xref: /openbmc/linux/drivers/xen/privcmd.c (revision 1edd0337)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /******************************************************************************
3  * privcmd.c
4  *
5  * Interface to privileged domain-0 commands.
6  *
7  * Copyright (c) 2002-2004, K A Fraser, B Dragovic
8  */
9 
10 #define pr_fmt(fmt) "xen:" KBUILD_MODNAME ": " fmt
11 
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/string.h>
17 #include <linux/errno.h>
18 #include <linux/mm.h>
19 #include <linux/mman.h>
20 #include <linux/uaccess.h>
21 #include <linux/swap.h>
22 #include <linux/highmem.h>
23 #include <linux/pagemap.h>
24 #include <linux/seq_file.h>
25 #include <linux/miscdevice.h>
26 #include <linux/moduleparam.h>
27 
28 #include <asm/xen/hypervisor.h>
29 #include <asm/xen/hypercall.h>
30 
31 #include <xen/xen.h>
32 #include <xen/privcmd.h>
33 #include <xen/interface/xen.h>
34 #include <xen/interface/memory.h>
35 #include <xen/interface/hvm/dm_op.h>
36 #include <xen/features.h>
37 #include <xen/page.h>
38 #include <xen/xen-ops.h>
39 #include <xen/balloon.h>
40 
41 #include "privcmd.h"
42 
43 MODULE_LICENSE("GPL");
44 
45 #define PRIV_VMA_LOCKED ((void *)1)
46 
47 static unsigned int privcmd_dm_op_max_num = 16;
48 module_param_named(dm_op_max_nr_bufs, privcmd_dm_op_max_num, uint, 0644);
49 MODULE_PARM_DESC(dm_op_max_nr_bufs,
50 		 "Maximum number of buffers per dm_op hypercall");
51 
52 static unsigned int privcmd_dm_op_buf_max_size = 4096;
53 module_param_named(dm_op_buf_max_size, privcmd_dm_op_buf_max_size, uint,
54 		   0644);
55 MODULE_PARM_DESC(dm_op_buf_max_size,
56 		 "Maximum size of a dm_op hypercall buffer");
57 
58 struct privcmd_data {
59 	domid_t domid;
60 };
61 
62 static int privcmd_vma_range_is_mapped(
63                struct vm_area_struct *vma,
64                unsigned long addr,
65                unsigned long nr_pages);
66 
67 static long privcmd_ioctl_hypercall(struct file *file, void __user *udata)
68 {
69 	struct privcmd_data *data = file->private_data;
70 	struct privcmd_hypercall hypercall;
71 	long ret;
72 
73 	/* Disallow arbitrary hypercalls if restricted */
74 	if (data->domid != DOMID_INVALID)
75 		return -EPERM;
76 
77 	if (copy_from_user(&hypercall, udata, sizeof(hypercall)))
78 		return -EFAULT;
79 
80 	xen_preemptible_hcall_begin();
81 	ret = privcmd_call(hypercall.op,
82 			   hypercall.arg[0], hypercall.arg[1],
83 			   hypercall.arg[2], hypercall.arg[3],
84 			   hypercall.arg[4]);
85 	xen_preemptible_hcall_end();
86 
87 	return ret;
88 }
89 
90 static void free_page_list(struct list_head *pages)
91 {
92 	struct page *p, *n;
93 
94 	list_for_each_entry_safe(p, n, pages, lru)
95 		__free_page(p);
96 
97 	INIT_LIST_HEAD(pages);
98 }
99 
100 /*
101  * Given an array of items in userspace, return a list of pages
102  * containing the data.  If copying fails, either because of memory
103  * allocation failure or a problem reading user memory, return an
104  * error code; its up to the caller to dispose of any partial list.
105  */
106 static int gather_array(struct list_head *pagelist,
107 			unsigned nelem, size_t size,
108 			const void __user *data)
109 {
110 	unsigned pageidx;
111 	void *pagedata;
112 	int ret;
113 
114 	if (size > PAGE_SIZE)
115 		return 0;
116 
117 	pageidx = PAGE_SIZE;
118 	pagedata = NULL;	/* quiet, gcc */
119 	while (nelem--) {
120 		if (pageidx > PAGE_SIZE-size) {
121 			struct page *page = alloc_page(GFP_KERNEL);
122 
123 			ret = -ENOMEM;
124 			if (page == NULL)
125 				goto fail;
126 
127 			pagedata = page_address(page);
128 
129 			list_add_tail(&page->lru, pagelist);
130 			pageidx = 0;
131 		}
132 
133 		ret = -EFAULT;
134 		if (copy_from_user(pagedata + pageidx, data, size))
135 			goto fail;
136 
137 		data += size;
138 		pageidx += size;
139 	}
140 
141 	ret = 0;
142 
143 fail:
144 	return ret;
145 }
146 
147 /*
148  * Call function "fn" on each element of the array fragmented
149  * over a list of pages.
