1
/*P:400
2
 * This contains run_guest() which actually calls into the Host<->Guest
3
 * Switcher and analyzes the return, such as determining if the Guest wants the
4
 * Host to do something.  This file also contains useful helper routines.
5
:*/
6
#include <linux/module.h>
7
#include <linux/stringify.h>
8
#include <linux/stddef.h>
9
#include <linux/io.h>
10
#include <linux/mm.h>
11
#include <linux/vmalloc.h>
12
#include <linux/cpu.h>
13
#include <linux/freezer.h>
14
#include <linux/highmem.h>
15
#include <linux/slab.h>
16
#include <asm/paravirt.h>
17
#include <asm/pgtable.h>
18
#include <asm/uaccess.h>
19
#include <asm/poll.h>
20
#include <asm/asm-offsets.h>
21
#include "lg.h"
22

23

24
static struct vm_struct *switcher_vma;
25
static struct page **switcher_page;
26

27
/* This One Big lock protects all inter-guest data structures. */
28
DEFINE_MUTEX(lguest_lock);
29

30
/*H:010
31
 * We need to set up the Switcher at a high virtual address.  Remember the
32
 * Switcher is a few hundred bytes of assembler code which actually changes the
33
 * CPU to run the Guest, and then changes back to the Host when a trap or
34
 * interrupt happens.
35
 *
36
 * The Switcher code must be at the same virtual address in the Guest as the
37
 * Host since it will be running as the switchover occurs.
38
 *
39
 * Trying to map memory at a particular address is an unusual thing to do, so
40
 * it's not a simple one-liner.
41
 */
42
static __init int map_switcher(void)
43
{
44
	int i, err;
45
	struct page **pagep;
46

47
	/*
48
	 * Map the Switcher in to high memory.
49
	 *
50
	 * It turns out that if we choose the address 0xFFC00000 (4MB under the
51
	 * top virtual address), it makes setting up the page tables really
52
	 * easy.
53
	 */
54

55
	/*
56
	 * We allocate an array of struct page pointers.  map_vm_area() wants
57
	 * this, rather than just an array of pages.
58
	 */
59
	switcher_page = kmalloc(sizeof(switcher_page[0])*TOTAL_SWITCHER_PAGES,
60
				GFP_KERNEL);
61
	if (!switcher_page) {
62
		err = -ENOMEM;
63
		goto out;
64
	}
65

66
	/*
67
	 * Now we actually allocate the pages.  The Guest will see these pages,
68
	 * so we make sure they're zeroed.
69
	 */
70
	for (i = 0; i < TOTAL_SWITCHER_PAGES; i++) {
71
		switcher_page[i] = alloc_page(GFP_KERNEL|__GFP_ZERO);
72
		if (!switcher_page[i]) {
73
			err = -ENOMEM;
74
			goto free_some_pages;
75
		}
76
	}
77

78
	/*
79
	 * First we check that the Switcher won't overlap the fixmap area at
80
	 * the top of memory.  It's currently nowhere near, but it could have
81
	 * very strange effects if it ever happened.
82
	 */
83
	if (SWITCHER_ADDR + (TOTAL_SWITCHER_PAGES+1)*PAGE_SIZE > FIXADDR_START){
84
		err = -ENOMEM;
85
		printk("lguest: mapping switcher would thwack fixmap\n");
86
		goto free_pages;
87
	}
88

89
	/*
90
	 * Now we reserve the "virtual memory area" we want: 0xFFC00000
91
	 * (SWITCHER_ADDR).  We might not get it in theory, but in practice
92
	 * it's worked so far.  The end address needs +1 because __get_vm_area
93
	 * allocates an extra guard page, so we need space for that.
94
	 */
95
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
96
				     VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
97
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
98
	if (!switcher_vma) {
99
		err = -ENOMEM;
100
		printk("lguest: could not map switcher pages high\n");
101
		goto free_pages;
102
	}
103

104
	/*
105
	 * This code actually sets up the pages we've allocated to appear at
106
	 * SWITCHER_ADDR.  map_vm_area() takes the vma we allocated above, the
107
	 * kind of pages we're mapping (kernel pages), and a pointer to our
108
	 * array of struct pages.  It increments that pointer, but we don't
109
	 * care.
110
	 */
111
	pagep = switcher_page;
112
	err = map_vm_area(switcher_vma, PAGE_KERNEL_EXEC, &pagep);
113
	if (err) {
114
		printk("lguest: map_vm_area failed: %i\n", err);
115
		goto free_vma;
116
	}
117

