1 // SPDX-License-Identifier: GPL-2.0 OR MIT
2 /*
3  * Copyright 2016 VMware, Inc., Palo Alto, CA., USA
4  *
5  * Permission is hereby granted, free of charge, to any person obtaining a
6  * copy of this software and associated documentation files (the
7  * "Software"), to deal in the Software without restriction, including
8  * without limitation the rights to use, copy, modify, merge, publish,
9  * distribute, sub license, and/or sell copies of the Software, and to
10  * permit persons to whom the Software is furnished to do so, subject to
11  * the following conditions:
12  *
13  * The above copyright notice and this permission notice (including the
14  * next paragraph) shall be included in all copies or substantial portions
15  * of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
20  * THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
21  * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
22  * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
23  * USE OR OTHER DEALINGS IN THE SOFTWARE.
24  *
25  */
26 
27 #include <linux/objtool.h>
28 #include <linux/kernel.h>
29 #include <linux/module.h>
30 #include <linux/slab.h>
31 #include <linux/mem_encrypt.h>
32 
33 #include <asm/hypervisor.h>
34 
35 #include "vmwgfx_drv.h"
36 #include "vmwgfx_msg.h"
37 
38 #define MESSAGE_STATUS_SUCCESS  0x0001
39 #define MESSAGE_STATUS_DORECV   0x0002
40 #define MESSAGE_STATUS_CPT      0x0010
41 #define MESSAGE_STATUS_HB       0x0080
42 
43 #define RPCI_PROTOCOL_NUM       0x49435052
44 #define GUESTMSG_FLAG_COOKIE    0x80000000
45 
46 #define RETRIES                 3
47 
48 #define VMW_HYPERVISOR_MAGIC    0x564D5868
49 
50 #define VMW_PORT_CMD_MSG        30
51 #define VMW_PORT_CMD_HB_MSG     0
52 #define VMW_PORT_CMD_OPEN_CHANNEL  (MSG_TYPE_OPEN << 16 | VMW_PORT_CMD_MSG)
53 #define VMW_PORT_CMD_CLOSE_CHANNEL (MSG_TYPE_CLOSE << 16 | VMW_PORT_CMD_MSG)
54 #define VMW_PORT_CMD_SENDSIZE   (MSG_TYPE_SENDSIZE << 16 | VMW_PORT_CMD_MSG)
55 #define VMW_PORT_CMD_RECVSIZE   (MSG_TYPE_RECVSIZE << 16 | VMW_PORT_CMD_MSG)
56 #define VMW_PORT_CMD_RECVSTATUS (MSG_TYPE_RECVSTATUS << 16 | VMW_PORT_CMD_MSG)
57 
58 #define HIGH_WORD(X) ((X & 0xFFFF0000) >> 16)
59 
60 #define MAX_USER_MSG_LENGTH	PAGE_SIZE
61 
62 static u32 vmw_msg_enabled = 1;
63 
64 enum rpc_msg_type {
65 	MSG_TYPE_OPEN,
66 	MSG_TYPE_SENDSIZE,
67 	MSG_TYPE_SENDPAYLOAD,
68 	MSG_TYPE_RECVSIZE,
69 	MSG_TYPE_RECVPAYLOAD,
70 	MSG_TYPE_RECVSTATUS,
71 	MSG_TYPE_CLOSE,
72 };
73 
74 struct rpc_channel {
75 	u16 channel_id;
76 	u32 cookie_high;
77 	u32 cookie_low;
78 };
79 
80 
81 
82 /**
83  * vmw_open_channel
84  *
85  * @channel: RPC channel
86  * @protocol:
87  *
88  * Returns: 0 on success
89  */
vmw_open_channel(struct rpc_channel * channel,unsigned int protocol)90 static int vmw_open_channel(struct rpc_channel *channel, unsigned int protocol)
91 {
92 	unsigned long eax, ebx, ecx, edx, si = 0, di = 0;
93 
94 	VMW_PORT(VMW_PORT_CMD_OPEN_CHANNEL,
95 		(protocol | GUESTMSG_FLAG_COOKIE), si, di,
96 		0,
97 		VMW_HYPERVISOR_MAGIC,
98 		eax, ebx, ecx, edx, si, di);
99 
