xref: /openbmc/linux/drivers/vhost/net.c (revision c819e2cf)
1 /* Copyright (C) 2009 Red Hat, Inc.
2  * Author: Michael S. Tsirkin <mst@redhat.com>
3  *
4  * This work is licensed under the terms of the GNU GPL, version 2.
5  *
6  * virtio-net server in host kernel.
7  */
8 
9 #include <linux/compat.h>
10 #include <linux/eventfd.h>
11 #include <linux/vhost.h>
12 #include <linux/virtio_net.h>
13 #include <linux/miscdevice.h>
14 #include <linux/module.h>
15 #include <linux/moduleparam.h>
16 #include <linux/mutex.h>
17 #include <linux/workqueue.h>
18 #include <linux/file.h>
19 #include <linux/slab.h>
20 #include <linux/vmalloc.h>
21 
22 #include <linux/net.h>
23 #include <linux/if_packet.h>
24 #include <linux/if_arp.h>
25 #include <linux/if_tun.h>
26 #include <linux/if_macvlan.h>
27 #include <linux/if_vlan.h>
28 
29 #include <net/sock.h>
30 
31 #include "vhost.h"
32 
33 static int experimental_zcopytx = 1;
34 module_param(experimental_zcopytx, int, 0444);
35 MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
36 		                       " 1 -Enable; 0 - Disable");
37 
38 /* Max number of bytes transferred before requeueing the job.
39  * Using this limit prevents one virtqueue from starving others. */
40 #define VHOST_NET_WEIGHT 0x80000
41 
42 /* MAX number of TX used buffers for outstanding zerocopy */
43 #define VHOST_MAX_PEND 128
44 #define VHOST_GOODCOPY_LEN 256
45 
46 /*
47  * For transmit, used buffer len is unused; we override it to track buffer
48  * status internally; used for zerocopy tx only.
49  */
50 /* Lower device DMA failed */
51 #define VHOST_DMA_FAILED_LEN	((__force __virtio32)3)
52 /* Lower device DMA done */
53 #define VHOST_DMA_DONE_LEN	((__force __virtio32)2)
54 /* Lower device DMA in progress */
55 #define VHOST_DMA_IN_PROGRESS	((__force __virtio32)1)
56 /* Buffer unused */
57 #define VHOST_DMA_CLEAR_LEN	((__force __virtio32)0)
58 
59 #define VHOST_DMA_IS_DONE(len) ((__force u32)(len) >= (__force u32)VHOST_DMA_DONE_LEN)
60 
61 enum {
62 	VHOST_NET_FEATURES = VHOST_FEATURES |
63 			 (1ULL << VHOST_NET_F_VIRTIO_NET_HDR) |
64 			 (1ULL << VIRTIO_NET_F_MRG_RXBUF) |
65 			 (1ULL << VIRTIO_F_VERSION_1),
66 };
67 
68 enum {
69 	VHOST_NET_VQ_RX = 0,
70 	VHOST_NET_VQ_TX = 1,
71 	VHOST_NET_VQ_MAX = 2,
72 };
73 
74 struct vhost_net_ubuf_ref {
75 	/* refcount follows semantics similar to kref:
76 	 *  0: object is released
77 	 *  1: no outstanding ubufs
78 	 * >1: outstanding ubufs
79 	 */
80 	atomic_t refcount;
81 	wait_queue_head_t wait;
82 	struct vhost_virtqueue *vq;
83 };
84 
85 struct vhost_net_virtqueue {
86 	struct vhost_virtqueue vq;
87 	/* hdr is used to store the virtio header.
88 	 * Since each iovec has >= 1 byte length, we never need more than
89 	 * header length entries to store the header. */
90 	struct iovec hdr[sizeof(struct virtio_net_hdr_mrg_rxbuf)];
91 	size_t vhost_hlen;
92 	size_t sock_hlen;
93 	/* vhost zerocopy support fields below: */
94 	/* last used idx for outstanding DMA zerocopy buffers */
95 	int upend_idx;
96 	/* first used idx for DMA done zerocopy buffers */
97 	int done_idx;
98 	/* an array of userspace buffers info */
99 	struct ubuf_info *ubuf_info;
100 	/* Reference counting for outstanding ubufs.
101 	 * Protected by vq mutex. Writers must also take device mutex. */
102 	struct vhost_net_ubuf_ref *ubufs;
103 };
104 
105 struct vhost_net {
106 	struct vhost_dev dev;
107 	struct vhost_net_virtqueue vqs[VHOST_NET_VQ_MAX];
108 	struct vhost_poll poll[VHOST_NET_VQ_MAX];
109 	/* Number of TX recently submitted.
110 	 * Protected by tx vq lock. */
111 	unsigned tx_packets;
112 	/* Number of times zerocopy TX recently failed.