150  */
151 static int traverse_pages(unsigned nelem, size_t size,
152 			  struct list_head *pos,
153 			  int (*fn)(void *data, void *state),
154 			  void *state)
155 {
156 	void *pagedata;
157 	unsigned pageidx;
158 	int ret = 0;
159 
160 	BUG_ON(size > PAGE_SIZE);
161 
162 	pageidx = PAGE_SIZE;
163 	pagedata = NULL;	/* hush, gcc */
164 
165 	while (nelem--) {
166 		if (pageidx > PAGE_SIZE-size) {
167 			struct page *page;
168 			pos = pos->next;
169 			page = list_entry(pos, struct page, lru);
170 			pagedata = page_address(page);
171 			pageidx = 0;
172 		}
173 
174 		ret = (*fn)(pagedata + pageidx, state);
175 		if (ret)
176 			break;
177 		pageidx += size;
178 	}
179 
180 	return ret;
181 }
182 
183 /*
184  * Similar to traverse_pages, but use each page as a "block" of
185  * data to be processed as one unit.
186  */
187 static int traverse_pages_block(unsigned nelem, size_t size,
188 				struct list_head *pos,
189 				int (*fn)(void *data, int nr, void *state),
190 				void *state)
191 {
192 	void *pagedata;
193 	int ret = 0;
194 
195 	BUG_ON(size > PAGE_SIZE);
196 
197 	while (nelem) {
198 		int nr = (PAGE_SIZE/size);
199 		struct page *page;
200 		if (nr > nelem)
201 			nr = nelem;
202 		pos = pos->next;
203 		page = list_entry(pos, struct page, lru);
204 		pagedata = page_address(page);
205 		ret = (*fn)(pagedata, nr, state);
206 		if (ret)
207 			break;
208 		nelem -= nr;
209 	}
210 
211 	return ret;
212 }
213 
214 struct mmap_gfn_state {
215 	unsigned long va;
216 	struct vm_area_struct *vma;
217 	domid_t domain;
218 };
219 
220 static int mmap_gfn_range(void *data, void *state)
221 {
222 	struct privcmd_mmap_entry *msg = data;
223 	struct mmap_gfn_state *st = state;
224 	struct vm_area_struct *vma = st->vma;
225 	int rc;
226 
227 	/* Do not allow range to wrap the address space. */
228 	if ((msg->npages > (LONG_MAX >> PAGE_SHIFT)) ||
229 	    ((unsigned long)(msg->npages << PAGE_SHIFT) >= -st->va))
230 		return -EINVAL;
231 
232 	/* Range chunks must be contiguous in va space. */
233 	if ((msg->va != st->va) ||
234 	    ((msg->va+(msg->npages<<PAGE_SHIFT)) > vma->vm_end))
235 		return -EINVAL;
236 
237 	rc = xen_remap_domain_gfn_range(vma,
238 					msg->va & PAGE_MASK,
239 					msg->mfn, msg->npages,
240 					vma->vm_page_prot,
241 					st->domain, NULL);
242 	if (rc < 0)
243 		return rc;
244 
245 	st->va += msg->npages << PAGE_SHIFT;
246 
247 	return 0;
248 }
249 
250 static long privcmd_ioctl_mmap(struct file *file, void __user *udata)
251 {
252 	struct privcmd_data *data = file->private_data;
253 	struct privcmd_mmap mmapcmd;
254 	struct mm_struct *mm = current->mm;
255 	struct vm_area_struct *vma;
256 	int rc;
257 	LIST_HEAD(pagelist);
258 	struct mmap_gfn_state state;
259 
260 	/* We only support privcmd_ioctl_mmap_batch for non-auto-translated. */
261 	if (xen_feature(XENFEAT_auto_translated_physmap))
262 		return -ENOSYS;
263 
264 	if (copy_from_user(&mmapcmd, udata, sizeof(mmapcmd)))
265 		return -EFAULT;
266 
267 	/* If restriction is in place, check the domid matches */
268 	if (data->domid != DOMID_INVALID && data->domid != mmapcmd.dom)