100 	if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
101 		return -EINVAL;
102 
103 	channel->channel_id  = HIGH_WORD(edx);
104 	channel->cookie_high = si;
105 	channel->cookie_low  = di;
106 
107 	return 0;
108 }
109 
110 
111 
112 /**
113  * vmw_close_channel
114  *
115  * @channel: RPC channel
116  *
117  * Returns: 0 on success
118  */
vmw_close_channel(struct rpc_channel * channel)119 static int vmw_close_channel(struct rpc_channel *channel)
120 {
121 	unsigned long eax, ebx, ecx, edx, si, di;
122 
123 	/* Set up additional parameters */
124 	si  = channel->cookie_high;
125 	di  = channel->cookie_low;
126 
127 	VMW_PORT(VMW_PORT_CMD_CLOSE_CHANNEL,
128 		0, si, di,
129 		channel->channel_id << 16,
130 		VMW_HYPERVISOR_MAGIC,
131 		eax, ebx, ecx, edx, si, di);
132 
133 	if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
134 		return -EINVAL;
135 
136 	return 0;
137 }
138 
139 /**
140  * vmw_port_hb_out - Send the message payload either through the
141  * high-bandwidth port if available, or through the backdoor otherwise.
142  * @channel: The rpc channel.
143  * @msg: NULL-terminated message.
144  * @hb: Whether the high-bandwidth port is available.
145  *
146  * Return: The port status.
147  */
vmw_port_hb_out(struct rpc_channel * channel,const char * msg,bool hb)148 static unsigned long vmw_port_hb_out(struct rpc_channel *channel,
149 				     const char *msg, bool hb)
150 {
151 	unsigned long si, di, eax, ebx, ecx, edx;
152 	unsigned long msg_len = strlen(msg);
153 
154 	/* HB port can't access encrypted memory. */
155 	if (hb && !mem_encrypt_active()) {
156 		unsigned long bp = channel->cookie_high;
157 
158 		si = (uintptr_t) msg;
159 		di = channel->cookie_low;
160 
161 		VMW_PORT_HB_OUT(
162 			(MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
163 			msg_len, si, di,
164 			VMWARE_HYPERVISOR_HB | (channel->channel_id << 16) |
165 			VMWARE_HYPERVISOR_OUT,
166 			VMW_HYPERVISOR_MAGIC, bp,
167 			eax, ebx, ecx, edx, si, di);
168 
169 		return ebx;
170 	}
171 
172 	/* HB port not available. Send the message 4 bytes at a time. */
173 	ecx = MESSAGE_STATUS_SUCCESS << 16;
174 	while (msg_len && (HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS)) {
175 		unsigned int bytes = min_t(size_t, msg_len, 4);
176 		unsigned long word = 0;
177 
178 		memcpy(&word, msg, bytes);
179 		msg_len -= bytes;
180 		msg += bytes;
181 		si = channel->cookie_high;
182 		di = channel->cookie_low;
183 
184 		VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_SENDPAYLOAD << 16),
185 			 word, si, di,
186 			 channel->channel_id << 16,
187 			 VMW_HYPERVISOR_MAGIC,
188 			 eax, ebx, ecx, edx, si, di);
189 	}
190 
191 	return ecx;
192 }
193 
194 /**
195  * vmw_port_hb_in - Receive the message payload either through the
196  * high-bandwidth port if available, or through the backdoor otherwise.
197  * @channel: The rpc channel.
198  * @reply: Pointer to buffer holding reply.
199  * @reply_len: Length of the reply.
200  * @hb: Whether the high-bandwidth port is available.
201  *
202  * Return: The port status.