113 	 * Protected by tx vq lock. */
114 	unsigned tx_zcopy_err;
115 	/* Flush in progress. Protected by tx vq lock. */
116 	bool tx_flush;
117 };
118 
119 static unsigned vhost_net_zcopy_mask __read_mostly;
120 
121 static void vhost_net_enable_zcopy(int vq)
122 {
123 	vhost_net_zcopy_mask |= 0x1 << vq;
124 }
125 
126 static struct vhost_net_ubuf_ref *
127 vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy)
128 {
129 	struct vhost_net_ubuf_ref *ubufs;
130 	/* No zero copy backend? Nothing to count. */
131 	if (!zcopy)
132 		return NULL;
133 	ubufs = kmalloc(sizeof(*ubufs), GFP_KERNEL);
134 	if (!ubufs)
135 		return ERR_PTR(-ENOMEM);
136 	atomic_set(&ubufs->refcount, 1);
137 	init_waitqueue_head(&ubufs->wait);
138 	ubufs->vq = vq;
139 	return ubufs;
140 }
141 
142 static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
143 {
144 	int r = atomic_sub_return(1, &ubufs->refcount);
145 	if (unlikely(!r))
146 		wake_up(&ubufs->wait);
147 	return r;
148 }
149 
150 static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
151 {
152 	vhost_net_ubuf_put(ubufs);
153 	wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
154 }
155 
156 static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
157 {
158 	vhost_net_ubuf_put_and_wait(ubufs);
159 	kfree(ubufs);
160 }
161 
162 static void vhost_net_clear_ubuf_info(struct vhost_net *n)
163 {
164 	int i;
165 
166 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
167 		kfree(n->vqs[i].ubuf_info);
168 		n->vqs[i].ubuf_info = NULL;
169 	}
170 }
171 
172 static int vhost_net_set_ubuf_info(struct vhost_net *n)
173 {
174 	bool zcopy;
175 	int i;
176 
177 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
178 		zcopy = vhost_net_zcopy_mask & (0x1 << i);
179 		if (!zcopy)
180 			continue;
181 		n->vqs[i].ubuf_info = kmalloc(sizeof(*n->vqs[i].ubuf_info) *
182 					      UIO_MAXIOV, GFP_KERNEL);
183 		if  (!n->vqs[i].ubuf_info)
184 			goto err;
185 	}
186 	return 0;
187 
188 err:
189 	vhost_net_clear_ubuf_info(n);
190 	return -ENOMEM;
191 }
192 
193 static void vhost_net_vq_reset(struct vhost_net *n)
194 {
195 	int i;
196 
197 	vhost_net_clear_ubuf_info(n);
198 
199 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
200 		n->vqs[i].done_idx = 0;
201 		n->vqs[i].upend_idx = 0;
202 		n->vqs[i].ubufs = NULL;
203 		n->vqs[i].vhost_hlen = 0;
204 		n->vqs[i].sock_hlen = 0;
205 	}
206 
207 }
208 
209 static void vhost_net_tx_packet(struct vhost_net *net)
210 {
211 	++net->tx_packets;
212 	if (net->tx_packets < 1024)
213 		return;
214 	net->tx_packets = 0;
215 	net->tx_zcopy_err = 0;
216 }
217 
218 static void vhost_net_tx_err(struct vhost_net *net)
219 {
220 	++net->tx_zcopy_err;
221 }
222 
223 static bool vhost_net_tx_select_zcopy(struct vhost_net *net)
224 {
225 	/* TX flush waits for outstanding DMAs to be done.
226 	 * Don't start new DMAs.
227 	 */
228 	return !net->tx_flush &&
229 		net->tx_packets / 64 >= net->tx_zcopy_err;
230 }
231 
232 static bool vhost_sock_zcopy(struct socket *sock)
233 {
234 	return unlikely(experimental_zcopytx) &&
235 		sock_flag(sock->sk, SOCK_ZEROCOPY);
236 }
237 
238 /* Pop first len bytes from iovec. Return number of segments used. */
239 static int move_iovec_hdr(struct iovec *from, struct iovec *to,
240 			  size_t len, int iov_count)
241 {
242 	int seg = 0;
243 	size_t size;
244 
245 	while (len && seg < iov_count) {
246 		size = min(from->iov_len, len);
247 		to->iov_base = from->iov_base;
248 		to->iov_len = size;
249 		from->iov_len -= size;
250 		from->iov_base += size;
251 		len -= size;
252 		++from;
253 		++to;
254 		++seg;
255 	}
256 	return seg;
257 }
258 /* Copy iovec entries for len bytes from iovec. */
259 static void copy_iovec_hdr(const struct iovec *from, struct iovec *to,
260 			   size_t len, int iovcount)
261 {
262 	int seg = 0;
263 	size_t size;
264 
265 	while (len && seg < iovcount) {
266 		size = min(from->iov_len, len);
267 		to->iov_base = from->iov_base;
268 		to->iov_len = size;
269 		len -= size;
270 		++from;
271 		++to;
272 		++seg;
273 	}
274 }
275 
276 /* In case of DMA done not in order in lower device driver for some reason.
277  * upend_idx is used to track end of used idx, done_idx is used to track head
278  * of used idx. Once lower device DMA done contiguously, we will signal KVM
279  * guest used idx.
280  */
281 static void vhost_zerocopy_signal_used(struct vhost_net *net,
282 				       struct vhost_virtqueue *vq)
283 {
284 	struct vhost_net_virtqueue *nvq =
285 		container_of(vq, struct vhost_net_virtqueue, vq);
286 	int i, add;
287 	int j = 0;
288 
289 	for (i = nvq->done_idx; i != nvq->upend_idx; i = (i + 1) % UIO_MAXIOV) {
290 		if (vq->heads[i].len == VHOST_DMA_FAILED_LEN)
291 			vhost_net_tx_err(net);
292 		if (VHOST_DMA_IS_DONE(vq->heads[i].len)) {
293 			vq->heads[i].len = VHOST_DMA_CLEAR_LEN;
294 			++j;
295 		} else
296 			break;
297 	}
298 	while (j) {
299 		add = min(UIO_MAXIOV - nvq->done_idx, j);
300 		vhost_add_used_and_signal_n(vq->dev, vq,
301 					    &vq->heads[nvq->done_idx], add);
302 		nvq->done_idx = (nvq->done_idx + add) % UIO_MAXIOV;
303 		j -= add;
304 	}
305 }
306 
307 static void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool success)
308 {
309 	struct vhost_net_ubuf_ref *ubufs = ubuf->ctx;
310 	struct vhost_virtqueue *vq = ubufs->vq;
311 	int cnt;
312 
313 	rcu_read_lock_bh();
314 
315 	/* set len to mark this desc buffers done DMA */
316 	vq->heads[ubuf->desc].len = success ?
