1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2017 ARM Ltd.
4 * Author: Marc Zyngier <marc.zyngier@arm.com>
5 */
6
7#include <linux/interrupt.h>
8#include <linux/irq.h>
9#include <linux/irqdomain.h>
10#include <linux/kvm_host.h>
11#include <linux/irqchip/arm-gic-v3.h>
12
13#include "vgic.h"
14
15/*
16 * How KVM uses GICv4 (insert rude comments here):
17 *
18 * The vgic-v4 layer acts as a bridge between several entities:
19 * - The GICv4 ITS representation offered by the ITS driver
20 * - VFIO, which is in charge of the PCI endpoint
21 * - The virtual ITS, which is the only thing the guest sees
22 *
23 * The configuration of VLPIs is triggered by a callback from VFIO,
24 * instructing KVM that a PCI device has been configured to deliver
25 * MSIs to a vITS.
26 *
27 * kvm_vgic_v4_set_forwarding() is thus called with the routing entry,
28 * and this is used to find the corresponding vITS data structures
29 * (ITS instance, device, event and irq) using a process that is
30 * extremely similar to the injection of an MSI.
31 *
32 * At this stage, we can link the guest's view of an LPI (uniquely
33 * identified by the routing entry) and the host irq, using the GICv4
34 * driver mapping operation. Should the mapping succeed, we've then
35 * successfully upgraded the guest's LPI to a VLPI. We can then start
36 * with updating GICv4's view of the property table and generating an
37 * INValidation in order to kickstart the delivery of this VLPI to the
38 * guest directly, without software intervention. Well, almost.
39 *
40 * When the PCI endpoint is deconfigured, this operation is reversed
41 * with VFIO calling kvm_vgic_v4_unset_forwarding().
42 *
43 * Once the VLPI has been mapped, it needs to follow any change the
44 * guest performs on its LPI through the vITS. For that, a number of
45 * command handlers have hooks to communicate these changes to the HW:
46 * - Any invalidation triggers a call to its_prop_update_vlpi()
47 * - The INT command results in a irq_set_irqchip_state(), which
48 * generates an INT on the corresponding VLPI.
49 * - The CLEAR command results in a irq_set_irqchip_state(), which
50 * generates an CLEAR on the corresponding VLPI.
51 * - DISCARD translates into an unmap, similar to a call to
52 * kvm_vgic_v4_unset_forwarding().
53 * - MOVI is translated by an update of the existing mapping, changing
54 * the target vcpu, resulting in a VMOVI being generated.
55 * - MOVALL is translated by a string of mapping updates (similar to
56 * the handling of MOVI). MOVALL is horrible.
57 *
58 * Note that a DISCARD/MAPTI sequence emitted from the guest without
59 * reprogramming the PCI endpoint after MAPTI does not result in a
60 * VLPI being mapped, as there is no callback from VFIO (the guest
61 * will get the interrupt via the normal SW injection). Fixing this is
62 * not trivial, and requires some horrible messing with the VFIO
63 * internals. Not fun. Don't do that.
64 *
65 * Then there is the scheduling. Each time a vcpu is about to run on a
66 * physical CPU, KVM must tell the corresponding redistributor about
67 * it. And if we've migrated our vcpu from one CPU to another, we must
68 * tell the ITS (so that the messages reach the right redistributor).
69 * This is done in two steps: first issue a irq_set_affinity() on the
70 * irq corresponding to the vcpu, then call its_make_vpe_resident().
71 * You must be in a non-preemptible context. On exit, a call to
72 * its_make_vpe_non_resident() tells the redistributor that we're done
73 * with the vcpu.
74 *
75 * Finally, the doorbell handling: Each vcpu is allocated an interrupt
76 * which will fire each time a VLPI is made pending whilst the vcpu is
77 * not running. Each time the vcpu gets blocked, the doorbell
78 * interrupt gets enabled. When the vcpu is unblocked (for whatever
79 * reason), the doorbell interrupt is disabled.