203  */
vmw_port_hb_in(struct rpc_channel * channel,char * reply,unsigned long reply_len,bool hb)204 static unsigned long vmw_port_hb_in(struct rpc_channel *channel, char *reply,
205 				    unsigned long reply_len, bool hb)
206 {
207 	unsigned long si, di, eax, ebx, ecx, edx;
208 
209 	/* HB port can't access encrypted memory */
210 	if (hb && !mem_encrypt_active()) {
211 		unsigned long bp = channel->cookie_low;
212 
213 		si = channel->cookie_high;
214 		di = (uintptr_t) reply;
215 
216 		VMW_PORT_HB_IN(
217 			(MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
218 			reply_len, si, di,
219 			VMWARE_HYPERVISOR_HB | (channel->channel_id << 16),
220 			VMW_HYPERVISOR_MAGIC, bp,
221 			eax, ebx, ecx, edx, si, di);
222 
223 		return ebx;
224 	}
225 
226 	/* HB port not available. Retrieve the message 4 bytes at a time. */
227 	ecx = MESSAGE_STATUS_SUCCESS << 16;
228 	while (reply_len) {
229 		unsigned int bytes = min_t(unsigned long, reply_len, 4);
230 
231 		si = channel->cookie_high;
232 		di = channel->cookie_low;
233 
234 		VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_RECVPAYLOAD << 16),
235 			 MESSAGE_STATUS_SUCCESS, si, di,
236 			 channel->channel_id << 16,
237 			 VMW_HYPERVISOR_MAGIC,
238 			 eax, ebx, ecx, edx, si, di);
239 
240 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
241 			break;
242 
243 		memcpy(reply, &ebx, bytes);
244 		reply_len -= bytes;
245 		reply += bytes;
246 	}
247 
248 	return ecx;
249 }
250 
251 
252 /**
253  * vmw_send_msg: Sends a message to the host
254  *
255  * @channel: RPC channel
256  * @logmsg: NULL terminated string
257  *
258  * Returns: 0 on success
259  */
vmw_send_msg(struct rpc_channel * channel,const char * msg)260 static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
261 {
262 	unsigned long eax, ebx, ecx, edx, si, di;
263 	size_t msg_len = strlen(msg);
264 	int retries = 0;
265 
266 	while (retries < RETRIES) {
267 		retries++;
268 
269 		/* Set up additional parameters */
270 		si  = channel->cookie_high;
271 		di  = channel->cookie_low;
272 
273 		VMW_PORT(VMW_PORT_CMD_SENDSIZE,
274 			msg_len, si, di,
275 			channel->channel_id << 16,
276 			VMW_HYPERVISOR_MAGIC,
277 			eax, ebx, ecx, edx, si, di);
278 
279 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
280 			/* Expected success. Give up. */
281 			return -EINVAL;
282 		}
283 
284 		/* Send msg */
285 		ebx = vmw_port_hb_out(channel, msg,
286 				      !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
287 
288 		if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) != 0) {
289 			return 0;
290 		} else if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) {
291 			/* A checkpoint occurred. Retry. */
292 			continue;
293 		} else {
294 			break;
295 		}
296 	}
297 
298 	return -EINVAL;
299 }
300 STACK_FRAME_NON_STANDARD(vmw_send_msg);
301 
302 
303 /**
304  * vmw_recv_msg: Receives a message from the host
305  *
306  * Note:  It is the caller's responsibility to call kfree() on msg.