317 		VHOST_DMA_DONE_LEN : VHOST_DMA_FAILED_LEN;
318 	cnt = vhost_net_ubuf_put(ubufs);
319 
320 	/*
321 	 * Trigger polling thread if guest stopped submitting new buffers:
322 	 * in this case, the refcount after decrement will eventually reach 1.
323 	 * We also trigger polling periodically after each 16 packets
324 	 * (the value 16 here is more or less arbitrary, it's tuned to trigger
325 	 * less than 10% of times).
326 	 */
327 	if (cnt <= 1 || !(cnt % 16))
328 		vhost_poll_queue(&vq->poll);
329 
330 	rcu_read_unlock_bh();
331 }
332 
333 /* Expects to be always run from workqueue - which acts as
334  * read-size critical section for our kind of RCU. */
335 static void handle_tx(struct vhost_net *net)
336 {
337 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_TX];
338 	struct vhost_virtqueue *vq = &nvq->vq;
339 	unsigned out, in, s;
340 	int head;
341 	struct msghdr msg = {
342 		.msg_name = NULL,
343 		.msg_namelen = 0,
344 		.msg_control = NULL,
345 		.msg_controllen = 0,
346 		.msg_flags = MSG_DONTWAIT,
347 	};
348 	size_t len, total_len = 0;
349 	int err;
350 	size_t hdr_size;
351 	struct socket *sock;
352 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
353 	bool zcopy, zcopy_used;
354 
355 	mutex_lock(&vq->mutex);
356 	sock = vq->private_data;
357 	if (!sock)
358 		goto out;
359 
360 	vhost_disable_notify(&net->dev, vq);
361 
362 	hdr_size = nvq->vhost_hlen;
363 	zcopy = nvq->ubufs;
364 
365 	for (;;) {
366 		/* Release DMAs done buffers first */
367 		if (zcopy)
368 			vhost_zerocopy_signal_used(net, vq);
369 
370 		/* If more outstanding DMAs, queue the work.
371 		 * Handle upend_idx wrap around
372 		 */
373 		if (unlikely((nvq->upend_idx + vq->num - VHOST_MAX_PEND)
374 			      % UIO_MAXIOV == nvq->done_idx))
375 			break;
376 
377 		head = vhost_get_vq_desc(vq, vq->iov,
378 					 ARRAY_SIZE(vq->iov),
379 					 &out, &in,
380 					 NULL, NULL);
381 		/* On error, stop handling until the next kick. */
382 		if (unlikely(head < 0))
383 			break;
384 		/* Nothing new?  Wait for eventfd to tell us they refilled. */
385 		if (head == vq->num) {
386 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {
387 				vhost_disable_notify(&net->dev, vq);
388 				continue;
389 			}
390 			break;
391 		}
392 		if (in) {
393 			vq_err(vq, "Unexpected descriptor format for TX: "
394 			       "out %d, int %d\n", out, in);
395 			break;
396 		}
397 		/* Skip header. TODO: support TSO. */
398 		s = move_iovec_hdr(vq->iov, nvq->hdr, hdr_size, out);
399 		len = iov_length(vq->iov, out);
400 		iov_iter_init(&msg.msg_iter, WRITE, vq->iov, out, len);
401 		/* Sanity check */
402 		if (!len) {
403 			vq_err(vq, "Unexpected header len for TX: "
404 			       "%zd expected %zd\n",
405 			       iov_length(nvq->hdr, s), hdr_size);
406 			break;
407 		}
408 
409 		zcopy_used = zcopy && len >= VHOST_GOODCOPY_LEN
410 				   && (nvq->upend_idx + 1) % UIO_MAXIOV !=
411 				      nvq->done_idx
412 				   && vhost_net_tx_select_zcopy(net);
413 
414 		/* use msg_control to pass vhost zerocopy ubuf info to skb */
415 		if (zcopy_used) {
416 			struct ubuf_info *ubuf;
417 			ubuf = nvq->ubuf_info + nvq->upend_idx;
418 
419 			vq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);
420 			vq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;
421 			ubuf->callback = vhost_zerocopy_callback;
422 			ubuf->ctx = nvq->ubufs;
423 			ubuf->desc = nvq->upend_idx;
424 			msg.msg_control = ubuf;
425 			msg.msg_controllen = sizeof(ubuf);
426 			ubufs = nvq->ubufs;
427 			atomic_inc(&ubufs->refcount);
428 			nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
429 		} else {
430 			msg.msg_control = NULL;
431 			ubufs = NULL;
432 		}
433 		/* TODO: Check specific error and bomb out unless ENOBUFS? */
434 		err = sock->ops->sendmsg(NULL, sock, &msg, len);
435 		if (unlikely(err < 0)) {
436 			if (zcopy_used) {
437 				vhost_net_ubuf_put(ubufs);
438 				nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
439 					% UIO_MAXIOV;
440 			}
441 			vhost_discard_vq_desc(vq, 1);
442 			break;
443 		}
444 		if (err != len)
445 			pr_debug("Truncated TX packet: "
446 				 " len %d != %zd\n", err, len);
447 		if (!zcopy_used)
448 			vhost_add_used_and_signal(&net->dev, vq, head, 0);
449 		else
450 			vhost_zerocopy_signal_used(net, vq);
451 		total_len += len;
452 		vhost_net_tx_packet(net);
453 		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
454 			vhost_poll_queue(&vq->poll);
455 			break;
456 		}
457 	}
458 out:
459 	mutex_unlock(&vq->mutex);
460 }
461 
462 static int peek_head_len(struct sock *sk)
463 {
464 	struct sk_buff *head;
465 	int len = 0;
466 	unsigned long flags;
467 
468 	spin_lock_irqsave(&sk->sk_receive_queue.lock, flags);
469 	head = skb_peek(&sk->sk_receive_queue);
470 	if (likely(head)) {
471 		len = head->len;
472 		if (vlan_tx_tag_present(head))
473 			len += VLAN_HLEN;
474 	}
475 
476 	spin_unlock_irqrestore(&sk->sk_receive_queue.lock, flags);
477 	return len;
478 }
479 
480 /* This is a multi-buffer version of vhost_get_desc, that works if
481  *	vq has read descriptors only.
