Loading...
1/*
2 * Copyright (C) 2011 Google, Inc.
3 * Copyright (C) 2012 Intel, Inc.
4 * Copyright (C) 2013 Intel, Inc.
5 * Copyright (C) 2014 Linaro Limited
6 *
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 */
17
18/* This source file contains the implementation of a special device driver
19 * that intends to provide a *very* fast communication channel between the
20 * guest system and the QEMU emulator.
21 *
22 * Usage from the guest is simply the following (error handling simplified):
23 *
24 * int fd = open("/dev/qemu_pipe",O_RDWR);
25 * .... write() or read() through the pipe.
26 *
27 * This driver doesn't deal with the exact protocol used during the session.
28 * It is intended to be as simple as something like:
29 *
30 * // do this _just_ after opening the fd to connect to a specific
31 * // emulator service.
32 * const char* msg = "<pipename>";
33 * if (write(fd, msg, strlen(msg)+1) < 0) {
34 * ... could not connect to <pipename> service
35 * close(fd);
36 * }
37 *
38 * // after this, simply read() and write() to communicate with the
39 * // service. Exact protocol details left as an exercise to the reader.
40 *
41 * This driver is very fast because it doesn't copy any data through
42 * intermediate buffers, since the emulator is capable of translating
43 * guest user addresses into host ones.
44 *
45 * Note that we must however ensure that each user page involved in the
46 * exchange is properly mapped during a transfer.
47 */
48
49#include <linux/module.h>
50#include <linux/interrupt.h>
51#include <linux/kernel.h>
52#include <linux/spinlock.h>
53#include <linux/miscdevice.h>
54#include <linux/platform_device.h>
55#include <linux/poll.h>
56#include <linux/sched.h>
57#include <linux/bitops.h>
58#include <linux/slab.h>
59#include <linux/io.h>
60#include <linux/goldfish.h>
61#include <linux/dma-mapping.h>
62#include <linux/mm.h>
63#include <linux/acpi.h>
64
65/*
66 * IMPORTANT: The following constants must match the ones used and defined
67 * in external/qemu/hw/goldfish_pipe.c in the Android source tree.
68 */
69
70/* pipe device registers */
71#define PIPE_REG_COMMAND 0x00 /* write: value = command */
72#define PIPE_REG_STATUS 0x04 /* read */
73#define PIPE_REG_CHANNEL 0x08 /* read/write: channel id */
74#define PIPE_REG_CHANNEL_HIGH 0x30 /* read/write: channel id */
75#define PIPE_REG_SIZE 0x0c /* read/write: buffer size */
76#define PIPE_REG_ADDRESS 0x10 /* write: physical address */
77#define PIPE_REG_ADDRESS_HIGH 0x34 /* write: physical address */
78#define PIPE_REG_WAKES 0x14 /* read: wake flags */
79#define PIPE_REG_PARAMS_ADDR_LOW 0x18 /* read/write: batch data address */
80#define PIPE_REG_PARAMS_ADDR_HIGH 0x1c /* read/write: batch data address */
81#define PIPE_REG_ACCESS_PARAMS 0x20 /* write: batch access */
82#define PIPE_REG_VERSION 0x24 /* read: device version */
83
84/* list of commands for PIPE_REG_COMMAND */
85#define CMD_OPEN 1 /* open new channel */
86#define CMD_CLOSE 2 /* close channel (from guest) */
87#define CMD_POLL 3 /* poll read/write status */
88
89/* List of bitflags returned in status of CMD_POLL command */
90#define PIPE_POLL_IN (1 << 0)
91#define PIPE_POLL_OUT (1 << 1)
92#define PIPE_POLL_HUP (1 << 2)
93
94/* The following commands are related to write operations */
95#define CMD_WRITE_BUFFER 4 /* send a user buffer to the emulator */
96#define CMD_WAKE_ON_WRITE 5 /* tell the emulator to wake us when writing
97 is possible */
98#define CMD_READ_BUFFER 6 /* receive a user buffer from the emulator */
99#define CMD_WAKE_ON_READ 7 /* tell the emulator to wake us when reading
100 * is possible */
101
102/* Possible status values used to signal errors - see goldfish_pipe_error_convert */
103#define PIPE_ERROR_INVAL -1
104#define PIPE_ERROR_AGAIN -2
105#define PIPE_ERROR_NOMEM -3
106#define PIPE_ERROR_IO -4
107
108/* Bit-flags used to signal events from the emulator */
109#define PIPE_WAKE_CLOSED (1 << 0) /* emulator closed pipe */
110#define PIPE_WAKE_READ (1 << 1) /* pipe can now be read from */
111#define PIPE_WAKE_WRITE (1 << 2) /* pipe can now be written to */
112
113struct access_params {
114 unsigned long channel;
115 u32 size;
116 unsigned long address;
117 u32 cmd;
118 u32 result;
119 /* reserved for future extension */
120 u32 flags;
121};
122
123/* The global driver data. Holds a reference to the i/o page used to
124 * communicate with the emulator, and a wake queue for blocked tasks
125 * waiting to be awoken.
