1 /* SPDX-License-Identifier: (GPL-2.0 OR CDDL-1.0) */
2 /*
3  * vboxguest vmm-req and hgcm-call code, VBoxGuestR0LibHGCMInternal.cpp,
4  * VBoxGuestR0LibGenericRequest.cpp and RTErrConvertToErrno.cpp in vbox svn.
5  *
6  * Copyright (C) 2006-2016 Oracle Corporation
7  */
8 
9 #include <linux/errno.h>
10 #include <linux/io.h>
11 #include <linux/kernel.h>
12 #include <linux/mm.h>
13 #include <linux/module.h>
14 #include <linux/sizes.h>
15 #include <linux/slab.h>
16 #include <linux/uaccess.h>
17 #include <linux/vmalloc.h>
18 #include <linux/vbox_err.h>
19 #include <linux/vbox_utils.h>
20 #include "vboxguest_core.h"
21 
/*
 * The function parameters of a HGCM call request start directly after the
 * fixed-size struct vmmdev_hgcm_call; this yields a pointer to the first one.
 */
#define VMMDEV_HGCM_CALL_PARMS(a) \
	((struct vmmdev_hgcm_function_parameter *) \
	 ((u8 *)(a) + sizeof(struct vmmdev_hgcm_call)))

/*
 * Upper bounds on the size of a single buffer parameter; a parameter whose
 * size exceeds its bound is rejected with -E2BIG.
 */
#define VBG_MAX_HGCM_USER_PARM		(24 * SZ_1M)	/* user request */
#define VBG_MAX_HGCM_KERNEL_PARM	(16 * SZ_1M)	/* kernel request */

/* I/O port that the VBG_LOG() functions write every message byte to. */
#define VBG_DEBUG_PORT			0x504

/* Guards vbg_log_buf and keeps writes to VBG_DEBUG_PORT from interleaving. */
static DEFINE_SPINLOCK(vbg_log_lock);
static char vbg_log_buf[128];
37 
/*
 * VBG_LOG - define and export a printf-style log function called @name.
 *
 * The message is formatted into the shared vbg_log_buf under vbg_log_lock
 * (interrupts disabled), so anything longer than the buffer is truncated by
 * vscnprintf(). The formatted bytes are written one at a time to
 * VBG_DEBUG_PORT and the same text is then passed to @pr_func with a fixed
 * "%s" format.
 *
 * @fmt is used as a format string: callers must pass a constant format and
 * hand untrusted text over as an argument only.
 * NOTE(review): bytes written to VBG_DEBUG_PORT presumably end up in a log
 * on the host side - keep secrets out of these messages; confirm.
 */
#define VBG_LOG(name, pr_func) \
void name(const char *fmt, ...)						\
{									\
	unsigned long irq_flags;					\
	va_list ap;							\
	int pos, len;							\
									\
	va_start(ap, fmt);						\
	spin_lock_irqsave(&vbg_log_lock, irq_flags);			\
									\
	len = vscnprintf(vbg_log_buf, sizeof(vbg_log_buf), fmt, ap);	\
	for (pos = 0; pos < len; pos++)					\
		outb(vbg_log_buf[pos], VBG_DEBUG_PORT);			\
									\
	pr_func("%s", vbg_log_buf);					\
									\
	spin_unlock_irqrestore(&vbg_log_lock, irq_flags);		\
	va_end(ap);							\
}									\
EXPORT_SYMBOL(name)

VBG_LOG(vbg_info, pr_info);
VBG_LOG(vbg_warn, pr_warn);
VBG_LOG(vbg_err, pr_err);
VBG_LOG(vbg_err_ratelimited, pr_err_ratelimited);
/* vbg_debug is only built as a real function here in this configuration. */
#if defined(DEBUG) && !defined(CONFIG_DYNAMIC_DEBUG)
VBG_LOG(vbg_debug, pr_debug);
#endif
66 
/**
 * vbg_req_alloc - Allocate a VMMDev request and fill in its header.
 * @len:        Size of the request in bytes, header included.
 * @req_type:   Request type to store in the header.
 * @requestor:  Requestor value to store in the header.
 *
 * The memory comes from the page allocator with GFP_DMA32, as
 * vbg_req_perform() hands the physical address of the request to the host
 * through a 32-bit port write. The first @len bytes are filled with 0xaa
 * before the header is set up, so every field past the header holds that
 * pattern until the caller initialises it. Bytes between @len and the end
 * of the last page are left as the page allocator returned them.
 *
 * NOTE(review): @len is not checked against the header size or against the
 * width of the header's size field; callers are presumably expected to pass
 * a sane length - confirm.
 *
 * Return: the request, or NULL if the allocation failed. Release it with
 * vbg_req_free() and the same @len.
 */
void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type,
		    u32 requestor)
{
	struct vmmdev_request_header *hdr;
	unsigned long pages;

	pages = __get_free_pages(GFP_KERNEL | GFP_DMA32,
				 get_order(PAGE_ALIGN(len)));
	if (!pages)
		return NULL;

	hdr = (void *)pages;
	memset(hdr, 0xaa, len);

	hdr->size = len;
	hdr->version = VMMDEV_REQUEST_HEADER_VERSION;
	hdr->request_type = req_type;
	/* Start out as failed; vbg_req_perform() returns whatever is here. */
	hdr->rc = VERR_GENERAL_FAILURE;
	hdr->reserved1 = 0;
	hdr->requestor = requestor;

	return hdr;
}
88 
/**
 * vbg_req_free - Free a request allocated with vbg_req_alloc().
 * @req:  The request, may be NULL.
 * @len:  The length that was passed to vbg_req_alloc(); the page order to
 *        free is derived from it, so it has to match.
 */
void vbg_req_free(void *req, size_t len)
{
	if (req)
		free_pages((unsigned long)req, get_order(PAGE_ALIGN(len)));
}
96 
/**
 * vbg_req_perform - Hand a request to the host and return its status.
 * @gdev:  The VBoxGuest device extension.
 * @req:   The request; it starts with a struct vmmdev_request_header.
 *
 * The physical address of @req is written to the request port. outl() takes
 * a 32-bit value, which is why requests are allocated with GFP_DMA32.
 *
 * Return: the rc field of the request header. Note that this is a VBox
 * status code, not a negative errno!
 */
int vbg_req_perform(struct vbg_dev *gdev, void *req)
{
	struct vmmdev_request_header *hdr = req;
	unsigned long req_phys = virt_to_phys(req);

	outl(req_phys, gdev->io_port + VMMDEV_PORT_OFF_REQUEST);
	/*
	 * The host modifies the request in response to the outl; the barrier
	 * keeps the port write and the read of the result below in order.
	 */
	mb();

	return hdr->rc;
}
111 
/**
 * hgcm_req_done - Check whether a HGCM request has been marked as done.
 * @gdev:    The VBoxGuest device extension.
 * @header:  Header of the HGCM request to check.
 *
 * The flags are sampled with event_spinlock held and interrupts disabled.
 *
 * Return: true if VMMDEV_HGCM_REQ_DONE is set in the header flags.
 */
static bool hgcm_req_done(struct vbg_dev *gdev,
			  struct vmmdev_hgcmreq_header *header)
{
	unsigned long irq_flags;
	bool completed;

	spin_lock_irqsave(&gdev->event_spinlock, irq_flags);
	completed = !!(header->flags & VMMDEV_HGCM_REQ_DONE);
	spin_unlock_irqrestore(&gdev->event_spinlock, irq_flags);

	return completed;
}
124 
/**
 * vbg_hgcm_connect - Connect to a HGCM service.
 * @gdev:         The VBoxGuest device extension.
 * @requestor:    Requestor value for the request header.
 * @loc:          Location of the service to connect to.
 * @client_id:    Where to return the client ID; only written when the
 *                request itself did not fail.
 * @vbox_status:  Where to return the VBox status code of the connect.
 *
 * If the host answers VINF_HGCM_ASYNC_EXECUTE this waits, uninterruptibly
 * and without a timeout, until the request is flagged as done.
 *
 * Return: %0, or -ENOMEM if the request could not be allocated. A failure
 * reported by the host is returned through @vbox_status only.
 */
int vbg_hgcm_connect(struct vbg_dev *gdev, u32 requestor,
		     struct vmmdev_hgcm_service_location *loc,
		     u32 *client_id, int *vbox_status)
{
	struct vmmdev_hgcm_connect *req;
	int status;

	req = vbg_req_alloc(sizeof(*req), VMMDEVREQ_HGCM_CONNECT, requestor);
	if (!req)
		return -ENOMEM;

	req->header.flags = 0;
	req->client_id = 0;
	memcpy(&req->loc, loc, sizeof(*loc));

	status = vbg_req_perform(gdev, req);
	if (status == VINF_HGCM_ASYNC_EXECUTE)
		wait_event(gdev->hgcm_wq, hgcm_req_done(gdev, &req->header));

	/* On success the real outcome is the result stored in the header. */
	if (status >= 0) {
		*client_id = req->client_id;
		status = req->header.result;
	}

	vbg_req_free(req, sizeof(*req));
	*vbox_status = status;

	return 0;
}
EXPORT_SYMBOL(vbg_hgcm_connect);
158 
/**
 * vbg_hgcm_disconnect - Disconnect from a HGCM service.
 * @gdev:         The VBoxGuest device extension.
 * @requestor:    Requestor value for the request header.
 * @client_id:    The client ID to disconnect.
 * @vbox_status:  Where to return the VBox status code of the disconnect.
 *
 * If the host answers VINF_HGCM_ASYNC_EXECUTE this waits, uninterruptibly
 * and without a timeout, until the request is flagged as done.
 *
 * Return: %0, or -ENOMEM if the request could not be allocated. A failure
 * reported by the host is returned through @vbox_status only.
 */
int vbg_hgcm_disconnect(struct vbg_dev *gdev, u32 requestor,
			u32 client_id, int *vbox_status)
{
	struct vmmdev_hgcm_disconnect *req;
	int status;

	req = vbg_req_alloc(sizeof(*req), VMMDEVREQ_HGCM_DISCONNECT,
			    requestor);
	if (!req)
		return -ENOMEM;

	req->client_id = client_id;
	req->header.flags = 0;

	status = vbg_req_perform(gdev, req);
	if (status == VINF_HGCM_ASYNC_EXECUTE)
		wait_event(gdev->hgcm_wq, hgcm_req_done(gdev, &req->header));

	/* On success the real outcome is the result stored in the header. */
	if (status >= 0)
		status = req->header.result;

	vbg_req_free(req, sizeof(*req));
	*vbox_status = status;

	return 0;
}
EXPORT_SYMBOL(vbg_hgcm_disconnect);
189 
/**
 * hgcm_call_buf_size_in_pages - Number of pages a buffer touches.
 * @buf:  Start of the buffer; it does not have to be page aligned.
 * @len:  Length of the buffer in bytes.
 *
 * The offset of @buf within its first page is added to @len before rounding
 * up to whole pages. The sum is stored in a u32, so @len has to be small
 * enough for that; the callers in this file bound it with the
 * VBG_MAX_HGCM_*_PARM limits first.
 *
 * Return: the page count.
 */
static u32 hgcm_call_buf_size_in_pages(void *buf, u32 len)
{
	unsigned long offset_in_page = (unsigned long)buf & ~PAGE_MASK;
	u32 span = PAGE_ALIGN(len + offset_in_page);

	return span >> PAGE_SHIFT;
}
196 
/**
 * hgcm_call_add_pagelist_size - Account for the page list of one buffer.
 * @buf:    Start of the buffer.
 * @len:    Length of the buffer in bytes.
 * @extra:  Running total of extra request space, increased by the size of
 *          a struct vmmdev_hgcm_pagelist with one entry per page of @buf.
 */
static void hgcm_call_add_pagelist_size(void *buf, u32 len, size_t *extra)
{
	u32 nr_pages = hgcm_call_buf_size_in_pages(buf, len);

	*extra += offsetof(struct vmmdev_hgcm_pagelist, pages[nr_pages]);
}
204 
/**
 * hgcm_call_preprocess_linaddr - Set up the bounce buffer for one user
 *	buffer parameter.
 * @src_parm:        The user linear-address parameter.
 * @bounce_buf_ret:  Where to return the bounce buffer. It is stored as soon
 *                   as it has been allocated, so the caller has to free it
 *                   even when this function fails afterwards.
 * @extra:           Running total of extra request space for page lists.
 *
 * The user supplied size is checked against VBG_MAX_HGCM_USER_PARM before
 * anything is allocated. Buffers that carry data to the host are filled from
 * user space; a pure output buffer is zeroed instead, so that bytes the host
 * leaves untouched cannot hand stale kernel memory back to user space.
 *
 * Return: %0 or negative errno value.
 */
static int hgcm_call_preprocess_linaddr(
	const struct vmmdev_hgcm_function_parameter *src_parm,
	void **bounce_buf_ret, size_t *extra)
{
	void __user *user_buf =
		(void __user *)src_parm->u.pointer.u.linear_addr;
	u32 size = src_parm->u.pointer.size;
	void *kbuf;

	if (size > VBG_MAX_HGCM_USER_PARM)
		return -E2BIG;

	kbuf = kvmalloc(size, GFP_KERNEL);
	if (!kbuf)
		return -ENOMEM;

	/* Publish the buffer first, the caller frees it on every path. */
	*bounce_buf_ret = kbuf;

	if (src_parm->type == VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT) {
		memset(kbuf, 0, size);
	} else if (copy_from_user(kbuf, user_buf, size)) {
		return -EFAULT;
	}

	hgcm_call_add_pagelist_size(kbuf, size, extra);
	return 0;
}
238 
/**
 * hgcm_call_preprocess - Validate the parameters of a HGCM call, allocate
 *	bounce buffers for user buffers and add up the extra request space
 *	needed for page lists.
 * @src_parm:         Pointer to source function call parameters
 * @parm_count:       Number of function call parameters.
 * @bounce_bufs_ret:  Where to return the allocated bouncebuffer array. It
 *                    is only written once the first user buffer parameter
 *                    is seen, and it may have been written even when an
 *                    error is returned.
 * @extra:            Running request size, increased by the space needed
 *                    for physical page lists.
 *
 * NOTE(review): the LINADDR_KERNEL types are taken at face value here, their
 * address is used as a kernel pointer without looking at who the requestor
 * is. Presumably the ioctl layer rejects them for user-mode callers before
 * this is reached - confirm.
 *
 * Return: %0 or negative errno value.
 */
static int hgcm_call_preprocess(
	const struct vmmdev_hgcm_function_parameter *src_parm,
	u32 parm_count, void ***bounce_bufs_ret, size_t *extra)
{
	void **bufs = NULL;
	u32 idx;

	for (idx = 0; idx < parm_count; idx++) {
		const struct vmmdev_hgcm_function_parameter *parm =
			&src_parm[idx];
		int err;

		switch (parm->type) {
		case VMMDEV_HGCM_PARM_TYPE_32BIT:
		case VMMDEV_HGCM_PARM_TYPE_64BIT:
			/* Plain values, nothing to prepare. */
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
			/* One slot per parameter, allocated on first use. */
			if (!bufs) {
				bufs = kcalloc(parm_count, sizeof(void *),
					       GFP_KERNEL);
				if (!bufs)
					return -ENOMEM;

				*bounce_bufs_ret = bufs;
			}

			err = hgcm_call_preprocess_linaddr(parm, &bufs[idx],
							   extra);
			if (err)
				return err;

			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_OUT:
			if (WARN_ON(parm->u.pointer.size >
				    VBG_MAX_HGCM_KERNEL_PARM))
				return -E2BIG;

			hgcm_call_add_pagelist_size(
				(void *)parm->u.pointer.u.linear_addr,
				parm->u.pointer.size, extra);
			break;

		default:
			return -EINVAL;
		}
	}

	return 0;
}
304 
/**
 * hgcm_call_linear_addr_type_to_pagelist_flags - Map a linear address
 *	parameter type to the direction flags of its page list.
 * @type:  The linear address parameter type.
 *
 * Any other type triggers a WARN and is treated as bidirectional.
 *
 * Return: page list flags.
 */
static u32 hgcm_call_linear_addr_type_to_pagelist_flags(
	enum vmmdev_hgcm_function_parameter_type type)
{
	switch (type) {
	case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
	case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_IN:
		return VMMDEV_HGCM_F_PARM_DIRECTION_TO_HOST;

	case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
	case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_OUT:
		return VMMDEV_HGCM_F_PARM_DIRECTION_FROM_HOST;

	case VMMDEV_HGCM_PARM_TYPE_LINADDR:
	case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL:
		return VMMDEV_HGCM_F_PARM_DIRECTION_BOTH;

	default:
		WARN_ON(1);
		return VMMDEV_HGCM_F_PARM_DIRECTION_BOTH;
	}
}
332 
/**
 * hgcm_call_init_linaddr - Turn one buffer parameter into a page list
 *	parameter of the call request.
 * @call:       The call request being built.
 * @dst_parm:   The parameter slot inside @call to fill in.
 * @buf:        Kernel address of the buffer (a bounce buffer, or the
 *              caller's buffer for the kernel parameter types).
 * @len:        Length of the buffer in bytes.
 * @type:       The original linear address parameter type.
 * @off_extra:  Offset into @call at which the next page list goes; advanced
 *              past the page list written here.
 *
 * A zero length buffer keeps its original type with size and address
 * cleared, and uses no page list space. Otherwise the host gets the
 * physical address of every page of the buffer, so it only ever sees
 * physical pages and never a guest virtual address.
 */
static void hgcm_call_init_linaddr(struct vmmdev_hgcm_call *call,
	struct vmmdev_hgcm_function_parameter *dst_parm, void *buf, u32 len,
	enum vmmdev_hgcm_function_parameter_type type, u32 *off_extra)
{
	struct vmmdev_hgcm_pagelist *pg_lst;
	bool from_vmalloc;
	u32 idx, nr_pages;

	if (len == 0) {
		dst_parm->type = type;
		dst_parm->u.pointer.size = 0;
		dst_parm->u.pointer.u.linear_addr = 0;
		return;
	}

	pg_lst = (void *)call + *off_extra;
	nr_pages = hgcm_call_buf_size_in_pages(buf, len);
	from_vmalloc = is_vmalloc_addr(buf);

	dst_parm->type = VMMDEV_HGCM_PARM_TYPE_PAGELIST;
	dst_parm->u.page_list.size = len;
	dst_parm->u.page_list.offset = *off_extra;

	pg_lst->flags = hgcm_call_linear_addr_type_to_pagelist_flags(type);
	pg_lst->offset_first_page = (unsigned long)buf & ~PAGE_MASK;
	pg_lst->page_count = nr_pages;

	/* vmalloc memory is not physically contiguous, look up each page. */
	for (idx = 0; idx < nr_pages; idx++, buf += PAGE_SIZE) {
		struct page *pg = from_vmalloc ? vmalloc_to_page(buf) :
						 virt_to_page(buf);

		pg_lst->pages[idx] = page_to_phys(pg);
	}

	*off_extra += offsetof(struct vmmdev_hgcm_pagelist, pages[nr_pages]);
}
373 
/**
 * hgcm_call_init_call - Fill in the call request that is sent to the host.
 * @call:            The call to initialize.
 * @client_id:       The client ID of the caller.
 * @function:        The function number of the function to call.
 * @src_parm:        Pointer to source function call parameters.
 * @parm_count:      Number of function call parameters.
 * @bounce_bufs:     The bouncebuffer array; entry i is used in place of the
 *                   user address of user buffer parameter i.
 *
 * Page lists are placed after the parameter array. @call has to be large
 * enough for them, which is the size hgcm_call_preprocess() computes.
 */
static void hgcm_call_init_call(
	struct vmmdev_hgcm_call *call, u32 client_id, u32 function,
	const struct vmmdev_hgcm_function_parameter *src_parm,
	u32 parm_count, void **bounce_bufs)
{
	struct vmmdev_hgcm_function_parameter *dst_base =
		VMMDEV_HGCM_CALL_PARMS(call);
	/* The first page list starts right behind the last parameter. */
	u32 off_extra = (uintptr_t)(dst_base + parm_count) - (uintptr_t)call;
	u32 idx;

	call->header.flags = 0;
	call->header.result = VINF_SUCCESS;
	call->client_id = client_id;
	call->function = function;
	call->parm_count = parm_count;

	for (idx = 0; idx < parm_count; idx++) {
		const struct vmmdev_hgcm_function_parameter *src =
			&src_parm[idx];
		struct vmmdev_hgcm_function_parameter *dst = &dst_base[idx];

		switch (src->type) {
		case VMMDEV_HGCM_PARM_TYPE_32BIT:
		case VMMDEV_HGCM_PARM_TYPE_64BIT:
			*dst = *src;
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
			/* User buffer: the host gets the bounce buffer. */
			hgcm_call_init_linaddr(call, dst, bounce_bufs[idx],
					       src->u.pointer.size,
					       src->type, &off_extra);
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_OUT:
			/* Kernel buffer: its own pages are used directly. */
			hgcm_call_init_linaddr(call, dst,
				(void *)src->u.pointer.u.linear_addr,
				src->u.pointer.size, src->type, &off_extra);
			break;

		default:
			WARN_ON(1);
			dst->type = VMMDEV_HGCM_PARM_TYPE_INVALID;
		}
	}
}
430 
/**
 * hgcm_cancel_call - Tries to cancel a pending HGCM call.
 * @gdev:        The VBoxGuest device extension.
 * @call:        The call to cancel.
 *
 * The dedicated cancel request is tried first. If the host answers
 * VERR_NOT_IMPLEMENTED, the call request itself is re-submitted with its
 * type changed to VMMDEVREQ_HGCM_CANCEL.
 *
 * Return: VBox status code
 */
static int hgcm_cancel_call(struct vbg_dev *gdev, struct vmmdev_hgcm_call *call)
{
	int status;

	/*
	 * There is a single pre-allocated cancel request, guarded by
	 * cancel_req_mutex, so cancellations are serialized. They should be
	 * rare enough for that not to matter.
	 */
	mutex_lock(&gdev->cancel_req_mutex);
	gdev->cancel_req->phys_req_to_cancel = virt_to_phys(call);
	status = vbg_req_perform(gdev, gdev->cancel_req);
	mutex_unlock(&gdev->cancel_req_mutex);

	if (status == VERR_NOT_IMPLEMENTED) {
		/* Fall back to cancelling by way of the call request. */
		call->header.flags |= VMMDEV_HGCM_REQ_CANCELLED;
		call->header.header.request_type = VMMDEVREQ_HGCM_CANCEL;

		status = vbg_req_perform(gdev, call);
		if (status == VERR_INVALID_PARAMETER)
			status = VERR_NOT_FOUND;
	}

	if (status < 0)
		return status;

	call->header.flags |= VMMDEV_HGCM_REQ_CANCELLED;
	return status;
}
466 
/**
 * vbg_hgcm_do_call - Performs the call and completion wait.
 * @gdev:        The VBoxGuest device extension.
 * @call:        The call to execute.
 * @timeout_ms:  Timeout in ms, U32_MAX means no timeout.
 * @interruptible: whether this call is interruptible
 * @leak_it:     Where to return the leak it / free it, indicator. Set to
 *               true when the call timed out and could not be cancelled
 *               either, in which case the caller must not free @call.
 *
 * A failure status from the host is not an error here: it is stored in
 * call->header.result and %0 is returned.
 *
 * Return: %0 or negative errno value.
 */
static int vbg_hgcm_do_call(struct vbg_dev *gdev, struct vmmdev_hgcm_call *call,
			    u32 timeout_ms, bool interruptible, bool *leak_it)
{
	int status, cancel_status, err;
	unsigned int grace_ms;
	long remaining;

	*leak_it = false;

	status = vbg_req_perform(gdev, call);
	if (status < 0) {
		/*
		 * Pretend success, the upper layers look at the result code
		 * in the packet.
		 */
		call->header.result = status;
		return 0;
	}

	/* Anything but "async" means the host is already finished. */
	if (status != VINF_HGCM_ASYNC_EXECUTE)
		return 0;

	/* The host processes the request asynchronously, wait for it. */
	if (timeout_ms == U32_MAX)
		remaining = MAX_SCHEDULE_TIMEOUT;
	else
		remaining = msecs_to_jiffies(timeout_ms);

	if (interruptible)
		remaining = wait_event_interruptible_timeout(gdev->hgcm_wq,
					hgcm_req_done(gdev, &call->header),
					remaining);
	else
		remaining = wait_event_timeout(gdev->hgcm_wq,
					hgcm_req_done(gdev, &call->header),
					remaining);

	/* A positive value means hgcm_req_done() returned true: success. */
	if (remaining > 0)
		return 0;

	/* Zero is a timeout, a negative value an interrupted wait. */
	err = remaining ? -EINTR : -ETIMEDOUT;

	cancel_status = hgcm_cancel_call(gdev, call);
	if (cancel_status >= 0)
		return err;

	/*
	 * The cancel failed, which should mean that it lost the race against
	 * normal completion. Give the host a little time to finish the call.
	 */
	if (cancel_status == VERR_NOT_FOUND ||
	    cancel_status == VERR_SEM_DESTROYED)
		grace_ms = 500;
	else
		grace_ms = 2000;

	remaining = wait_event_timeout(gdev->hgcm_wq,
				       hgcm_req_done(gdev, &call->header),
				       msecs_to_jiffies(grace_ms));

	if (WARN_ON(remaining == 0)) {
		/*
		 * We really should never get here. The request is leaked
		 * rather than freed, as the call was neither completed nor
		 * cancelled.
		 */
		vbg_err("%s: Call timedout and cancellation failed, leaking the request\n",
			__func__);
		*leak_it = true;
		return err;
	}

	/* The call has completed normally after all. */
	return 0;
}
554 
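/**
 * hgcm_call_copy_back_result - Copies the result of the call back to
 *	the caller info structure and user buffers.
 * @call:            HGCM call request.
 * @dst_parm:        Pointer to function call parameters destination. This
 *                   is the caller's parameter array, the sizes in it are
 *                   the ones the bounce buffers were allocated with.
 * @parm_count:      Number of function call parameters.
 * @bounce_bufs:     The bouncebuffer array.
 *
 * Everything read through @call is request memory that the host may have
 * modified, so sizes taken from it are treated as untrusted.
 *
 * Return: %0 or negative errno value.
 */
static int hgcm_call_copy_back_result(
	const struct vmmdev_hgcm_call *call,
	struct vmmdev_hgcm_function_parameter *dst_parm,
	u32 parm_count, void **bounce_bufs)
{
	const struct vmmdev_hgcm_function_parameter *src_parm =
		VMMDEV_HGCM_CALL_PARMS(call);
	void __user *p;
	u32 i, copy_len;
	int ret;

	/* Copy back parameters. */
	for (i = 0; i < parm_count; i++, src_parm++, dst_parm++) {
		switch (dst_parm->type) {
		case VMMDEV_HGCM_PARM_TYPE_32BIT:
		case VMMDEV_HGCM_PARM_TYPE_64BIT:
			*dst_parm = *src_parm;
			break;

		case VMMDEV_HGCM_PARM_TYPE_PAGELIST:
			dst_parm->u.page_list.size = src_parm->u.page_list.size;
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_IN:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_KERNEL_OUT:
			/* Only the size is reported back, no data is copied. */
			dst_parm->u.pointer.size = src_parm->u.pointer.size;
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
			/*
			 * Work out the copy length before the caller's size
			 * is overwritten below. Taking the minimum after the
			 * assignment compares the host's value with itself,
			 * so a size larger than the bounce buffer would be
			 * copied out unclamped.
			 */
			copy_len = min(src_parm->u.pointer.size,
				       dst_parm->u.pointer.size);

			/* The caller still gets the size the host reported. */
			dst_parm->u.pointer.size = src_parm->u.pointer.size;

			p = (void __user *)dst_parm->u.pointer.u.linear_addr;
			ret = copy_to_user(p, bounce_bufs[i], copy_len);
			if (ret)
				return -EFAULT;
			break;

		default:
			WARN_ON(1);
			return -EINVAL;
		}
	}

	return 0;
}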
615 
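/**
 * vbg_hgcm_call - Perform a HGCM call and copy the results back.
 * @gdev:         The VBoxGuest device extension.
 * @requestor:    Requestor value for the request header. If it has
 *                VMMDEV_REQUESTOR_USERMODE set, the wait for completion is
 *                interruptible.
 * @client_id:    The client ID of the caller.
 * @function:     The function number of the function to call.
 * @timeout_ms:   Timeout in ms, U32_MAX means no timeout.
 * @parms:        The function call parameters, updated with the results.
 * @parm_count:   Number of function call parameters.
 * @vbox_status:  Where to return the VBox status code of the call. It is
 *                only written if the call itself was carried out.
 *
 * NOTE(review): @parm_count is used in size arithmetic without a bound
 * here; presumably the callers limit it - confirm.
 *
 * Return: %0 or negative errno value.
 */
int vbg_hgcm_call(struct vbg_dev *gdev, u32 requestor, u32 client_id,
		  u32 function, u32 timeout_ms,
		  struct vmmdev_hgcm_function_parameter *parms, u32 parm_count,
		  int *vbox_status)
{
	struct vmmdev_hgcm_call *call;
	void **bounce_bufs = NULL;
	bool leak_it;
	size_t size;
	u32 i;	/* same type as parm_count, which it is compared against */
	int ret;

	size = sizeof(struct vmmdev_hgcm_call) +
		   parm_count * sizeof(struct vmmdev_hgcm_function_parameter);
	/*
	 * Validate and buffer the parameters for the call. This also increases
	 * size with the amount of extra space needed for page lists.
	 */
	ret = hgcm_call_preprocess(parms, parm_count, &bounce_bufs, &size);
	if (ret) {
		/* Even on error bounce bufs may still have been allocated */
		goto free_bounce_bufs;
	}

	call = vbg_req_alloc(size, VMMDEVREQ_HGCM_CALL, requestor);
	if (!call) {
		ret = -ENOMEM;
		goto free_bounce_bufs;
	}

	hgcm_call_init_call(call, client_id, function, parms, parm_count,
			    bounce_bufs);

	ret = vbg_hgcm_do_call(gdev, call, timeout_ms,
			       requestor & VMMDEV_REQUESTOR_USERMODE, &leak_it);
	if (ret == 0) {
		*vbox_status = call->header.result;
		ret = hgcm_call_copy_back_result(call, parms, parm_count,
						 bounce_bufs);
	}

	/*
	 * A call that was neither completed nor cancelled is leaked on
	 * purpose, see vbg_hgcm_do_call().
	 *
	 * NOTE(review): in that case the page lists of the leaked request
	 * still name the pages of the bounce buffers, which are freed below
	 * all the same. Confirm that the host cannot write to them any more,
	 * or keep them allocated together with the request.
	 */
	if (!leak_it)
		vbg_req_free(call, size);

free_bounce_bufs:
	if (bounce_bufs) {
		/* Unused slots are NULL, which kvfree() accepts. */
		for (i = 0; i < parm_count; i++)
			kvfree(bounce_bufs[i]);
		kfree(bounce_bufs);
	}

	return ret;
}
EXPORT_SYMBOL(vbg_hgcm_call);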
669 
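#ifdef CONFIG_COMPAT
/**
 * vbg_hgcm_call32 - Perform a HGCM call with 32-bit layout parameters.
 * @gdev:         The VBoxGuest device extension.
 * @requestor:    Requestor value for the request header.
 * @client_id:    The client ID of the caller.
 * @function:     The function number of the function to call.
 * @timeout_ms:   Timeout in ms.
 * @parm32:       The function call parameters in their 32-bit layout,
 *                updated with the results.
 * @parm_count:   Number of function call parameters.
 * @vbox_status:  Where to return the VBox status code of the call.
 *
 * The parameters are converted into a temporary array in the native layout,
 * vbg_hgcm_call() is run on that, and values and sizes are converted back.
 * Only plain values and user linear-address buffers are accepted, any other
 * parameter type is rejected with -EINVAL.
 *
 * Return: %0 or negative errno value.
 */
int vbg_hgcm_call32(
	struct vbg_dev *gdev, u32 requestor, u32 client_id, u32 function,
	u32 timeout_ms, struct vmmdev_hgcm_function_parameter32 *parm32,
	u32 parm_count, int *vbox_status)
{
	struct vmmdev_hgcm_function_parameter *parm64;
	u32 i;
	int ret = 0;

	/*
	 * KISS allocate a temporary, zeroed parameter array and convert the
	 * parameters. kcalloc() fails cleanly if the size of the array
	 * overflows, where a multiplication in a u32 would wrap around and
	 * give a buffer that is too small.
	 */
	parm64 = kcalloc(parm_count, sizeof(*parm64), GFP_KERNEL);
	if (!parm64)
		return -ENOMEM;

	for (i = 0; i < parm_count; i++) {
		switch (parm32[i].type) {
		case VMMDEV_HGCM_PARM_TYPE_32BIT:
			parm64[i].type = VMMDEV_HGCM_PARM_TYPE_32BIT;
			parm64[i].u.value32 = parm32[i].u.value32;
			break;

		case VMMDEV_HGCM_PARM_TYPE_64BIT:
			parm64[i].type = VMMDEV_HGCM_PARM_TYPE_64BIT;
			parm64[i].u.value64 = parm32[i].u.value64;
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
			parm64[i].type = parm32[i].type;
			parm64[i].u.pointer.size = parm32[i].u.pointer.size;
			parm64[i].u.pointer.u.linear_addr =
			    parm32[i].u.pointer.u.linear_addr;
			break;

		default:
			ret = -EINVAL;
		}
		if (ret < 0)
			goto out_free;
	}

	ret = vbg_hgcm_call(gdev, requestor, client_id, function, timeout_ms,
			    parm64, parm_count, vbox_status);
	if (ret < 0)
		goto out_free;

	/*
	 * Copy back. The arrays are indexed with i only. Advancing parm32
	 * and parm64 as well would make entry i land on element 2 * i, past
	 * the end of both arrays for the upper half, and would leave parm64
	 * pointing into the middle of the allocation for the kfree() below.
	 */
	for (i = 0; i < parm_count; i++) {
		switch (parm64[i].type) {
		case VMMDEV_HGCM_PARM_TYPE_32BIT:
			parm32[i].u.value32 = parm64[i].u.value32;
			break;

		case VMMDEV_HGCM_PARM_TYPE_64BIT:
			parm32[i].u.value64 = parm64[i].u.value64;
			break;

		case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR:
		case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
			parm32[i].u.pointer.size = parm64[i].u.pointer.size;
			break;

		default:
			WARN_ON(1);
			ret = -EINVAL;
		}
	}

out_free:
	kfree(parm64);
	return ret;
}
#endif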
747 
/*
 * Lookup table from VBox error status codes to negative errno values, used
 * by vbg_status_code_to_errno(). It is indexed by the negated status code;
 * slots without an initializer are zero, which the lookup treats as "no
 * mapping".
 */
static const int vbg_status_code_to_errno_table[] = {
	[-VERR_ACCESS_DENIED]                            = -EPERM,
	[-VERR_FILE_NOT_FOUND]                           = -ENOENT,
	[-VERR_PROCESS_NOT_FOUND]                        = -ESRCH,
	[-VERR_INTERRUPTED]                              = -EINTR,
	[-VERR_DEV_IO_ERROR]                             = -EIO,
	[-VERR_TOO_MUCH_DATA]                            = -E2BIG,
	[-VERR_BAD_EXE_FORMAT]                           = -ENOEXEC,
	[-VERR_INVALID_HANDLE]                           = -EBADF,
	[-VERR_TRY_AGAIN]                                = -EAGAIN,
	[-VERR_NO_MEMORY]                                = -ENOMEM,
	[-VERR_INVALID_POINTER]                          = -EFAULT,
	[-VERR_RESOURCE_BUSY]                            = -EBUSY,
	[-VERR_ALREADY_EXISTS]                           = -EEXIST,
	[-VERR_NOT_SAME_DEVICE]                          = -EXDEV,
	[-VERR_NOT_A_DIRECTORY]                          = -ENOTDIR,
	[-VERR_PATH_NOT_FOUND]                           = -ENOTDIR,
	[-VERR_INVALID_NAME]                             = -ENOENT,
	[-VERR_IS_A_DIRECTORY]                           = -EISDIR,
	[-VERR_INVALID_PARAMETER]                        = -EINVAL,
	[-VERR_TOO_MANY_OPEN_FILES]                      = -ENFILE,
	[-VERR_INVALID_FUNCTION]                         = -ENOTTY,
	[-VERR_SHARING_VIOLATION]                        = -ETXTBSY,
	[-VERR_FILE_TOO_BIG]                             = -EFBIG,
	[-VERR_DISK_FULL]                                = -ENOSPC,
	[-VERR_SEEK_ON_DEVICE]                           = -ESPIPE,
	[-VERR_WRITE_PROTECT]                            = -EROFS,
	[-VERR_BROKEN_PIPE]                              = -EPIPE,
	[-VERR_DEADLOCK]                                 = -EDEADLK,
	[-VERR_FILENAME_TOO_LONG]                        = -ENAMETOOLONG,
	[-VERR_FILE_LOCK_FAILED]                         = -ENOLCK,
	[-VERR_NOT_IMPLEMENTED]                          = -ENOSYS,
	[-VERR_NOT_SUPPORTED]                            = -ENOSYS,
	[-VERR_DIR_NOT_EMPTY]                            = -ENOTEMPTY,
	[-VERR_TOO_MANY_SYMLINKS]                        = -ELOOP,
	[-VERR_NO_MORE_FILES]                            = -ENODATA,
	[-VERR_NO_DATA]                                  = -ENODATA,
	[-VERR_NET_NO_NETWORK]                           = -ENONET,
	[-VERR_NET_NOT_UNIQUE_NAME]                      = -ENOTUNIQ,
	[-VERR_NO_TRANSLATION]                           = -EILSEQ,
	[-VERR_NET_NOT_SOCKET]                           = -ENOTSOCK,
	[-VERR_NET_DEST_ADDRESS_REQUIRED]                = -EDESTADDRREQ,
	[-VERR_NET_MSG_SIZE]                             = -EMSGSIZE,
	[-VERR_NET_PROTOCOL_TYPE]                        = -EPROTOTYPE,
	[-VERR_NET_PROTOCOL_NOT_AVAILABLE]               = -ENOPROTOOPT,
	[-VERR_NET_PROTOCOL_NOT_SUPPORTED]               = -EPROTONOSUPPORT,
	[-VERR_NET_SOCKET_TYPE_NOT_SUPPORTED]            = -ESOCKTNOSUPPORT,
	[-VERR_NET_OPERATION_NOT_SUPPORTED]              = -EOPNOTSUPP,
	[-VERR_NET_PROTOCOL_FAMILY_NOT_SUPPORTED]        = -EPFNOSUPPORT,
	[-VERR_NET_ADDRESS_FAMILY_NOT_SUPPORTED]         = -EAFNOSUPPORT,
	[-VERR_NET_ADDRESS_IN_USE]                       = -EADDRINUSE,
	[-VERR_NET_ADDRESS_NOT_AVAILABLE]                = -EADDRNOTAVAIL,
	[-VERR_NET_DOWN]                                 = -ENETDOWN,
	[-VERR_NET_UNREACHABLE]                          = -ENETUNREACH,
	[-VERR_NET_CONNECTION_RESET]                     = -ENETRESET,
	[-VERR_NET_CONNECTION_ABORTED]                   = -ECONNABORTED,
	[-VERR_NET_CONNECTION_RESET_BY_PEER]             = -ECONNRESET,
	[-VERR_NET_NO_BUFFER_SPACE]                      = -ENOBUFS,
	[-VERR_NET_ALREADY_CONNECTED]                    = -EISCONN,
	[-VERR_NET_NOT_CONNECTED]                        = -ENOTCONN,
	[-VERR_NET_SHUTDOWN]                             = -ESHUTDOWN,
	[-VERR_NET_TOO_MANY_REFERENCES]                  = -ETOOMANYREFS,
	[-VERR_TIMEOUT]                                  = -ETIMEDOUT,
	[-VERR_NET_CONNECTION_REFUSED]                   = -ECONNREFUSED,
	[-VERR_NET_HOST_DOWN]                            = -EHOSTDOWN,
	[-VERR_NET_HOST_UNREACHABLE]                     = -EHOSTUNREACH,
	[-VERR_NET_ALREADY_IN_PROGRESS]                  = -EALREADY,
	[-VERR_NET_IN_PROGRESS]                          = -EINPROGRESS,
	[-VERR_MEDIA_NOT_PRESENT]                        = -ENOMEDIUM,
	[-VERR_MEDIA_NOT_RECOGNIZED]                     = -EMEDIUMTYPE,
};
819 
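/**
 * vbg_status_code_to_errno - Convert a VBox status code to an errno value.
 * @rc:  The VBox status code.
 *
 * Return: %0 for every status >= 0 (success and informational codes), the
 * negative errno from vbg_status_code_to_errno_table for a known error, or
 * -EPROTO, with a warning logged, for an error without a mapping.
 */
int vbg_status_code_to_errno(int rc)
{
	unsigned int idx;

	if (rc >= 0)
		return 0;

	/*
	 * The status may come straight out of a request the host filled in,
	 * so any negative value has to be handled. Negating in unsigned
	 * arithmetic keeps INT_MIN from overflowing; it becomes an index far
	 * beyond the table and is reported as unhandled.
	 */
	idx = 0U - (unsigned int)rc;
	if (idx >= ARRAY_SIZE(vbg_status_code_to_errno_table) ||
	    vbg_status_code_to_errno_table[idx] == 0) {
		vbg_warn("%s: Unhandled err %d\n", __func__, rc);
		return -EPROTO;
	}

	return vbg_status_code_to_errno_table[idx];
}
EXPORT_SYMBOL(vbg_status_code_to_errno);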
835