min = addr;
239 		id_max = addr + 1;
240 	}
241 
242 	mutex_lock(&vrp->endpoints_lock);
243 
244 	/* bind the endpoint to an rpmsg address (and allocate one if needed) */
245 	id = idr_alloc(&vrp->endpoints, ept, id_min, id_max, GFP_KERNEL);
246 	if (id < 0) {
247 		dev_err(dev, "idr_alloc failed: %d\n", id);
248 		goto free_ept;
249 	}
250 	ept->addr = id;
251 
252 	mutex_unlock(&vrp->endpoints_lock);
253 
254 	return ept;
255 
256 free_ept:
257 	mutex_unlock(&vrp->endpoints_lock);
258 	kref_put(&ept->refcount, __ept_release);
259 	return NULL;
260 }
261 
262 /**
263  * rpmsg_create_ept() - create a new rpmsg_endpoint
264  * @rpdev: rpmsg channel device
265  * @cb: rx callback handler
266  * @priv: private data for the driver's use
267  * @addr: local rpmsg address to bind with @cb
268  *
269  * Every rpmsg address in the system is bound to an rx callback (so when
270  * inbound messages arrive, they are dispatched by the rpmsg bus using the
271  * appropriate callback handler) by means of an rpmsg_endpoint struct.
272  *
273  * This function allows drivers to create such an endpoint, and by that,
274  * bind a callback, and possibly some private data too, to an rpmsg address
275  * (either one that is known in advance, or one that will be dynamically
276  * assigned for them).
277  *
278  * Simple rpmsg drivers need not call rpmsg_create_ept, because an endpoint
279  * is already created for them when they are probed by the rpmsg bus
280  * (using the rx callback provided when they registered to the rpmsg bus).
281  *
282  * So things should just work for simple drivers: they already have an
283  * endpoint, their rx callback is bound to their rpmsg address, and when
284  * relevant inbound messages arrive (i.e. messages which their dst address
285  * equals to the src address of their rpmsg channel), the driver's handler
286  * is invoked to process it.
287  *
288  * That said, more complicated drivers might do need to allocate
289  * additional rpmsg addresses, and bind them to different rx callbacks.
290  * To accomplish that, those drivers need to call this function.
291  *
292  * Drivers should provide their @rpdev channel (so the new endpoint would belong
293  * to the same remote processor their channel belongs to), an rx callback
294  * function, an optional private data (which is provided back when the
295  * rx callback is invoked), and an address they want to bind with the
296  * callback. If @addr is RPMSG_ADDR_ANY, then rpmsg_create_ept will
297  * dynamically assign them an available rpmsg address (drivers should have
298  * a very good reason why not to always use RPMSG_ADDR_ANY here).
299  *
300  * Returns a pointer to the endpoint on success, or NULL on error.
301  */
302 struct rpmsg_endpoint *rpmsg_create_ept(struct rpmsg_channel *rpdev,
303 				rpmsg_rx_cb_t cb, void *priv, u32 addr)
304 {
305 	return __rpmsg_create_ept(rpdev->vrp, rpdev, cb, priv, addr);
306 }
307 EXPORT_SYMBOL(rpmsg_create_ept);
308 
309 /**
310  * __rpmsg_destroy_ept() - destroy an existing rpmsg endpoint
311  * @vrp: virtproc which owns this ept
312  * @ept: endpoing to destroy
313  *
314  * An internal function which destroy an ept without assuming it is
315  * bound to an rpmsg channel. This is needed for handling the internal
316  * name service endpoint, which isn't bound to an rpmsg channel.
317  * See also __rpmsg_create_ept().
318  */
319 static void
320 __rpmsg_destroy_ept(struct virtproc_info *vrp, struct rpmsg_endpoint *ept)
321 {
322 	/* make sure new inbound messages can't find this ept anymore */
323 	mutex_lock(&vrp->endpoints_lock);
324 	idr_remove(&vrp->endpoints, ept->addr);
325 	mutex_unlock(&vrp->endpoints_lock);
326 
327 	/* make sure in-flight inbound messages won't invoke cb anymore */
328 	mutex_lock(&ept->cb_lock);
329 	ept->cb = NULL;
330 	mutex_unlock(&ept->cb_lock);
331 
332 	kref_put(&ept->refcount, __ept_release);
333 }
334 
335 /**
336  * rpmsg_destroy_ept() - destroy an existing rpmsg endpoint
337  * @ept: endpoing to destroy
338  *
339  * Should be used by drivers to destroy an rpmsg endpoint previously
340  * created with rpmsg_create_ept().