126 */
127struct goldfish_pipe_dev {
128 spinlock_t lock;
129 unsigned char __iomem *base;
130 struct access_params *aps;
131 int irq;
132 u32 version;
133};
134
135static struct goldfish_pipe_dev pipe_dev[1];
136
137/* This data type models a given pipe instance */
138struct goldfish_pipe {
139 struct goldfish_pipe_dev *dev;
140 struct mutex lock;
141 unsigned long flags;
142 wait_queue_head_t wake_queue;
143};
144
145
146/* Bit flags for the 'flags' field */
147enum {
148 BIT_CLOSED_ON_HOST = 0, /* pipe closed by host */
149 BIT_WAKE_ON_WRITE = 1, /* want to be woken on writes */
150 BIT_WAKE_ON_READ = 2, /* want to be woken on reads */
151};
152
153
154static u32 goldfish_cmd_status(struct goldfish_pipe *pipe, u32 cmd)
155{
156 unsigned long flags;
157 u32 status;
158 struct goldfish_pipe_dev *dev = pipe->dev;
159
160 spin_lock_irqsave(&dev->lock, flags);
161 gf_write_ptr(pipe, dev->base + PIPE_REG_CHANNEL,
162 dev->base + PIPE_REG_CHANNEL_HIGH);
163 writel(cmd, dev->base + PIPE_REG_COMMAND);
164 status = readl(dev->base + PIPE_REG_STATUS);
165 spin_unlock_irqrestore(&dev->lock, flags);
166 return status;
167}
168
169static void goldfish_cmd(struct goldfish_pipe *pipe, u32 cmd)
170{
171 unsigned long flags;
172 struct goldfish_pipe_dev *dev = pipe->dev;
173
174 spin_lock_irqsave(&dev->lock, flags);
175 gf_write_ptr(pipe, dev->base + PIPE_REG_CHANNEL,
176 dev->base + PIPE_REG_CHANNEL_HIGH);
177 writel(cmd, dev->base + PIPE_REG_COMMAND);
178 spin_unlock_irqrestore(&dev->lock, flags);
179}
180
181/* This function converts an error code returned by the emulator through
182 * the PIPE_REG_STATUS i/o register into a valid negative errno value.
183 */
184static int goldfish_pipe_error_convert(int status)
185{
186 switch (status) {
187 case PIPE_ERROR_AGAIN:
188 return -EAGAIN;
189 case PIPE_ERROR_NOMEM:
190 return -ENOMEM;
191 case PIPE_ERROR_IO:
192 return -EIO;
193 default:
194 return -EINVAL;
195 }
196}
197
198/*
199 * Notice: QEMU will return 0 for un-known register access, indicating
200 * param_acess is supported or not
201 */
202static int valid_batchbuffer_addr(struct goldfish_pipe_dev *dev,
203 struct access_params *aps)
204{
205 u32 aph, apl;
206 u64 paddr;
207 aph = readl(dev->base + PIPE_REG_PARAMS_ADDR_HIGH);
208 apl = readl(dev->base + PIPE_REG_PARAMS_ADDR_LOW);
209
210 paddr = ((u64)aph << 32) | apl;
211 if (paddr != (__pa(aps)))
212 return 0;
213 return 1;
214}
215
216/* 0 on success */
217static int setup_access_params_addr(struct platform_device *pdev,
218 struct goldfish_pipe_dev *dev)
219{
220 dma_addr_t dma_handle;
221 struct access_params *aps;
222
223 aps = dmam_alloc_coherent(&pdev->dev, sizeof(struct access_params),
224 &dma_handle, GFP_KERNEL);
225 if (!aps)
226 return -ENOMEM;
227
228 writel(upper_32_bits(dma_handle), dev->base + PIPE_REG_PARAMS_ADDR_HIGH);
229 writel(lower_32_bits(dma_handle), dev->base + PIPE_REG_PARAMS_ADDR_LOW);
230
231 if (valid_batchbuffer_addr(dev, aps)) {
232 dev->aps = aps;
233 return 0;
234 } else
235 return -1;
236}
237
238/* A value that will not be set by qemu emulator */
239#define INITIAL_BATCH_RESULT (0xdeadbeaf)
240static int access_with_param(struct goldfish_pipe_dev *dev, const int cmd,
241 unsigned long address, unsigned long avail,
242 struct goldfish_pipe *pipe, int *status)
243{
244 struct access_params *aps = dev->aps;
245
246 if (aps == NULL)
247 return -1;
248
249 aps->result = INITIAL_BATCH_RESULT;
250 aps->channel = (unsigned long)pipe;
251 aps->size = avail;
252 aps->address = address;
253 aps->cmd = cmd;
254 writel(cmd, dev->base + PIPE_REG_ACCESS_PARAMS);
255 /*
256 * If the aps->result has not changed, that means
257 * that the batch command failed
258 */
259 if (aps->result == INITIAL_BATCH_RESULT)
260 return -1;
261 *status = aps->result;
262 return 0;
263}
264
265static ssize_t goldfish_pipe_read_write(struct file *filp, char __user *buffer,
266 size_t bufflen, int is_write)
267{
268 unsigned long irq_flags;
269 struct goldfish_pipe *pipe = filp->private_data;
270 struct goldfish_pipe_dev *dev = pipe->dev;
271 unsigned long address, address_end;
272 int count = 0, ret = -EINVAL;
273
274 /* If the emulator already closed the pipe, no need to go further */
275 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
276 return -EIO;
277
278 /* Null reads or writes succeeds */
279 if (unlikely(bufflen == 0))
280 return 0;
281
282 /* Check the buffer range for access */
283 if (!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ,
284 buffer, bufflen))
285 return -EFAULT;
286
287 /* Serialize access to the pipe */
288 if (mutex_lock_interruptible(&pipe->lock))
289 return -ERESTARTSYS;
290
291 address = (unsigned long)(void *)buffer;
292 address_end = address + bufflen;
293
294 while (address < address_end) {
295 unsigned long page_end = (address & PAGE_MASK) + PAGE_SIZE;
296 unsigned long next = page_end < address_end ? page_end
297 : address_end;
298 unsigned long avail = next - address;
299 int status, wakeBit;
300 struct page *page;
301
302 /* Either vaddr or paddr depending on the device version */
303 unsigned long xaddr;
304
305 /*
306 * We grab the pages on a page-by-page basis in case user
307 * space gives us a potentially huge buffer but the read only
308 * returns a small amount, then there's no need to pin that
309 * much memory to the process.