118
	/*
119
	 * Now the Switcher is mapped at the right address, we can't fail!
120
	 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
121
	 */
122
	memcpy(switcher_vma->addr, start_switcher_text,
123
	       end_switcher_text - start_switcher_text);
124

125
	printk(KERN_INFO "lguest: mapped switcher at %p\n",
126
	       switcher_vma->addr);
127
	/* And we succeeded... */
128
	return 0;
129

130
free_vma:
131
	vunmap(switcher_vma->addr);
132
free_pages:
133
	i = TOTAL_SWITCHER_PAGES;
134
free_some_pages:
135
	for (--i; i >= 0; i--)
136
		__free_pages(switcher_page[i], 0);
137
	kfree(switcher_page);
138
out:
139
	return err;
140
}
141
/*:*/
142

143
/* Cleaning up the mapping when the module is unloaded is almost... too easy. */
144
static void unmap_switcher(void)
145
{
146
	unsigned int i;
147

148
	/* vunmap() undoes *both* map_vm_area() and __get_vm_area(). */
149
	vunmap(switcher_vma->addr);
150
	/* Now we just need to free the pages we copied the switcher into */
151
	for (i = 0; i < TOTAL_SWITCHER_PAGES; i++)
152
		__free_pages(switcher_page[i], 0);
153
	kfree(switcher_page);
154
}
155

156
/*H:032
157
 * Dealing With Guest Memory.
158
 *
159
 * Before we go too much further into the Host, we need to grok the routines
160
 * we use to deal with Guest memory.
161
 *
162
 * When the Guest gives us (what it thinks is) a physical address, we can use
163
 * the normal copy_from_user() & copy_to_user() on the corresponding place in
164
 * the memory region allocated by the Launcher.
165
 *
166
 * But we can't trust the Guest: it might be trying to access the Launcher
167
 * code.  We have to check that the range is below the pfn_limit the Launcher
168
 * gave us.  We have to make sure that addr + len doesn't give us a false
169
 * positive by overflowing, too.
170
 */
171
bool lguest_address_ok(const struct lguest *lg,
172
		       unsigned long addr, unsigned long len)
173
{
174
	return (addr+len) / PAGE_SIZE < lg->pfn_limit && (addr+len >= addr);
175
}
176

177
/*
178
 * This routine copies memory from the Guest.  Here we can see how useful the
179
 * kill_lguest() routine we met in the Launcher can be: we return a random
180
 * value (all zeroes) instead of needing to return an error.
181
 */
182
void __lgread(struct lg_cpu *cpu, void *b, unsigned long addr, unsigned bytes)
183
{
184
	if (!lguest_address_ok(cpu->lg, addr, bytes)
185
	    || copy_from_user(b, cpu->lg->mem_base + addr, bytes) != 0) {
186
		/* copy_from_user should do this, but as we rely on it... */
187
		memset(b, 0, bytes);
188
		kill_guest(cpu, "bad read address %#lx len %u", addr, bytes);
189
	}
190
}
191

192
/* This is the write (copy into Guest) version. */
193
void __lgwrite(struct lg_cpu *cpu, unsigned long addr, const void *b,
194
	       unsigned bytes)
195
{
196
	if (!lguest_address_ok(cpu->lg, addr, bytes)
197
	    || copy_to_user(cpu->lg->mem_base + addr, b, bytes) != 0)
198
		kill_guest(cpu, "bad write address %#lx len %u", addr, bytes);
199
}
200
/*:*/
201

202
/*H:030
203
 * Let's jump straight to the the main loop which runs the Guest.
204
 * Remember, this is called by the Launcher reading /dev/lguest, and we keep
205
 * going around and around until something interesting happens.
206
 */
207
int run_guest(struct lg_cpu *cpu, unsigned long __user *user)
208
{
209
	/* We stop running once the Guest is dead. */
210
	while (!cpu->lg->dead) {
211
		unsigned int irq;
212
		bool more;
213

214
		/* First we run any hypercalls the Guest wants done. */
215
		if (cpu->hcall)
216
			do_hypercalls(cpu);
217

218
		/*
219
		 * It's possible the Guest did a NOTIFY hypercall to the
220
		 * Launcher.
221
		 */
222
		if (cpu->pending_notify) {
223
			/*
224
			 * Does it just needs to write to a registered
225
			 * eventfd (ie. the appropriate virtqueue thread)?
226
			 */
227
			if (!send_notify_to_eventfd(cpu)) {
228
				/* OK, we tell the main Laucher. */
229
				if (put_user(cpu->pending_notify, user))
230
					return -EFAULT;
231
				return sizeof(cpu->pending_notify);
232
			}
233
		}
234