269 		return -EPERM;
270 
271 	rc = gather_array(&pagelist,
272 			  mmapcmd.num, sizeof(struct privcmd_mmap_entry),
273 			  mmapcmd.entry);
274 
275 	if (rc || list_empty(&pagelist))
276 		goto out;
277 
278 	mmap_write_lock(mm);
279 
280 	{
281 		struct page *page = list_first_entry(&pagelist,
282 						     struct page, lru);
283 		struct privcmd_mmap_entry *msg = page_address(page);
284 
285 		vma = vma_lookup(mm, msg->va);
286 		rc = -EINVAL;
287 
288 		if (!vma || (msg->va != vma->vm_start) || vma->vm_private_data)
289 			goto out_up;
290 		vma->vm_private_data = PRIV_VMA_LOCKED;
291 	}
292 
293 	state.va = vma->vm_start;
294 	state.vma = vma;
295 	state.domain = mmapcmd.dom;
296 
297 	rc = traverse_pages(mmapcmd.num, sizeof(struct privcmd_mmap_entry),
298 			    &pagelist,
299 			    mmap_gfn_range, &state);
300 
301 
302 out_up:
303 	mmap_write_unlock(mm);
304 
305 out:
306 	free_page_list(&pagelist);
307 
308 	return rc;
309 }
310 
311 struct mmap_batch_state {
312 	domid_t domain;
313 	unsigned long va;
314 	struct vm_area_struct *vma;
315 	int index;
316 	/* A tristate:
317 	 *      0 for no errors
318 	 *      1 if at least one error has happened (and no
319 	 *          -ENOENT errors have happened)
320 	 *      -ENOENT if at least 1 -ENOENT has happened.
321 	 */
322 	int global_error;
323 	int version;
324 
325 	/* User-space gfn array to store errors in the second pass for V1. */
326 	xen_pfn_t __user *user_gfn;
327 	/* User-space int array to store errors in the second pass for V2. */
328 	int __user *user_err;
329 };
330 
331 /* auto translated dom0 note: if domU being created is PV, then gfn is
332  * mfn(addr on bus). If it's auto xlated, then gfn is pfn (input to HAP).
333  */
334 static int mmap_batch_fn(void *data, int nr, void *state)
335 {
336 	xen_pfn_t *gfnp = data;
337 	struct mmap_batch_state *st = state;
338 	struct vm_area_struct *vma = st->vma;
339 	struct page **pages = vma->vm_private_data;
340 	struct page **cur_pages = NULL;
341 	int ret;
342 
343 	if (xen_feature(XENFEAT_auto_translated_physmap))
344 		cur_pages = &pages[st->index];
345 
346 	BUG_ON(nr < 0);
347 	ret = xen_remap_domain_gfn_array(st->vma, st->va & PAGE_MASK, gfnp, nr,
348 					 (int *)gfnp, st->vma->vm_page_prot,
349 					 st->domain, cur_pages);
350 
351 	/* Adjust the global_error? */
352 	if (ret != nr) {
353 		if (ret == -ENOENT)
354 			st->global_error = -ENOENT;
355 		else {
356 			/* Record that at least one error has happened. */
357 			if (st->global_error == 0)
358 				st->global_error = 1;
359 		}
360 	}
361 	st->va += XEN_PAGE_SIZE * nr;
362 	st->index += nr / XEN_PFN_PER_PAGE;
363 
364 	return 0;
365 }
366 
367 static int mmap_return_error(int err, struct mmap_batch_state *st)
368 {
369 	int ret;
370 
371 	if (st->version == 1) {
372 		if (err) {
373 			xen_pfn_t gfn;
374 
375 			ret = get_user(gfn, st->user_gfn);
376 			if (ret < 0)
377 				return ret;
378 			/*
379 			 * V1 encodes the error codes in the 32bit top
380 			 * nibble of the gfn (with its known
381 			 * limitations vis-a-vis 64 bit callers).
382 			 */
383 			gfn |= (err == -ENOENT) ?