310 */
311 down_read(¤t->mm->mmap_sem);
312 ret = get_user_pages(address, 1, !is_write, 0, &page, NULL);
313 up_read(¤t->mm->mmap_sem);
314 if (ret < 0)
315 break;
316
317 if (dev->version) {
318 /* Device version 1 or newer (qemu-android) expects the
319 * physical address.
320 */
321 xaddr = page_to_phys(page) | (address & ~PAGE_MASK);
322 } else {
323 /* Device version 0 (classic emulator) expects the
324 * virtual address.
325 */
326 xaddr = address;
327 }
328
329 /* Now, try to transfer the bytes in the current page */
330 spin_lock_irqsave(&dev->lock, irq_flags);
331 if (access_with_param(dev,
332 is_write ? CMD_WRITE_BUFFER : CMD_READ_BUFFER,
333 xaddr, avail, pipe, &status)) {
334 gf_write_ptr(pipe, dev->base + PIPE_REG_CHANNEL,
335 dev->base + PIPE_REG_CHANNEL_HIGH);
336 writel(avail, dev->base + PIPE_REG_SIZE);
337 gf_write_ptr((void *)xaddr,
338 dev->base + PIPE_REG_ADDRESS,
339 dev->base + PIPE_REG_ADDRESS_HIGH);
340 writel(is_write ? CMD_WRITE_BUFFER : CMD_READ_BUFFER,
341 dev->base + PIPE_REG_COMMAND);
342 status = readl(dev->base + PIPE_REG_STATUS);
343 }
344 spin_unlock_irqrestore(&dev->lock, irq_flags);
345
346 if (status > 0 && !is_write)
347 set_page_dirty(page);
348 put_page(page);
349
350 if (status > 0) { /* Correct transfer */
351 count += status;
352 address += status;
353 continue;
354 } else if (status == 0) { /* EOF */
355 ret = 0;
356 break;
357 } else if (status < 0 && count > 0) {
358 /*
359 * An error occurred and we already transferred
360 * something on one of the previous pages.
361 * Just return what we already copied and log this
362 * err.
363 *
364 * Note: This seems like an incorrect approach but
365 * cannot change it until we check if any user space
366 * ABI relies on this behavior.
367 */
368 if (status != PIPE_ERROR_AGAIN)
369 pr_info_ratelimited("goldfish_pipe: backend returned error %d on %s\n",
370 status, is_write ? "write" : "read");
371 ret = 0;
372 break;
373 }
374
375 /*
376 * If the error is not PIPE_ERROR_AGAIN, or if we are not in
377 * non-blocking mode, just return the error code.
378 */
379 if (status != PIPE_ERROR_AGAIN ||
380 (filp->f_flags & O_NONBLOCK) != 0) {
381 ret = goldfish_pipe_error_convert(status);
382 break;
383 }
384
385 /*
386 * The backend blocked the read/write, wait until the backend
387 * tells us it's ready to process more data.
388 */
389 wakeBit = is_write ? BIT_WAKE_ON_WRITE : BIT_WAKE_ON_READ;
390 set_bit(wakeBit, &pipe->flags);
391
392 /* Tell the emulator we're going to wait for a wake event */
393 goldfish_cmd(pipe,
394 is_write ? CMD_WAKE_ON_WRITE : CMD_WAKE_ON_READ);
395
396 /* Unlock the pipe, then wait for the wake signal */
397 mutex_unlock(&pipe->lock);
398
399 while (test_bit(wakeBit, &pipe->flags)) {
400 if (wait_event_interruptible(
401 pipe->wake_queue,
402 !test_bit(wakeBit, &pipe->flags)))
403 return -ERESTARTSYS;
404
405 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
406 return -EIO;
407 }
408
409 /* Try to re-acquire the lock */
410 if (mutex_lock_interruptible(&pipe->lock))
411 return -ERESTARTSYS;
412 }
413 mutex_unlock(&pipe->lock);
414
415 if (ret < 0)
416 return ret;
417 else
418 return count;
419}
420
421static ssize_t goldfish_pipe_read(struct file *filp, char __user *buffer,
422 size_t bufflen, loff_t *ppos)
423{
424 return goldfish_pipe_read_write(filp, buffer, bufflen, 0);
425}
426
427static ssize_t goldfish_pipe_write(struct file *filp,
428 const char __user *buffer, size_t bufflen,
429 loff_t *ppos)
430{
431 return goldfish_pipe_read_write(filp, (char __user *)buffer,
432 bufflen, 1);
433}
434
435
436static unsigned int goldfish_pipe_poll(struct file *filp, poll_table *wait)
437{
438 struct goldfish_pipe *pipe = filp->private_data;
439 unsigned int mask = 0;
440 int status;
441
442 mutex_lock(&pipe->lock);
443
444 poll_wait(filp, &pipe->wake_queue, wait);
445
446 status = goldfish_cmd_status(pipe, CMD_POLL);
447
448 mutex_unlock(&pipe->lock);
449
450 if (status & PIPE_POLL_IN)
451 mask |= POLLIN | POLLRDNORM;
452
453 if (status & PIPE_POLL_OUT)
454 mask |= POLLOUT | POLLWRNORM;
455
456 if (status & PIPE_POLL_HUP)
457 mask |= POLLHUP;
458
459 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
460 mask |= POLLERR;
461
462 return mask;
463}
464
465static irqreturn_t goldfish_pipe_interrupt(int irq, void *dev_id)
466{
467 struct goldfish_pipe_dev *dev = dev_id;
468 unsigned long irq_flags;
469 int count = 0;
470
471 /*
472 * We're going to read from the emulator a list of (channel,flags)
473 * pairs corresponding to the wake events that occurred on each
474 * blocked pipe (i.e. channel).
