LXR linux/drivers/lguest/core.c

   1/*P:400
   2 * This contains run_guest() which actually calls into the Host<->Guest
   3 * Switcher and analyzes the return, such as determining if the Guest wants the
   4 * Host to do something.  This file also contains useful helper routines.
   5:*/
   6#include <linux/module.h>
   7#include <linux/stringify.h>
   8#include <linux/stddef.h>
   9#include <linux/io.h>
  10#include <linux/mm.h>
  11#include <linux/vmalloc.h>
  12#include <linux/cpu.h>
  13#include <linux/freezer.h>
  14#include <linux/highmem.h>
  15#include <linux/slab.h>
  16#include <asm/paravirt.h>
  17#include <asm/pgtable.h>
  18#include <asm/uaccess.h>
  19#include <asm/poll.h>
  20#include <asm/asm-offsets.h>
  21#include "lg.h"
  22
  23unsigned long switcher_addr;
  24struct page **lg_switcher_pages;
  25static struct vm_struct *switcher_vma;
  26
  27/* This One Big lock protects all inter-guest data structures. */
  28DEFINE_MUTEX(lguest_lock);
  29
  30/*H:010
  31 * We need to set up the Switcher at a high virtual address.  Remember the
  32 * Switcher is a few hundred bytes of assembler code which actually changes the
  33 * CPU to run the Guest, and then changes back to the Host when a trap or
  34 * interrupt happens.
  35 *
  36 * The Switcher code must be at the same virtual address in the Guest as the
  37 * Host since it will be running as the switchover occurs.
  38 *
  39 * Trying to map memory at a particular address is an unusual thing to do, so
  40 * it's not a simple one-liner.
  41 */
  42static __init int map_switcher(void)
  43{
  44        int i, err;
  45
  46        /*
  47         * Map the Switcher in to high memory.
  48         *
  49         * It turns out that if we choose the address 0xFFC00000 (4MB under the
  50         * top virtual address), it makes setting up the page tables really
  51         * easy.
  52         */
  53
  54        /* We assume Switcher text fits into a single page. */
  55        if (end_switcher_text - start_switcher_text > PAGE_SIZE) {
  56                printk(KERN_ERR "lguest: switcher text too large (%zu)\n",
  57                       end_switcher_text - start_switcher_text);
  58                return -EINVAL;
  59        }
  60
  61        /*
  62         * We allocate an array of struct page pointers.  map_vm_area() wants
  63         * this, rather than just an array of pages.
  64         */
  65        lg_switcher_pages = kmalloc(sizeof(lg_switcher_pages[0])
  66                                    * TOTAL_SWITCHER_PAGES,
  67                                    GFP_KERNEL);
  68        if (!lg_switcher_pages) {
  69                err = -ENOMEM;
  70                goto out;
  71        }
  72
  73        /*
  74         * Now we actually allocate the pages.  The Guest will see these pages,
  75         * so we make sure they're zeroed.
  76         */
  77        for (i = 0; i < TOTAL_SWITCHER_PAGES; i++) {
  78                lg_switcher_pages[i] = alloc_page(GFP_KERNEL|__GFP_ZERO);
  79                if (!lg_switcher_pages[i]) {
  80                        err = -ENOMEM;
  81                        goto free_some_pages;
  82                }
  83        }
  84
  85        /*
  86         * We place the Switcher underneath the fixmap area, which is the
  87         * highest virtual address we can get.  This is important, since we
  88         * tell the Guest it can't access this memory, so we want its ceiling
  89         * as high as possible.
  90         */
  91        switcher_addr = FIXADDR_START - (TOTAL_SWITCHER_PAGES+1)*PAGE_SIZE;
  92
  93        /*
  94         * Now we reserve the "virtual memory area" we want.  We might
  95         * not get it in theory, but in practice it's worked so far.
  96         * The end address needs +1 because __get_vm_area allocates an
  97         * extra guard page, so we need space for that.
  98         */
  99        switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
 100                                     VM_ALLOC, switcher_addr, switcher_addr
 101                                     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
 102        if (!switcher_vma) {
 103                err = -ENOMEM;
 104                printk("lguest: could not map switcher pages high\n");
 105                goto free_pages;
 106        }
 107
 108        /*
 109         * This code actually sets up the pages we've allocated to appear at
 110         * switcher_addr.  map_vm_area() takes the vma we allocated above, the
 111         * kind of pages we're mapping (kernel pages), and a pointer to our
 112         * array of struct pages.