307  *
308  * @channel:  channel opened by vmw_open_channel
309  * @msg:  [OUT] message received from the host
310  * @msg_len: message length
311  */
vmw_recv_msg(struct rpc_channel * channel,void ** msg,size_t * msg_len)312 static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
313 			size_t *msg_len)
314 {
315 	unsigned long eax, ebx, ecx, edx, si, di;
316 	char *reply;
317 	size_t reply_len;
318 	int retries = 0;
319 
320 
321 	*msg_len = 0;
322 	*msg = NULL;
323 
324 	while (retries < RETRIES) {
325 		retries++;
326 
327 		/* Set up additional parameters */
328 		si  = channel->cookie_high;
329 		di  = channel->cookie_low;
330 
331 		VMW_PORT(VMW_PORT_CMD_RECVSIZE,
332 			0, si, di,
333 			channel->channel_id << 16,
334 			VMW_HYPERVISOR_MAGIC,
335 			eax, ebx, ecx, edx, si, di);
336 
337 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
338 			DRM_ERROR("Failed to get reply size for host message.\n");
339 			return -EINVAL;
340 		}
341 
342 		/* No reply available.  This is okay. */
343 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_DORECV) == 0)
344 			return 0;
345 
346 		reply_len = ebx;
347 		reply     = kzalloc(reply_len + 1, GFP_KERNEL);
348 		if (!reply) {
349 			DRM_ERROR("Cannot allocate memory for host message reply.\n");
350 			return -ENOMEM;
351 		}
352 
353 
354 		/* Receive buffer */
355 		ebx = vmw_port_hb_in(channel, reply, reply_len,
356 				     !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
357 		if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) {
358 			kfree(reply);
359 			reply = NULL;
360 			if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) {
361 				/* A checkpoint occurred. Retry. */
362 				continue;
363 			}
364 
365 			return -EINVAL;
366 		}
367 
368 		reply[reply_len] = '\0';
369 
370 
371 		/* Ack buffer */
372 		si  = channel->cookie_high;
373 		di  = channel->cookie_low;
374 
375 		VMW_PORT(VMW_PORT_CMD_RECVSTATUS,
376 			MESSAGE_STATUS_SUCCESS, si, di,
377 			channel->channel_id << 16,
378 			VMW_HYPERVISOR_MAGIC,
379 			eax, ebx, ecx, edx, si, di);
380 
381 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
382 			kfree(reply);
383 			reply = NULL;
384 			if ((HIGH_WORD(ecx) & MESSAGE_STATUS_CPT) != 0) {
385 				/* A checkpoint occurred. Retry. */
386 				continue;
387 			}
388 
389 			return -EINVAL;
390 		}
391 
392 		break;
393 	}
394 
395 	if (!reply)
396 		return -EINVAL;
397 
398 	*msg_len = reply_len;
399 	*msg     = reply;
400 
401 	return 0;
402 }
403 STACK_FRAME_NON_STANDARD(vmw_recv_msg);
404 
405 
406 /**
407  * vmw_host_get_guestinfo: Gets a GuestInfo parameter
408  *
409  * Gets the value of a  GuestInfo.* parameter.  The value returned will be in
410  * a string, and it is up to the caller to post-process.
411  *
412  * @guest_info_param:  Parameter to get, e.g. GuestInfo.svga.gl3
413  * @buffer: if NULL, *reply_len will contain reply size.
414  * @length: size of the reply_buf.  Set to size of reply upon return
415  *
416  * Returns: 0 on success
417  */
vmw_host_get_guestinfo(const char * guest_info_param,char * buffer,size_t * length)418 int vmw_host_get_guestinfo(const char *guest_info_param,
419 			   char *buffer, size_t *length)
420 {
421 	struct rpc_channel channel;
422 	char *msg, *reply = NULL;
423 	size_t reply_len = 0;
424 
425 	if (!vmw_msg_enabled)
426 		return -ENODEV;
427 
428 	if (!guest_info_param || !length)
429 		return -EINVAL;
430 
431 	msg = kasprintf(GFP_KERNEL, "info-get %s", guest_info_param);
432 	if (!msg) {
433 		DRM_ERROR("Cannot allocate memory to get guest info \"%s\".",
434 			  guest_info_param);
435 		return -ENOMEM;
436 	}
437 
438 	if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
439 		goto out_open;
440 
441 	if (vmw_send_msg(&channel, msg) ||
442 	    vmw_recv_msg(&channel, (void *) &reply, &reply_len))
443 		goto out_msg;
444 