80 */
81
82#define DB_IRQ_FLAGS (IRQ_NOAUTOEN | IRQ_DISABLE_UNLAZY | IRQ_NO_BALANCING)
83
84static irqreturn_t vgic_v4_doorbell_handler(int irq, void *info)
85{
86 struct kvm_vcpu *vcpu = info;
87
88 /* We got the message, no need to fire again */
89 if (!kvm_vgic_global_state.has_gicv4_1 &&
90 !irqd_irq_disabled(d: &irq_to_desc(irq)->irq_data))
91 disable_irq_nosync(irq);
92
93 /*
94 * The v4.1 doorbell can fire concurrently with the vPE being
95 * made non-resident. Ensure we only update pending_last
96 * *after* the non-residency sequence has completed.
97 */
98 raw_spin_lock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock);
99 vcpu->arch.vgic_cpu.vgic_v3.its_vpe.pending_last = true;
100 raw_spin_unlock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock);
101
102 kvm_make_request(req: KVM_REQ_IRQ_PENDING, vcpu);
103 kvm_vcpu_kick(vcpu);
104
105 return IRQ_HANDLED;
106}
107
108static void vgic_v4_sync_sgi_config(struct its_vpe *vpe, struct vgic_irq *irq)
109{
110 vpe->sgi_config[irq->intid].enabled = irq->enabled;
111 vpe->sgi_config[irq->intid].group = irq->group;
112 vpe->sgi_config[irq->intid].priority = irq->priority;
113}
114
115static void vgic_v4_enable_vsgis(struct kvm_vcpu *vcpu)
116{
117 struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
118 int i;
119
120 /*
121 * With GICv4.1, every virtual SGI can be directly injected. So
122 * let's pretend that they are HW interrupts, tied to a host
123 * IRQ. The SGI code will do its magic.
124 */
125 for (i = 0; i < VGIC_NR_SGIS; i++) {
126 struct vgic_irq *irq = vgic_get_vcpu_irq(vcpu, intid: i);
127 struct irq_desc *desc;
128 unsigned long flags;
129 int ret;
130
131 raw_spin_lock_irqsave(&irq->irq_lock, flags);
132
133 if (irq->hw)
134 goto unlock;
135
136 irq->hw = true;
137 irq->host_irq = irq_find_mapping(domain: vpe->sgi_domain, hwirq: i);
138
139 /* Transfer the full irq state to the vPE */
140 vgic_v4_sync_sgi_config(vpe, irq);
141 desc = irq_to_desc(irq: irq->host_irq);
142 ret = irq_domain_activate_irq(irq_data: irq_desc_get_irq_data(desc),
143 early: false);
144 if (!WARN_ON(ret)) {
145 /* Transfer pending state */
146 ret = irq_set_irqchip_state(irq: irq->host_irq,
147 which: IRQCHIP_STATE_PENDING,
148 state: irq->pending_latch);
149 WARN_ON(ret);
150 irq->pending_latch = false;
151 }
152 unlock:
153 raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
154 vgic_put_irq(kvm: vcpu->kvm, irq);
155 }
156}
157
158static void vgic_v4_disable_vsgis(struct kvm_vcpu *vcpu)
159{
160 int i;
161
162 for (i = 0; i < VGIC_NR_SGIS; i++) {
163 struct vgic_irq *irq = vgic_get_vcpu_irq(vcpu, intid: i);
164 struct irq_desc *desc;
165 unsigned long flags;
166 bool pending;
167 int ret;
168
169 raw_spin_lock_irqsave(&irq->irq_lock, flags);
170
171 if (!irq->hw)
172 goto unlock;
173
174 irq->hw = false;
175 ret = irq_get_irqchip_state(irq: irq->host_irq,
176 which: IRQCHIP_STATE_PENDING,
177 state: &pending);
178 WARN_ON(ret);
179
180 irq->pending_latch = pending;
181
182 desc = irq_to_desc(irq: irq->host_irq);
183 irq_domain_deactivate_irq(irq_data: irq_desc_get_irq_data(desc));
184 unlock:
185 raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
186 vgic_put_irq(kvm: vcpu->kvm, irq);
187 }
188}
189
190void vgic_v4_configure_vsgis(struct kvm *kvm)
191{
192 struct vgic_dist *dist = &kvm->arch.vgic;
193 struct kvm_vcpu *vcpu;
194 unsigned long i;
195
196 lockdep_assert_held(&kvm->arch.config_lock);
197
198 kvm_arm_halt_guest(kvm);
199
200 kvm_for_each_vcpu(i, vcpu, kvm) {
201 if (dist->nassgireq)
202 vgic_v4_enable_vsgis(vcpu);
203 else
204 vgic_v4_disable_vsgis(vcpu);
205 }
206
207 kvm_arm_resume_guest(kvm);
208}
209
210/*
211 * Must be called with GICv4.1 and the vPE unmapped, which
212 * indicates the invalidation of any VPT caches associated
213 * with the vPE, thus we can get the VLPI state by peeking
214 * at the VPT.