482  * @vq		- the relevant virtqueue
483  * @datalen	- data length we'll be reading
484  * @iovcount	- returned count of io vectors we fill
485  * @log		- vhost log
486  * @log_num	- log offset
487  * @quota       - headcount quota, 1 for big buffer
488  *	returns number of buffer heads allocated, negative on error
489  */
490 static int get_rx_bufs(struct vhost_virtqueue *vq,
491 		       struct vring_used_elem *heads,
492 		       int datalen,
493 		       unsigned *iovcount,
494 		       struct vhost_log *log,
495 		       unsigned *log_num,
496 		       unsigned int quota)
497 {
498 	unsigned int out, in;
499 	int seg = 0;
500 	int headcount = 0;
501 	unsigned d;
502 	int r, nlogs = 0;
503 	/* len is always initialized before use since we are always called with
504 	 * datalen > 0.
505 	 */
506 	u32 uninitialized_var(len);
507 
508 	while (datalen > 0 && headcount < quota) {
509 		if (unlikely(seg >= UIO_MAXIOV)) {
510 			r = -ENOBUFS;
511 			goto err;
512 		}
513 		r = vhost_get_vq_desc(vq, vq->iov + seg,
514 				      ARRAY_SIZE(vq->iov) - seg, &out,
515 				      &in, log, log_num);
516 		if (unlikely(r < 0))
517 			goto err;
518 
519 		d = r;
520 		if (d == vq->num) {
521 			r = 0;
522 			goto err;
523 		}
524 		if (unlikely(out || in <= 0)) {
525 			vq_err(vq, "unexpected descriptor format for RX: "
526 				"out %d, in %d\n", out, in);
527 			r = -EINVAL;
528 			goto err;
529 		}
530 		if (unlikely(log)) {
531 			nlogs += *log_num;
532 			log += *log_num;
533 		}
534 		heads[headcount].id = cpu_to_vhost32(vq, d);
535 		len = iov_length(vq->iov + seg, in);
536 		heads[headcount].len = cpu_to_vhost32(vq, len);
537 		datalen -= len;
538 		++headcount;
539 		seg += in;
540 	}
541 	heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
542 	*iovcount = seg;
543 	if (unlikely(log))
544 		*log_num = nlogs;
545 
546 	/* Detect overrun */
547 	if (unlikely(datalen > 0)) {
548 		r = UIO_MAXIOV + 1;
549 		goto err;
550 	}
551 	return headcount;
552 err:
553 	vhost_discard_vq_desc(vq, headcount);
554 	return r;
555 }
556 
557 /* Expects to be always run from workqueue - which acts as
558  * read-size critical section for our kind of RCU. */
559 static void handle_rx(struct vhost_net *net)
560 {
561 	struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];
562 	struct vhost_virtqueue *vq = &nvq->vq;
563 	unsigned uninitialized_var(in), log;
564 	struct vhost_log *vq_log;
565 	struct msghdr msg = {
566 		.msg_name = NULL,
567 		.msg_namelen = 0,
568 		.msg_control = NULL, /* FIXME: get and handle RX aux data. */
569 		.msg_controllen = 0,
570 		.msg_flags = MSG_DONTWAIT,
571 	};
572 	struct virtio_net_hdr_mrg_rxbuf hdr = {
573 		.hdr.flags = 0,
574 		.hdr.gso_type = VIRTIO_NET_HDR_GSO_NONE
575 	};
576 	size_t total_len = 0;
577 	int err, mergeable;
578 	s16 headcount;
579 	size_t vhost_hlen, sock_hlen;
580 	size_t vhost_len, sock_len;
581 	struct socket *sock;
582 
583 	mutex_lock(&vq->mutex);
584 	sock = vq->private_data;
585 	if (!sock)
586 		goto out;
587 	vhost_disable_notify(&net->dev, vq);
588 
589 	vhost_hlen = nvq->vhost_hlen;
590 	sock_hlen = nvq->sock_hlen;
591 
592 	vq_log = unlikely(vhost_has_feature(vq, VHOST_F_LOG_ALL)) ?