235
		/* Check for signals */
236
		if (signal_pending(current))
237
			return -ERESTARTSYS;
238

239
		/*
240
		 * Check if there are any interrupts which can be delivered now:
241
		 * if so, this sets up the hander to be executed when we next
242
		 * run the Guest.
243
		 */
244
		irq = interrupt_pending(cpu, &more);
245
		if (irq < LGUEST_IRQS)
246
			try_deliver_interrupt(cpu, irq, more);
247

248
		/*
249
		 * All long-lived kernel loops need to check with this horrible
250
		 * thing called the freezer.  If the Host is trying to suspend,
251
		 * it stops us.
252
		 */
253
		try_to_freeze();
254

255
		/*
256
		 * Just make absolutely sure the Guest is still alive.  One of
257
		 * those hypercalls could have been fatal, for example.
258
		 */
259
		if (cpu->lg->dead)
260
			break;
261

262
		/*
263
		 * If the Guest asked to be stopped, we sleep.  The Guest's
264
		 * clock timer will wake us.
265
		 */
266
		if (cpu->halted) {
267
			set_current_state(TASK_INTERRUPTIBLE);
268
			/*
269
			 * Just before we sleep, make sure no interrupt snuck in
270
			 * which we should be doing.
271
			 */
272
			if (interrupt_pending(cpu, &more) < LGUEST_IRQS)
273
				set_current_state(TASK_RUNNING);
274
			else
275
				schedule();
276
			continue;
277
		}
278

279
		/*
280
		 * OK, now we're ready to jump into the Guest.  First we put up
281
		 * the "Do Not Disturb" sign:
282
		 */
283
		local_irq_disable();
284

285
		/* Actually run the Guest until something happens. */
286
		lguest_arch_run_guest(cpu);
287

288
		/* Now we're ready to be interrupted or moved to other CPUs */
289
		local_irq_enable();
290

291
		/* Now we deal with whatever happened to the Guest. */
292
		lguest_arch_handle_trap(cpu);
293
	}
294

295
	/* Special case: Guest is 'dead' but wants a reboot. */
296
	if (cpu->lg->dead == ERR_PTR(-ERESTART))
297
		return -ERESTART;
298

299
	/* The Guest is dead => "No such file or directory" */
300
	return -ENOENT;
301
}
302

303
/*H:000
304
 * Welcome to the Host!
305
 *
306
 * By this point your brain has been tickled by the Guest code and numbed by
307
 * the Launcher code; prepare for it to be stretched by the Host code.  This is
308
 * the heart.  Let's begin at the initialization routine for the Host's lg
309
 * module.
310
 */
311
static int __init init(void)
312
{
313
	int err;
314

315
	/* Lguest can't run under Xen, VMI or itself.  It does Tricky Stuff. */
316
	if (paravirt_enabled()) {
317
		printk("lguest is afraid of being a guest\n");
318
		return -EPERM;
319
	}
320

321
	/* First we put the Switcher up in very high virtual memory. */
322
	err = map_switcher();
323
	if (err)
324
		goto out;
325

326
	/* Now we set up the pagetable implementation for the Guests. */
327
	err = init_pagetables(switcher_page, SHARED_SWITCHER_PAGES);
328
	if (err)
329
		goto unmap;
330

331
	/* We might need to reserve an interrupt vector. */
332
	err = init_interrupts();
333
	if (err)
334
		goto free_pgtables;
335

336
	/* /dev/lguest needs to be registered. */
337
	err = lguest_device_init();
338
	if (err)
339
		goto free_interrupts;
340

341
	/* Finally we do some architecture-specific setup. */
342
	lguest_arch_host_init();
343

344
	/* All good! */
345
	return 0;
346

347
free_interrupts:
348
	free_interrupts();
349
free_pgtables:
350
	free_pagetables();
351
unmap:
352
	unmap_switcher();
353
out:
354
	return err;
355
}
356

357
/* Cleaning up is just the same code, backwards.  With a little French. */
358
static void __exit fini(void)
359
{
360
	lguest_device_remove();
361
	free_interrupts();
362
	free_pagetables();
363
	unmap_switcher();
364

365
	lguest_arch_host_fini();
366
}
367
/*:*/
368

369
/*
370
 * The Host side of lguest can be a module.  This is a nice way for people to
371
 * play with it.
372
 */
373
module_init(init);
374
module_exit(fini);
375
MODULE_LICENSE("GPL");
376
MODULE_AUTHOR("Rusty Russell <[email protected]>");
377

378