384 				PRIVCMD_MMAPBATCH_PAGED_ERROR :
385 				PRIVCMD_MMAPBATCH_MFN_ERROR;
386 			return __put_user(gfn, st->user_gfn++);
387 		} else
388 			st->user_gfn++;
389 	} else { /* st->version == 2 */
390 		if (err)
391 			return __put_user(err, st->user_err++);
392 		else
393 			st->user_err++;
394 	}
395 
396 	return 0;
397 }
398 
399 static int mmap_return_errors(void *data, int nr, void *state)
400 {
401 	struct mmap_batch_state *st = state;
402 	int *errs = data;
403 	int i;
404 	int ret;
405 
406 	for (i = 0; i < nr; i++) {
407 		ret = mmap_return_error(errs[i], st);
408 		if (ret < 0)
409 			return ret;
410 	}
411 	return 0;
412 }
413 
414 /* Allocate pfns that are then mapped with gfns from foreign domid. Update
415  * the vma with the page info to use later.
416  * Returns: 0 if success, otherwise -errno
417  */
418 static int alloc_empty_pages(struct vm_area_struct *vma, int numpgs)
419 {
420 	int rc;
421 	struct page **pages;
422 
423 	pages = kvcalloc(numpgs, sizeof(pages[0]), GFP_KERNEL);
424 	if (pages == NULL)
425 		return -ENOMEM;
426 
427 	rc = xen_alloc_unpopulated_pages(numpgs, pages);
428 	if (rc != 0) {
429 		pr_warn("%s Could not alloc %d pfns rc:%d\n", __func__,
430 			numpgs, rc);
431 		kvfree(pages);
432 		return -ENOMEM;
433 	}
434 	BUG_ON(vma->vm_private_data != NULL);
435 	vma->vm_private_data = pages;
436 
437 	return 0;
438 }
439 
440 static const struct vm_operations_struct privcmd_vm_ops;
441 
442 static long privcmd_ioctl_mmap_batch(
443 	struct file *file, void __user *udata, int version)
444 {
445 	struct privcmd_data *data = file->private_data;
446 	int ret;
447 	struct privcmd_mmapbatch_v2 m;
448 	struct mm_struct *mm = current->mm;
449 	struct vm_area_struct *vma;
450 	unsigned long nr_pages;
451 	LIST_HEAD(pagelist);
452 	struct mmap_batch_state state;
453 
454 	switch (version) {
455 	case 1:
456 		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch)))
457 			return -EFAULT;
458 		/* Returns per-frame error in m.arr. */
459 		m.err = NULL;
460 		if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
461 			return -EFAULT;
462 		break;
463 	case 2:
464 		if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
465 			return -EFAULT;
466 		/* Returns per-frame error code in m.err. */
467 		if (!access_ok(m.err, m.num * (sizeof(*m.err))))
468 			return -EFAULT;
469 		break;
470 	default:
471 		return -EINVAL;
472 	}
473 
474 	/* If restriction is in place, check the domid matches */
475 	if (data->domid != DOMID_INVALID && data->domid != m.dom)
476 		return -EPERM;
477 
478 	nr_pages = DIV_ROUND_UP(m.num, XEN_PFN_PER_PAGE);
479 	if ((m.num <= 0) || (nr_pages > (LONG_MAX >> PAGE_SHIFT)))
480 		return -EINVAL;
481 
482 	ret = gather_array(&pagelist, m.num, sizeof(xen_pfn_t), m.arr);
483 
484 	if (ret)
485 		goto out;
486 	if (list_empty(&pagelist)) {
487 		ret = -EINVAL;
488 		goto out;
489 	}
490 
491 	if (version == 2) {
492 		/* Zero error array now to only copy back actual errors. */
493 		if (clear_user(m.err, sizeof(int) * m.num)) {
494 			ret = -EFAULT;
495 			goto out;
496 		}
497 	}
498 
499 	mmap_write_lock(mm);
500 
501 	vma = find_vma(mm, m.addr);
502 	if (!vma ||
503 	    vma->vm_ops != &privcmd_vm_ops) {
504 		ret = -EINVAL;
505 		goto out_unlock;
506 	}
507 
508 	/*
509 	 * Caller must either:
510 	 *
511 	 * Map the whole VMA range, which will also allocate all the
512 	 * pages required for the auto_translated_physmap case.
513 	 *
514 	 * Or
515 	 *
516 	 * Map unmapped holes left from a previous map attempt (e.g.,
517 	 * because those foreign frames were previously paged out).