341  */
342 void rpmsg_destroy_ept(struct rpmsg_endpoint *ept)
343 {
344 	__rpmsg_destroy_ept(ept->rpdev->vrp, ept);
345 }
346 EXPORT_SYMBOL(rpmsg_destroy_ept);
347 
348 /*
349  * when an rpmsg driver is probed with a channel, we seamlessly create
350  * it an endpoint, binding its rx callback to a unique local rpmsg
351  * address.
352  *
353  * if we need to, we also announce about this channel to the remote
354  * processor (needed in case the driver is exposing an rpmsg service).
355  */
356 static int rpmsg_dev_probe(struct device *dev)
357 {
358 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
359 	struct rpmsg_driver *rpdrv = to_rpmsg_driver(rpdev->dev.driver);
360 	struct virtproc_info *vrp = rpdev->vrp;
361 	struct rpmsg_endpoint *ept;
362 	int err;
363 
364 	ept = rpmsg_create_ept(rpdev, rpdrv->callback, NULL, rpdev->src);
365 	if (!ept) {
366 		dev_err(dev, "failed to create endpoint\n");
367 		err = -ENOMEM;
368 		goto out;
369 	}
370 
371 	rpdev->ept = ept;
372 	rpdev->src = ept->addr;
373 
374 	err = rpdrv->probe(rpdev);
375 	if (err) {
376 		dev_err(dev, "%s: failed: %d\n", __func__, err);
377 		rpmsg_destroy_ept(ept);
378 		goto out;
379 	}
380 
381 	/* need to tell remote processor's name service about this channel ? */
382 	if (rpdev->announce &&
383 			virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
384 		struct rpmsg_ns_msg nsm;
385 
386 		strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
387 		nsm.addr = rpdev->src;
388 		nsm.flags = RPMSG_NS_CREATE;
389 
390 		err = rpmsg_sendto(rpdev, &nsm, sizeof(nsm), RPMSG_NS_ADDR);
391 		if (err)
392 			dev_err(dev, "failed to announce service %d\n", err);
393 	}
394 
395 out:
396 	return err;
397 }
398 
399 static int rpmsg_dev_remove(struct device *dev)
400 {
401 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
402 	struct rpmsg_driver *rpdrv = to_rpmsg_driver(rpdev->dev.driver);
403 	struct virtproc_info *vrp = rpdev->vrp;
404 	int err = 0;
405 
406 	/* tell remote processor's name service we're removing this channel */
407 	if (rpdev->announce &&
408 			virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
409 		struct rpmsg_ns_msg nsm;
410 
411 		strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
412 		nsm.addr = rpdev->src;
413 		nsm.flags = RPMSG_NS_DESTROY;
414 
415 		err = rpmsg_sendto(rpdev, &nsm, sizeof(nsm), RPMSG_NS_ADDR);
416 		if (err)
417 			dev_err(dev, "failed to announce service %d\n", err);
418 	}
419 
420 	rpdrv->remove(rpdev);
421 
422 	rpmsg_destroy_ept(rpdev->ept);
423 
424 	return err;
425 }
426 
427 static struct bus_type rpmsg_bus = {
428 	.name		= "rpmsg",
429 	.match		= rpmsg_dev_match,
430 	.dev_attrs	= rpmsg_dev_attrs,
431 	.uevent		= rpmsg_uevent,
432 	.probe		= rpmsg_dev_probe,
433 	.remove		= rpmsg_dev_remove,
434 };
435 
436 /**
437  * register_rpmsg_driver() - register an rpmsg driver with the rpmsg bus
438  * @rpdrv: pointer to a struct rpmsg_driver
439  *
440  * Returns 0 on success, and an appropriate error value on failure.
441  */
442 int register_rpmsg_driver(struct rpmsg_driver *rpdrv)
443 {
444 	rpdrv->drv.bus = &rpmsg_bus;
445 	return driver_register(&rpdrv->drv);
446 }
447 EXPORT_SYMBOL(register_rpmsg_driver);
448 
449 /**
450  * unregister_rpmsg_driver() - unregister an rpmsg driver from the rpmsg bus
451  * @rpdrv: pointer to a struct rpmsg_driver
452  *
453  * Returns 0 on success, and an appropriate error value on failure.