 113         */
 114        err = map_vm_area(switcher_vma, PAGE_KERNEL_EXEC, lg_switcher_pages);
 115        if (err) {
 116                printk("lguest: map_vm_area failed: %i\n", err);
 117                goto free_vma;
 118        }
 119
 120        /*
 121         * Now the Switcher is mapped at the right address, we can't fail!
 122         * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
 123         */
 124        memcpy(switcher_vma->addr, start_switcher_text,
 125               end_switcher_text - start_switcher_text);
 126
 127        printk(KERN_INFO "lguest: mapped switcher at %p\n",
 128               switcher_vma->addr);
 129        /* And we succeeded... */
 130        return 0;
 131
 132free_vma:
 133        vunmap(switcher_vma->addr);
 134free_pages:
 135        i = TOTAL_SWITCHER_PAGES;
 136free_some_pages:
 137        for (--i; i >= 0; i--)
 138                __free_pages(lg_switcher_pages[i], 0);
 139        kfree(lg_switcher_pages);
 140out:
 141        return err;
 142}
 143/*:*/
 144
 145/* Cleaning up the mapping when the module is unloaded is almost... too easy. */
 146static void unmap_switcher(void)
 147{
 148        unsigned int i;
 149
 150        /* vunmap() undoes *both* map_vm_area() and __get_vm_area(). */
 151        vunmap(switcher_vma->addr);
 152        /* Now we just need to free the pages we copied the switcher into */
 153        for (i = 0; i < TOTAL_SWITCHER_PAGES; i++)
 154                __free_pages(lg_switcher_pages[i], 0);
 155        kfree(lg_switcher_pages);
 156}
 157
 158/*H:032
 159 * Dealing With Guest Memory.
 160 *
 161 * Before we go too much further into the Host, we need to grok the routines
 162 * we use to deal with Guest memory.
 163 *
 164 * When the Guest gives us (what it thinks is) a physical address, we can use
 165 * the normal copy_from_user() & copy_to_user() on the corresponding place in
 166 * the memory region allocated by the Launcher.
 167 *
 168 * But we can't trust the Guest: it might be trying to access the Launcher
 169 * code.  We have to check that the range is below the pfn_limit the Launcher
 170 * gave us.  We have to make sure that addr + len doesn't give us a false
 171 * positive by overflowing, too.
 172 */
 173bool lguest_address_ok(const struct lguest *lg,
 174                       unsigned long addr, unsigned long len)
 175{
 176        return addr+len <= lg->pfn_limit * PAGE_SIZE && (addr+len >= addr);
 177}
 178
 179/*
 180 * This routine copies memory from the Guest.  Here we can see how useful the
 181 * kill_lguest() routine we met in the Launcher can be: we return a random
 182 * value (all zeroes) instead of needing to return an error.
 183 */
 184void __lgread(struct lg_cpu *cpu, void *b, unsigned long addr, unsigned bytes)
 185{
 186        if (!lguest_address_ok(cpu->lg, addr, bytes)
 187            || copy_from_user(b, cpu->lg->mem_base + addr, bytes) != 0) {
 188                /* copy_from_user should do this, but as we rely on it... */
 189                memset(b, 0, bytes);
 190                kill_guest(cpu, "bad read address %#lx len %u", addr, bytes);
 191        }
 192}
 193
 194/* This is the write (copy into Guest) version. */
 195void __lgwrite(struct lg_cpu *cpu, unsigned long addr, const void *b,
 196               unsigned bytes)
 197{
 198        if (!lguest_address_ok(cpu->lg, addr, bytes)
 199            || copy_to_user(cpu->lg->mem_base + addr, b, bytes) != 0)
 200                kill_guest(cpu, "bad write address %#lx len %u", addr, bytes);
 201}
 202/*:*/
 203
 204/*H:030
 205 * Let's jump straight to the the main loop which runs the Guest.
 206 * Remember, this is called by the Launcher reading /dev/lguest, and we keep
 207 * going around and around until something interesting happens.
 208 */
 209int run_guest(struct lg_cpu *cpu, unsigned long __user *user)
 210{
 211        /* If the launcher asked for a register with LHREQ_GETREG */
 212        if (cpu->reg_read) {
 213                if (put_user(*cpu->reg_read, user))
 214                        return -EFAULT;
 215                cpu->reg_read = NULL;
 216                return sizeof(*cpu->reg_read);
 217        }
 218
 219        /* We stop running once the Guest is dead. */
 220        while (!cpu->lg->dead) {
 221                unsigned int irq;
 222                bool more;
 223
 224                /* First we run any hypercalls the Guest wants done. */
 225                if (cpu->hcall)
 226                        do_hypercalls(cpu);
 227
 228                /* Do we have to tell the Launcher about a trap? */
 229                if (cpu->pending.trap) {
 230                        if (copy_to_user(user, &cpu->pending,
 231                                         sizeof(cpu->pending)))
 232                                return -EFAULT;
 233                        return sizeof(cpu->pending);
 234                }
 235
 236                /*
 237                 * All long-lived kernel loops need to check with this horrible
 238                 * thing called the freezer.  If the Host is trying to suspend,
 239                 * it stops us.