593 		vq->log : NULL;
594 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
595 
596 	while ((sock_len = peek_head_len(sock->sk))) {
597 		sock_len += sock_hlen;
598 		vhost_len = sock_len + vhost_hlen;
599 		headcount = get_rx_bufs(vq, vq->heads, vhost_len,
600 					&in, vq_log, &log,
601 					likely(mergeable) ? UIO_MAXIOV : 1);
602 		/* On error, stop handling until the next kick. */
603 		if (unlikely(headcount < 0))
604 			break;
605 		/* On overrun, truncate and discard */
606 		if (unlikely(headcount > UIO_MAXIOV)) {
607 			iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
608 			err = sock->ops->recvmsg(NULL, sock, &msg,
609 						 1, MSG_DONTWAIT | MSG_TRUNC);
610 			pr_debug("Discarded rx packet: len %zd\n", sock_len);
611 			continue;
612 		}
613 		/* OK, now we need to know about added descriptors. */
614 		if (!headcount) {
615 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {
616 				/* They have slipped one in as we were
617 				 * doing that: check again. */
618 				vhost_disable_notify(&net->dev, vq);
619 				continue;
620 			}
621 			/* Nothing new?  Wait for eventfd to tell us
622 			 * they refilled. */
623 			break;
624 		}
625 		/* We don't need to be notified again. */
626 		if (unlikely((vhost_hlen)))
627 			/* Skip header. TODO: support TSO. */
628 			move_iovec_hdr(vq->iov, nvq->hdr, vhost_hlen, in);
629 		else
630 			/* Copy the header for use in VIRTIO_NET_F_MRG_RXBUF:
631 			 * needed because recvmsg can modify msg_iov. */
632 			copy_iovec_hdr(vq->iov, nvq->hdr, sock_hlen, in);
633 		iov_iter_init(&msg.msg_iter, READ, vq->iov, in, sock_len);
634 		err = sock->ops->recvmsg(NULL, sock, &msg,
635 					 sock_len, MSG_DONTWAIT | MSG_TRUNC);
636 		/* Userspace might have consumed the packet meanwhile:
637 		 * it's not supposed to do this usually, but might be hard
638 		 * to prevent. Discard data we got (if any) and keep going. */
639 		if (unlikely(err != sock_len)) {
640 			pr_debug("Discarded rx packet: "
641 				 " len %d, expected %zd\n", err, sock_len);
642 			vhost_discard_vq_desc(vq, headcount);
643 			continue;
644 		}
645 		if (unlikely(vhost_hlen) &&
646 		    memcpy_toiovecend(nvq->hdr, (unsigned char *)&hdr, 0,
647 				      vhost_hlen)) {
648 			vq_err(vq, "Unable to write vnet_hdr at addr %p\n",
649 			       vq->iov->iov_base);
650 			break;
651 		}
652 		/* TODO: Should check and handle checksum. */
653 		if (likely(mergeable) &&
654 		    memcpy_toiovecend(nvq->hdr, (unsigned char *)&headcount,
655 				      offsetof(typeof(hdr), num_buffers),
656 				      sizeof hdr.num_buffers)) {
657 			vq_err(vq, "Failed num_buffers write");
658 			vhost_discard_vq_desc(vq, headcount);
659 			break;
660 		}
661 		vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
662 					    headcount);
663 		if (unlikely(vq_log))
664 			vhost_log_write(vq, vq_log, log, vhost_len);
665 		total_len += vhost_len;
666 		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
667 			vhost_poll_queue(&vq->poll);
668 			break;
669 		}
670 	}
671 out:
672 	mutex_unlock(&vq->mutex);
673 }
674 
675 static void handle_tx_kick(struct vhost_work *work)
676 {
677 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
678 						  poll.work);
679 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
680 
681 	handle_tx(net);
682 }
683 
684 static void handle_rx_kick(struct vhost_work *work)
685 {
686 	struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue,
687 						  poll.work);
688 	struct vhost_net *net = container_of(vq->dev, struct vhost_net, dev);
689 
690 	handle_rx(net);
691 }
692 
693 static void handle_tx_net(struct vhost_work *work)
694 {
695 	struct vhost_net *net = container_of(work, struct vhost_net,
696 					     poll[VHOST_NET_VQ_TX].work);
697 	handle_tx(net);
698 }
699 
700 static void handle_rx_net(struct vhost_work *work)
701 {
702 	struct vhost_net *net = container_of(work, struct vhost_net,
703 					     poll[VHOST_NET_VQ_RX].work);
704 	handle_rx(net);
705 }
706 
707 static int vhost_net_open(struct inode *inode, struct file *f)
708 {
709 	struct vhost_net *n;
710 	struct vhost_dev *dev;
711 	struct vhost_virtqueue **vqs;
712 	int i;
713 