215 */
216void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val)
217{
218 struct its_vpe *vpe = &irq->target_vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
219 int mask = BIT(irq->intid % BITS_PER_BYTE);
220 void *va;
221 u8 *ptr;
222
223 va = page_address(vpe->vpt_page);
224 ptr = va + irq->intid / BITS_PER_BYTE;
225
226 *val = !!(*ptr & mask);
227}
228
229int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq)
230{
231 return request_irq(irq, handler: vgic_v4_doorbell_handler, flags: 0, name: "vcpu", dev: vcpu);
232}
233
234/**
235 * vgic_v4_init - Initialize the GICv4 data structures
236 * @kvm: Pointer to the VM being initialized
237 *
238 * We may be called each time a vITS is created, or when the
239 * vgic is initialized. In both cases, the number of vcpus
240 * should now be fixed.
241 */
242int vgic_v4_init(struct kvm *kvm)
243{
244 struct vgic_dist *dist = &kvm->arch.vgic;
245 struct kvm_vcpu *vcpu;
246 int nr_vcpus, ret;
247 unsigned long i;
248
249 lockdep_assert_held(&kvm->arch.config_lock);
250
251 if (!kvm_vgic_global_state.has_gicv4)
252 return 0; /* Nothing to see here... move along. */
253
254 if (dist->its_vm.vpes)
255 return 0;
256
257 nr_vcpus = atomic_read(v: &kvm->online_vcpus);
258
259 dist->its_vm.vpes = kcalloc(nr_vcpus, sizeof(*dist->its_vm.vpes),
260 GFP_KERNEL_ACCOUNT);
261 if (!dist->its_vm.vpes)
262 return -ENOMEM;
263
264 dist->its_vm.nr_vpes = nr_vcpus;
265
266 kvm_for_each_vcpu(i, vcpu, kvm)
267 dist->its_vm.vpes[i] = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
268
269 ret = its_alloc_vcpu_irqs(&dist->its_vm);
270 if (ret < 0) {
271 kvm_err("VPE IRQ allocation failure\n");
272 kfree(objp: dist->its_vm.vpes);
273 dist->its_vm.nr_vpes = 0;
274 dist->its_vm.vpes = NULL;
275 return ret;
276 }
277
278 kvm_for_each_vcpu(i, vcpu, kvm) {
279 int irq = dist->its_vm.vpes[i]->irq;
280 unsigned long irq_flags = DB_IRQ_FLAGS;
281
282 /*
283 * Don't automatically enable the doorbell, as we're
284 * flipping it back and forth when the vcpu gets
285 * blocked. Also disable the lazy disabling, as the
286 * doorbell could kick us out of the guest too
287 * early...
288 *
289 * On GICv4.1, the doorbell is managed in HW and must
290 * be left enabled.
291 */
292 if (kvm_vgic_global_state.has_gicv4_1)
293 irq_flags &= ~IRQ_NOAUTOEN;
294 irq_set_status_flags(irq, set: irq_flags);
295
296 ret = vgic_v4_request_vpe_irq(vcpu, irq);
297 if (ret) {
298 kvm_err("failed to allocate vcpu IRQ%d\n", irq);
299 /*
300 * Trick: adjust the number of vpes so we know
301 * how many to nuke on teardown...