454  */
455 void unregister_rpmsg_driver(struct rpmsg_driver *rpdrv)
456 {
457 	driver_unregister(&rpdrv->drv);
458 }
459 EXPORT_SYMBOL(unregister_rpmsg_driver);
460 
461 static void rpmsg_release_device(struct device *dev)
462 {
463 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
464 
465 	kfree(rpdev);
466 }
467 
468 /*
469  * match an rpmsg channel with a channel info struct.
470  * this is used to make sure we're not creating rpmsg devices for channels
471  * that already exist.
472  */
473 static int rpmsg_channel_match(struct device *dev, void *data)
474 {
475 	struct rpmsg_channel_info *chinfo = data;
476 	struct rpmsg_channel *rpdev = to_rpmsg_channel(dev);
477 
478 	if (chinfo->src != RPMSG_ADDR_ANY && chinfo->src != rpdev->src)
479 		return 0;
480 
481 	if (chinfo->dst != RPMSG_ADDR_ANY && chinfo->dst != rpdev->dst)
482 		return 0;
483 
484 	if (strncmp(chinfo->name, rpdev->id.name, RPMSG_NAME_SIZE))
485 		return 0;
486 
487 	/* found a match ! */
488 	return 1;
489 }
490 
491 /*
492  * create an rpmsg channel using its name and address info.
493  * this function will be used to create both static and dynamic
494  * channels.
495  */
496 static struct rpmsg_channel *rpmsg_create_channel(struct virtproc_info *vrp,
497 				struct rpmsg_channel_info *chinfo)
498 {
499 	struct rpmsg_channel *rpdev;
500 	struct device *tmp, *dev = &vrp->vdev->dev;
501 	int ret;
502 
503 	/* make sure a similar channel doesn't already exist */
504 	tmp = device_find_child(dev, chinfo, rpmsg_channel_match);
505 	if (tmp) {
506 		/* decrement the matched device's refcount back */
507 		put_device(tmp);
508 		dev_err(dev, "channel %s:%x:%x already exist\n",
509 				chinfo->name, chinfo->src, chinfo->dst);
510 		return NULL;
511 	}
512 
513 	rpdev = kzalloc(sizeof(struct rpmsg_channel), GFP_KERNEL);
514 	if (!rpdev) {
515 		pr_err("kzalloc failed\n");
516 		return NULL;
517 	}
518 
519 	rpdev->vrp = vrp;
520 	rpdev->src = chinfo->src;
521 	rpdev->dst = chinfo->dst;
522 
523 	/*
524 	 * rpmsg server channels has predefined local address (for now),
525 	 * and their existence needs to be announced remotely
526 	 */
527 	rpdev->announce = rpdev->src != RPMSG_ADDR_ANY ? true : false;
528 
529 	strncpy(rpdev->id.name, chinfo->name, RPMSG_NAME_SIZE);
530 
531 	/* very simple device indexing plumbing which is enough for now */
532 	dev_set_name(&rpdev->dev, "rpmsg%d", rpmsg_dev_index++);
533 
534 	rpdev->dev.parent = &vrp->vdev->dev;
535 	rpdev->dev.bus = &rpmsg_bus;
536 	rpdev->dev.release = rpmsg_release_device;
537 
538 	ret = device_register(&rpdev->dev);
539 	if (ret) {
540 		dev_err(dev, "device_register failed: %d\n", ret);
541 		put_device(&rpdev->dev);
542 		return NULL;
543 	}
544 
545 	return rpdev;
546 }
547 
548 /*
549  * find an existing channel using its name + address properties,
550  * and destroy it
551  */
552 static int rpmsg_destroy_channel(struct virtproc_info *vrp,
553 					struct rpmsg_channel_info *chinfo)
554 {
555 	struct virtio_device *vdev = vrp->vdev;
556 	struct device *dev;
557 
558 	dev = device_find_child(&vdev->dev, chinfo, rpmsg_channel_match);
559 	if (!dev)
560 		return -EINVAL;
561 
562 	device_unregister(dev);
563 
564 	put_device(dev);
565 
566 	return 0;
567 }
568 
569 /* super simple buffer "allocator" that is just enough for now */
570 static void *get_a_tx_buf(struct virtproc_info *vrp)
571 {
572 	unsigned int len;
573 	void *ret;
574 
575 	/* support multiple concurrent senders */
576 	mutex_lock(&vrp->tx_lock);
577 
578 	/*
579 	 * either pick the next unused tx buffer
580 	 * (half of our buffers are used for sending messages)
581 	 */
582 	if (vrp->last_sbuf < RPMSG_NUM_BUFS / 2)
583 		ret = vrp->sbufs + RPMSG_BUF_SIZE * vrp->last_sbuf++;
584 	/* or recycle a used one */
585 	else
586 		ret = virtqueue_get_buf(vrp->svq, &len);
587 
588 	mutex_unlock(&vrp->tx_lock);
589 
590 	return ret;
591 }
592 
593 /**
594  * rpmsg_upref_sleepers() - enable "tx-complete" interrupts, if needed
595  * @vrp: virtual remote processor state
596  *
597  * This function is called before a sender is blocked, waiting for
598  * a tx buffer to become available.