475 */
476 spin_lock_irqsave(&dev->lock, irq_flags);
477 for (;;) {
478 /* First read the channel, 0 means the end of the list */
479 struct goldfish_pipe *pipe;
480 unsigned long wakes;
481 unsigned long channel = 0;
482
483#ifdef CONFIG_64BIT
484 channel = (u64)readl(dev->base + PIPE_REG_CHANNEL_HIGH) << 32;
485
486 if (channel == 0)
487 break;
488#endif
489 channel |= readl(dev->base + PIPE_REG_CHANNEL);
490
491 if (channel == 0)
492 break;
493
494 /* Convert channel to struct pipe pointer + read wake flags */
495 wakes = readl(dev->base + PIPE_REG_WAKES);
496 pipe = (struct goldfish_pipe *)(ptrdiff_t)channel;
497
498 /* Did the emulator just closed a pipe? */
499 if (wakes & PIPE_WAKE_CLOSED) {
500 set_bit(BIT_CLOSED_ON_HOST, &pipe->flags);
501 wakes |= PIPE_WAKE_READ | PIPE_WAKE_WRITE;
502 }
503 if (wakes & PIPE_WAKE_READ)
504 clear_bit(BIT_WAKE_ON_READ, &pipe->flags);
505 if (wakes & PIPE_WAKE_WRITE)
506 clear_bit(BIT_WAKE_ON_WRITE, &pipe->flags);
507
508 wake_up_interruptible(&pipe->wake_queue);
509 count++;
510 }
511 spin_unlock_irqrestore(&dev->lock, irq_flags);
512
513 return (count == 0) ? IRQ_NONE : IRQ_HANDLED;
514}
515
516/**
517 * goldfish_pipe_open - open a channel to the AVD
518 * @inode: inode of device
519 * @file: file struct of opener
520 *
521 * Create a new pipe link between the emulator and the use application.
522 * Each new request produces a new pipe.
523 *
524 * Note: we use the pipe ID as a mux. All goldfish emulations are 32bit
525 * right now so this is fine. A move to 64bit will need this addressing
526 */
527static int goldfish_pipe_open(struct inode *inode, struct file *file)
528{
529 struct goldfish_pipe *pipe;
530 struct goldfish_pipe_dev *dev = pipe_dev;
531 int32_t status;
532
533 /* Allocate new pipe kernel object */
534 pipe = kzalloc(sizeof(*pipe), GFP_KERNEL);
535 if (pipe == NULL)
536 return -ENOMEM;
537
538 pipe->dev = dev;
539 mutex_init(&pipe->lock);
540 init_waitqueue_head(&pipe->wake_queue);
541
542 /*
543 * Now, tell the emulator we're opening a new pipe. We use the
544 * pipe object's address as the channel identifier for simplicity.
545 */
546
547 status = goldfish_cmd_status(pipe, CMD_OPEN);
548 if (status < 0) {
549 kfree(pipe);
550 return status;
551 }
552
553 /* All is done, save the pipe into the file's private data field */
554 file->private_data = pipe;
555 return 0;
556}
557
558static int goldfish_pipe_release(struct inode *inode, struct file *filp)
559{
560 struct goldfish_pipe *pipe = filp->private_data;
561
562 /* The guest is closing the channel, so tell the emulator right now */
563 goldfish_cmd(pipe, CMD_CLOSE);
564 kfree(pipe);
565 filp->private_data = NULL;
566 return 0;
567}
568
569static const struct file_operations goldfish_pipe_fops = {
570 .owner = THIS_MODULE,
571 .read = goldfish_pipe_read,
572 .write = goldfish_pipe_write,
573 .poll = goldfish_pipe_poll,
574 .open = goldfish_pipe_open,
575 .release = goldfish_pipe_release,
576};
577
578static struct miscdevice goldfish_pipe_device = {
579 .minor = MISC_DYNAMIC_MINOR,
580 .name = "goldfish_pipe",
581 .fops = &goldfish_pipe_fops,
582};
583
584static int goldfish_pipe_probe(struct platform_device *pdev)
585{
586 int err;
587 struct resource *r;
588 struct goldfish_pipe_dev *dev = pipe_dev;
589
590 /* not thread safe, but this should not happen */
591 WARN_ON(dev->base != NULL);
592
593 spin_lock_init(&dev->lock);
594
595 r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
596 if (r == NULL || resource_size(r) < PAGE_SIZE) {
597 dev_err(&pdev->dev, "can't allocate i/o page\n");
598 return -EINVAL;
599 }
600 dev->base = devm_ioremap(&pdev->dev, r->start, PAGE_SIZE);
601 if (dev->base == NULL) {
602 dev_err(&pdev->dev, "ioremap failed\n");
603 return -EINVAL;
604 }
605
606 r = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
607 if (r == NULL) {
608 err = -EINVAL;
609 goto error;
610 }
611 dev->irq = r->start;
612
613 err = devm_request_irq(&pdev->dev, dev->irq, goldfish_pipe_interrupt,
614 IRQF_SHARED, "goldfish_pipe", dev);
615 if (err) {
616 dev_err(&pdev->dev, "unable to allocate IRQ\n");
617 goto error;
618 }
619
620 err = misc_register(&goldfish_pipe_device);
621 if (err) {
622 dev_err(&pdev->dev, "unable to register device\n");
623 goto error;
624 }
625 setup_access_params_addr(pdev, dev);
626
627 /* Although the pipe device in the classic Android emulator does not
628 * recognize the 'version' register, it won't treat this as an error
629 * either and will simply return 0, which is fine.