445 	vmw_close_channel(&channel);
446 	if (buffer && reply && reply_len > 0) {
447 		/* Remove reply code, which are the first 2 characters of
448 		 * the reply
449 		 */
450 		reply_len = max(reply_len - 2, (size_t) 0);
451 		reply_len = min(reply_len, *length);
452 
453 		if (reply_len > 0)
454 			memcpy(buffer, reply + 2, reply_len);
455 	}
456 
457 	*length = reply_len;
458 
459 	kfree(reply);
460 	kfree(msg);
461 
462 	return 0;
463 
464 out_msg:
465 	vmw_close_channel(&channel);
466 	kfree(reply);
467 out_open:
468 	*length = 0;
469 	kfree(msg);
470 	DRM_ERROR("Failed to get guest info \"%s\".", guest_info_param);
471 
472 	return -EINVAL;
473 }
474 
475 
476 
477 /**
478  * vmw_host_log: Sends a log message to the host
479  *
480  * @log: NULL terminated string
481  *
482  * Returns: 0 on success
483  */
vmw_host_log(const char * log)484 int vmw_host_log(const char *log)
485 {
486 	struct rpc_channel channel;
487 	char *msg;
488 	int ret = 0;
489 
490 
491 	if (!vmw_msg_enabled)
492 		return -ENODEV;
493 
494 	if (!log)
495 		return ret;
496 
497 	msg = kasprintf(GFP_KERNEL, "log %s", log);
498 	if (!msg) {
499 		DRM_ERROR("Cannot allocate memory for host log message.\n");
500 		return -ENOMEM;
501 	}
502 
503 	if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
504 		goto out_open;
505 
506 	if (vmw_send_msg(&channel, msg))
507 		goto out_msg;
508 
509 	vmw_close_channel(&channel);
510 	kfree(msg);
511 
512 	return 0;
513 
514 out_msg:
515 	vmw_close_channel(&channel);
516 out_open:
517 	kfree(msg);
518 	DRM_ERROR("Failed to send host log message.\n");
519 
520 	return -EINVAL;
521 }
522 
523 
524 /**
525  * vmw_msg_ioctl: Sends and receveives a message to/from host from/to user-space
526  *
527  * Sends a message from user-space to host.
528  * Can also receive a result from host and return that to user-space.
529  *
530  * @dev: Identifies the drm device.
531  * @data: Pointer to the ioctl argument.
532  * @file_priv: Identifies the caller.
533  * Return: Zero on success, negative error code on error.
534  */
535 
vmw_msg_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)536 int vmw_msg_ioctl(struct drm_device *dev, void *data,
537 		  struct drm_file *file_priv)
538 {
539 	struct drm_vmw_msg_arg *arg =
540 		(struct drm_vmw_msg_arg *) data;
541 	struct rpc_channel channel;
542 	char *msg;
543 	int length;
544 
545 	msg = kmalloc(MAX_USER_MSG_LENGTH, GFP_KERNEL);
546 	if (!msg) {
547 		DRM_ERROR("Cannot allocate memory for log message.\n");
548 		return -ENOMEM;
549 	}
550 
551 	length = strncpy_from_user(msg, (void __user *)((unsigned long)arg->send),
552 				   MAX_USER_MSG_LENGTH);
553 	if (length < 0 || length >= MAX_USER_MSG_LENGTH) {
554 		DRM_ERROR("Userspace message access failure.\n");
555 		kfree(msg);
556 		return -EINVAL;
557 	}
558 
559 
560 	if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM)) {
561 		DRM_ERROR("Failed to open channel.\n");
562 		goto out_open;
563 	}
564 
565 	if (vmw_send_msg(&channel, msg)) {
566 		DRM_ERROR("Failed to send message to host.\n");
567 		goto out_msg;
568 	}
569 
570 	if (!arg->send_only) {
571 		char *reply = NULL;
572 		size_t reply_len = 0;
573 
574 		if (vmw_recv_msg(&channel, (void *) &reply, &reply_len)) {
575 			DRM_ERROR("Failed to receive message from host.\n");
576 			goto out_msg;
577 		}
578 		if (reply && reply_len > 0) {
579 			if (copy_to_user((void __user *)((unsigned long)arg->receive),
580 							 reply, reply_len)) {
581 				DRM_ERROR("Failed to copy message to userspace.\n");
582 				kfree(reply);
583 				goto out_msg;
584 			}
585 			arg->receive_len = (__u32)reply_len;
586 		}
587 		kfree(reply);
588 	}
589 
590 	vmw_close_channel(&channel);
591 	kfree(msg);
592 
593 	return 0;
594 
595 out_msg:
596 	vmw_close_channel(&channel);
597 out_open:
598 	kfree(msg);
599 
600 	return -EINVAL;
601 }
602