599  *
600  * If we already have blocking senders, this function merely increases
601  * the "sleepers" reference count, and exits.
602  *
603  * Otherwise, if this is the first sender to block, we also enable
604  * virtio's tx callbacks, so we'd be immediately notified when a tx
605  * buffer is consumed (we rely on virtio's tx callback in order
606  * to wake up sleeping senders as soon as a tx buffer is used by the
607  * remote processor).
608  */
609 static void rpmsg_upref_sleepers(struct virtproc_info *vrp)
610 {
611 	/* support multiple concurrent senders */
612 	mutex_lock(&vrp->tx_lock);
613 
614 	/* are we the first sleeping context waiting for tx buffers ? */
615 	if (atomic_inc_return(&vrp->sleepers) == 1)
616 		/* enable "tx-complete" interrupts before dozing off */
617 		virtqueue_enable_cb(vrp->svq);
618 
619 	mutex_unlock(&vrp->tx_lock);
620 }
621 
622 /**
623  * rpmsg_downref_sleepers() - disable "tx-complete" interrupts, if needed
624  * @vrp: virtual remote processor state
625  *
626  * This function is called after a sender, that waited for a tx buffer
627  * to become available, is unblocked.
628  *
629  * If we still have blocking senders, this function merely decreases
630  * the "sleepers" reference count, and exits.
631  *
632  * Otherwise, if there are no more blocking senders, we also disable
633  * virtio's tx callbacks, to avoid the overhead incurred with handling
634  * those (now redundant) interrupts.
635  */
636 static void rpmsg_downref_sleepers(struct virtproc_info *vrp)
637 {
638 	/* support multiple concurrent senders */
639 	mutex_lock(&vrp->tx_lock);
640 
641 	/* are we the last sleeping context waiting for tx buffers ? */
642 	if (atomic_dec_and_test(&vrp->sleepers))
643 		/* disable "tx-complete" interrupts */
644 		virtqueue_disable_cb(vrp->svq);
645 
646 	mutex_unlock(&vrp->tx_lock);
647 }
648 
649 /**
650  * rpmsg_send_offchannel_raw() - send a message across to the remote processor
651  * @rpdev: the rpmsg channel
652  * @src: source address
653  * @dst: destination address
654  * @data: payload of message
655  * @len: length of payload
656  * @wait: indicates whether caller should block in case no TX buffers available
657  *
658  * This function is the base implementation for all of the rpmsg sending API.
659  *
660  * It will send @data of length @len to @dst, and say it's from @src. The
661  * message will be sent to the remote processor which the @rpdev channel
662  * belongs to.
663  *
664  * The message is sent using one of the TX buffers that are available for
665  * communication with this remote processor.
666  *
667  * If @wait is true, the caller will be blocked until either a TX buffer is
668  * available, or 15 seconds elapses (we don't want callers to
669  * sleep indefinitely due to misbehaving remote processors), and in that
670  * case -ERESTARTSYS is returned. The number '15' itself was picked
671  * arbitrarily; there's little point in asking drivers to provide a timeout
672  * value themselves.
673  *
674  * Otherwise, if @wait is false, and there are no TX buffers available,
675  * the function will immediately fail, and -ENOMEM will be returned.
676  *
677  * Normally drivers shouldn't use this function directly; instead, drivers
678  * should use the appropriate rpmsg_{try}send{to, _offchannel} API
679  * (see include/linux/rpmsg.h).
680  *
681  * Returns 0 on success and an appropriate error value on failure.