630 */
631 dev->version = readl(dev->base + PIPE_REG_VERSION);
632 return 0;
633
634error:
635 dev->base = NULL;
636 return err;
637}
638
639static int goldfish_pipe_remove(struct platform_device *pdev)
640{
641 struct goldfish_pipe_dev *dev = pipe_dev;
642 misc_deregister(&goldfish_pipe_device);
643 dev->base = NULL;
644 return 0;
645}
646
647static const struct acpi_device_id goldfish_pipe_acpi_match[] = {
648 { "GFSH0003", 0 },
649 { },
650};
651MODULE_DEVICE_TABLE(acpi, goldfish_pipe_acpi_match);
652
653static const struct of_device_id goldfish_pipe_of_match[] = {
654 { .compatible = "google,android-pipe", },
655 {},
656};
657MODULE_DEVICE_TABLE(of, goldfish_pipe_of_match);
658
659static struct platform_driver goldfish_pipe = {
660 .probe = goldfish_pipe_probe,
661 .remove = goldfish_pipe_remove,
662 .driver = {
663 .name = "goldfish_pipe",
664 .owner = THIS_MODULE,
665 .of_match_table = goldfish_pipe_of_match,
666 .acpi_match_table = ACPI_PTR(goldfish_pipe_acpi_match),
667 }
668};
669
670module_platform_driver(goldfish_pipe);
671MODULE_AUTHOR("David Turner <digit@google.com>");
672MODULE_LICENSE("GPL");
1/*
2 * Copyright (C) 2011 Google, Inc.
3 * Copyright (C) 2012 Intel, Inc.
4 * Copyright (C) 2013 Intel, Inc.
5 *
6 * This software is licensed under the terms of the GNU General Public
7 * License version 2, as published by the Free Software Foundation, and
8 * may be copied, distributed, and modified under those terms.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 */
16
17/* This source file contains the implementation of a special device driver
18 * that intends to provide a *very* fast communication channel between the
19 * guest system and the QEMU emulator.
20 *
21 * Usage from the guest is simply the following (error handling simplified):
22 *
23 * int fd = open("/dev/qemu_pipe",O_RDWR);
24 * .... write() or read() through the pipe.
25 *
26 * This driver doesn't deal with the exact protocol used during the session.
27 * It is intended to be as simple as something like:
28 *
29 * // do this _just_ after opening the fd to connect to a specific
30 * // emulator service.
31 * const char* msg = "<pipename>";
32 * if (write(fd, msg, strlen(msg)+1) < 0) {
33 * ... could not connect to <pipename> service
34 * close(fd);
35 * }
36 *
37 * // after this, simply read() and write() to communicate with the
38 * // service. Exact protocol details left as an exercise to the reader.
39 *
40 * This driver is very fast because it doesn't copy any data through
41 * intermediate buffers, since the emulator is capable of translating
42 * guest user addresses into host ones.
43 *
44 * Note that we must however ensure that each user page involved in the
45 * exchange is properly mapped during a transfer.
46 */
47
48#include <linux/module.h>
49#include <linux/interrupt.h>
50#include <linux/kernel.h>
51#include <linux/spinlock.h>
52#include <linux/miscdevice.h>
53#include <linux/platform_device.h>
54#include <linux/poll.h>
55#include <linux/sched.h>
56#include <linux/bitops.h>
57#include <linux/slab.h>
58#include <linux/io.h>
59
60/*
61 * IMPORTANT: The following constants must match the ones used and defined
62 * in external/qemu/hw/goldfish_pipe.c in the Android source tree.
63 */
64
65/* pipe device registers */
66#define PIPE_REG_COMMAND 0x00 /* write: value = command */
67#define PIPE_REG_STATUS 0x04 /* read */
68#define PIPE_REG_CHANNEL 0x08 /* read/write: channel id */
69#define PIPE_REG_SIZE 0x0c /* read/write: buffer size */
70#define PIPE_REG_ADDRESS 0x10 /* write: physical address */
71#define PIPE_REG_WAKES 0x14 /* read: wake flags */
72#define PIPE_REG_PARAMS_ADDR_LOW 0x18 /* read/write: batch data address */
73#define PIPE_REG_PARAMS_ADDR_HIGH 0x1c /* read/write: batch data address */
74#define PIPE_REG_ACCESS_PARAMS 0x20 /* write: batch access */
75
76/* list of commands for PIPE_REG_COMMAND */
77#define CMD_OPEN 1 /* open new channel */
78#define CMD_CLOSE 2 /* close channel (from guest) */
79#define CMD_POLL 3 /* poll read/write status */
80
81/* List of bitflags returned in status of CMD_POLL command */
82#define PIPE_POLL_IN (1 << 0)
83#define PIPE_POLL_OUT (1 << 1)
84#define PIPE_POLL_HUP (1 << 2)
85
86/* The following commands are related to write operations */
87#define CMD_WRITE_BUFFER 4 /* send a user buffer to the emulator */
88#define CMD_WAKE_ON_WRITE 5 /* tell the emulator to wake us when writing
89 is possible */
90
91/* The following commands are related to read operations, they must be
92 * listed in the same order than the corresponding write ones, since we
93 * will use (CMD_READ_BUFFER - CMD_WRITE_BUFFER) as a special offset
94 * in goldfish_pipe_read_write() below.
95 */
96#define CMD_READ_BUFFER 6 /* receive a user buffer from the emulator */
97#define CMD_WAKE_ON_READ 7 /* tell the emulator to wake us when reading
98 * is possible */
99
100/* Possible status values used to signal errors - see goldfish_pipe_error_convert */
101#define PIPE_ERROR_INVAL -1
102#define PIPE_ERROR_AGAIN -2
103#define PIPE_ERROR_NOMEM -3
104#define PIPE_ERROR_IO -4
105
106/* Bit-flags used to signal events from the emulator */
107#define PIPE_WAKE_CLOSED (1 << 0) /* emulator closed pipe */
108#define PIPE_WAKE_READ (1 << 1) /* pipe can now be read from */
109#define PIPE_WAKE_WRITE (1 << 2) /* pipe can now be written to */
110
111struct access_params {
112 u32 channel;
113 u32 size;
114 u32 address;
115 u32 cmd;
116 u32 result;
117 /* reserved for future extension */
118 u32 flags;
119};
120
121/* The global driver data. Holds a reference to the i/o page used to
122 * communicate with the emulator, and a wake queue for blocked tasks
123 * waiting to be awoken.