 240                 */
 241                try_to_freeze();
 242
 243                /* Check for signals */
 244                if (signal_pending(current))
 245                        return -ERESTARTSYS;
 246
 247                /*
 248                 * Check if there are any interrupts which can be delivered now:
 249                 * if so, this sets up the hander to be executed when we next
 250                 * run the Guest.
 251                 */
 252                irq = interrupt_pending(cpu, &more);
 253                if (irq < LGUEST_IRQS)
 254                        try_deliver_interrupt(cpu, irq, more);
 255
 256                /*
 257                 * Just make absolutely sure the Guest is still alive.  One of
 258                 * those hypercalls could have been fatal, for example.
 259                 */
 260                if (cpu->lg->dead)
 261                        break;
 262
 263                /*
 264                 * If the Guest asked to be stopped, we sleep.  The Guest's
 265                 * clock timer will wake us.
 266                 */
 267                if (cpu->halted) {
 268                        set_current_state(TASK_INTERRUPTIBLE);
 269                        /*
 270                         * Just before we sleep, make sure no interrupt snuck in
 271                         * which we should be doing.
 272                         */
 273                        if (interrupt_pending(cpu, &more) < LGUEST_IRQS)
 274                                set_current_state(TASK_RUNNING);
 275                        else
 276                                schedule();
 277                        continue;
 278                }
 279
 280                /*
 281                 * OK, now we're ready to jump into the Guest.  First we put up
 282                 * the "Do Not Disturb" sign:
 283                 */
 284                local_irq_disable();
 285
 286                /* Actually run the Guest until something happens. */
 287                lguest_arch_run_guest(cpu);
 288
 289                /* Now we're ready to be interrupted or moved to other CPUs */
 290                local_irq_enable();
 291
 292                /* Now we deal with whatever happened to the Guest. */
 293                lguest_arch_handle_trap(cpu);
 294        }
 295
 296        /* Special case: Guest is 'dead' but wants a reboot. */
 297        if (cpu->lg->dead == ERR_PTR(-ERESTART))
 298                return -ERESTART;
 299
 300        /* The Guest is dead => "No such file or directory" */
 301        return -ENOENT;
 302}
 303
 304/*H:000
 305 * Welcome to the Host!
 306 *
 307 * By this point your brain has been tickled by the Guest code and numbed by
 308 * the Launcher code; prepare for it to be stretched by the Host code.  This is
 309 * the heart.  Let's begin at the initialization routine for the Host's lg
 310 * module.
 311 */
 312static int __init init(void)
 313{
 314        int err;
 315
 316        /* Lguest can't run under Xen, VMI or itself.  It does Tricky Stuff. */
 317        if (get_kernel_rpl() != 0) {
 318                printk("lguest is afraid of being a guest\n");
 319                return -EPERM;
 320        }
 321
 322        /* First we put the Switcher up in very high virtual memory. */
 323        err = map_switcher();
 324        if (err)
 325                goto out;
 326
 327        /* We might need to reserve an interrupt vector. */
 328        err = init_interrupts();
 329        if (err)
 330                goto unmap;
 331
 332        /* /dev/lguest needs to be registered. */
 333        err = lguest_device_init();
 334        if (err)
 335                goto free_interrupts;
 336
 337        /* Finally we do some architecture-specific setup. */
 338        lguest_arch_host_init();
 339
 340        /* All good! */
 341        return 0;
 342
 343free_interrupts:
 344        free_interrupts();
 345unmap:
 346        unmap_switcher();
 347out:
 348        return err;
 349}
 350
 351/* Cleaning up is just the same code, backwards.  With a little French. */
 352static void __exit fini(void)
 353{
 354        lguest_device_remove();
 355        free_interrupts();
 356        unmap_switcher();
 357
 358        lguest_arch_host_fini();
 359}
 360/*:*/
 361
 362/*
 363 * The Host side of lguest can be a module.  This is a nice way for people to
 364 * play with it.
 365 */
 366module_init(init);
 367module_exit(fini);
 368MODULE_LICENSE("GPL");
 369MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
 370