682  */
683 int rpmsg_send_offchannel_raw(struct rpmsg_channel *rpdev, u32 src, u32 dst,
684 					void *data, int len, bool wait)
685 {
686 	struct virtproc_info *vrp = rpdev->vrp;
687 	struct device *dev = &rpdev->dev;
688 	struct scatterlist sg;
689 	struct rpmsg_hdr *msg;
690 	int err;
691 
692 	/* bcasting isn't allowed */
693 	if (src == RPMSG_ADDR_ANY || dst == RPMSG_ADDR_ANY) {
694 		dev_err(dev, "invalid addr (src 0x%x, dst 0x%x)\n", src, dst);
695 		return -EINVAL;
696 	}
697 
698 	/*
699 	 * We currently use fixed-sized buffers, and therefore the payload
700 	 * length is limited.
701 	 *
702 	 * One of the possible improvements here is either to support
703 	 * user-provided buffers (and then we can also support zero-copy
704 	 * messaging), or to improve the buffer allocator, to support
705 	 * variable-length buffer sizes.
706 	 */
707 	if (len > RPMSG_BUF_SIZE - sizeof(struct rpmsg_hdr)) {
708 		dev_err(dev, "message is too big (%d)\n", len);
709 		return -EMSGSIZE;
710 	}
711 
712 	/* grab a buffer */
713 	msg = get_a_tx_buf(vrp);
714 	if (!msg && !wait)
715 		return -ENOMEM;
716 
717 	/* no free buffer ? wait for one (but bail after 15 seconds) */
718 	while (!msg) {
719 		/* enable "tx-complete" interrupts, if not already enabled */
720 		rpmsg_upref_sleepers(vrp);
721 
722 		/*
723 		 * sleep until a free buffer is available or 15 secs elapse.
724 		 * the timeout period is not configurable because there's
725 		 * little point in asking drivers to specify that.
726 		 * if later this happens to be required, it'd be easy to add.
727 		 */
728 		err = wait_event_interruptible_timeout(vrp->sendq,
729 					(msg = get_a_tx_buf(vrp)),
730 					msecs_to_jiffies(15000));
731 
732 		/* disable "tx-complete" interrupts if we're the last sleeper */
733 		rpmsg_downref_sleepers(vrp);
734 
735 		/* timeout ? */
736 		if (!err) {
737 			dev_err(dev, "timeout waiting for a tx buffer\n");
738 			return -ERESTARTSYS;
739 		}
740 	}
741 
742 	msg->len = len;
743 	msg->flags = 0;
744 	msg->src = src;
745 	msg->dst = dst;
746 	msg->reserved = 0;
747 	memcpy(msg->data, data, len);
748 
749 	dev_dbg(dev, "TX From 0x%x, To 0x%x, Len %d, Flags %d, Reserved %d\n",
750 					msg->src, msg->dst, msg->len,
751 					msg->flags, msg->reserved);
752 	print_hex_dump(KERN_DEBUG, "rpmsg_virtio TX: ", DUMP_PREFIX_NONE, 16, 1,
753 					msg, sizeof(*msg) + msg->len, true);
754 
755 	sg_init_one(&sg, msg, sizeof(*msg) + len);
756 
757 	mutex_lock(&vrp->tx_lock);
758 
759 	/* add message to the remote processor's virtqueue */
760 	err = virtqueue_add_outbuf(vrp->svq, &sg, 1, msg, GFP_KERNEL);
761 	if (err) {
762 		/*
763 		 * need to reclaim the buffer here, otherwise it's lost
764 		 * (memory won't leak, but rpmsg won't use it again for TX).
765 		 * this will wait for a buffer management overhaul.
766 		 */
767 		dev_err(dev, "virtqueue_add_outbuf failed: %d\n", err);
768 		goto out;
769 	}
770 
771 	/* tell the remote processor it has a pending message to read */
772 	virtqueue_kick(vrp->svq);
773 out:
774 	mutex_unlock(&vrp->tx_lock);
775 	return err;
776 }
777 EXPORT_SYMBOL(rpmsg_send_offchannel_raw);
778 
779 static int rpmsg_recv_single(struct virtproc_info *vrp, struct device *dev,
780 			     struct rpmsg_hdr *msg, unsigned int len)
781 {
782 	struct rpmsg_endpoint *ept;
783 	struct scatterlist sg;
784 	int err;
785 
786 	dev_dbg(dev, "From: 0x%x, To: 0x%x, Len: %d, Flags: %d, Reserved: %d\n",
787 					msg->src, msg->dst, msg->len,
788 					msg->flags, msg->reserved);
789 	print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1,
790 					msg, sizeof(*msg) + msg->len, true);
791 
792 	/*
793 	 * We currently use fixed-sized buffers, so trivially sanitize
794 	 * the reported payload length.