714 	n = kmalloc(sizeof *n, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
715 	if (!n) {
716 		n = vmalloc(sizeof *n);
717 		if (!n)
718 			return -ENOMEM;
719 	}
720 	vqs = kmalloc(VHOST_NET_VQ_MAX * sizeof(*vqs), GFP_KERNEL);
721 	if (!vqs) {
722 		kvfree(n);
723 		return -ENOMEM;
724 	}
725 
726 	dev = &n->dev;
727 	vqs[VHOST_NET_VQ_TX] = &n->vqs[VHOST_NET_VQ_TX].vq;
728 	vqs[VHOST_NET_VQ_RX] = &n->vqs[VHOST_NET_VQ_RX].vq;
729 	n->vqs[VHOST_NET_VQ_TX].vq.handle_kick = handle_tx_kick;
730 	n->vqs[VHOST_NET_VQ_RX].vq.handle_kick = handle_rx_kick;
731 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
732 		n->vqs[i].ubufs = NULL;
733 		n->vqs[i].ubuf_info = NULL;
734 		n->vqs[i].upend_idx = 0;
735 		n->vqs[i].done_idx = 0;
736 		n->vqs[i].vhost_hlen = 0;
737 		n->vqs[i].sock_hlen = 0;
738 	}
739 	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
740 
741 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
742 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);
743 
744 	f->private_data = n;
745 
746 	return 0;
747 }
748 
749 static void vhost_net_disable_vq(struct vhost_net *n,
750 				 struct vhost_virtqueue *vq)
751 {
752 	struct vhost_net_virtqueue *nvq =
753 		container_of(vq, struct vhost_net_virtqueue, vq);
754 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
755 	if (!vq->private_data)
756 		return;
757 	vhost_poll_stop(poll);
758 }
759 
760 static int vhost_net_enable_vq(struct vhost_net *n,
761 				struct vhost_virtqueue *vq)
762 {
763 	struct vhost_net_virtqueue *nvq =
764 		container_of(vq, struct vhost_net_virtqueue, vq);
765 	struct vhost_poll *poll = n->poll + (nvq - n->vqs);
766 	struct socket *sock;
767 
768 	sock = vq->private_data;
769 	if (!sock)
770 		return 0;
771 
772 	return vhost_poll_start(poll, sock->file);
773 }
774 
775 static struct socket *vhost_net_stop_vq(struct vhost_net *n,
776 					struct vhost_virtqueue *vq)
777 {
778 	struct socket *sock;
779 
780 	mutex_lock(&vq->mutex);
781 	sock = vq->private_data;
782 	vhost_net_disable_vq(n, vq);
783 	vq->private_data = NULL;
784 	mutex_unlock(&vq->mutex);
785 	return sock;
786 }
787 
788 static void vhost_net_stop(struct vhost_net *n, struct socket **tx_sock,
789 			   struct socket **rx_sock)
790 {
791 	*tx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_TX].vq);
792 	*rx_sock = vhost_net_stop_vq(n, &n->vqs[VHOST_NET_VQ_RX].vq);
793 }
794 
795 static void vhost_net_flush_vq(struct vhost_net *n, int index)
796 {
797 	vhost_poll_flush(n->poll + index);
798 	vhost_poll_flush(&n->vqs[index].vq.poll);
799 }
800 
801 static void vhost_net_flush(struct vhost_net *n)
802 {
803 	vhost_net_flush_vq(n, VHOST_NET_VQ_TX);
804 	vhost_net_flush_vq(n, VHOST_NET_VQ_RX);
805 	if (n->vqs[VHOST_NET_VQ_TX].ubufs) {
806 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
807 		n->tx_flush = true;
808 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
809 		/* Wait for all lower device DMAs done. */
810 		vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
811 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
812 		n->tx_flush = false;
813 		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
814 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
815 	}
816 }
817 
818 static int vhost_net_release(struct inode *inode, struct file *f)
819 {
820 	struct vhost_net *n = f->private_data;
821 	struct socket *tx_sock;
822 	struct socket *rx_sock;
823 
824 	vhost_net_stop(n, &tx_sock, &rx_sock);
825 	vhost_net_flush(n);
826 	vhost_dev_stop(&n->dev);
827 	vhost_dev_cleanup(&n->dev, false);
828 	vhost_net_vq_reset(n);
829 	if (tx_sock)
830 		sockfd_put(tx_sock);
831 	if (rx_sock)
832 		sockfd_put(rx_sock);
833 	/* Make sure no callbacks are outstanding */
834 	synchronize_rcu_bh();
835 	/* We do an extra flush before freeing memory,
836 	 * since jobs can re-queue themselves. */
837 	vhost_net_flush(n);
838 	kfree(n->dev.vqs);
839 	kvfree(n);
840 	return 0;
841 }
842 
843 static struct socket *get_raw_socket(int fd)
844 {
845 	struct {
846 		struct sockaddr_ll sa;
847 		char  buf[MAX_ADDR_LEN];
848 	} uaddr;
849 	int uaddr_len = sizeof uaddr, r;
850 	struct socket *sock = sockfd_lookup(fd, &r);
851 
852 	if (!sock)
853 		return ERR_PTR(-ENOTSOCK);
854 