124 */
125struct goldfish_pipe_dev {
126 spinlock_t lock;
127 unsigned char __iomem *base;
128 struct access_params *aps;
129 int irq;
130};
131
132static struct goldfish_pipe_dev pipe_dev[1];
133
134/* This data type models a given pipe instance */
135struct goldfish_pipe {
136 struct goldfish_pipe_dev *dev;
137 struct mutex lock;
138 unsigned long flags;
139 wait_queue_head_t wake_queue;
140};
141
142
143/* Bit flags for the 'flags' field */
144enum {
145 BIT_CLOSED_ON_HOST = 0, /* pipe closed by host */
146 BIT_WAKE_ON_WRITE = 1, /* want to be woken on writes */
147 BIT_WAKE_ON_READ = 2, /* want to be woken on reads */
148};
149
150
151static u32 goldfish_cmd_status(struct goldfish_pipe *pipe, u32 cmd)
152{
153 unsigned long flags;
154 u32 status;
155 struct goldfish_pipe_dev *dev = pipe->dev;
156
157 spin_lock_irqsave(&dev->lock, flags);
158 writel((u32)pipe, dev->base + PIPE_REG_CHANNEL);
159 writel(cmd, dev->base + PIPE_REG_COMMAND);
160 status = readl(dev->base + PIPE_REG_STATUS);
161 spin_unlock_irqrestore(&dev->lock, flags);
162 return status;
163}
164
165static void goldfish_cmd(struct goldfish_pipe *pipe, u32 cmd)
166{
167 unsigned long flags;
168 struct goldfish_pipe_dev *dev = pipe->dev;
169
170 spin_lock_irqsave(&dev->lock, flags);
171 writel((u32)pipe, dev->base + PIPE_REG_CHANNEL);
172 writel(cmd, dev->base + PIPE_REG_COMMAND);
173 spin_unlock_irqrestore(&dev->lock, flags);
174}
175
176/* This function converts an error code returned by the emulator through
177 * the PIPE_REG_STATUS i/o register into a valid negative errno value.
178 */
179static int goldfish_pipe_error_convert(int status)
180{
181 switch (status) {
182 case PIPE_ERROR_AGAIN:
183 return -EAGAIN;
184 case PIPE_ERROR_NOMEM:
185 return -ENOMEM;
186 case PIPE_ERROR_IO:
187 return -EIO;
188 default:
189 return -EINVAL;
190 }
191}
192
193/*
194 * Notice: QEMU will return 0 for un-known register access, indicating
195 * param_acess is supported or not
196 */
197static int valid_batchbuffer_addr(struct goldfish_pipe_dev *dev,
198 struct access_params *aps)
199{
200 u32 aph, apl;
201 u64 paddr;
202 aph = readl(dev->base + PIPE_REG_PARAMS_ADDR_HIGH);
203 apl = readl(dev->base + PIPE_REG_PARAMS_ADDR_LOW);
204
205 paddr = ((u64)aph << 32) | apl;
206 if (paddr != (__pa(aps)))
207 return 0;
208 return 1;
209}
210
211/* 0 on success */
212static int setup_access_params_addr(struct platform_device *pdev,
213 struct goldfish_pipe_dev *dev)
214{
215 u64 paddr;
216 struct access_params *aps;
217
218 aps = devm_kzalloc(&pdev->dev, sizeof(struct access_params), GFP_KERNEL);
219 if (!aps)
220 return -1;
221
222 /* FIXME */
223 paddr = __pa(aps);
224 writel((u32)(paddr >> 32), dev->base + PIPE_REG_PARAMS_ADDR_HIGH);
225 writel((u32)paddr, dev->base + PIPE_REG_PARAMS_ADDR_LOW);
226
227 if (valid_batchbuffer_addr(dev, aps)) {
228 dev->aps = aps;
229 return 0;
230 } else
231 return -1;
232}
233
234/* A value that will not be set by qemu emulator */
235#define INITIAL_BATCH_RESULT (0xdeadbeaf)
236static int access_with_param(struct goldfish_pipe_dev *dev, const int cmd,
237 unsigned long address, unsigned long avail,
238 struct goldfish_pipe *pipe, int *status)
239{
240 struct access_params *aps = dev->aps;
241
242 if (aps == NULL)
243 return -1;
244
245 aps->result = INITIAL_BATCH_RESULT;
246 aps->channel = (unsigned long)pipe;
247 aps->size = avail;
248 aps->address = address;
249 aps->cmd = cmd;
250 writel(cmd, dev->base + PIPE_REG_ACCESS_PARAMS);
251 /*
252 * If the aps->result has not changed, that means
253 * that the batch command failed
254 */
255 if (aps->result == INITIAL_BATCH_RESULT)
256 return -1;
257 *status = aps->result;
258 return 0;
259}
260
261/* This function is used for both reading from and writing to a given
262 * pipe.