302 */
303 dist->its_vm.nr_vpes = i;
304 break;
305 }
306 }
307
308 if (ret)
309 vgic_v4_teardown(kvm);
310
311 return ret;
312}
313
314/**
315 * vgic_v4_teardown - Free the GICv4 data structures
316 * @kvm: Pointer to the VM being destroyed
317 */
318void vgic_v4_teardown(struct kvm *kvm)
319{
320 struct its_vm *its_vm = &kvm->arch.vgic.its_vm;
321 int i;
322
323 lockdep_assert_held(&kvm->arch.config_lock);
324
325 if (!its_vm->vpes)
326 return;
327
328 for (i = 0; i < its_vm->nr_vpes; i++) {
329 struct kvm_vcpu *vcpu = kvm_get_vcpu(kvm, i);
330 int irq = its_vm->vpes[i]->irq;
331
332 irq_clear_status_flags(irq, DB_IRQ_FLAGS);
333 free_irq(irq, vcpu);
334 }
335
336 its_free_vcpu_irqs(its_vm);
337 kfree(objp: its_vm->vpes);
338 its_vm->nr_vpes = 0;
339 its_vm->vpes = NULL;
340}
341
342static inline bool vgic_v4_want_doorbell(struct kvm_vcpu *vcpu)
343{
344 if (vcpu_get_flag(vcpu, IN_WFI))
345 return true;
346
347 if (likely(!vcpu_has_nv(vcpu)))
348 return false;
349
350 /*
351 * GICv4 hardware is only ever used for the L1. Mark the vPE (i.e. the
352 * L1 context) nonresident and request a doorbell to kick us out of the
353 * L2 when an IRQ becomes pending.
354 */
355 return vcpu_get_flag(vcpu, IN_NESTED_ERET);
356}
357
358int vgic_v4_put(struct kvm_vcpu *vcpu)
359{
360 struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
361
362 if (!vgic_supports_direct_irqs(kvm: vcpu->kvm) || !vpe->resident)
363 return 0;
364
365 return its_make_vpe_non_resident(vpe, vgic_v4_want_doorbell(vcpu));
366}
367
368int vgic_v4_load(struct kvm_vcpu *vcpu)
369{
370 struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
371 int err;
372
373 if (!vgic_supports_direct_irqs(kvm: vcpu->kvm) || vpe->resident)
374 return 0;
375
376 if (vcpu_get_flag(vcpu, IN_WFI))
377 return 0;
378
379 /*
380 * Before making the VPE resident, make sure the redistributor
381 * corresponding to our current CPU expects us here. See the
382 * doc in drivers/irqchip/irq-gic-v4.c to understand how this
383 * turns into a VMOVP command at the ITS level.
384 */
385 err = irq_set_affinity(irq: vpe->irq, cpumask_of(smp_processor_id()));
386 if (err)
387 return err;
388
389 err = its_make_vpe_resident(vpe, false, vcpu->kvm->arch.vgic.enabled);
390 if (err)
391 return err;
392
393 /*
394 * Now that the VPE is resident, let's get rid of a potential
395 * doorbell interrupt that would still be pending. This is a
396 * GICv4.0 only "feature"...
397 */
398 if (!kvm_vgic_global_state.has_gicv4_1)
399 err = irq_set_irqchip_state(irq: vpe->irq, which: IRQCHIP_STATE_PENDING, state: false);
400
401 return err;
402}
403
404void vgic_v4_commit(struct kvm_vcpu *vcpu)
405{
406 struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe;
407
408 /*
409 * No need to wait for the vPE to be ready across a shallow guest
410 * exit, as only a vcpu_put will invalidate it.
411 */
412 if (!vpe->ready)
413 its_commit_vpe(vpe);
414}
415
416static struct vgic_its *vgic_get_its(struct kvm *kvm,
417 struct kvm_kernel_irq_routing_entry *irq_entry)
418{
419 struct kvm_msi msi = (struct kvm_msi) {
420 .address_lo = irq_entry->msi.address_lo,
421 .address_hi = irq_entry->msi.address_hi,
422 .data = irq_entry->msi.data,
423 .flags = irq_entry->msi.flags,
424 .devid = irq_entry->msi.devid,
425 };
426
427 return vgic_msi_to_its(kvm, msi: &msi);
428}
429
430int kvm_vgic_v4_set_forwarding(struct kvm *kvm, int virq,
431 struct kvm_kernel_irq_routing_entry *irq_entry)
432{
433 struct vgic_its *its;
434 struct vgic_irq *irq;
435 struct its_vlpi_map map;
436 unsigned long flags;
437 int ret = 0;
438
439 if (!vgic_supports_direct_msis(kvm))
440 return 0;
441
442 /*
443 * Get the ITS, and escape early on error (not a valid
444 * doorbell for any of our vITSs).