795 	 */
796 	if (len > RPMSG_BUF_SIZE ||
797 		msg->len > (len - sizeof(struct rpmsg_hdr))) {
798 		dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len);
799 		return -EINVAL;
800 	}
801 
802 	/* use the dst addr to fetch the callback of the appropriate user */
803 	mutex_lock(&vrp->endpoints_lock);
804 
805 	ept = idr_find(&vrp->endpoints, msg->dst);
806 
807 	/* let's make sure no one deallocates ept while we use it */
808 	if (ept)
809 		kref_get(&ept->refcount);
810 
811 	mutex_unlock(&vrp->endpoints_lock);
812 
813 	if (ept) {
814 		/* make sure ept->cb doesn't go away while we use it */
815 		mutex_lock(&ept->cb_lock);
816 
817 		if (ept->cb)
818 			ept->cb(ept->rpdev, msg->data, msg->len, ept->priv,
819 				msg->src);
820 
821 		mutex_unlock(&ept->cb_lock);
822 
823 		/* farewell, ept, we don't need you anymore */
824 		kref_put(&ept->refcount, __ept_release);
825 	} else
826 		dev_warn(dev, "msg received with no recipient\n");
827 
828 	/* publish the real size of the buffer */
829 	sg_init_one(&sg, msg, RPMSG_BUF_SIZE);
830 
831 	/* add the buffer back to the remote processor's virtqueue */
832 	err = virtqueue_add_inbuf(vrp->rvq, &sg, 1, msg, GFP_KERNEL);
833 	if (err < 0) {
834 		dev_err(dev, "failed to add a virtqueue buffer: %d\n", err);
835 		return err;
836 	}
837 
838 	return 0;
839 }
840 
841 /* called when an rx buffer is used, and it's time to digest a message */
842 static void rpmsg_recv_done(struct virtqueue *rvq)
843 {
844 	struct virtproc_info *vrp = rvq->vdev->priv;
845 	struct device *dev = &rvq->vdev->dev;
846 	struct rpmsg_hdr *msg;
847 	unsigned int len, msgs_received = 0;
848 	int err;
849 
850 	msg = virtqueue_get_buf(rvq, &len);
851 	if (!msg) {
852 		dev_err(dev, "uhm, incoming signal, but no used buffer ?\n");
853 		return;
854 	}
855 
856 	while (msg) {
857 		err = rpmsg_recv_single(vrp, dev, msg, len);
858 		if (err)
859 			break;
860 
861 		msgs_received++;
862 
863 		msg = virtqueue_get_buf(rvq, &len);
864 	};
865 
866 	dev_dbg(dev, "Received %u messages\n", msgs_received);
867 
868 	/* tell the remote processor we added another available rx buffer */
869 	if (msgs_received)
870 		virtqueue_kick(vrp->rvq);
871 }
872 
873 /*
874  * This is invoked whenever the remote processor completed processing
875  * a TX msg we just sent it, and the buffer is put back to the used ring.
876  *
877  * Normally, though, we suppress this "tx complete" interrupt in order to
878  * avoid the incurred overhead.
879  */
880 static void rpmsg_xmit_done(struct virtqueue *svq)
881 {
882 	struct virtproc_info *vrp = svq->vdev->priv;
883 
884 	dev_dbg(&svq->vdev->dev, "%s\n", __func__);
885 
886 	/* wake up potential senders that are waiting for a tx buffer */
887 	wake_up_interruptible(&vrp->sendq);
888 }
889 
890 /* invoked when a name service announcement arrives */
891 static void rpmsg_ns_cb(struct rpmsg_channel *rpdev, void *data, int len,
892 							void *priv, u32 src)
893 {
894 	struct rpmsg_ns_msg *msg = data;
895 	struct rpmsg_channel *newch;
896 	struct rpmsg_channel_info chinfo;
897 	struct virtproc_info *vrp = priv;
898 	struct device *dev = &vrp->vdev->dev;
899 	int ret;
900 
901 	print_hex_dump(KERN_DEBUG, "NS announcement: ",
902 			DUMP_PREFIX_NONE, 16, 1,
903 			data, len, true);
904 
905 	if (len != sizeof(*msg)) {
906 		dev_err(dev, "malformed ns msg (%d)\n", len);
907 		return;
908 	}
909 
910 	/*
911 	 * the name service ept does _not_ belong to a real rpmsg channel,
912 	 * and is handled by the rpmsg bus itself.