855 	/* Parameter checking */
856 	if (sock->sk->sk_type != SOCK_RAW) {
857 		r = -ESOCKTNOSUPPORT;
858 		goto err;
859 	}
860 
861 	r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa,
862 			       &uaddr_len, 0);
863 	if (r)
864 		goto err;
865 
866 	if (uaddr.sa.sll_family != AF_PACKET) {
867 		r = -EPFNOSUPPORT;
868 		goto err;
869 	}
870 	return sock;
871 err:
872 	sockfd_put(sock);
873 	return ERR_PTR(r);
874 }
875 
876 static struct socket *get_tap_socket(int fd)
877 {
878 	struct file *file = fget(fd);
879 	struct socket *sock;
880 
881 	if (!file)
882 		return ERR_PTR(-EBADF);
883 	sock = tun_get_socket(file);
884 	if (!IS_ERR(sock))
885 		return sock;
886 	sock = macvtap_get_socket(file);
887 	if (IS_ERR(sock))
888 		fput(file);
889 	return sock;
890 }
891 
892 static struct socket *get_socket(int fd)
893 {
894 	struct socket *sock;
895 
896 	/* special case to disable backend */
897 	if (fd == -1)
898 		return NULL;
899 	sock = get_raw_socket(fd);
900 	if (!IS_ERR(sock))
901 		return sock;
902 	sock = get_tap_socket(fd);
903 	if (!IS_ERR(sock))
904 		return sock;
905 	return ERR_PTR(-ENOTSOCK);
906 }
907 
908 static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
909 {
910 	struct socket *sock, *oldsock;
911 	struct vhost_virtqueue *vq;
912 	struct vhost_net_virtqueue *nvq;
913 	struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
914 	int r;
915 
916 	mutex_lock(&n->dev.mutex);
917 	r = vhost_dev_check_owner(&n->dev);
918 	if (r)
919 		goto err;
920 
921 	if (index >= VHOST_NET_VQ_MAX) {
922 		r = -ENOBUFS;
923 		goto err;
924 	}
925 	vq = &n->vqs[index].vq;
926 	nvq = &n->vqs[index];
927 	mutex_lock(&vq->mutex);
928 
929 	/* Verify that ring has been setup correctly. */
930 	if (!vhost_vq_access_ok(vq)) {
931 		r = -EFAULT;
932 		goto err_vq;
933 	}
934 	sock = get_socket(fd);
935 	if (IS_ERR(sock)) {
936 		r = PTR_ERR(sock);
937 		goto err_vq;
938 	}
939 
940 	/* start polling new socket */
941 	oldsock = vq->private_data;
942 	if (sock != oldsock) {
943 		ubufs = vhost_net_ubuf_alloc(vq,
944 					     sock && vhost_sock_zcopy(sock));
945 		if (IS_ERR(ubufs)) {
946 			r = PTR_ERR(ubufs);
947 			goto err_ubufs;
948 		}
949 
950 		vhost_net_disable_vq(n, vq);
951 		vq->private_data = sock;
952 		r = vhost_init_used(vq);
953 		if (r)
954 			goto err_used;
955 		r = vhost_net_enable_vq(n, vq);
956 		if (r)
957 			goto err_used;
958 
959 		oldubufs = nvq->ubufs;
960 		nvq->ubufs = ubufs;
961 
962 		n->tx_packets = 0;
963 		n->tx_zcopy_err = 0;
964 		n->tx_flush = false;
965 	}
966 
967 	mutex_unlock(&vq->mutex);
968 
969 	if (oldubufs) {
970 		vhost_net_ubuf_put_wait_and_free(oldubufs);
971 		mutex_lock(&vq->mutex);
972 		vhost_zerocopy_signal_used(n, vq);
973 		mutex_unlock(&vq->mutex);
974 	}
975 
976 	if (oldsock) {
977 		vhost_net_flush_vq(n, index);
978 		sockfd_put(oldsock);
979 	}
980 
981 	mutex_unlock(&n->dev.mutex);
982 	return 0;
983 
984 err_used:
985 	vq->private_data = oldsock;
986 	vhost_net_enable_vq(n, vq);
987 	if (ubufs)
988 		vhost_net_ubuf_put_wait_and_free(ubufs);
989 err_ubufs:
990 	sockfd_put(sock);
991 err_vq:
992 	mutex_unlock(&vq->mutex);
993 err:
994 	mutex_unlock(&n->dev.mutex);
995 	return r;
996 }
997 
998 static long vhost_net_reset_owner(struct vhost_net *n)
999 {
1000 	struct socket *tx_sock = NULL;
1001 	struct socket *rx_sock = NULL;
1002 	long err;
1003 	struct vhost_memory *memory;
1004 
1005 	mutex_lock(&n->dev.mutex);
1006 	err = vhost_dev_check_owner(&n->dev);
1007 	if (err)
1008 		goto done;
1009 	memory = vhost_dev_reset_owner_prepare();
1010 	if (!memory) {
1011 		err = -ENOMEM;
1012 		goto done;
1013 	}
1014 	vhost_net_stop(n, &tx_sock, &rx_sock);
1015 	vhost_net_flush(n);
1016 	vhost_dev_reset_owner(&n->dev, memory);
1017 	vhost_net_vq_reset(n);
1018 done:
1019 	mutex_unlock(&n->dev.mutex);
1020 	if (tx_sock)
1021 		sockfd_put(tx_sock);
1022 	if (rx_sock)
1023 		sockfd_put(rx_sock);
1024 	return err;
1025 }
1026 
1027 static int vhost_net_set_features(struct vhost_net *n, u64 features)
1028 {
1029 	size_t vhost_hlen, sock_hlen, hdr_len;
1030 	int i;
1031 
1032 	hdr_len = (features & ((1ULL << VIRTIO_NET_F_MRG_RXBUF) |
1033 			       (1ULL << VIRTIO_F_VERSION_1))) ?