518 	 */
519 	if (vma->vm_private_data == NULL) {
520 		if (m.addr != vma->vm_start ||
521 		    m.addr + (nr_pages << PAGE_SHIFT) != vma->vm_end) {
522 			ret = -EINVAL;
523 			goto out_unlock;
524 		}
525 		if (xen_feature(XENFEAT_auto_translated_physmap)) {
526 			ret = alloc_empty_pages(vma, nr_pages);
527 			if (ret < 0)
528 				goto out_unlock;
529 		} else
530 			vma->vm_private_data = PRIV_VMA_LOCKED;
531 	} else {
532 		if (m.addr < vma->vm_start ||
533 		    m.addr + (nr_pages << PAGE_SHIFT) > vma->vm_end) {
534 			ret = -EINVAL;
535 			goto out_unlock;
536 		}
537 		if (privcmd_vma_range_is_mapped(vma, m.addr, nr_pages)) {
538 			ret = -EINVAL;
539 			goto out_unlock;
540 		}
541 	}
542 
543 	state.domain        = m.dom;
544 	state.vma           = vma;
545 	state.va            = m.addr;
546 	state.index         = 0;
547 	state.global_error  = 0;
548 	state.version       = version;
549 
550 	BUILD_BUG_ON(((PAGE_SIZE / sizeof(xen_pfn_t)) % XEN_PFN_PER_PAGE) != 0);
551 	/* mmap_batch_fn guarantees ret == 0 */
552 	BUG_ON(traverse_pages_block(m.num, sizeof(xen_pfn_t),
553 				    &pagelist, mmap_batch_fn, &state));
554 
555 	mmap_write_unlock(mm);
556 
557 	if (state.global_error) {
558 		/* Write back errors in second pass. */
559 		state.user_gfn = (xen_pfn_t *)m.arr;
560 		state.user_err = m.err;
561 		ret = traverse_pages_block(m.num, sizeof(xen_pfn_t),
562 					   &pagelist, mmap_return_errors, &state);
563 	} else
564 		ret = 0;
565 
566 	/* If we have not had any EFAULT-like global errors then set the global
567 	 * error to -ENOENT if necessary. */
568 	if ((ret == 0) && (state.global_error == -ENOENT))
569 		ret = -ENOENT;
570 
571 out:
572 	free_page_list(&pagelist);
573 	return ret;
574 
575 out_unlock:
576 	mmap_write_unlock(mm);
577 	goto out;
578 }
579 
580 static int lock_pages(
581 	struct privcmd_dm_op_buf kbufs[], unsigned int num,
582 	struct page *pages[], unsigned int nr_pages, unsigned int *pinned)
583 {
584 	unsigned int i, off = 0;
585 
586 	for (i = 0; i < num; ) {
587 		unsigned int requested;
588 		int page_count;
589 
590 		requested = DIV_ROUND_UP(
591 			offset_in_page(kbufs[i].uptr) + kbufs[i].size,
592 			PAGE_SIZE) - off;
593 		if (requested > nr_pages)
594 			return -ENOSPC;
595 
596 		page_count = pin_user_pages_fast(
597 			(unsigned long)kbufs[i].uptr + off * PAGE_SIZE,
598 			requested, FOLL_WRITE, pages);
599 		if (page_count <= 0)
600 			return page_count ? : -EFAULT;
601 
602 		*pinned += page_count;
603 		nr_pages -= page_count;
604 		pages += page_count;
605 
606 		off = (requested == page_count) ? 0 : off + page_count;
607 		i += !off;
608 	}
609 
610 	return 0;
611 }
612 
613 static void unlock_pages(struct page *pages[], unsigned int nr_pages)
614 {
615 	unpin_user_pages_dirty_lock(pages, nr_pages, true);
616 }
617 
618 static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
619 {
620 	struct privcmd_data *data = file->private_data;
621 	struct privcmd_dm_op kdata;
622 	struct privcmd_dm_op_buf *kbufs;
623 	unsigned int nr_pages = 0;
624 	struct page **pages = NULL;
625 	struct xen_dm_op_buf *xbufs = NULL;
626 	unsigned int i;
627 	long rc;
628 	unsigned int pinned = 0;
629 
630 	if (copy_from_user(&kdata, udata, sizeof(kdata)))
631 		return -EFAULT;
632 