445 */
446 its = vgic_get_its(kvm, irq_entry);
447 if (IS_ERR(ptr: its))
448 return 0;
449
450 guard(mutex)(T: &its->its_lock);
451
452 /*
453 * Perform the actual DevID/EventID -> LPI translation.
454 *
455 * Silently exit if translation fails as the guest (or userspace!) has
456 * managed to do something stupid. Emulated LPI injection will still
457 * work if the guest figures itself out at a later time.
458 */
459 if (vgic_its_resolve_lpi(kvm, its, devid: irq_entry->msi.devid,
460 eventid: irq_entry->msi.data, irq: &irq))
461 return 0;
462
463 raw_spin_lock_irqsave(&irq->irq_lock, flags);
464
465 /* Silently exit if the vLPI is already mapped */
466 if (irq->hw)
467 goto out_unlock_irq;
468
469 /*
470 * Emit the mapping request. If it fails, the ITS probably
471 * isn't v4 compatible, so let's silently bail out. Holding
472 * the ITS lock should ensure that nothing can modify the
473 * target vcpu.
474 */
475 map = (struct its_vlpi_map) {
476 .vm = &kvm->arch.vgic.its_vm,
477 .vpe = &irq->target_vcpu->arch.vgic_cpu.vgic_v3.its_vpe,
478 .vintid = irq->intid,
479 .properties = ((irq->priority & 0xfc) |
480 (irq->enabled ? LPI_PROP_ENABLED : 0) |
481 LPI_PROP_GROUP1),
482 .db_enabled = true,
483 };
484
485 ret = its_map_vlpi(virq, &map);
486 if (ret)
487 goto out_unlock_irq;
488
489 irq->hw = true;
490 irq->host_irq = virq;
491 atomic_inc(v: &map.vpe->vlpi_count);
492
493 /* Transfer pending state */
494 if (!irq->pending_latch)
495 goto out_unlock_irq;
496
497 ret = irq_set_irqchip_state(irq: irq->host_irq, which: IRQCHIP_STATE_PENDING,
498 state: irq->pending_latch);
499 WARN_RATELIMIT(ret, "IRQ %d", irq->host_irq);
500
501 /*
502 * Clear pending_latch and communicate this state
503 * change via vgic_queue_irq_unlock.
504 */
505 irq->pending_latch = false;
506 vgic_queue_irq_unlock(kvm, irq, flags);
507 return ret;
508
509out_unlock_irq:
510 raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
511 return ret;
512}
513
514static struct vgic_irq *__vgic_host_irq_get_vlpi(struct kvm *kvm, int host_irq)
515{
516 struct vgic_irq *irq;
517 unsigned long idx;
518
519 guard(rcu)();
520 xa_for_each(&kvm->arch.vgic.lpi_xa, idx, irq) {
521 if (!irq->hw || irq->host_irq != host_irq)
522 continue;
523
524 if (!vgic_try_get_irq_ref(irq))
525 return NULL;
526
527 return irq;
528 }
529
530 return NULL;
531}
532
533void kvm_vgic_v4_unset_forwarding(struct kvm *kvm, int host_irq)
534{
535 struct vgic_irq *irq;
536 unsigned long flags;
537
538 if (!vgic_supports_direct_msis(kvm))
539 return;
540
541 irq = __vgic_host_irq_get_vlpi(kvm, host_irq);
542 if (!irq)
543 return;
544
545 raw_spin_lock_irqsave(&irq->irq_lock, flags);
546 WARN_ON(irq->hw && irq->host_irq != host_irq);
547 if (irq->hw) {
548 atomic_dec(v: &irq->target_vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vlpi_count);
549 irq->hw = false;
550 its_unmap_vlpi(host_irq);
551 }
552
553 raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
554 vgic_put_irq(kvm, irq);
555}
556

source code of linux/arch/arm64/kvm/vgic/vgic-v4.c