263 */
264static ssize_t goldfish_pipe_read_write(struct file *filp, char __user *buffer,
265 size_t bufflen, int is_write)
266{
267 unsigned long irq_flags;
268 struct goldfish_pipe *pipe = filp->private_data;
269 struct goldfish_pipe_dev *dev = pipe->dev;
270 const int cmd_offset = is_write ? 0
271 : (CMD_READ_BUFFER - CMD_WRITE_BUFFER);
272 unsigned long address, address_end;
273 int ret = 0;
274
275 /* If the emulator already closed the pipe, no need to go further */
276 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
277 return -EIO;
278
279 /* Null reads or writes succeeds */
280 if (unlikely(bufflen) == 0)
281 return 0;
282
283 /* Check the buffer range for access */
284 if (!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ,
285 buffer, bufflen))
286 return -EFAULT;
287
288 /* Serialize access to the pipe */
289 if (mutex_lock_interruptible(&pipe->lock))
290 return -ERESTARTSYS;
291
292 address = (unsigned long)(void *)buffer;
293 address_end = address + bufflen;
294
295 while (address < address_end) {
296 unsigned long page_end = (address & PAGE_MASK) + PAGE_SIZE;
297 unsigned long next = page_end < address_end ? page_end
298 : address_end;
299 unsigned long avail = next - address;
300 int status, wakeBit;
301
302 /* Ensure that the corresponding page is properly mapped */
303 /* FIXME: this isn't safe or sufficient - use get_user_pages */
304 if (is_write) {
305 char c;
306 /* Ensure that the page is mapped and readable */
307 if (__get_user(c, (char __user *)address)) {
308 if (!ret)
309 ret = -EFAULT;
310 break;
311 }
312 } else {
313 /* Ensure that the page is mapped and writable */
314 if (__put_user(0, (char __user *)address)) {
315 if (!ret)
316 ret = -EFAULT;
317 break;
318 }
319 }
320
321 /* Now, try to transfer the bytes in the current page */
322 spin_lock_irqsave(&dev->lock, irq_flags);
323 if (access_with_param(dev, CMD_WRITE_BUFFER + cmd_offset,
324 address, avail, pipe, &status)) {
325 writel((u32)pipe, dev->base + PIPE_REG_CHANNEL);
326 writel(avail, dev->base + PIPE_REG_SIZE);
327 writel(address, dev->base + PIPE_REG_ADDRESS);
328 writel(CMD_WRITE_BUFFER + cmd_offset,
329 dev->base + PIPE_REG_COMMAND);
330 status = readl(dev->base + PIPE_REG_STATUS);
331 }
332 spin_unlock_irqrestore(&dev->lock, irq_flags);
333
334 if (status > 0) { /* Correct transfer */
335 ret += status;
336 address += status;
337 continue;
338 }
339
340 if (status == 0) /* EOF */
341 break;
342
343 /* An error occured. If we already transfered stuff, just
344 * return with its count. We expect the next call to return
345 * an error code */
346 if (ret > 0)
347 break;
348
349 /* If the error is not PIPE_ERROR_AGAIN, or if we are not in
350 * non-blocking mode, just return the error code.
351 */
352 if (status != PIPE_ERROR_AGAIN ||
353 (filp->f_flags & O_NONBLOCK) != 0) {
354 ret = goldfish_pipe_error_convert(status);
355 break;
356 }
357
358 /* We will have to wait until more data/space is available.
359 * First, mark the pipe as waiting for a specific wake signal.
360 */
361 wakeBit = is_write ? BIT_WAKE_ON_WRITE : BIT_WAKE_ON_READ;
362 set_bit(wakeBit, &pipe->flags);
363
364 /* Tell the emulator we're going to wait for a wake event */
365 goldfish_cmd(pipe, CMD_WAKE_ON_WRITE + cmd_offset);
366
367 /* Unlock the pipe, then wait for the wake signal */
368 mutex_unlock(&pipe->lock);
369
370 while (test_bit(wakeBit, &pipe->flags)) {
371 if (wait_event_interruptible(
372 pipe->wake_queue,
373 !test_bit(wakeBit, &pipe->flags)))
374 return -ERESTARTSYS;
375
376 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
377 return -EIO;
378 }
379
380 /* Try to re-acquire the lock */
381 if (mutex_lock_interruptible(&pipe->lock))
382 return -ERESTARTSYS;
383
384 /* Try the transfer again */
385 continue;
386 }
387 mutex_unlock(&pipe->lock);
388 return ret;
389}
390
391static ssize_t goldfish_pipe_read(struct file *filp, char __user *buffer,
392 size_t bufflen, loff_t *ppos)
393{
394 return goldfish_pipe_read_write(filp, buffer, bufflen, 0);
395}
396
397static ssize_t goldfish_pipe_write(struct file *filp,
398 const char __user *buffer, size_t bufflen,
399 loff_t *ppos)
400{
401 return goldfish_pipe_read_write(filp, (char __user *)buffer,
402 bufflen, 1);
403}
404
405
406static unsigned int goldfish_pipe_poll(struct file *filp, poll_table *wait)
407{
408 struct goldfish_pipe *pipe = filp->private_data;
409 unsigned int mask = 0;
410 int status;
411
412 mutex_lock(&pipe->lock);
413
414 poll_wait(filp, &pipe->wake_queue, wait);
415
416 status = goldfish_cmd_status(pipe, CMD_POLL);
417
418 mutex_unlock(&pipe->lock);
419
420 if (status & PIPE_POLL_IN)
421 mask |= POLLIN | POLLRDNORM;
422
423 if (status & PIPE_POLL_OUT)
424 mask |= POLLOUT | POLLWRNORM;
425
426 if (status & PIPE_POLL_HUP)
427 mask |= POLLHUP;
428
429 if (test_bit(BIT_CLOSED_ON_HOST, &pipe->flags))
430 mask |= POLLERR;
431
432 return mask;
433}
434
435static irqreturn_t goldfish_pipe_interrupt(int irq, void *dev_id)
436{
437 struct goldfish_pipe_dev *dev = dev_id;
438 unsigned long irq_flags;
439 int count = 0;
440
441 /* We're going to read from the emulator a list of (channel,flags)
442 * pairs corresponding to the wake events that occured on each
443 * blocked pipe (i.e. channel).