633 	/* If restriction is in place, check the domid matches */
634 	if (data->domid != DOMID_INVALID && data->domid != kdata.dom)
635 		return -EPERM;
636 
637 	if (kdata.num == 0)
638 		return 0;
639 
640 	if (kdata.num > privcmd_dm_op_max_num)
641 		return -E2BIG;
642 
643 	kbufs = kcalloc(kdata.num, sizeof(*kbufs), GFP_KERNEL);
644 	if (!kbufs)
645 		return -ENOMEM;
646 
647 	if (copy_from_user(kbufs, kdata.ubufs,
648 			   sizeof(*kbufs) * kdata.num)) {
649 		rc = -EFAULT;
650 		goto out;
651 	}
652 
653 	for (i = 0; i < kdata.num; i++) {
654 		if (kbufs[i].size > privcmd_dm_op_buf_max_size) {
655 			rc = -E2BIG;
656 			goto out;
657 		}
658 
659 		if (!access_ok(kbufs[i].uptr,
660 			       kbufs[i].size)) {
661 			rc = -EFAULT;
662 			goto out;
663 		}
664 
665 		nr_pages += DIV_ROUND_UP(
666 			offset_in_page(kbufs[i].uptr) + kbufs[i].size,
667 			PAGE_SIZE);
668 	}
669 
670 	pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
671 	if (!pages) {
672 		rc = -ENOMEM;
673 		goto out;
674 	}
675 
676 	xbufs = kcalloc(kdata.num, sizeof(*xbufs), GFP_KERNEL);
677 	if (!xbufs) {
678 		rc = -ENOMEM;
679 		goto out;
680 	}
681 
682 	rc = lock_pages(kbufs, kdata.num, pages, nr_pages, &pinned);
683 	if (rc < 0)
684 		goto out;
685 
686 	for (i = 0; i < kdata.num; i++) {
687 		set_xen_guest_handle(xbufs[i].h, kbufs[i].uptr);
688 		xbufs[i].size = kbufs[i].size;
689 	}
690 
691 	xen_preemptible_hcall_begin();
692 	rc = HYPERVISOR_dm_op(kdata.dom, kdata.num, xbufs);
693 	xen_preemptible_hcall_end();
694 
695 out:
696 	unlock_pages(pages, pinned);
697 	kfree(xbufs);
698 	kfree(pages);
699 	kfree(kbufs);
700 
701 	return rc;
702 }
703 
704 static long privcmd_ioctl_restrict(struct file *file, void __user *udata)
705 {
706 	struct privcmd_data *data = file->private_data;
707 	domid_t dom;
708 
709 	if (copy_from_user(&dom, udata, sizeof(dom)))
710 		return -EFAULT;
711 
712 	/* Set restriction to the specified domain, or check it matches */
713 	if (data->domid == DOMID_INVALID)
714 		data->domid = dom;
715 	else if (data->domid != dom)
716 		return -EINVAL;
717 
718 	return 0;
719 }
720 
721 static long privcmd_ioctl_mmap_resource(struct file *file,
722 				struct privcmd_mmap_resource __user *udata)
723 {
724 	struct privcmd_data *data = file->private_data;
725 	struct mm_struct *mm = current->mm;
726 	struct vm_area_struct *vma;
727 	struct privcmd_mmap_resource kdata;
728 	xen_pfn_t *pfns = NULL;
729 	struct xen_mem_acquire_resource xdata = { };
730 	int rc;
731 
732 	if (copy_from_user(&kdata, udata, sizeof(kdata)))
733 		return -EFAULT;
734 
735 	/* If restriction is in place, check the domid matches */
736 	if (data->domid != DOMID_INVALID && data->domid != kdata.dom)
737 		return -EPERM;
738 
739 	/* Both fields must be set or unset */
740 	if (!!kdata.addr != !!kdata.num)
741 		return -EINVAL;
742 
743 	xdata.domid = kdata.dom;
744 	xdata.type = kdata.type;
745 	xdata.id = kdata.id;
746 
747 	if (!kdata.addr && !kdata.num) {
748 		/* Query the size of the resource. */
749 		rc = HYPERVISOR_memory_op(XENMEM_acquire_resource, &xdata);
750 		if (rc)
751 			return rc;
752 		return __put_user(xdata.nr_frames, &udata->num);
753 	}
754 
755 	mmap_write_lock(mm);
756 
757 	vma = find_vma(mm, kdata.addr);
758 	if (!vma || vma->vm_ops != &privcmd_vm_ops) {