1034 			sizeof(struct virtio_net_hdr_mrg_rxbuf) :
1035 			sizeof(struct virtio_net_hdr);
1036 	if (features & (1 << VHOST_NET_F_VIRTIO_NET_HDR)) {
1037 		/* vhost provides vnet_hdr */
1038 		vhost_hlen = hdr_len;
1039 		sock_hlen = 0;
1040 	} else {
1041 		/* socket provides vnet_hdr */
1042 		vhost_hlen = 0;
1043 		sock_hlen = hdr_len;
1044 	}
1045 	mutex_lock(&n->dev.mutex);
1046 	if ((features & (1 << VHOST_F_LOG_ALL)) &&
1047 	    !vhost_log_access_ok(&n->dev)) {
1048 		mutex_unlock(&n->dev.mutex);
1049 		return -EFAULT;
1050 	}
1051 	for (i = 0; i < VHOST_NET_VQ_MAX; ++i) {
1052 		mutex_lock(&n->vqs[i].vq.mutex);
1053 		n->vqs[i].vq.acked_features = features;
1054 		n->vqs[i].vhost_hlen = vhost_hlen;
1055 		n->vqs[i].sock_hlen = sock_hlen;
1056 		mutex_unlock(&n->vqs[i].vq.mutex);
1057 	}
1058 	mutex_unlock(&n->dev.mutex);
1059 	return 0;
1060 }
1061 
1062 static long vhost_net_set_owner(struct vhost_net *n)
1063 {
1064 	int r;
1065 
1066 	mutex_lock(&n->dev.mutex);
1067 	if (vhost_dev_has_owner(&n->dev)) {
1068 		r = -EBUSY;
1069 		goto out;
1070 	}
1071 	r = vhost_net_set_ubuf_info(n);
1072 	if (r)
1073 		goto out;
1074 	r = vhost_dev_set_owner(&n->dev);
1075 	if (r)
1076 		vhost_net_clear_ubuf_info(n);
1077 	vhost_net_flush(n);
1078 out:
1079 	mutex_unlock(&n->dev.mutex);
1080 	return r;
1081 }
1082 
1083 static long vhost_net_ioctl(struct file *f, unsigned int ioctl,
1084 			    unsigned long arg)
1085 {
1086 	struct vhost_net *n = f->private_data;
1087 	void __user *argp = (void __user *)arg;
1088 	u64 __user *featurep = argp;
1089 	struct vhost_vring_file backend;
1090 	u64 features;
1091 	int r;
1092 
1093 	switch (ioctl) {
1094 	case VHOST_NET_SET_BACKEND:
1095 		if (copy_from_user(&backend, argp, sizeof backend))
1096 			return -EFAULT;
1097 		return vhost_net_set_backend(n, backend.index, backend.fd);
1098 	case VHOST_GET_FEATURES:
1099 		features = VHOST_NET_FEATURES;
1100 		if (copy_to_user(featurep, &features, sizeof features))
1101 			return -EFAULT;
1102 		return 0;
1103 	case VHOST_SET_FEATURES:
1104 		if (copy_from_user(&features, featurep, sizeof features))
1105 			return -EFAULT;
1106 		if (features & ~VHOST_NET_FEATURES)
1107 			return -EOPNOTSUPP;
1108 		return vhost_net_set_features(n, features);
1109 	case VHOST_RESET_OWNER:
1110 		return vhost_net_reset_owner(n);
1111 	case VHOST_SET_OWNER:
1112 		return vhost_net_set_owner(n);
1113 	default:
1114 		mutex_lock(&n->dev.mutex);
1115 		r = vhost_dev_ioctl(&n->dev, ioctl, argp);
1116 		if (r == -ENOIOCTLCMD)
1117 			r = vhost_vring_ioctl(&n->dev, ioctl, argp);
1118 		else
1119 			vhost_net_flush(n);
1120 		mutex_unlock(&n->dev.mutex);
1121 		return r;
1122 	}
1123 }
1124 
1125 #ifdef CONFIG_COMPAT
1126 static long vhost_net_compat_ioctl(struct file *f, unsigned int ioctl,
1127 				   unsigned long arg)
1128 {
1129 	return vhost_net_ioctl(f, ioctl, (unsigned long)compat_ptr(arg));
1130 }
1131 #endif
1132 
1133 static const struct file_operations vhost_net_fops = {
1134 	.owner          = THIS_MODULE,
1135 	.release        = vhost_net_release,
1136 	.unlocked_ioctl = vhost_net_ioctl,
1137 #ifdef CONFIG_COMPAT
1138 	.compat_ioctl   = vhost_net_compat_ioctl,
1139 #endif
1140 	.open           = vhost_net_open,
1141 	.llseek		= noop_llseek,
1142 };
1143 
1144 static struct miscdevice vhost_net_misc = {
1145 	.minor = VHOST_NET_MINOR,
1146 	.name = "vhost-net",
1147 	.fops = &vhost_net_fops,
1148 };
1149 
1150 static int vhost_net_init(void)
1151 {
1152 	if (experimental_zcopytx)
1153 		vhost_net_enable_zcopy(VHOST_NET_VQ_TX);
1154 	return misc_register(&vhost_net_misc);
1155 }
1156 module_init(vhost_net_init);
1157 
1158 static void vhost_net_exit(void)
1159 {
1160 	misc_deregister(&vhost_net_misc);
1161 }
1162 module_exit(vhost_net_exit);
1163 
1164 MODULE_VERSION("0.0.1");
1165 MODULE_LICENSE("GPL v2");
1166 MODULE_AUTHOR("Michael S. Tsirkin");
1167 MODULE_DESCRIPTION("Host kernel accelerator for virtio net");
1168 MODULE_ALIAS_MISCDEV(VHOST_NET_MINOR);
1169 MODULE_ALIAS("devname:vhost-net");
1170