444 */
445 spin_lock_irqsave(&dev->lock, irq_flags);
446 for (;;) {
447 /* First read the channel, 0 means the end of the list */
448 struct goldfish_pipe *pipe;
449 unsigned long wakes;
450 unsigned long channel = readl(dev->base + PIPE_REG_CHANNEL);
451
452 if (channel == 0)
453 break;
454
455 /* Convert channel to struct pipe pointer + read wake flags */
456 wakes = readl(dev->base + PIPE_REG_WAKES);
457 pipe = (struct goldfish_pipe *)(ptrdiff_t)channel;
458
459 /* Did the emulator just closed a pipe? */
460 if (wakes & PIPE_WAKE_CLOSED) {
461 set_bit(BIT_CLOSED_ON_HOST, &pipe->flags);
462 wakes |= PIPE_WAKE_READ | PIPE_WAKE_WRITE;
463 }
464 if (wakes & PIPE_WAKE_READ)
465 clear_bit(BIT_WAKE_ON_READ, &pipe->flags);
466 if (wakes & PIPE_WAKE_WRITE)
467 clear_bit(BIT_WAKE_ON_WRITE, &pipe->flags);
468
469 wake_up_interruptible(&pipe->wake_queue);
470 count++;
471 }
472 spin_unlock_irqrestore(&dev->lock, irq_flags);
473
474 return (count == 0) ? IRQ_NONE : IRQ_HANDLED;
475}
476
477/**
478 * goldfish_pipe_open - open a channel to the AVD
479 * @inode: inode of device
480 * @file: file struct of opener
481 *
482 * Create a new pipe link between the emulator and the use application.
483 * Each new request produces a new pipe.
484 *
485 * Note: we use the pipe ID as a mux. All goldfish emulations are 32bit
486 * right now so this is fine. A move to 64bit will need this addressing
487 */
488static int goldfish_pipe_open(struct inode *inode, struct file *file)
489{
490 struct goldfish_pipe *pipe;
491 struct goldfish_pipe_dev *dev = pipe_dev;
492 int32_t status;
493
494 /* Allocate new pipe kernel object */
495 pipe = kzalloc(sizeof(*pipe), GFP_KERNEL);
496 if (pipe == NULL)
497 return -ENOMEM;
498
499 pipe->dev = dev;
500 mutex_init(&pipe->lock);
501 init_waitqueue_head(&pipe->wake_queue);
502
503 /*
504 * Now, tell the emulator we're opening a new pipe. We use the
505 * pipe object's address as the channel identifier for simplicity.
506 */
507
508 status = goldfish_cmd_status(pipe, CMD_OPEN);
509 if (status < 0) {
510 kfree(pipe);
511 return status;
512 }
513
514 /* All is done, save the pipe into the file's private data field */
515 file->private_data = pipe;
516 return 0;
517}
518
519static int goldfish_pipe_release(struct inode *inode, struct file *filp)
520{
521 struct goldfish_pipe *pipe = filp->private_data;
522
523 /* The guest is closing the channel, so tell the emulator right now */
524 goldfish_cmd(pipe, CMD_CLOSE);
525 kfree(pipe);
526 filp->private_data = NULL;
527 return 0;
528}
529
530static const struct file_operations goldfish_pipe_fops = {
531 .owner = THIS_MODULE,
532 .read = goldfish_pipe_read,
533 .write = goldfish_pipe_write,
534 .poll = goldfish_pipe_poll,
535 .open = goldfish_pipe_open,
536 .release = goldfish_pipe_release,
537};
538
539static struct miscdevice goldfish_pipe_device = {
540 .minor = MISC_DYNAMIC_MINOR,
541 .name = "goldfish_pipe",
542 .fops = &goldfish_pipe_fops,
543};
544
545static int goldfish_pipe_probe(struct platform_device *pdev)
546{
547 int err;
548 struct resource *r;
549 struct goldfish_pipe_dev *dev = pipe_dev;
550
551 /* not thread safe, but this should not happen */
552 WARN_ON(dev->base != NULL);
553
554 spin_lock_init(&dev->lock);
555
556 r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
557 if (r == NULL || resource_size(r) < PAGE_SIZE) {
558 dev_err(&pdev->dev, "can't allocate i/o page\n");
559 return -EINVAL;
560 }
561 dev->base = devm_ioremap(&pdev->dev, r->start, PAGE_SIZE);
562 if (dev->base == NULL) {
563 dev_err(&pdev->dev, "ioremap failed\n");
564 return -EINVAL;
565 }
566
567 r = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
568 if (r == NULL) {
569 err = -EINVAL;
570 goto error;
571 }
572 dev->irq = r->start;
573
574 err = devm_request_irq(&pdev->dev, dev->irq, goldfish_pipe_interrupt,
575 IRQF_SHARED, "goldfish_pipe", dev);
576 if (err) {
577 dev_err(&pdev->dev, "unable to allocate IRQ\n");
578 goto error;
579 }
580
581 err = misc_register(&goldfish_pipe_device);
582 if (err) {
583 dev_err(&pdev->dev, "unable to register device\n");
584 goto error;
585 }
586 setup_access_params_addr(pdev, dev);
587 return 0;
588
589error:
590 dev->base = NULL;
591 return err;
592}
593
594static int goldfish_pipe_remove(struct platform_device *pdev)
595{
596 struct goldfish_pipe_dev *dev = pipe_dev;
597 misc_deregister(&goldfish_pipe_device);
598 dev->base = NULL;
599 return 0;
600}
601
602static struct platform_driver goldfish_pipe = {
603 .probe = goldfish_pipe_probe,
604 .remove = goldfish_pipe_remove,
605 .driver = {
606 .name = "goldfish_pipe"
607 }
608};
609
610module_platform_driver(goldfish_pipe);
611MODULE_AUTHOR("David Turner <digit@google.com>");
612MODULE_LICENSE("GPL");