759 		rc = -EINVAL;
760 		goto out;
761 	}
762 
763 	pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL | __GFP_NOWARN);
764 	if (!pfns) {
765 		rc = -ENOMEM;
766 		goto out;
767 	}
768 
769 	if (IS_ENABLED(CONFIG_XEN_AUTO_XLATE) &&
770 	    xen_feature(XENFEAT_auto_translated_physmap)) {
771 		unsigned int nr = DIV_ROUND_UP(kdata.num, XEN_PFN_PER_PAGE);
772 		struct page **pages;
773 		unsigned int i;
774 
775 		rc = alloc_empty_pages(vma, nr);
776 		if (rc < 0)
777 			goto out;
778 
779 		pages = vma->vm_private_data;
780 		for (i = 0; i < kdata.num; i++) {
781 			xen_pfn_t pfn =
782 				page_to_xen_pfn(pages[i / XEN_PFN_PER_PAGE]);
783 
784 			pfns[i] = pfn + (i % XEN_PFN_PER_PAGE);
785 		}
786 	} else
787 		vma->vm_private_data = PRIV_VMA_LOCKED;
788 
789 	xdata.frame = kdata.idx;
790 	xdata.nr_frames = kdata.num;
791 	set_xen_guest_handle(xdata.frame_list, pfns);
792 
793 	xen_preemptible_hcall_begin();
794 	rc = HYPERVISOR_memory_op(XENMEM_acquire_resource, &xdata);
795 	xen_preemptible_hcall_end();
796 
797 	if (rc)
798 		goto out;
799 
800 	if (IS_ENABLED(CONFIG_XEN_AUTO_XLATE) &&
801 	    xen_feature(XENFEAT_auto_translated_physmap)) {
802 		rc = xen_remap_vma_range(vma, kdata.addr, kdata.num << PAGE_SHIFT);
803 	} else {
804 		unsigned int domid =
805 			(xdata.flags & XENMEM_rsrc_acq_caller_owned) ?
806 			DOMID_SELF : kdata.dom;
807 		int num, *errs = (int *)pfns;
808 
809 		BUILD_BUG_ON(sizeof(*errs) > sizeof(*pfns));
810 		num = xen_remap_domain_mfn_array(vma,
811 						 kdata.addr & PAGE_MASK,
812 						 pfns, kdata.num, errs,
813 						 vma->vm_page_prot,
814 						 domid);
815 		if (num < 0)
816 			rc = num;
817 		else if (num != kdata.num) {
818 			unsigned int i;
819 
820 			for (i = 0; i < num; i++) {
821 				rc = errs[i];
822 				if (rc < 0)
823 					break;
824 			}
825 		} else
826 			rc = 0;
827 	}
828 
829 out:
830 	mmap_write_unlock(mm);
831 	kfree(pfns);
832 
833 	return rc;
834 }
835 
836 static long privcmd_ioctl(struct file *file,
837 			  unsigned int cmd, unsigned long data)
838 {
839 	int ret = -ENOTTY;
840 	void __user *udata = (void __user *) data;
841 
842 	switch (cmd) {
843 	case IOCTL_PRIVCMD_HYPERCALL:
844 		ret = privcmd_ioctl_hypercall(file, udata);
845 		break;
846 
847 	case IOCTL_PRIVCMD_MMAP:
848 		ret = privcmd_ioctl_mmap(file, udata);
849 		break;
850 
851 	case IOCTL_PRIVCMD_MMAPBATCH:
852 		ret = privcmd_ioctl_mmap_batch(file, udata, 1);
853 		break;
854 
855 	case IOCTL_PRIVCMD_MMAPBATCH_V2:
856 		ret = privcmd_ioctl_mmap_batch(file, udata, 2);
857 		break;
858 
859 	case IOCTL_PRIVCMD_DM_OP:
860 		ret = privcmd_ioctl_dm_op(file, udata);
861 		break;
862 
863 	case IOCTL_PRIVCMD_RESTRICT:
864 		ret = privcmd_ioctl_restrict(file, udata);
865 		break;
866 
867 	case IOCTL_PRIVCMD_MMAP_RESOURCE:
868 		ret = privcmd_ioctl_mmap_resource(file, udata);
869 		break;
870 
871 	default:
872 		break;
873 	}
874 
875 	return ret;
876 }
877 
878 static int privcmd_open(struct inode *ino, struct file *file)
879 {
880 	struct privcmd_data *data = kzalloc(sizeof(*data), GFP_KERNEL);
881 
882 	if (!data)
883 		return -ENOMEM;
884 
885 	/* DOMID_INVALID implies no restriction */
886 	data->domid = DOMID_INVALID;
887 
888 	file->private_data = data;
889 	return 0;
890 }
891 