913 	 * for sanity reasons, make sure a valid rpdev has _not_ sneaked
914 	 * in somehow.
915 	 */
916 	if (rpdev) {
917 		dev_err(dev, "anomaly: ns ept has an rpdev handle\n");
918 		return;
919 	}
920 
921 	/* don't trust the remote processor for null terminating the name */
922 	msg->name[RPMSG_NAME_SIZE - 1] = '\0';
923 
924 	dev_info(dev, "%sing channel %s addr 0x%x\n",
925 			msg->flags & RPMSG_NS_DESTROY ? "destroy" : "creat",
926 			msg->name, msg->addr);
927 
928 	strncpy(chinfo.name, msg->name, sizeof(chinfo.name));
929 	chinfo.src = RPMSG_ADDR_ANY;
930 	chinfo.dst = msg->addr;
931 
932 	if (msg->flags & RPMSG_NS_DESTROY) {
933 		ret = rpmsg_destroy_channel(vrp, &chinfo);
934 		if (ret)
935 			dev_err(dev, "rpmsg_destroy_channel failed: %d\n", ret);
936 	} else {
937 		newch = rpmsg_create_channel(vrp, &chinfo);
938 		if (!newch)
939 			dev_err(dev, "rpmsg_create_channel failed\n");
940 	}
941 }
942 
943 static int rpmsg_probe(struct virtio_device *vdev)
944 {
945 	vq_callback_t *vq_cbs[] = { rpmsg_recv_done, rpmsg_xmit_done };
946 	const char *names[] = { "input", "output" };
947 	struct virtqueue *vqs[2];
948 	struct virtproc_info *vrp;
949 	void *bufs_va;
950 	int err = 0, i;
951 
952 	vrp = kzalloc(sizeof(*vrp), GFP_KERNEL);
953 	if (!vrp)
954 		return -ENOMEM;
955 
956 	vrp->vdev = vdev;
957 
958 	idr_init(&vrp->endpoints);
959 	mutex_init(&vrp->endpoints_lock);
960 	mutex_init(&vrp->tx_lock);
961 	init_waitqueue_head(&vrp->sendq);
962 
963 	/* We expect two virtqueues, rx and tx (and in this order) */
964 	err = vdev->config->find_vqs(vdev, 2, vqs, vq_cbs, names);
965 	if (err)
966 		goto free_vrp;
967 
968 	vrp->rvq = vqs[0];
969 	vrp->svq = vqs[1];
970 
971 	/* allocate coherent memory for the buffers */
972 	bufs_va = dma_alloc_coherent(vdev->dev.parent->parent,
973 				RPMSG_TOTAL_BUF_SPACE,
974 				&vrp->bufs_dma, GFP_KERNEL);
975 	if (!bufs_va) {
976 		err = -ENOMEM;
977 		goto vqs_del;
978 	}
979 
980 	dev_dbg(&vdev->dev, "buffers: va %p, dma 0x%llx\n", bufs_va,
981 					(unsigned long long)vrp->bufs_dma);
982 
983 	/* half of the buffers is dedicated for RX */
984 	vrp->rbufs = bufs_va;
985 
986 	/* and half is dedicated for TX */
987 	vrp->sbufs = bufs_va + RPMSG_TOTAL_BUF_SPACE / 2;
988 
989 	/* set up the receive buffers */
990 	for (i = 0; i < RPMSG_NUM_BUFS / 2; i++) {
991 		struct scatterlist sg;
992 		void *cpu_addr = vrp->rbufs + i * RPMSG_BUF_SIZE;
993 
994 		sg_init_one(&sg, cpu_addr, RPMSG_BUF_SIZE);
995 
996 		err = virtqueue_add_inbuf(vrp->rvq, &sg, 1, cpu_addr,
997 								GFP_KERNEL);
998 		WARN_ON(err); /* sanity check; this can't really happen */
999 	}
1000 
1001 	/* suppress "tx-complete" interrupts */
1002 	virtqueue_disable_cb(vrp->svq);
1003 
1004 	vdev->priv = vrp;
1005 
1006 	/* if supported by the remote processor, enable the name service */
1007 	if (virtio_has_feature(vdev, VIRTIO_RPMSG_F_NS)) {
1008 		/* a dedicated endpoint handles the name service msgs */
1009 		vrp->ns_ept = __rpmsg_create_ept(vrp, NULL, rpmsg_ns_cb,
1010 						vrp, RPMSG_NS_ADDR);
1011 		if (!vrp->ns_ept) {
1012 			dev_err(&vdev->dev, "failed to create the ns ept\n");
1013 			err = -ENOMEM;
1014 			goto free_coherent;
1015 		}
1016 	}
1017 
1018 	/* tell the remote processor it can start sending messages */
1019 	virtqueue_kick(vrp->rvq);
1020 
1021 	dev_info(&vdev->dev, "rpmsg host is online\n");
1022 
1023 	return 0;
1024 
1025 free_coherent:
1026 	dma_free_coherent(vdev->dev.parent->parent, RPMSG_TOTAL_BUF_SPACE,
1027 					bufs_va, vrp->bufs_dma);
1028 vqs_del:
1029 	vdev->config->del_vqs(vrp->vdev);
1030 free_vrp:
1031 	kfree(vrp);
1032 	return err;
1033 }
1034 
1035 static int rpmsg_remove_device(struct device *dev, void *data)
1036 {
1037 	device_unregister(dev);
1038 
1039 	return 0;
1040 }
1041 
1042 static void rpmsg_remove(struct virtio_device *vdev)
1043 {
1044 	struct virtproc_info *vrp = vdev->priv;
1045 	int ret;
1046 
1047 	vdev->config->reset(vdev);
1048 
1049 	ret = device_for_each_child(&vdev->dev, NULL, rpmsg_remove_device);
1050 	if (ret)
1051 		dev_warn(&vdev->dev, "can't remove rpmsg device: %d\n", ret);
1052 
1053 	if (vrp->ns_ept)
1054 		__rpmsg_destroy_ept(vrp, vrp->ns_ept);
1055 
1056 	idr_destroy(&vrp->endpoints);
1057 
1058 	vdev->config->del_vqs(vrp->vdev);
1059 
1060 	dma_free_coherent(vdev->dev.parent->parent, RPMSG_TOTAL_BUF_SPACE,
1061 					vrp->rbufs, vrp->bufs_dma);
1062 
1063 	kfree(vrp);
1064 }
1065 
1066 static struct virtio_device_id id_table[] = {
1067 	{ VIRTIO_ID_RPMSG, VIRTIO_DEV_ANY_ID },
1068 	{ 0 },
1069 };
1070 
1071 static unsigned int features[] = {
1072 	VIRTIO_RPMSG_F_NS,
1073 };
1074 
1075 static struct virtio_driver virtio_ipc_driver = {
1076 	.feature_table	= features,
1077 	.feature_table_size = ARRAY_SIZE(features),
1078 	.driver.name	= KBUILD_MODNAME,
1079 	.driver.owner	= THIS_MODULE,
1080 	.id_table	= id_table,
1081 	.probe		= rpmsg_probe,
1082 	.remove		= rpmsg_remove,
1083 };
1084 
1085 static int __init rpmsg_init(void)
1086 {
1087 	int ret;
1088 
1089 	ret = bus_register(&rpmsg_bus);
1090 	if (ret) {
1091 		pr_err("failed to register rpmsg bus: %d\n", ret);
1092 		return ret;
1093 	}
1094 
1095 	ret = register_virtio_driver(&virtio_ipc_driver);
1096 	if (ret) {
1097 		pr_err("failed to register virtio driver: %d\n", ret);
1098 		bus_unregister(&rpmsg_bus);
1099 	}
1100 
1101 	return ret;
1102 }
1103 subsys_initcall(rpmsg_init);
1104 
1105 static void __exit rpmsg_fini(void)
1106 {
1107 	unregister_virtio_driver(&virtio_ipc_driver);
1108 	bus_unregister(&rpmsg_bus);
1109 }
1110 module_exit(rpmsg_fini);
1111 
1112 MODULE_DEVICE_TABLE(virtio, id_table);
1113 MODULE_DESCRIPTION("Virtio-based remote processor messaging bus");
1114 MODULE_LICENSE("GPL v2");
1115