892 static int privcmd_release(struct inode *ino, struct file *file)
893 {
894 	struct privcmd_data *data = file->private_data;
895 
896 	kfree(data);
897 	return 0;
898 }
899 
900 static void privcmd_close(struct vm_area_struct *vma)
901 {
902 	struct page **pages = vma->vm_private_data;
903 	int numpgs = vma_pages(vma);
904 	int numgfns = (vma->vm_end - vma->vm_start) >> XEN_PAGE_SHIFT;
905 	int rc;
906 
907 	if (!xen_feature(XENFEAT_auto_translated_physmap) || !numpgs || !pages)
908 		return;
909 
910 	rc = xen_unmap_domain_gfn_range(vma, numgfns, pages);
911 	if (rc == 0)
912 		xen_free_unpopulated_pages(numpgs, pages);
913 	else
914 		pr_crit("unable to unmap MFN range: leaking %d pages. rc=%d\n",
915 			numpgs, rc);
916 	kvfree(pages);
917 }
918 
919 static vm_fault_t privcmd_fault(struct vm_fault *vmf)
920 {
921 	printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
922 	       vmf->vma, vmf->vma->vm_start, vmf->vma->vm_end,
923 	       vmf->pgoff, (void *)vmf->address);
924 
925 	return VM_FAULT_SIGBUS;
926 }
927 
928 static const struct vm_operations_struct privcmd_vm_ops = {
929 	.close = privcmd_close,
930 	.fault = privcmd_fault
931 };
932 
933 static int privcmd_mmap(struct file *file, struct vm_area_struct *vma)
934 {
935 	/* DONTCOPY is essential for Xen because copy_page_range doesn't know
936 	 * how to recreate these mappings */
937 	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTCOPY |
938 			 VM_DONTEXPAND | VM_DONTDUMP);
939 	vma->vm_ops = &privcmd_vm_ops;
940 	vma->vm_private_data = NULL;
941 
942 	return 0;
943 }
944 
945 /*
946  * For MMAPBATCH*. This allows asserting the singleshot mapping
947  * on a per pfn/pte basis. Mapping calls that fail with ENOENT
948  * can be then retried until success.
949  */
950 static int is_mapped_fn(pte_t *pte, unsigned long addr, void *data)
951 {
952 	return pte_none(*pte) ? 0 : -EBUSY;
953 }
954 
955 static int privcmd_vma_range_is_mapped(
956 	           struct vm_area_struct *vma,
957 	           unsigned long addr,
958 	           unsigned long nr_pages)
959 {
960 	return apply_to_page_range(vma->vm_mm, addr, nr_pages << PAGE_SHIFT,
961 				   is_mapped_fn, NULL) != 0;
962 }
963 
964 const struct file_operations xen_privcmd_fops = {
965 	.owner = THIS_MODULE,
966 	.unlocked_ioctl = privcmd_ioctl,
967 	.open = privcmd_open,
968 	.release = privcmd_release,
969 	.mmap = privcmd_mmap,
970 };
971 EXPORT_SYMBOL_GPL(xen_privcmd_fops);
972 
973 static struct miscdevice privcmd_dev = {
974 	.minor = MISC_DYNAMIC_MINOR,
975 	.name = "xen/privcmd",
976 	.fops = &xen_privcmd_fops,
977 };
978 
979 static int __init privcmd_init(void)
980 {
981 	int err;
982 
983 	if (!xen_domain())
984 		return -ENODEV;
985 
986 	err = misc_register(&privcmd_dev);
987 	if (err != 0) {
988 		pr_err("Could not register Xen privcmd device\n");
989 		return err;
990 	}
991 
992 	err = misc_register(&xen_privcmdbuf_dev);
993 	if (err != 0) {
994 		pr_err("Could not register Xen hypercall-buf device\n");
995 		misc_deregister(&privcmd_dev);
996 		return err;
997 	}
998 
999 	return 0;
1000 }
1001 
1002 static void __exit privcmd_exit(void)
1003 {
1004 	misc_deregister(&privcmd_dev);
1005 	misc_deregister(&xen_privcmdbuf_dev);
1006 }
1007 
1008 module_init(privcmd_init);
1009 module_exit(privcmd_exit);
1010