/*
 * device quirks for PCI devices
 *
 * Copyright Red Hat, Inc. 2012-2015
 *
 * Authors:
 *  Alex Williamson <alex.williamson@redhat.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"
#include "qemu/error-report.h"
#include "qemu/main-loop.h"
#include "qemu/range.h"
#include "qapi/error.h"
#include "qapi/visitor.h"
#include "hw/nvram/fw_cfg.h"
#include "pci.h"
#include "trace.h"

/*
 * Match @vdev against a vendor/device pair.  PCI_ANY_ID in either position
 * acts as a wildcard.
 *
 * Use uint32_t for vendor & device so PCI_ANY_ID expands and cannot match hw
 * (the wildcard value is wider than any real id the device can report).
 */
static bool vfio_pci_is(VFIOPCIDevice *vdev, uint32_t vendor, uint32_t device)
{
    return (vendor == PCI_ANY_ID || vendor == vdev->vendor_id) &&
           (device == PCI_ANY_ID || device == vdev->device_id);
}

/*
 * True when the class code word in the device's PCI config space is
 * PCI_CLASS_DISPLAY_VGA.
 */
static bool vfio_is_vga(VFIOPCIDevice *vdev)
{
    PCIDevice *pdev = &vdev->pdev;
    uint16_t class = pci_get_word(pdev->config + PCI_CLASS_DEVICE);

    return class == PCI_CLASS_DISPLAY_VGA;
}

/*
 * List of device ids/vendor ids for which to disable
 * option rom loading. This avoids the guest hangs during rom
 * execution as noticed with the BCM 57810 card for lack of a
 * better way to handle such issues.
 * The user can still override by specifying a romfile or
 * rombar=1.
 * Please see https://bugs.launchpad.net/qemu/+bug/1284874
 * for an analysis of the 57810 card hang.
When adding a new vendor id/device id combination below, please also add
 * your card/environment details and information that could
 * help in debugging to the bug tracking this issue
 */
static const struct {
    uint32_t vendor;
    uint32_t device;
} romblacklist[] = {
    { 0x14e4, 0x168e }, /* Broadcom BCM 57810 */
};

/*
 * Return true (and emit a trace) when @vdev is listed in romblacklist, i.e.
 * when option ROM loading should be skipped for it (see the comment above).
 * The first matching entry wins.
 */
bool vfio_blacklist_opt_rom(VFIOPCIDevice *vdev)
{
    int i;

    for (i = 0; i < ARRAY_SIZE(romblacklist); i++) {
        if (vfio_pci_is(vdev, romblacklist[i].vendor, romblacklist[i].device)) {
            trace_vfio_quirk_rom_blacklisted(vdev->vbasedev.name,
                                             romblacklist[i].vendor,
                                             romblacklist[i].device);
            return true;
        }
    }
    return false;
}

/*
 * Device specific region quirks (mostly backdoors to PCI config space)
 *
 * These quirks exist so that a guest cannot use a device-specific side
 * channel in a BAR to read or write the physical PCI config space behind
 * the copy vfio virtualizes; the backdoor accesses are redirected to the
 * emulated config space instead.
 */

/*
 * The generic window quirks operate on an address and data register,
 * vfio_generic_window_address_quirk handles the address register and
 * vfio_generic_window_data_quirk handles the data register.  These ops
 * pass reads and writes through to hardware until a value matching the
 * stored address match/mask is written.  When this occurs, the data
 * register access emulated PCI config space for the device rather than
 * passing through accesses.  This enables devices where PCI config space
 * is accessible behind a window register to maintain the virtualization
 * provided through vfio.
*/
/*
 * One address pattern that turns the data register into a config space
 * window: an address write matches when (data & ~mask) == match, and the
 * low bits selected by mask then give the config space offset.
 */
typedef struct VFIOConfigWindowMatch {
    uint32_t match;
    uint32_t mask;
} VFIOConfigWindowMatch;

typedef struct VFIOConfigWindowQuirk {
    struct VFIOPCIDevice *vdev;

    /* Config space offset latched from the last matching address write */
    uint32_t address_val;

    /* Offsets of the address and data registers within the BAR */
    uint32_t address_offset;
    uint32_t data_offset;

    /* True while the last address write matched one of @matches */
    bool window_enabled;
    uint8_t bar;

    /* MemoryRegions overlaying the two registers (used for trace names) */
    MemoryRegion *addr_mem;
    MemoryRegion *data_mem;

    /* Flexible array; the probe function allocates room for nr_matches */
    uint32_t nr_matches;
    VFIOConfigWindowMatch matches[];
} VFIOConfigWindowQuirk;

/* Address register reads always go straight to hardware. */
static uint64_t vfio_generic_window_quirk_address_read(void *opaque,
                                                       hwaddr addr,
                                                       unsigned size)
{
    VFIOConfigWindowQuirk *window = opaque;
    VFIOPCIDevice *vdev = window->vdev;

    return vfio_region_read(&vdev->bars[window->bar].region,
                            addr + window->address_offset, size);
}

/*
 * Address register write: pass the value to hardware, then decide whether
 * the data register now points into config space.  Every write first
 * disables the window; it is re-enabled only if the value matches one of
 * the patterns (first match wins).  Because address_val is masked, the
 * guest can only select offsets within the window the probe set up.
 */
static void vfio_generic_window_quirk_address_write(void *opaque, hwaddr addr,
                                                    uint64_t data,
                                                    unsigned size)
{
    VFIOConfigWindowQuirk *window = opaque;
    VFIOPCIDevice *vdev = window->vdev;
    int i;

    window->window_enabled = false;

    vfio_region_write(&vdev->bars[window->bar].region,
                      addr + window->address_offset, data, size);

    for (i = 0; i < window->nr_matches; i++) {
        if ((data & ~window->matches[i].mask) == window->matches[i].match) {
            window->window_enabled = true;
            window->address_val = data & window->matches[i].mask;
            trace_vfio_quirk_generic_window_address_write(vdev->vbasedev.name,
                                    memory_region_name(window->addr_mem), data);
            break;
        }
    }
}

static const MemoryRegionOps vfio_generic_window_address_quirk = {
    .read = vfio_generic_window_quirk_address_read,
    .write = vfio_generic_window_quirk_address_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Data register read: the hardware read is always performed (in case the
 * device has side effects), but when the window is enabled the result is
 * replaced by emulated config space at address_val.
 */
static uint64_t vfio_generic_window_quirk_data_read(void *opaque,
                                                    hwaddr addr, unsigned size)
{
    VFIOConfigWindowQuirk *window = opaque;
    VFIOPCIDevice *vdev = window->vdev;
    uint64_t data;

    /* Always read data
reg, discard if window enabled */
    data = vfio_region_read(&vdev->bars[window->bar].region,
                            addr + window->data_offset, size);

    if (window->window_enabled) {
        data = vfio_pci_read_config(&vdev->pdev, window->address_val, size);
        trace_vfio_quirk_generic_window_data_read(vdev->vbasedev.name,
                                    memory_region_name(window->data_mem), data);
    }

    return data;
}

/*
 * Data register write: when the window is enabled the write goes only to
 * emulated config space and never reaches the hardware register; otherwise
 * it is passed through unchanged.
 */
static void vfio_generic_window_quirk_data_write(void *opaque, hwaddr addr,
                                                 uint64_t data, unsigned size)
{
    VFIOConfigWindowQuirk *window = opaque;
    VFIOPCIDevice *vdev = window->vdev;

    if (window->window_enabled) {
        vfio_pci_write_config(&vdev->pdev, window->address_val, data, size);
        trace_vfio_quirk_generic_window_data_write(vdev->vbasedev.name,
                                    memory_region_name(window->data_mem), data);
        return;
    }

    vfio_region_write(&vdev->bars[window->bar].region,
                      addr + window->data_offset, data, size);
}

static const MemoryRegionOps vfio_generic_window_data_quirk = {
    .read = vfio_generic_window_quirk_data_read,
    .write = vfio_generic_window_quirk_data_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * The generic mirror quirk handles devices which expose PCI config space
 * through a region within a BAR.  When enabled, reads and writes are
 * redirected through to emulated PCI config space.  XXX if PCI config space
 * used memory regions, this could just be an alias.
*/
typedef struct VFIOConfigMirrorQuirk {
    struct VFIOPCIDevice *vdev;
    /* Offset of the mirror within the BAR */
    uint32_t offset;
    uint8_t bar;
    MemoryRegion *mem;
    /* Per-user trailer; the nvidia BAR0 quirk stores a LastDataSet here */
    uint8_t data[];
} VFIOConfigMirrorQuirk;

/*
 * Mirror read.  @addr is the offset within the mirror MemoryRegion, whose
 * size the probe code sets to the config space size, so it is used directly
 * as the config space offset.
 */
static uint64_t vfio_generic_quirk_mirror_read(void *opaque,
                                               hwaddr addr, unsigned size)
{
    VFIOConfigMirrorQuirk *mirror = opaque;
    VFIOPCIDevice *vdev = mirror->vdev;
    uint64_t data;

    /* Read and discard in case the hardware cares */
    (void)vfio_region_read(&vdev->bars[mirror->bar].region,
                           addr + mirror->offset, size);

    data = vfio_pci_read_config(&vdev->pdev, addr, size);
    trace_vfio_quirk_generic_mirror_read(vdev->vbasedev.name,
                                         memory_region_name(mirror->mem),
                                         addr, data);
    return data;
}

/*
 * Mirror write: goes to emulated config space only; the hardware mirror is
 * not written (callers that need a passthrough exception, such as the
 * nvidia MSI-ACK case, handle it themselves).
 */
static void vfio_generic_quirk_mirror_write(void *opaque, hwaddr addr,
                                            uint64_t data, unsigned size)
{
    VFIOConfigMirrorQuirk *mirror = opaque;
    VFIOPCIDevice *vdev = mirror->vdev;

    vfio_pci_write_config(&vdev->pdev, addr, data, size);
    trace_vfio_quirk_generic_mirror_write(vdev->vbasedev.name,
                                          memory_region_name(mirror->mem),
                                          addr, data);
}

static const MemoryRegionOps vfio_generic_mirror_quirk = {
    .read = vfio_generic_quirk_mirror_read,
    .write = vfio_generic_quirk_mirror_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Is range1 fully contained within range2?  Ranges are [first, first + len).
 * The additions are unchecked; the caller in this file passes config space
 * offsets and access sizes, which are far too small to wrap.
 */
static bool vfio_range_contained(uint64_t first1, uint64_t len1,
                                 uint64_t first2, uint64_t len2) {
    return (first1 >= first2 && first1 + len1 <= first2 + len2);
}

#define PCI_VENDOR_ID_ATI 0x1002

/*
 * Radeon HD cards (HD5450 & HD7850) report the upper byte of the I/O port BAR
 * through VGA register 0x3c3.  On newer cards, the I/O port BAR is always
 * BAR4 (older cards like the X550 used BAR1, but we don't care to support
 * those).  Note that on bare metal, a read of 0x3c3 doesn't always return the
 * I/O port BAR address.
Originally this was coded to return the virtual BAR
 * address only if the physical register read returns the actual BAR address,
 * but users have reported greater success if we return the virtual address
 * unconditionally.
 */
/*
 * 0x3c3 read: return byte 1 of the emulated BAR4 value (the virtual I/O
 * port BAR address) without touching hardware.
 */
static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
                                        hwaddr addr, unsigned size)
{
    VFIOPCIDevice *vdev = opaque;
    uint64_t data = vfio_pci_read_config(&vdev->pdev,
                                         PCI_BASE_ADDRESS_4 + 1, size);

    trace_vfio_quirk_ati_3c3_read(vdev->vbasedev.name, data);

    return data;
}

/* Read-only region; no .write is provided. */
static const MemoryRegionOps vfio_ati_3c3_quirk = {
    .read = vfio_ati_3c3_quirk_read,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Allocate a zeroed VFIOQuirk with @nr_mem zeroed MemoryRegions and an empty
 * ioeventfd list.  The caller owns the result and links it into the
 * appropriate quirks list.
 */
static VFIOQuirk *vfio_quirk_alloc(int nr_mem)
{
    VFIOQuirk *quirk = g_new0(VFIOQuirk, 1);
    QLIST_INIT(&quirk->ioeventfds);
    quirk->mem = g_new0(MemoryRegion, nr_mem);
    quirk->nr_mem = nr_mem;

    return quirk;
}

/*
 * Tear down one ioeventfd: unlink it from its quirk's list, remove the KVM
 * eventfd match, drop the userspace fd handler, release the notifier and
 * free the structure.  @ioeventfd is invalid after this returns.
 */
static void vfio_ioeventfd_exit(VFIOIOEventFD *ioeventfd)
{
    QLIST_REMOVE(ioeventfd, next);
    memory_region_del_eventfd(ioeventfd->mr, ioeventfd->addr, ioeventfd->size,
                              true, ioeventfd->data, &ioeventfd->e);
    qemu_set_fd_handler(event_notifier_get_fd(&ioeventfd->e), NULL, NULL, NULL);
    event_notifier_cleanup(&ioeventfd->e);
    trace_vfio_ioeventfd_exit(memory_region_name(ioeventfd->mr),
                              (uint64_t)ioeventfd->addr, ioeventfd->size,
                              ioeventfd->data);
    g_free(ioeventfd);
}

/*
 * Remove every ioeventfd on @quirk that was added at runtime (dynamic);
 * statically configured ones are kept.  @vdev is currently unused here.
 */
static void vfio_drop_dynamic_eventfds(VFIOPCIDevice *vdev, VFIOQuirk *quirk)
{
    VFIOIOEventFD *ioeventfd, *tmp;

    QLIST_FOREACH_SAFE(ioeventfd, &quirk->ioeventfds, next, tmp) {
        if (ioeventfd->dynamic) {
            vfio_ioeventfd_exit(ioeventfd);
        }
    }
}

/*
 * Userspace side of an ioeventfd: when the notifier fires, replay the
 * recorded data/size write to the backing VFIORegion at region_addr.
 */
static void vfio_ioeventfd_handler(void *opaque)
{
    VFIOIOEventFD *ioeventfd = opaque;

    if (event_notifier_test_and_clear(&ioeventfd->e)) {
        vfio_region_write(ioeventfd->region, ioeventfd->region_addr,
                          ioeventfd->data, ioeventfd->size);
        trace_vfio_ioeventfd_handler(memory_region_name(ioeventfd->mr),
                                     (uint64_t)ioeventfd->addr, ioeventfd->size,
                                     ioeventfd->data);
    }
}

/*
 * Create an ioeventfd that matches writes of @data/@size at @addr within
 * @mr and forwards them to @region at @region_addr.
 *
 * Returns NULL if ioeventfds are disabled for the device or the notifier
 * cannot be created.  The returned object is not linked into any list; the
 * caller inserts it into a quirk's ioeventfds list and it is later freed by
 * vfio_ioeventfd_exit().
 */
static VFIOIOEventFD *vfio_ioeventfd_init(VFIOPCIDevice *vdev,
                                          MemoryRegion *mr, hwaddr addr,
                                          unsigned size, uint64_t data,
                                          VFIORegion *region,
                                          hwaddr region_addr, bool dynamic)
{
    VFIOIOEventFD *ioeventfd;

    if (vdev->no_kvm_ioeventfd) {
        return NULL;
    }

    ioeventfd = g_malloc0(sizeof(*ioeventfd));

    if (event_notifier_init(&ioeventfd->e, 0)) {
        g_free(ioeventfd);
        return NULL;
    }

    /*
     * MemoryRegion and relative offset, plus additional ioeventfd setup
     * parameters for configuring and later tearing down KVM ioeventfd.
     */
    ioeventfd->mr = mr;
    ioeventfd->addr = addr;
    ioeventfd->size = size;
    ioeventfd->data = data;
    ioeventfd->dynamic = dynamic;
    /*
     * VFIORegion and relative offset for implementing the userspace
     * handler.  data & size fields shared for both uses.
     */
    ioeventfd->region = region;
    ioeventfd->region_addr = region_addr;

    qemu_set_fd_handler(event_notifier_get_fd(&ioeventfd->e),
                        vfio_ioeventfd_handler, NULL, ioeventfd);
    memory_region_add_eventfd(ioeventfd->mr, ioeventfd->addr, ioeventfd->size,
                              true, ioeventfd->data, &ioeventfd->e);
    trace_vfio_ioeventfd_init(memory_region_name(mr), (uint64_t)addr,
                              size, data);

    return ioeventfd;
}

/*
 * Install the 0x3c3 quirk on ATI devices whose BAR4 is an I/O port BAR of
 * at least 256 bytes; see the comment above vfio_ati_3c3_quirk_read.
 */
static void vfio_vga_probe_ati_3c3_quirk(VFIOPCIDevice *vdev)
{
    VFIOQuirk *quirk;

    /*
     * As long as the BAR is >= 256 bytes it will be aligned such that the
     * lower byte is always zero.  Filter out anything else, if it exists.
*/
    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
        !vdev->bars[4].ioport || vdev->bars[4].region.size < 256) {
        return;
    }

    quirk = vfio_quirk_alloc(1);

    /* A single byte at 0x3c3 inside the VGA high I/O range */
    memory_region_init_io(quirk->mem, OBJECT(vdev), &vfio_ati_3c3_quirk, vdev,
                          "vfio-ati-3c3-quirk", 1);
    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
                                3 /* offset 3 bytes from 0x3c0 */, quirk->mem);

    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
                      quirk, next);

    trace_vfio_quirk_ati_3c3_probe(vdev->vbasedev.name);
}

/*
 * Newer ATI/AMD devices, including HD5450 and HD7850, have a mirror to PCI
 * config space through MMIO BAR2 at offset 0x4000.  Nothing seems to access
 * the MMIO space directly, but a window to this space is provided through
 * I/O port BAR4.  Offset 0x0 is the address register and offset 0x4 is the
 * data register.  When the address is programmed to a range of 0x4000-0x4fff
 * PCI configuration space is available.  Experimentation seems to indicate
 * that read-only may be provided by hardware.
*/
/*
 * Install the generic window quirk on ATI BAR4 (address register at 0x0,
 * data register at 0x4).  The single match covers 0x4000 plus a config
 * space offset; the mask is config_size - 1, so the latched offset is
 * bounded to the device's config space.  Only called for nr == 4 on devices
 * with VGA enabled.
 */
static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, int nr)
{
    VFIOQuirk *quirk;
    VFIOConfigWindowQuirk *window;

    /* This window doesn't seem to be used except by legacy VGA code */
    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
        !vdev->vga || nr != 4) {
        return;
    }

    quirk = vfio_quirk_alloc(2);
    /* Room for exactly one VFIOConfigWindowMatch in the flexible array */
    window = quirk->data = g_malloc0(sizeof(*window) +
                                     sizeof(VFIOConfigWindowMatch));
    window->vdev = vdev;
    window->address_offset = 0;
    window->data_offset = 4;
    window->nr_matches = 1;
    window->matches[0].match = 0x4000;
    window->matches[0].mask = vdev->config_size - 1;
    window->bar = nr;
    window->addr_mem = &quirk->mem[0];
    window->data_mem = &quirk->mem[1];

    /* Overlap priority 1 so the quirk regions win over the BAR mapping */
    memory_region_init_io(window->addr_mem, OBJECT(vdev),
                          &vfio_generic_window_address_quirk, window,
                          "vfio-ati-bar4-window-address-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        window->address_offset,
                                        window->addr_mem, 1);

    memory_region_init_io(window->data_mem, OBJECT(vdev),
                          &vfio_generic_window_data_quirk, window,
                          "vfio-ati-bar4-window-data-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        window->data_offset,
                                        window->data_mem, 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    trace_vfio_quirk_ati_bar4_probe(vdev->vbasedev.name);
}

/*
 * Trap the BAR2 MMIO mirror to config space as well.
*/
/*
 * Install the generic mirror quirk over the 256-byte config space mirror at
 * BAR2 offset 0x4000.  Only called for nr == 2 on VGA-enabled devices with
 * a 64-bit BAR2.
 */
static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, int nr)
{
    VFIOQuirk *quirk;
    VFIOConfigMirrorQuirk *mirror;

    /* Only enable on newer devices where BAR2 is 64bit */
    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
        !vdev->vga || nr != 2 || !vdev->bars[2].mem64) {
        return;
    }

    quirk = vfio_quirk_alloc(1);
    mirror = quirk->data = g_malloc0(sizeof(*mirror));
    mirror->mem = quirk->mem;
    mirror->vdev = vdev;
    mirror->offset = 0x4000;
    mirror->bar = nr;

    /* Region size equals the standard config space, so offsets stay in range */
    memory_region_init_io(mirror->mem, OBJECT(vdev),
                          &vfio_generic_mirror_quirk, mirror,
                          "vfio-ati-bar2-4000-quirk", PCI_CONFIG_SPACE_SIZE);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        mirror->offset, mirror->mem, 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    trace_vfio_quirk_ati_bar2_probe(vdev->vbasedev.name);
}

/*
 * Older ATI/AMD cards like the X550 have a similar window to that above.
 * I/O port BAR1 provides a window to a mirror of PCI config space located
 * in BAR2 at offset 0xf00.  We don't care to support such older cards, but
 * note it for future reference.
 */

#define PCI_VENDOR_ID_NVIDIA 0x10de

/*
 * Nvidia has several different methods to get to config space, the
 * nouveau project has several of these documented here:
 * https://github.com/pathscale/envytools/tree/master/hwdocs
 *
 * The first quirk is actually not documented in envytools and is found
 * on 10de:01d1 (NVIDIA Corporation G72 [GeForce 7300 LE]).  This is an
 * NV46 chipset.  The backdoor uses the legacy VGA I/O ports to access
 * the mirror of PCI config space found at BAR0 offset 0x1800.  The access
 * sequence first writes 0x338 to I/O port 0x3d4.  The target offset is
 * then written to 0x3d0.  Finally 0x538 is written for a read and 0x738
 * is written for a write to 0x3d4.
The BAR0 offset is then accessible
 * through 0x3d0.  This quirk doesn't seem to be necessary on newer cards
 * that use the I/O port BAR5 window but it doesn't hurt to leave it.
 */
/*
 * State machine for the 0x3d4/0x3d0 sequence:
 *   NONE --0x338@3d4--> SELECT --offset@3d0--> WINDOW --0x538@3d4--> READ
 *                                                     --0x738@3d4--> WRITE
 * Any access that does not advance the sequence drops back to NONE.
 */
typedef enum {NONE = 0, SELECT, WINDOW, READ, WRITE} VFIONvidia3d0State;
/* Indexed by VFIONvidia3d0State, for tracing */
static const char *nv3d0_states[] = { "NONE", "SELECT",
                                      "WINDOW", "READ", "WRITE" };

typedef struct VFIONvidia3d0Quirk {
    VFIOPCIDevice *vdev;
    VFIONvidia3d0State state;
    /* BAR0 offset written through 0x3d0 while in SELECT state */
    uint32_t offset;
} VFIONvidia3d0Quirk;

/* 0x3d4 read: passthrough to the VGA port; any read resets the sequence. */
static uint64_t vfio_nvidia_3d4_quirk_read(void *opaque,
                                           hwaddr addr, unsigned size)
{
    VFIONvidia3d0Quirk *quirk = opaque;
    VFIOPCIDevice *vdev = quirk->vdev;

    quirk->state = NONE;

    return vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
                         addr + 0x14, size);
}

/*
 * 0x3d4 write: advance the state machine on the three magic values, then
 * pass the write through to the VGA port unconditionally.  Values other
 * than 0x338/0x538/0x738 (or a value arriving in the wrong state) leave
 * the state at NONE.
 */
static void vfio_nvidia_3d4_quirk_write(void *opaque, hwaddr addr,
                                        uint64_t data, unsigned size)
{
    VFIONvidia3d0Quirk *quirk = opaque;
    VFIOPCIDevice *vdev = quirk->vdev;
    VFIONvidia3d0State old_state = quirk->state;

    quirk->state = NONE;

    switch (data) {
    case 0x338:
        if (old_state == NONE) {
            quirk->state = SELECT;
            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
                                              nv3d0_states[quirk->state]);
        }
        break;
    case 0x538:
        if (old_state == WINDOW) {
            quirk->state = READ;
            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
                                              nv3d0_states[quirk->state]);
        }
        break;
    case 0x738:
        if (old_state == WINDOW) {
            quirk->state = WRITE;
            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
                                              nv3d0_states[quirk->state]);
        }
        break;
    }

    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
                   addr + 0x14, data, size);
}

static const MemoryRegionOps vfio_nvidia_3d4_quirk = {
    .read = vfio_nvidia_3d4_quirk_read,
    .write = vfio_nvidia_3d4_quirk_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * 0x3d0 read: the VGA port is always read, but in READ state with the
 * selected offset inside the 0x1800 config mirror the result is replaced
 * by emulated config space.  The offset is masked to the 256-byte standard
 * config space, so the guest-supplied value cannot index beyond it.
 */
static uint64_t vfio_nvidia_3d0_quirk_read(void *opaque,
                                           hwaddr addr, unsigned size)
{
    VFIONvidia3d0Quirk *quirk = opaque;
    VFIOPCIDevice *vdev = quirk->vdev;
    VFIONvidia3d0State old_state = quirk->state;
    uint64_t data = vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
                                  addr + 0x10, size);

    quirk->state = NONE;

    if (old_state == READ &&
        (quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
        uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);

        data = vfio_pci_read_config(&vdev->pdev, offset, size);
        trace_vfio_quirk_nvidia_3d0_read(vdev->vbasedev.name,
                                         offset, size, data);
    }

    return data;
}

/*
 * 0x3d0 write: in SELECT state the value is the target offset and the
 * machine moves to WINDOW; in WRITE state with an offset inside the 0x1800
 * mirror the write goes to emulated config space only and the hardware port
 * is not touched.  Everything else is passed through to the VGA port.
 */
static void vfio_nvidia_3d0_quirk_write(void *opaque, hwaddr addr,
                                        uint64_t data, unsigned size)
{
    VFIONvidia3d0Quirk *quirk = opaque;
    VFIOPCIDevice *vdev = quirk->vdev;
    VFIONvidia3d0State old_state = quirk->state;

    quirk->state = NONE;

    if (old_state == SELECT) {
        quirk->offset = (uint32_t)data;
        quirk->state = WINDOW;
        trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
                                          nv3d0_states[quirk->state]);
    } else if (old_state == WRITE) {
        if ((quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
            uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);

            vfio_pci_write_config(&vdev->pdev, offset, data, size);
            trace_vfio_quirk_nvidia_3d0_write(vdev->vbasedev.name,
                                              offset, data, size);
            return;
        }
    }

    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
                   addr + 0x10, data, size);
}

static const MemoryRegionOps vfio_nvidia_3d0_quirk = {
    .read = vfio_nvidia_3d0_quirk_read,
    .write = vfio_nvidia_3d0_quirk_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Install the 0x3d4/0x3d0 quirk pair on NVIDIA devices that have a BAR1
 * (unless GeForce quirks are disabled).  Both regions share one
 * VFIONvidia3d0Quirk so the state machine spans the two ports.
 */
static void vfio_vga_probe_nvidia_3d0_quirk(VFIOPCIDevice *vdev)
{
    VFIOQuirk *quirk;
    VFIONvidia3d0Quirk *data;

    if (vdev->no_geforce_quirks ||
        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
        !vdev->bars[1].region.size) {
        return;
    }

    quirk = vfio_quirk_alloc(2);
    quirk->data = data = g_malloc0(sizeof(*data));
    data->vdev = vdev;

    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_nvidia_3d4_quirk,
                          data, "vfio-nvidia-3d4-quirk", 2);
    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
                                0x14 /* 0x3c0 + 0x14 */, &quirk->mem[0]);

    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_nvidia_3d0_quirk,
                          data, "vfio-nvidia-3d0-quirk", 2);
    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
                                0x10 /* 0x3c0 + 0x10 */, &quirk->mem[1]);

    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
                      quirk, next);

    trace_vfio_quirk_nvidia_3d0_probe(vdev->vbasedev.name);
}

/*
 * The second quirk is documented in envytools.  The I/O port BAR5 is just
 * a set of address/data ports to the MMIO BARs.  The BAR we care about is
 * again BAR0.  This backdoor is apparently a bit newer than the one above
 * so we need to not only trap 256 bytes @0x1800, but all of PCI config
 * space, including extended space is available at the 4k @0x88000.
 */
typedef struct VFIONvidiaBAR5Quirk {
    /* Last values written to the BAR5 master (0x0) and enable (0x4) regs */
    uint32_t master;
    uint32_t enable;
    MemoryRegion *addr_mem;
    MemoryRegion *data_mem;
    /* Whether the window regions are currently enabled */
    bool enabled;
    VFIOConfigWindowQuirk window; /* last for match data */
} VFIONvidiaBAR5Quirk;

/*
 * Enable the address/data window regions when bit 0 of (master & enable)
 * is set and disable them when it is clear; a no-op if nothing changed.
 */
static void vfio_nvidia_bar5_enable(VFIONvidiaBAR5Quirk *bar5)
{
    VFIOPCIDevice *vdev = bar5->window.vdev;

    if (((bar5->master & bar5->enable) & 0x1) == bar5->enabled) {
        return;
    }

    bar5->enabled = !bar5->enabled;
    trace_vfio_quirk_nvidia_bar5_state(vdev->vbasedev.name,
                                      bar5->enabled ?  "Enable" : "Disable");
    memory_region_set_enabled(bar5->addr_mem, bar5->enabled);
    memory_region_set_enabled(bar5->data_mem, bar5->enabled);
}

/* Master register (BAR5 + 0x0) read: passthrough. */
static uint64_t vfio_nvidia_bar5_quirk_master_read(void *opaque,
                                                   hwaddr addr, unsigned size)
{
    VFIONvidiaBAR5Quirk *bar5 = opaque;
    VFIOPCIDevice *vdev = bar5->window.vdev;

    return vfio_region_read(&vdev->bars[5].region, addr, size);
}

/* Master register write: passthrough, then re-evaluate the window state. */
static void vfio_nvidia_bar5_quirk_master_write(void *opaque, hwaddr addr,
                                                uint64_t data, unsigned size)
{
    VFIONvidiaBAR5Quirk *bar5 = opaque;
    VFIOPCIDevice *vdev = bar5->window.vdev;

    vfio_region_write(&vdev->bars[5].region, addr, data, size);

    bar5->master = data;
    vfio_nvidia_bar5_enable(bar5);
}

static const MemoryRegionOps vfio_nvidia_bar5_quirk_master = {
    .read = vfio_nvidia_bar5_quirk_master_read,
    .write = vfio_nvidia_bar5_quirk_master_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/* Enable register (BAR5 + 0x4) read: passthrough. */
static uint64_t vfio_nvidia_bar5_quirk_enable_read(void *opaque,
                                                   hwaddr addr, unsigned size)
{
    VFIONvidiaBAR5Quirk *bar5 = opaque;
    VFIOPCIDevice *vdev = bar5->window.vdev;

    return vfio_region_read(&vdev->bars[5].region, addr + 4, size);
}

/* Enable register write: passthrough, then re-evaluate the window state. */
static void vfio_nvidia_bar5_quirk_enable_write(void *opaque, hwaddr addr,
                                                uint64_t data, unsigned size)
{
    VFIONvidiaBAR5Quirk *bar5 = opaque;
    VFIOPCIDevice *vdev = bar5->window.vdev;

    vfio_region_write(&vdev->bars[5].region, addr + 4, data, size);

    bar5->enable = data;
    vfio_nvidia_bar5_enable(bar5);
}

static const MemoryRegionOps vfio_nvidia_bar5_quirk_enable = {
    .read = vfio_nvidia_bar5_quirk_enable_read,
    .write = vfio_nvidia_bar5_quirk_enable_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Install the BAR5 window quirk: master/enable registers at 0x0/0x4 and the
 * generic address/data window at 0x8/0xc.  Two matches are registered, the
 * 256-byte mirror at 0x1800 and the full config space mirror at 0x88000.
 * The window regions start disabled and are toggled by
 * vfio_nvidia_bar5_enable().  Only called for nr == 5 on VGA-enabled devices
 * whose BAR5 is an I/O port BAR.
 */
static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice *vdev, int nr)
{
    VFIOQuirk *quirk;
    VFIONvidiaBAR5Quirk *bar5;
    VFIOConfigWindowQuirk *window;

    if (vdev->no_geforce_quirks ||
        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
        !vdev->vga || nr != 5 || !vdev->bars[5].ioport) {
        return;
    }

    quirk = vfio_quirk_alloc(4);
    /* window is the last member, so its flexible array gets the two matches */
    bar5 = quirk->data = g_malloc0(sizeof(*bar5) +
                                   (sizeof(VFIOConfigWindowMatch) * 2));
    window = &bar5->window;

    window->vdev = vdev;
    window->address_offset = 0x8;
    window->data_offset = 0xc;
    window->nr_matches = 2;
    window->matches[0].match = 0x1800;
    window->matches[0].mask = PCI_CONFIG_SPACE_SIZE - 1;
    window->matches[1].match = 0x88000;
    window->matches[1].mask = vdev->config_size - 1;
    window->bar = nr;
    window->addr_mem = bar5->addr_mem = &quirk->mem[0];
    window->data_mem = bar5->data_mem = &quirk->mem[1];

    memory_region_init_io(window->addr_mem, OBJECT(vdev),
                          &vfio_generic_window_address_quirk, window,
                          "vfio-nvidia-bar5-window-address-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        window->address_offset,
                                        window->addr_mem, 1);
    memory_region_set_enabled(window->addr_mem, false);

    memory_region_init_io(window->data_mem, OBJECT(vdev),
                          &vfio_generic_window_data_quirk, window,
                          "vfio-nvidia-bar5-window-data-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        window->data_offset,
                                        window->data_mem, 1);
    memory_region_set_enabled(window->data_mem, false);

    memory_region_init_io(&quirk->mem[2], OBJECT(vdev),
                          &vfio_nvidia_bar5_quirk_master, bar5,
                          "vfio-nvidia-bar5-master-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        0, &quirk->mem[2], 1);

    memory_region_init_io(&quirk->mem[3], OBJECT(vdev),
                          &vfio_nvidia_bar5_quirk_enable, bar5,
                          "vfio-nvidia-bar5-enable-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        4, &quirk->mem[3], 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    trace_vfio_quirk_nvidia_bar5_probe(vdev->vbasedev.name);
}

/*
 * Tracks the most recent write to a BAR0 config mirror so that repeated
 * identical writes can be promoted to an ioeventfd.  Stored in the flexible
 * data[] tail of VFIOConfigMirrorQuirk (see vfio_probe_nvidia_bar0_quirk).
 */
typedef struct LastDataSet {
    /* Back-pointer to the owning quirk, whose ioeventfds list we extend */
    VFIOQuirk *quirk;
    hwaddr addr;
    uint64_t data;
    unsigned size;
    /* Consecutive writes with identical addr/data/size */
    int hits;
    /* Dynamic ioeventfds added so far; stops at MAX_DYN_IOEVENTFD + 1 */
    int added;
} LastDataSet;

#define MAX_DYN_IOEVENTFD 10
#define HITS_FOR_IOEVENTFD 10

/*
 * Finally, BAR0 itself.  We want to redirect any accesses to either
 * 0x1800 or 0x88000 through the PCI config space access functions.
 */
/*
 * Mirror write for the nvidia BAR0 mirrors.  The write always goes to
 * emulated config space via the generic handler; only writes covering the
 * read-only MSI capability ID/next bytes are additionally forwarded to
 * hardware, and repeated writes above the standard header may be promoted
 * to an ioeventfd.
 */
static void vfio_nvidia_quirk_mirror_write(void *opaque, hwaddr addr,
                                           uint64_t data, unsigned size)
{
    VFIOConfigMirrorQuirk *mirror = opaque;
    VFIOPCIDevice *vdev = mirror->vdev;
    PCIDevice *pdev = &vdev->pdev;
    LastDataSet *last = (LastDataSet *)&mirror->data;

    vfio_generic_quirk_mirror_write(opaque, addr, data, size);

    /*
     * Nvidia seems to acknowledge MSI interrupts by writing 0xff to the
     * MSI capability ID register.  Both the ID and next register are
     * read-only, so we allow writes covering either of those to real hw.
     */
    if ((pdev->cap_present & QEMU_PCI_CAP_MSI) &&
        vfio_range_contained(addr, size, pdev->msi_cap, PCI_MSI_FLAGS)) {
        vfio_region_write(&vdev->bars[mirror->bar].region,
                          addr + mirror->offset, data, size);
        trace_vfio_quirk_nvidia_bar0_msi_ack(vdev->vbasedev.name);
    }

    /*
     * Automatically add an ioeventfd to handle any repeated write with the
     * same data and size above the standard PCI config space header.  This is
     * primarily expected to accelerate the MSI-ACK behavior, such as noted
     * above.  Current hardware/drivers should trigger an ioeventfd at config
     * offset 0x704 (region offset 0x88704), with data 0x0, size 4.
     *
     * The criteria of 10 successive hits is arbitrary but reliably adds the
     * MSI-ACK region.  Note that as some writes are bypassed via the ioeventfd,
     * the remaining ones have a greater chance of being seen successively.
* To avoid the pathological case of burning up all of QEMU's open file
     * handles, arbitrarily limit this algorithm from adding no more than 10
     * ioeventfds, print an error if we would have added an 11th, and then
     * stop counting.
     */
    if (!vdev->no_kvm_ioeventfd &&
        addr >= PCI_STD_HEADER_SIZEOF && last->added <= MAX_DYN_IOEVENTFD) {
        if (addr != last->addr || data != last->data || size != last->size) {
            /* Different write: restart the run */
            last->addr = addr;
            last->data = data;
            last->size = size;
            last->hits = 1;
        } else if (++last->hits >= HITS_FOR_IOEVENTFD) {
            if (last->added < MAX_DYN_IOEVENTFD) {
                VFIOIOEventFD *ioeventfd;
                ioeventfd = vfio_ioeventfd_init(vdev, mirror->mem, addr, size,
                                        data, &vdev->bars[mirror->bar].region,
                                        mirror->offset + addr, true);
                if (ioeventfd) {
                    VFIOQuirk *quirk = last->quirk;

                    QLIST_INSERT_HEAD(&quirk->ioeventfds, ioeventfd, next);
                    last->added++;
                }
            } else {
                /* Bump past the limit once so this branch warns only once */
                last->added++;
                warn_report("NVIDIA ioeventfd queue full for %s, unable to "
                            "accelerate 0x%"HWADDR_PRIx", data 0x%"PRIx64", "
                            "size %u", vdev->vbasedev.name, addr, data, size);
            }
        }
    }
}

static const MemoryRegionOps vfio_nvidia_mirror_quirk = {
    .read = vfio_generic_quirk_mirror_read,
    .write = vfio_nvidia_quirk_mirror_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Quirk reset hook: forget the last-write tracking and tear down every
 * ioeventfd that was added dynamically, so a reset guest starts clean.
 */
static void vfio_nvidia_bar0_quirk_reset(VFIOPCIDevice *vdev, VFIOQuirk *quirk)
{
    VFIOConfigMirrorQuirk *mirror = quirk->data;
    LastDataSet *last = (LastDataSet *)&mirror->data;

    last->addr = last->data = last->size = last->hits = last->added = 0;

    vfio_drop_dynamic_eventfds(vdev, quirk);
}

/*
 * Install the BAR0 config space mirror quirks on NVIDIA VGA devices: the
 * full config space mirror at 0x88000 always, and the 256-byte mirror at
 * 0x1800 when VGA is enabled.  Each mirror carries its own LastDataSet in
 * the allocation trailer and registers vfio_nvidia_bar0_quirk_reset.
 * Only called for nr == 0.
 */
static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice *vdev, int nr)
{
    VFIOQuirk *quirk;
    VFIOConfigMirrorQuirk *mirror;
    LastDataSet *last;

    if (vdev->no_geforce_quirks ||
        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
        !vfio_is_vga(vdev) || nr != 0) {
        return;
    }

    quirk = vfio_quirk_alloc(1);
    quirk->reset = vfio_nvidia_bar0_quirk_reset;
    mirror = quirk->data = g_malloc0(sizeof(*mirror) + sizeof(LastDataSet));
    mirror->mem = quirk->mem;
    mirror->vdev = vdev;
    mirror->offset = 0x88000;
    mirror->bar = nr;
    last = (LastDataSet *)&mirror->data;
    last->quirk = quirk;

    /* Sized to the device's full (possibly extended) config space */
    memory_region_init_io(mirror->mem, OBJECT(vdev),
                          &vfio_nvidia_mirror_quirk, mirror,
                          "vfio-nvidia-bar0-88000-mirror-quirk",
                          vdev->config_size);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        mirror->offset, mirror->mem, 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    /* The 0x1800 offset mirror only seems to get used by legacy VGA */
    if (vdev->vga) {
        quirk = vfio_quirk_alloc(1);
        quirk->reset = vfio_nvidia_bar0_quirk_reset;
        mirror = quirk->data = g_malloc0(sizeof(*mirror) + sizeof(LastDataSet));
        mirror->mem = quirk->mem;
        mirror->vdev = vdev;
        mirror->offset = 0x1800;
        mirror->bar = nr;
        last = (LastDataSet *)&mirror->data;
        last->quirk = quirk;

        /* Standard 256-byte config space only */
        memory_region_init_io(mirror->mem, OBJECT(vdev),
                              &vfio_nvidia_mirror_quirk, mirror,
                              "vfio-nvidia-bar0-1800-mirror-quirk",
                              PCI_CONFIG_SPACE_SIZE);
        memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                            mirror->offset, mirror->mem, 1);

        QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
    }

    trace_vfio_quirk_nvidia_bar0_probe(vdev->vbasedev.name);
}

/*
 * TODO - Some Nvidia devices provide config access to their companion HDA
 * device and even to their parent bridge via these config space mirrors.
 * Add quirks for those regions.
 */

#define PCI_VENDOR_ID_REALTEK 0x10ec

/*
 * RTL8168 devices have a backdoor that can access the MSI-X table.  At BAR2
 * offset 0x70 there is a dword data register, offset 0x74 is a dword address
 * register.
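 * According to the Linux r8169 driver, the MSI-X table is addressed when
 * the "type" portion of the address register is set to 0x1.  This appears
 * to be bits 16:30.  Bit 31 is both a write indicator and some sort of
 * "address latched" indicator.  Bits 12:15 are a mask field, which we can
 * ignore because the MSI-X table should always be accessed as a dword (full
 * mask).  Bits 0:11 is offset within the type.
 *
 * Example trace:
 *
 * Read from MSI-X table offset 0
 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x1f000, 4) // store read addr
 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x8001f000 // latch
 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x70, 4) = 0xfee00398 // read data
 *
 * Write 0xfee00000 to MSI-X table offset 0
 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x70, 0xfee00000, 4) // write data
 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x8001f000, 4) // do write
 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x1f000 // complete
 *
 * The 12-bit offset is taken straight from a guest write, so every access
 * redirected to the emulated MSI-X table is bounded by that table's size
 * first.  An offset outside the table is handled like a device without
 * MSI-X: the data read passes through, the data write is dropped.
 */
typedef struct VFIOrtl8168Quirk {
    VFIOPCIDevice *vdev;   /* owning device; the window lives in its BAR2 */
    uint32_t addr;         /* last value the guest wrote to the address reg */
    uint32_t data;         /* last value the guest wrote to the data reg */
    bool enabled;          /* addr currently selects the MSI-X table type */
} VFIOrtl8168Quirk;

/*
 * Whether an MSI-X table access of @size bytes at @offset (bits 0:11 of the
 * window address) may be redirected to the emulated table.  Requires the
 * device to expose MSI-X and bounds the access by the size of the table
 * MemoryRegion, which is exactly what memory_region_dispatch_*() below
 * operate on.
 */
static bool vfio_rtl8168_msix_access_ok(VFIOPCIDevice *vdev,
                                        hwaddr offset, unsigned size)
{
    if (!(vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX)) {
        return false;
    }

    return offset + size <= memory_region_size(&vdev->pdev.msix_table_mmio);
}

/*
 * Address register (BAR2 + 0x74) read.  While the window points at the
 * MSI-X table, fake the latch/complete handshake by returning the stored
 * address with bit 31 toggled, so the guest never depends on hardware state
 * for a table we emulate.
 */
static uint64_t vfio_rtl8168_quirk_address_read(void *opaque,
                                                hwaddr addr, unsigned size)
{
    VFIOrtl8168Quirk *rtl = opaque;
    VFIOPCIDevice *vdev = rtl->vdev;
    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x74, size);

    if (rtl->enabled) {
        data = rtl->addr ^ 0x80000000U; /* latch/complete */
        trace_vfio_quirk_rtl8168_fake_latch(vdev->vbasedev.name, data);
    }

    return data;
}

/*
 * Address register (BAR2 + 0x74) write.  A type 0x1 address arms the quirk;
 * with bit 31 set it also performs the pending data write, which goes to
 * the emulated MSI-X table (if the offset fits) and never to hardware.
 * Any other value is passed through to the device.
 */
static void vfio_rtl8168_quirk_address_write(void *opaque, hwaddr addr,
                                             uint64_t data, unsigned size)
{
    VFIOrtl8168Quirk *rtl = opaque;
    VFIOPCIDevice *vdev = rtl->vdev;

    rtl->enabled = false;

    if ((data & 0x7fff0000) == 0x10000) { /* MSI-X table */
        rtl->enabled = true;
        rtl->addr = (uint32_t)data;

        if (data & 0x80000000U) { /* Do write */
            hwaddr offset = data & 0xfff;

            /* Guest-controlled offset: only redirect what fits the table */
            if (vfio_rtl8168_msix_access_ok(vdev, offset, size)) {
                uint64_t val = rtl->data;

                trace_vfio_quirk_rtl8168_msix_write(vdev->vbasedev.name,
                                                    (uint16_t)offset, val);

                /* Write to the proper guest MSI-X table instead */
                memory_region_dispatch_write(&vdev->pdev.msix_table_mmio,
                                             offset, val, size,
                                             MEMTXATTRS_UNSPECIFIED);
            }
            return; /* Never write guest MSI-X data to hardware */
        }
    }

    vfio_region_write(&vdev->bars[2].region, addr + 0x74, data, size);
}

static const MemoryRegionOps vfio_rtl_address_quirk = {
    .read = vfio_rtl8168_quirk_address_read,
    .write = vfio_rtl8168_quirk_address_write,
    .valid = {
        .min_access_size = 4,
        .max_access_size = 4,
        .unaligned = false,
    },
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Data register (BAR2 + 0x70) read.  The hardware value is read first; when
 * the window is armed for the MSI-X table and the latched offset fits the
 * emulated table, the emulated entry replaces it.
 */
static uint64_t vfio_rtl8168_quirk_data_read(void *opaque,
                                             hwaddr addr, unsigned size)
{
    VFIOrtl8168Quirk *rtl = opaque;
    VFIOPCIDevice *vdev = rtl->vdev;
    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x70, size);

    if (rtl->enabled) {
        hwaddr offset = rtl->addr & 0xfff;

        if (vfio_rtl8168_msix_access_ok(vdev, offset, size)) {
            memory_region_dispatch_read(&vdev->pdev.msix_table_mmio, offset,
                                        &data, size, MEMTXATTRS_UNSPECIFIED);
            trace_vfio_quirk_rtl8168_msix_read(vdev->vbasedev.name,
                                               offset, data);
        }
    }

    return data;
}

/*
 * Data register (BAR2 + 0x70) write.  Remember the value for a later "do
 * write" on the address register and pass it through to hardware; the
 * hardware write is harmless on its own, the address write decides.
 */
static void vfio_rtl8168_quirk_data_write(void *opaque, hwaddr addr,
                                          uint64_t data, unsigned size)
{
    VFIOrtl8168Quirk *rtl = opaque;
    VFIOPCIDevice *vdev = rtl->vdev;

    rtl->data = (uint32_t)data;

    vfio_region_write(&vdev->bars[2].region, addr + 0x70, data, size);
}

static const MemoryRegionOps vfio_rtl_data_quirk = {
    .read = vfio_rtl8168_quirk_data_read,
    .write = vfio_rtl8168_quirk_data_write,
    .valid = {
        .min_access_size = 4,
        .max_access_size = 4,
        .unaligned = false,
    },
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * Overlay the two window registers of an RTL8168 BAR2 with the quirk above.
 * @nr is the BAR being set up; only BAR2 of a Realtek 8168 is affected.
 */
static void vfio_probe_rtl8168_bar2_quirk(VFIOPCIDevice *vdev, int nr)
{
    VFIOQuirk *quirk;
    VFIOrtl8168Quirk *rtl;

    if (nr != 2 || !vfio_pci_is(vdev, PCI_VENDOR_ID_REALTEK, 0x8168)) {
        return;
    }

    quirk = vfio_quirk_alloc(2);
    rtl = g_malloc0(sizeof(*rtl));
    rtl->vdev = vdev;
    quirk->data = rtl;

    /* mem[0] covers the address register, mem[1] the data register */
    memory_region_init_io(&quirk->mem[0], OBJECT(vdev),
                          &vfio_rtl_address_quirk, rtl,
                          "vfio-rtl8168-window-address-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        0x74, &quirk->mem[0], 1);

    memory_region_init_io(&quirk->mem[1], OBJECT(vdev),
                          &vfio_rtl_data_quirk, rtl,
                          "vfio-rtl8168-window-data-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        0x70, &quirk->mem[1], 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    trace_vfio_quirk_rtl8168_probe(vdev->vbasedev.name);
}

/*
 * Intel IGD support
 *
 * Obviously IGD is not a discrete device, this is evidenced not only by it
 * being integrated into the CPU, but by the various chipset and BIOS
 * dependencies that it brings along with it.  Intel is trying to move away
 * from this and Broadwell and newer devices can run in what Intel calls
 * "Universal Pass-Through" mode, or UPT.  Theoretically in UPT mode, nothing
 * more is required beyond assigning the IGD device to a VM.  There are
 * however support limitations to this mode.  It only supports IGD as a
 * secondary graphics device in the VM and it doesn't officially support any
 * physical outputs.
 *
 * The code here attempts to enable what we'll call legacy mode assignment,
 * IGD retains most of the capabilities we expect for it to have on bare
 * metal.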
To enable this mode, the IGD device must be assigned to the VM 1141 * at PCI address 00:02.0, it must have a ROM, it very likely needs VGA 1142 * support, we must have VM BIOS support for reserving and populating some 1143 * of the required tables, and we need to tweak the chipset with revisions 1144 * and IDs and an LPC/ISA bridge device. The intention is to make all of 1145 * this happen automatically by installing the device at the correct VM PCI 1146 * bus address. If any of the conditions are not met, we cross our fingers 1147 * and hope the user knows better. 1148 * 1149 * NB - It is possible to enable physical outputs in UPT mode by supplying 1150 * an OpRegion table. We don't do this by default because the guest driver 1151 * behaves differently if an OpRegion is provided and no monitor is attached 1152 * vs no OpRegion and a monitor being attached or not. Effectively, if a 1153 * headless setup is desired, the OpRegion gets in the way of that. 1154 */ 1155 1156 /* 1157 * This presumes the device is already known to be an Intel VGA device, so we 1158 * take liberties in which device ID bits match which generation. This should 1159 * not be taken as an indication that all the devices are supported, or even 1160 * supportable, some of them don't even support VT-d. 1161 * See linux:include/drm/i915_pciids.h for IDs. 
 */
static int igd_gen(VFIOPCIDevice *vdev)
{
    /* Old, untested, unavailable, unknown: keyed on the upper ID byte */
    static const uint16_t gen_unknown[] = {
        0x0000, 0x2500, 0x2700, 0x2900, 0x2a00, 0x2e00, 0x3500, 0xa000,
    };
    /* SandyBridge, IvyBridge, ValleyView, Haswell */
    static const uint16_t gen6_ids[] = {
        0x0100, 0x0400, 0x0a00, 0x0c00, 0x0d00, 0x0f00,
    };
    uint16_t hi = vdev->device_id & 0xff00;
    size_t i;

    /* Broxton is recognised by its low 12 bits instead */
    if ((vdev->device_id & 0xfff) == 0xa84) {
        return 8;
    }

    for (i = 0; i < ARRAY_SIZE(gen_unknown); i++) {
        if (hi == gen_unknown[i]) {
            return -1;
        }
    }

    for (i = 0; i < ARRAY_SIZE(gen6_ids); i++) {
        if (hi == gen6_ids[i]) {
            return 6;
        }
    }

    /*
     * BroadWell, CherryView, SkyLake, KabyLake (0x1600, 0x1900, 0x2200,
     * 0x5900) as well as anything newer we do not know about: assume
     * generation 8 compatible.
     */
    return 8;
}

/* Per-device state for the IGD IOBAR (GTT) quirk below. */
typedef struct VFIOIGDQuirk {
    struct VFIOPCIDevice *vdev;
    uint32_t index;    /* last value written to the IOBAR index register */
    uint32_t bdsm;     /* host stolen memory base, 1MB aligned */
} VFIOIGDQuirk;

#define IGD_GMCH 0x50 /* Graphics Control Register */
#define IGD_BDSM 0x5c /* Base Data of Stolen Memory */
#define IGD_ASLS 0xfc /* ASL Storage Register */

/*
 * The OpRegion includes the Video BIOS Table, which seems important for
 * telling the driver what sort of outputs it has.  Without this, the device
 * may work in the guest, but we may not get output.  This also requires BIOS
 * support to reserve and populate a section of guest memory sufficient for
 * the table and to write the base address of that memory to the ASLS register
 * of the IGD device.
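 */
/*
 * Read the host OpRegion exposed by the vfio device-specific region @info
 * into a private copy and hand that copy to fw_cfg for the VM firmware.
 *
 * Returns 0 on success.  On failure @errp is set, vdev->igd_opregion is
 * left NULL and -EINVAL is returned.  A zero-sized region is rejected up
 * front: there would be nothing to publish and g_malloc0(0) yields NULL.
 */
int vfio_pci_igd_opregion_init(VFIOPCIDevice *vdev,
                               struct vfio_region_info *info, Error **errp)
{
    ssize_t ret;

    if (!info->size) {
        error_setg(errp, "IGD OpRegion region is empty");
        return -EINVAL;
    }

    vdev->igd_opregion = g_malloc0(info->size);
    ret = pread(vdev->vbasedev.fd, vdev->igd_opregion,
                info->size, info->offset);
    if (ret < 0) {
        int err = errno; /* capture before anything else can clobber it */

        error_setg(errp, "failed to read IGD OpRegion: %s", strerror(err));
        goto fail;
    }
    if ((uint64_t)ret != info->size) {
        /* a short read leaves errno stale, report the sizes instead */
        error_setg(errp, "short read of IGD OpRegion: %zd of %" PRIu64
                   " bytes", ret, (uint64_t)info->size);
        goto fail;
    }

    /*
     * Provide fw_cfg with a copy of the OpRegion which the VM firmware is to
     * allocate 32bit reserved memory for, copy these contents into, and write
     * the reserved memory base address to the device ASLS register at 0xFC.
     * Alignment of this reserved region seems flexible, but using a 4k page
     * alignment seems to work well.  This interface assumes a single IGD
     * device, which may be at VM address 00:02.0 in legacy mode or another
     * address in UPT mode.
     *
     * NB, there may be future use cases discovered where the VM should have
     * direct interaction with the host OpRegion, in which case the write to
     * the ASLS register would trigger MemoryRegion setup to enable that.
     *
     * fw_cfg keeps referencing vdev->igd_opregion, so it is not freed here.
     */
    fw_cfg_add_file(fw_cfg_find(), "etc/igd-opregion",
                    vdev->igd_opregion, info->size);

    trace_vfio_pci_igd_opregion_enabled(vdev->vbasedev.name);

    /* ASLS is fully emulated and guest-writable: firmware stores the base */
    pci_set_long(vdev->pdev.config + IGD_ASLS, 0);
    pci_set_long(vdev->pdev.wmask + IGD_ASLS, ~0);
    pci_set_long(vdev->emulated_config_bits + IGD_ASLS, ~0);

    return 0;

fail:
    g_free(vdev->igd_opregion);
    vdev->igd_opregion = NULL;
    return -EINVAL;
}

/*
 * The rather short list of registers that we copy from the host devices.
 * The LPC/ISA bridge values are definitely needed to support the vBIOS, the
 * host bridge values may or may not be needed depending on the guest OS.
 * Since we're only munging revision and subsystem values on the host bridge,
 * we don't require our own device.  The LPC/ISA bridge needs to be our very
 * own though.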
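 */
typedef struct {
    uint8_t offset;   /* PCI config offset, copied from the host device */
    uint8_t len;      /* number of bytes at that offset */
} IGDHostInfo;

static const IGDHostInfo igd_host_bridge_infos[] = {
    {PCI_REVISION_ID,         2},
    {PCI_SUBSYSTEM_VENDOR_ID, 2},
    {PCI_SUBSYSTEM_ID,        2},
};

static const IGDHostInfo igd_lpc_bridge_infos[] = {
    {PCI_VENDOR_ID,           2},
    {PCI_DEVICE_ID,           2},
    {PCI_REVISION_ID,         2},
    {PCI_SUBSYSTEM_VENDOR_ID, 2},
    {PCI_SUBSYSTEM_ID,        2},
};

/*
 * Copy the @len registers listed in @list from the host config space
 * exposed through the vfio device-specific region @info straight into the
 * emulated config space of @pdev.
 *
 * Returns 0 on success, -errno when pread() fails and -EIO on a short
 * read.  A short read is not an error from pread()'s point of view, so
 * errno is stale in that case; returning "-errno" there (as this used to)
 * could even be 0 and report success for a half-copied register.
 */
static int vfio_pci_igd_copy(VFIOPCIDevice *vdev, PCIDevice *pdev,
                             struct vfio_region_info *info,
                             const IGDHostInfo *list, int len)
{
    int i;

    for (i = 0; i < len; i++) {
        ssize_t ret = pread(vdev->vbasedev.fd, pdev->config + list[i].offset,
                            list[i].len, info->offset + list[i].offset);

        if (ret < 0) {
            int err = errno; /* capture before error_report() runs */

            error_report("IGD copy failed at offset 0x%x: %s",
                         list[i].offset, strerror(err));
            return -err;
        }
        if (ret != list[i].len) {
            error_report("IGD copy failed: short read at offset 0x%x "
                         "(%zd of %u bytes)", list[i].offset, ret,
                         list[i].len);
            return -EIO;
        }
    }

    return 0;
}

/*
 * Stuff a few values into the host bridge.
 *
 * The emulated host bridge at 00:00.0 of the device's root bus receives the
 * host's revision and subsystem IDs (see igd_host_bridge_infos).  Returns
 * -ENODEV if there is no device at 00:00.0, else the vfio_pci_igd_copy()
 * result.
 */
static int vfio_pci_igd_host_init(VFIOPCIDevice *vdev,
                                  struct vfio_region_info *info)
{
    PCIBus *bus = pci_device_root_bus(&vdev->pdev);
    PCIDevice *host_bridge = pci_find_device(bus, 0, PCI_DEVFN(0, 0));
    int ret;

    if (!host_bridge) {
        error_report("Can't find host bridge");
        return -ENODEV;
    }

    ret = vfio_pci_igd_copy(vdev, host_bridge, info, igd_host_bridge_infos,
                            ARRAY_SIZE(igd_host_bridge_infos));
    if (!ret) {
        trace_vfio_pci_igd_host_bridge_enabled(vdev->vbasedev.name);
    }

    return ret;
}

/*
 * IGD LPC/ISA bridge support code.  The vBIOS needs this, but we can't write
 * arbitrary values into just any bridge, so we must create our own.  We try
 * to handle if the user has created it for us, which they might want to do
 * to enable multifunction so we don't occupy the whole PCI slot.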
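 */
/* The vBIOS expects the LPC/ISA bridge at 00:1f.0; refuse any other slot. */
static void vfio_pci_igd_lpc_bridge_realize(PCIDevice *pdev, Error **errp)
{
    if (pdev->devfn != PCI_DEVFN(0x1f, 0)) {
        error_setg(errp, "VFIO dummy ISA/LPC bridge must have address 1f.0");
    }
}

static void vfio_pci_igd_lpc_bridge_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);
    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);

    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
    dc->desc = "VFIO dummy ISA/LPC bridge for IGD assignment";
    /* legacy mode itself is refused for a hotplugged IGD, see the probe */
    dc->hotpluggable = false;
    k->realize = vfio_pci_igd_lpc_bridge_realize;
    k->class_id = PCI_CLASS_BRIDGE_ISA;
}

/* Registered once at startup and never modified: keep it read-only. */
static const TypeInfo vfio_pci_igd_lpc_bridge_info = {
    .name = "vfio-pci-igd-lpc-bridge",
    .parent = TYPE_PCI_DEVICE,
    .class_init = vfio_pci_igd_lpc_bridge_class_init,
    .interfaces = (InterfaceInfo[]) {
        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
        { },
    },
};

static void vfio_pci_igd_register_types(void)
{
    type_register_static(&vfio_pci_igd_lpc_bridge_info);
}

type_init(vfio_pci_igd_register_types)

/*
 * Find or create the dummy LPC/ISA bridge at 00:1f.0 and copy the host
 * bridge's IDs (igd_lpc_bridge_infos) into it from the vfio region @info.
 * A pre-existing device at 1f.0 is reused as-is; the caller has already
 * verified it is of our dummy type.  Returns the vfio_pci_igd_copy() result.
 */
static int vfio_pci_igd_lpc_init(VFIOPCIDevice *vdev,
                                 struct vfio_region_info *info)
{
    PCIBus *bus = pci_device_root_bus(&vdev->pdev);
    PCIDevice *lpc_bridge = pci_find_device(bus, 0, PCI_DEVFN(0x1f, 0));
    int ret;

    if (!lpc_bridge) {
        lpc_bridge = pci_create_simple(bus, PCI_DEVFN(0x1f, 0),
                                       "vfio-pci-igd-lpc-bridge");
    }

    ret = vfio_pci_igd_copy(vdev, lpc_bridge, info, igd_lpc_bridge_infos,
                            ARRAY_SIZE(igd_lpc_bridge_infos));
    if (!ret) {
        trace_vfio_pci_igd_lpc_bridge_enabled(vdev->vbasedev.name);
    }

    return ret;
}

/*
 * IGD Gen8 and newer support up to 8MB for the GTT and use a 64bit PTE
 * entry, older IGDs use 2MB and 32bit.  Each PTE maps a 4k page.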
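 * Therefore we either have 2M/4k * 4 = 2k or 8M/4k * 8 = 16k as the maximum
 * iobar index for programming the GTT.
 *
 * See linux:include/drm/i915_drm.h for shift and mask values.
 */
static int vfio_igd_gtt_max(VFIOPCIDevice *vdev)
{
    /* a single config read is enough; this used to read GMCH twice */
    uint32_t gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, sizeof(gmch));
    int gen = igd_gen(vdev);
    int ggms;

    /* GGMS field: bits 9:8 before Gen8, bits 7:6 from Gen8 on */
    ggms = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
    if (gen > 6) {
        ggms = 1 << ggms; /* encoded as log2(MB) on newer generations */
    }

    ggms *= 1024 * 1024;

    /* number of 4k-page PTEs times the PTE size in bytes */
    return (ggms / (4 * 1024)) * (gen < 8 ? 4 : 8);
}

/*
 * The IGD ROM will make use of stolen memory (GGMS) for support of VESA modes.
 * Somehow the host stolen memory range is used for this, but how the ROM gets
 * it is a mystery, perhaps it's hardcoded into the ROM.  Thankfully though, it
 * reprograms the GTT through the IOBAR where we can trap it and transpose the
 * programming to the VM allocated buffer.  That buffer gets reserved by the VM
 * firmware via the fw_cfg entry added below.  Here we're just monitoring the
 * IOBAR address and data registers to detect a write sequence targeting the
 * GTTADR.  This code is developed by observed behavior and doesn't have a
 * direct spec reference, unfortunately.
 */
static uint64_t vfio_igd_quirk_data_read(void *opaque,
                                         hwaddr addr, unsigned size)
{
    VFIOIGDQuirk *igd = opaque;
    VFIOPCIDevice *vdev = igd->vdev;

    /* any data access ends the index/data sequence */
    igd->index = ~0;

    return vfio_region_read(&vdev->bars[4].region, addr + 4, size);
}

static void vfio_igd_quirk_data_write(void *opaque, hwaddr addr,
                                      uint64_t data, unsigned size)
{
    VFIOIGDQuirk *igd = opaque;
    VFIOPCIDevice *vdev = igd->vdev;
    uint64_t val = data;
    int gen = igd_gen(vdev);

    /*
     * Programming the GGMS starts at index 0x1 and uses every 4th index (ie.
     * 0x1, 0x5, 0x9, 0xd,...).  For pre-Gen8 each 4-byte write is a whole PTE
     * entry, with 0th bit enable set.  For Gen8 and up, PTEs are 64bit, so
     * entries 0x5 & 0xd are the high dword, in our case zero.  Each PTE points
     * to a 4k page, which we translate to a page from the VM allocated region,
     * pointed to by the BDSM register.
     *
     * We trap writes to the full configured GTT size, but we typically only
     * see the vBIOS writing up to (nearly) the 1MB barrier.  In fact it often
     * seems to miss the last entry for an even 1MB GTT.  Doing a gratuitous
     * write of that last entry does work, but is hopefully unnecessary since
     * we clear the previous GTT on initialization.
     */
    if ((igd->index % 4 == 1) && igd->index < vfio_igd_gtt_max(vdev)) {
        if (gen < 8 || (igd->index % 8 == 1)) {
            uint32_t base = pci_get_long(vdev->pdev.config + IGD_BDSM);

            if (!base) {
                static bool warned;

                /*
                 * BDSM is emulated read-write (vfio_probe_igd_bar4_quirk sets
                 * its wmask to ~0), so a guest can zero it and then land
                 * here; this path must never abort QEMU.  Without a base we
                 * cannot rebase the PTE, so drop the write instead of
                 * programming an untranslated address.  Warn once only to
                 * keep a misbehaving guest from flooding the log.
                 */
                if (!warned) {
                    warned = true;
                    warn_report("vfio-igd: Guest attempted to program IGD "
                                "GTT before BIOS reserved stolen memory.  "
                                "Unsupported BIOS?  Dropping GTT write.");
                }
                igd->index = ~0;
                return;
            }

            /* rebase from the host stolen range onto the VM reserved buffer */
            val = data - igd->bdsm + base;
        } else {
            val = 0; /* upper 32bits of pte, we only enable below 4G PTEs */
        }

        trace_vfio_pci_igd_bar4_write(vdev->vbasedev.name,
                                      igd->index, data, val);
    }

    vfio_region_write(&vdev->bars[4].region, addr + 4, val, size);

    igd->index = ~0;
}

static const MemoryRegionOps vfio_igd_data_quirk = {
    .read = vfio_igd_quirk_data_read,
    .write = vfio_igd_quirk_data_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

static uint64_t vfio_igd_quirk_index_read(void *opaque,
                                          hwaddr addr, unsigned size)
{
    VFIOIGDQuirk *igd = opaque;
    VFIOPCIDevice *vdev = igd->vdev;

    /* a read of the index register does not start a sequence */
    igd->index = ~0;

    return vfio_region_read(&vdev->bars[4].region, addr, size);
}

static void vfio_igd_quirk_index_write(void *opaque, hwaddr addr,
                                       uint64_t data, unsigned size)
{
    VFIOIGDQuirk *igd = opaque;
    VFIOPCIDevice *vdev = igd->vdev;

    /* remember the index so the following data write can be classified */
    igd->index = data;

    vfio_region_write(&vdev->bars[4].region, addr, data, size);
}

static const MemoryRegionOps vfio_igd_index_quirk = {
    .read = vfio_igd_quirk_index_read,
    .write = vfio_igd_quirk_index_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/*
 * This IOBAR gives us access to GTTADR, which allows us to write to the GTT
 * itself.  Write zero to all the GTT entries to avoid spurious DMA faults,
 * with I/O access enabled around the writes and the original command
 * register restored afterwards.  If the original command register cannot be
 * read, nothing is touched: restoring an unknown (previously uninitialized)
 * value into PCI_COMMAND would be worse than leaving the GTT alone.
 */
static void vfio_igd_clear_gtt(VFIOPCIDevice *vdev)
{
    uint16_t cmd_orig, cmd;
    int i, max = vfio_igd_gtt_max(vdev); /* hoisted: it reads config space */

    if (pread(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
              vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
        error_report("IGD device %s - failed to read PCI command register, "
                     "GTT not cleared", vdev->vbasedev.name);
        return;
    }

    cmd = cmd_orig | PCI_COMMAND_IO;

    if (pwrite(vdev->vbasedev.fd, &cmd, sizeof(cmd),
               vdev->config_offset + PCI_COMMAND) != sizeof(cmd)) {
        error_report("IGD device %s - failed to write PCI command register",
                     vdev->vbasedev.name);
    }

    for (i = 1; i < max; i += 4) {
        vfio_region_write(&vdev->bars[4].region, 0, i, 4);
        vfio_region_write(&vdev->bars[4].region, 4, 0, 4);
    }

    if (pwrite(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
               vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
        error_report("IGD device %s - failed to restore PCI command register",
                     vdev->vbasedev.name);
    }
}

/*
 * Enable IGD legacy mode assignment for BAR @nr of @vdev.  Everything is
 * best-effort: each unmet prerequisite is reported and the quirk is simply
 * not installed, leaving the device in plain pass-through.
 */
static void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
{
    struct vfio_region_info *rom = NULL, *opregion = NULL,
                            *host = NULL, *lpc = NULL;
    VFIOQuirk *quirk;
    VFIOIGDQuirk *igd;
    PCIDevice *lpc_bridge;
    int ret, ggms_mb, gms_mb = 0, gen;
    uint64_t *bdsm_size;
    uint32_t gmch;
    Error *err = NULL;

    /*
     * This must be an Intel VGA device at address 00:02.0 for us to even
     * consider enabling legacy mode.  The vBIOS has dependencies on the
     * PCI bus address.
     */
    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
        !vfio_is_vga(vdev) || nr != 4 ||
        &vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
                                       0, PCI_DEVFN(0x2, 0))) {
        return;
    }

    /*
     * We need to create an LPC/ISA bridge at PCI bus address 00:1f.0 that we
     * can stuff host values into, so if there's already one there and it's not
     * one we can hack on, legacy mode is no-go.  Sorry Q35.
     */
    lpc_bridge = pci_find_device(pci_device_root_bus(&vdev->pdev),
                                 0, PCI_DEVFN(0x1f, 0));
    if (lpc_bridge && !object_dynamic_cast(OBJECT(lpc_bridge),
                                           "vfio-pci-igd-lpc-bridge")) {
        error_report("IGD device %s cannot support legacy mode due to existing "
                     "devices at address 1f.0", vdev->vbasedev.name);
        return;
    }

    /*
     * IGD is not a standard, they like to change their specs often.  We
     * only attempt to support back to SandyBridge and we hope that newer
     * devices maintain compatibility with generation 8.
     */
    gen = igd_gen(vdev);
    if (gen != 6 && gen != 8) {
        error_report("IGD device %s is unsupported in legacy mode, "
                     "try SandyBridge or newer", vdev->vbasedev.name);
        return;
    }

    /*
     * Most of what we're doing here is to enable the ROM to run, so if
     * there's no ROM, there's no point in setting up this quirk.
     * NB. We only seem to get BIOS ROMs, so a UEFI VM would need CSM support.
     */
    ret = vfio_get_region_info(&vdev->vbasedev,
                               VFIO_PCI_ROM_REGION_INDEX, &rom);
    if ((ret || !rom->size) && !vdev->pdev.romfile) {
        error_report("IGD device %s has no ROM, legacy mode disabled",
                     vdev->vbasedev.name);
        goto out;
    }

    /*
     * Ignore the hotplug corner case, mark the ROM failed, we can't
     * create the devices we need for legacy mode in the hotplug scenario.
     */
    if (vdev->pdev.qdev.hotplugged) {
        error_report("IGD device %s hotplugged, ROM disabled, "
                     "legacy mode disabled", vdev->vbasedev.name);
        vdev->rom_read_failed = true;
        goto out;
    }

    /*
     * Check whether we have all the vfio device specific regions to
     * support legacy mode (added in Linux v4.6).  If not, bail.
     */
    ret = vfio_get_dev_region_info(&vdev->vbasedev,
                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
                        VFIO_REGION_SUBTYPE_INTEL_IGD_OPREGION, &opregion);
    if (ret) {
        error_report("IGD device %s does not support OpRegion access, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    ret = vfio_get_dev_region_info(&vdev->vbasedev,
                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
                        VFIO_REGION_SUBTYPE_INTEL_IGD_HOST_CFG, &host);
    if (ret) {
        error_report("IGD device %s does not support host bridge access, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    ret = vfio_get_dev_region_info(&vdev->vbasedev,
                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
                        VFIO_REGION_SUBTYPE_INTEL_IGD_LPC_CFG, &lpc);
    if (ret) {
        error_report("IGD device %s does not support LPC bridge access, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);

    /*
     * If IGD VGA Disable is clear (expected) and VGA is not already enabled,
     * try to enable it.  Probably shouldn't be using legacy mode without VGA,
     * but also no point in us enabling VGA if disabled in hardware.
     */
    if (!(gmch & 0x2) && !vdev->vga && vfio_populate_vga(vdev, &err)) {
        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
        error_report("IGD device %s failed to enable VGA access, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    /* Create our LPC/ISA bridge */
    ret = vfio_pci_igd_lpc_init(vdev, lpc);
    if (ret) {
        error_report("IGD device %s failed to create LPC bridge, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    /* Stuff some host values into the VM PCI host bridge */
    ret = vfio_pci_igd_host_init(vdev, host);
    if (ret) {
        error_report("IGD device %s failed to modify host bridge, "
                     "legacy mode disabled", vdev->vbasedev.name);
        goto out;
    }

    /* Setup OpRegion access */
    ret = vfio_pci_igd_opregion_init(vdev, opregion, &err);
    if (ret) {
        error_append_hint(&err, "IGD legacy mode disabled\n");
        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
        goto out;
    }

    /* Setup our quirk to munge GTT addresses to the VM allocated buffer */
    quirk = vfio_quirk_alloc(2);
    igd = quirk->data = g_malloc0(sizeof(*igd));
    igd->vdev = vdev;
    igd->index = ~0;
    /* host BDSM is captured before the register is replaced by emulation */
    igd->bdsm = vfio_pci_read_config(&vdev->pdev, IGD_BDSM, 4);
    igd->bdsm &= ~((1 << 20) - 1); /* 1MB aligned */

    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_igd_index_quirk,
                          igd, "vfio-igd-index-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        0, &quirk->mem[0], 1);

    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_igd_data_quirk,
                          igd, "vfio-igd-data-quirk", 4);
    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
                                        4, &quirk->mem[1], 1);

    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);

    /* Determine the size of stolen memory needed for GTT */
    ggms_mb = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
    if (gen > 6) {
        ggms_mb = 1 << ggms_mb;
    }

    /*
     * Assume we have no GMS memory, but allow it to be overridden by device
     * option (experimental).  The spec doesn't actually allow zero GMS when
     * IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
     * so let's not waste VM memory for it.
     */
    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));

    if (vdev->igd_gms) {
        if (vdev->igd_gms <= 0x10) {
            gms_mb = vdev->igd_gms * 32;
            gmch |= vdev->igd_gms << (gen < 8 ? 3 : 8);
        } else {
            error_report("Unsupported IGD GMS value 0x%x", vdev->igd_gms);
            vdev->igd_gms = 0;
        }
    }

    /*
     * Request reserved memory for stolen memory via fw_cfg.  VM firmware
     * must allocate a 1MB aligned reserved memory region below 4GB with
     * the requested size (in bytes) for use by the Intel PCI class VGA
     * device at VM address 00:02.0.  The base address of this reserved
     * memory region must be written to the device BDSM register at PCI
     * config offset 0x5C.  fw_cfg keeps the pointer, so it is never freed.
     */
    bdsm_size = g_malloc(sizeof(*bdsm_size));
    *bdsm_size = cpu_to_le64((ggms_mb + gms_mb) * 1024 * 1024);
    fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
                    bdsm_size, sizeof(*bdsm_size));

    /* GMCH is read-only, emulated */
    pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
    pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);

    /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);

    /* Zero the GTT through the IOBAR, see vfio_igd_clear_gtt() */
    vfio_igd_clear_gtt(vdev);

    trace_vfio_pci_igd_bdsm_enabled(vdev->vbasedev.name, ggms_mb + gms_mb);

out:
    g_free(rom);
    g_free(opregion);
    g_free(host);
    g_free(lpc);
}

/*
 * Common quirk probe entry points.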
 */
void vfio_vga_quirk_setup(VFIOPCIDevice *vdev)
{
    vfio_vga_probe_ati_3c3_quirk(vdev);
    vfio_vga_probe_nvidia_3d0_quirk(vdev);
}

/* Detach every MemoryRegion of @quirk from @parent; nothing is freed. */
static void vfio_quirk_detach(MemoryRegion *parent, VFIOQuirk *quirk)
{
    int j;

    for (j = 0; j < quirk->nr_mem; j++) {
        memory_region_del_subregion(parent, &quirk->mem[j]);
    }
}

/* Release a quirk that has already been unlinked from its list. */
static void vfio_quirk_free(VFIOQuirk *quirk)
{
    int j;

    for (j = 0; j < quirk->nr_mem; j++) {
        object_unparent(OBJECT(&quirk->mem[j]));
    }
    g_free(quirk->mem);
    g_free(quirk->data);
    g_free(quirk);
}

/* Unmap all VGA region quirks; the quirk objects stay allocated. */
void vfio_vga_quirk_exit(VFIOPCIDevice *vdev)
{
    int i;

    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
        VFIOQuirk *quirk;

        QLIST_FOREACH(quirk, &vdev->vga->region[i].quirks, next) {
            vfio_quirk_detach(&vdev->vga->region[i].mem, quirk);
        }
    }
}

/* Free all VGA region quirks; callers run vfio_vga_quirk_exit() first. */
void vfio_vga_quirk_finalize(VFIOPCIDevice *vdev)
{
    int i;

    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
        VFIOQuirk *quirk;

        while ((quirk = QLIST_FIRST(&vdev->vga->region[i].quirks))) {
            QLIST_REMOVE(quirk, next);
            vfio_quirk_free(quirk);
        }
    }
}

/* Run every BAR quirk probe for BAR @nr; each probe filters by device. */
void vfio_bar_quirk_setup(VFIOPCIDevice *vdev, int nr)
{
    vfio_probe_ati_bar4_quirk(vdev, nr);
    vfio_probe_ati_bar2_quirk(vdev, nr);
    vfio_probe_nvidia_bar5_quirk(vdev, nr);
    vfio_probe_nvidia_bar0_quirk(vdev, nr);
    vfio_probe_rtl8168_bar2_quirk(vdev, nr);
    vfio_probe_igd_bar4_quirk(vdev, nr);
}

/* Tear down ioeventfds and unmap the quirks of BAR @nr; nothing is freed. */
void vfio_bar_quirk_exit(VFIOPCIDevice *vdev, int nr)
{
    VFIOBAR *bar = &vdev->bars[nr];
    VFIOQuirk *quirk;

    QLIST_FOREACH(quirk, &bar->quirks, next) {
        VFIOIOEventFD *ioeventfd;

        /* relies on vfio_ioeventfd_exit() unlinking the entry it is given */
        while ((ioeventfd = QLIST_FIRST(&quirk->ioeventfds))) {
            vfio_ioeventfd_exit(ioeventfd);
        }

        vfio_quirk_detach(bar->region.mem, quirk);
    }
}

/* Free the quirks of BAR @nr; callers run vfio_bar_quirk_exit() first. */
void vfio_bar_quirk_finalize(VFIOPCIDevice *vdev, int nr)
{
    VFIOBAR *bar = &vdev->bars[nr];
    VFIOQuirk *quirk;

    while ((quirk = QLIST_FIRST(&bar->quirks))) {
        QLIST_REMOVE(quirk, next);
        vfio_quirk_free(quirk);
    }
}

/*
 * Reset quirks
 *
 * Invoke the optional reset hook of every quirk on the regular BARs (the
 * ROM BAR carries no quirks).
 */
void vfio_quirk_reset(VFIOPCIDevice *vdev)
{
    int i;

    for (i = 0; i < PCI_ROM_SLOT; i++) {
        VFIOQuirk *quirk;

        QLIST_FOREACH(quirk, &vdev->bars[i].quirks, next) {
            if (quirk->reset) {
                quirk->reset(vdev, quirk);
            }
        }
    }
}

/*
 * AMD Radeon PCI config reset, based on Linux:
 *   drivers/gpu/drm/radeon/ci_smc.c:ci_is_smc_running()
 *   drivers/gpu/drm/radeon/radeon_device.c:radeon_pci_config_reset
 *   drivers/gpu/drm/radeon/ci_smc.c:ci_reset_smc()
 *   drivers/gpu/drm/radeon/ci_smc.c:ci_stop_smc_clock()
 * IDs: include/drm/drm_pciids.h
 * Registers: http://cgit.freedesktop.org/~agd5f/linux/commit/?id=4e2aa447f6f0
 *
 * Bonaire and Hawaii GPUs do not respond to a bus reset.  This is a bug in the
 * hardware that should be fixed on future ASICs.  The symptom of this is that
 * once the accelerated driver loads, Windows guests will bsod on subsequent
 * attempts to load the driver, such as after VM reset or shutdown/restart.  To
 * work around this, we do an AMD specific PCI config reset, followed by an SMC
 * reset.  The PCI config reset only works if SMC firmware is running, so we
 * have a dependency on the state of the device as to whether this reset will
 * be effective.  There are still cases where we won't be able to kick the
 * device into working, but this greatly improves the usability overall.  The
 * config reset magic is relatively common on AMD GPUs, but the setup and SMC
 * poking is largely ASIC specific.
*/
/*
 * Check whether the GPU's SMC firmware is running, mirroring the Linux
 * ci_is_smc_running() logic referenced above.
 *
 * Two words are read through the BAR5 indirect window: the one the Linux
 * code treats as the SMC clock control register (index 0x80000004) and the
 * SMC program counter (index 0x80000370; only the indices are visible here).
 * Returns true when the clock-disable bit is clear and the program counter
 * has advanced past 0x20100.  All accesses go straight to the host device.
 */
static bool vfio_radeon_smc_is_running(VFIOPCIDevice *vdev)
{
    uint32_t clk, pc_c;

    /*
     * Registers 200h and 204h are index and data registers for accessing
     * indirect configuration registers within the device.
     */
    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
    clk = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000370, 4);
    pc_c = vfio_region_read(&vdev->bars[5].region, 0x204, 4);

    /* Bit 0 of clk set means the SMC clock is disabled (see vfio_radeon_reset) */
    return (!(clk & 1) && (0x20100 <= pc_c));
}

/*
 * The scope of a config reset is controlled by a mode bit in the misc register
 * and a fuse, exposed as a bit in another register.  The fuse is the default
 * (0 = GFX, 1 = whole GPU), the misc bit is a toggle, with the formula
 * scope = !(misc ^ fuse), where the resulting scope is defined the same as
 * the fuse.  A truth table therefore tells us that if misc == fuse, we need
 * to flip the value of the bit in the misc register.
 */
/*
 * Make sure a subsequent config reset touches only the GFX block.
 *
 * The fuse bit (bit 6 of the word at indirect index 0xc00c0000) and the
 * misc bit (bit 1 of the word at index 0xc0000010) sit at different bit
 * positions, so both are reduced to bool before they are compared.  When
 * they are equal the misc bit is flipped and the data register is read
 * back to post the write.
 */
static void vfio_radeon_set_gfx_only_reset(VFIOPCIDevice *vdev)
{
    uint32_t misc, fuse;
    bool a, b;

    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc00c0000, 4);
    fuse = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
    b = fuse & 64;

    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc0000010, 4);
    misc = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
    a = misc & 2;

    if (a == b) {
        vfio_region_write(&vdev->bars[5].region, 0x204, misc ^ 2, 4);
        vfio_region_read(&vdev->bars[5].region, 0x204, 4); /* flush */
    }
}

/*
 * Device-specific reset for Bonaire/Hawaii, installed as vdev->resetfn by
 * vfio_setup_resetfn_quirk().  This pokes the host device directly through
 * its config space and BAR5, so it only makes sense for the device IDs
 * listed there.
 *
 * Returns 0 once the reset sequence has run (also after a poll timeout,
 * which is only traced), -ENODEV when the kernel already provides a working
 * reset so that should be used instead, and -EINVAL when the SMC firmware
 * is not running, since the config reset would have no effect then.
 *
 * Timing: the call sleeps 100us and may then poll up to 100000 times with
 * a 1us sleep each, so in the timeout case it blocks the calling thread for
 * well over 100ms.
 */
static int vfio_radeon_reset(VFIOPCIDevice *vdev)
{
    PCIDevice *pdev = &vdev->pdev;
    int i, ret = 0;
    uint32_t data;

    /* Defer to a kernel implemented reset */
    if (vdev->vbasedev.reset_works) {
        trace_vfio_quirk_ati_bonaire_reset_skipped(vdev->vbasedev.name);
        return -ENODEV;
    }

    /* Enable only memory BAR access */
    vfio_pci_write_config(pdev, PCI_COMMAND, PCI_COMMAND_MEMORY, 2);

    /* Reset only works if SMC firmware is loaded and running */
    if (!vfio_radeon_smc_is_running(vdev)) {
        ret = -EINVAL;
        trace_vfio_quirk_ati_bonaire_reset_no_smc(vdev->vbasedev.name);
        goto out;
    }

    /* Make sure only the GFX function is reset */
    vfio_radeon_set_gfx_only_reset(vdev);

    /* AMD PCI config reset */
    vfio_pci_write_config(pdev, 0x7c, 0x39d5e86b, 4);
    usleep(100);

    /* Read back the memory size to make sure we're out of reset */
    for (i = 0; i < 100000; i++) {
        if (vfio_region_read(&vdev->bars[5].region, 0x5428, 4) != 0xffffffff) {
            goto reset_smc;
        }
        usleep(1);
    }

    /* Timeout is only traced; the SMC reset below still runs and ret stays 0 */
    trace_vfio_quirk_ati_bonaire_reset_timeout(vdev->vbasedev.name);

reset_smc:
    /* Reset SMC */
    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000000, 4);
    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
    data |= 1;
    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);

    /* Disable SMC clock (same index vfio_radeon_smc_is_running() tests) */
    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
    data |= 1;
    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);

    trace_vfio_quirk_ati_bonaire_reset_done(vdev->vbasedev.name);

out:
    /*
     * Restore PCI command register.  Note this writes 0 rather than the
     * value present before the memory-only write above; presumably fine
     * because this runs as part of a device reset, where the guest
     * re-initialises the register anyway.
     */
    vfio_pci_write_config(pdev, PCI_COMMAND, 0, 2);

    return ret;
}

/*
 * Install a device-specific reset routine where the generic reset is known
 * not to work.  Currently only AMD (vendor 0x1002) Bonaire and Hawaii GPUs
 * get one; every other device leaves vdev->resetfn untouched.  The device
 * ID list follows include/drm/drm_pciids.h as referenced above.
 */
void vfio_setup_resetfn_quirk(VFIOPCIDevice *vdev)
{
    switch (vdev->vendor_id) {
    case 0x1002:
        switch (vdev->device_id) {
        /* Bonaire */
        case 0x6649: /* Bonaire [FirePro W5100] */
        case 0x6650:
        case 0x6651:
        case 0x6658: /* Bonaire XTX [Radeon R7 260X] */
        case 0x665c: /* Bonaire XT [Radeon HD 7790/8770 / R9 260 OEM] */
        case 0x665d: /* Bonaire [Radeon R7 200 Series] */
        /* Hawaii */
        case 0x67A0: /* Hawaii XT GL [FirePro W9100] */
        case 0x67A1: /* Hawaii PRO GL [FirePro W8100] */
        case 0x67A2:
        case 0x67A8:
        case 0x67A9:
        case 0x67AA:
        case 0x67B0: /* Hawaii XT [Radeon R9 290X] */
        case 0x67B1: /* Hawaii PRO [Radeon R9 290] */
        case 0x67B8:
        case 0x67B9:
        case 0x67BA:
        case 0x67BE:
            vdev->resetfn = vfio_radeon_reset;
            trace_vfio_quirk_ati_bonaire_reset(vdev->vbasedev.name);
            break;
        }
        break;
    }
}

/*
 * The NVIDIA GPUDirect P2P Vendor capability allows the user to specify
 * devices as a member of a clique.  Devices within the same clique ID
 * are capable of direct P2P.  It's the user's responsibility that this
 * is correct.  The spec says that this may reside at any unused config
 * offset, but reserves and recommends hypervisors place this at C8h.
* The spec also states that the hypervisor should place this capability
 * at the end of the capability list, thus next is defined as 0h.
 *
 * +----------------+----------------+----------------+----------------+
 * | sig 7:0 ('P')  | vndr len (8h)  | next (0h)      | cap id (9h)    |
 * +----------------+----------------+----------------+----------------+
 * | rsvd 15:7(0h),id 6:3,ver 2:0(0h)|        sig 23:8 ('P2')          |
 * +---------------------------------+---------------------------------+
 *
 * https://lists.gnu.org/archive/html/qemu-devel/2017-08/pdfUda5iEpgOS.pdf
 *
 * The capability is purely informational: nothing in this file checks that
 * the devices placed in a clique can actually reach each other, or that the
 * host IOMMU configuration permits it.
 */

/*
 * qdev property getter: expose the stored clique ID as a uint8.
 */
static void get_nv_gpudirect_clique_id(Object *obj, Visitor *v,
                                       const char *name, void *opaque,
                                       Error **errp)
{
    DeviceState *dev = DEVICE(obj);
    Property *prop = opaque;
    uint8_t *ptr = qdev_get_prop_ptr(dev, prop);

    visit_type_uint8(v, name, ptr, errp);
}

/*
 * qdev property setter for the clique ID.
 *
 * Setting the property after the device is realized is refused.  The value
 * is parsed as a uint8 and then restricted to 0-15 so that the shifted form
 * vfio_add_nv_gpudirect_cap() writes into config space (id << 3) stays
 * within bits 6:3 of its byte.  The value originates from the host-side
 * device configuration, not from the guest.
 */
static void set_nv_gpudirect_clique_id(Object *obj, Visitor *v,
                                       const char *name, void *opaque,
                                       Error **errp)
{
    DeviceState *dev = DEVICE(obj);
    Property *prop = opaque;
    uint8_t value, *ptr = qdev_get_prop_ptr(dev, prop);
    Error *local_err = NULL;

    if (dev->realized) {
        qdev_prop_set_after_realize(dev, name, errp);
        return;
    }

    visit_type_uint8(v, name, &value, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }

    /* Only a 4-bit ID fits the capability's id field */
    if (value & ~0xF) {
        error_setg(errp, "Property %s: valid range 0-15", name);
        return;
    }

    *ptr = value;
}

/*
 * Property type for the 4-bit clique ID.  Presumably bound to
 * vdev->nv_gpudirect_clique in the device's property table (outside this
 * excerpt); that field is what vfio_add_nv_gpudirect_cap() consumes.
 */
const PropertyInfo qdev_prop_nv_gpudirect_clique = {
    .name = "uint4",
    .description = "NVIDIA GPUDirect Clique ID (0 - 15)",
    .get = get_nv_gpudirect_clique_id,
    .set = set_nv_gpudirect_clique_id,
};

/*
 * Add the NVIDIA GPUDirect P2P vendor capability described above to the
 * emulated config space of @vdev.
 *
 * A clique ID of 0xFF is treated as "option not given" (the setter only
 * accepts 0-15, so that value can only be a default): nothing is added and
 * 0 is returned.  The capability is only offered for NVIDIA display-class
 * devices; anything else yields -EINVAL with @errp set.  pci_add_capability()
 * reserves 8 bytes at the recommended offset 0xC8 and is expected to fail
 * (negative return, @errp set) if that range is already occupied.
 *
 * Returns 0 on success or when nothing needs doing, -EINVAL for an
 * unsupported device, or the negative value from pci_add_capability().
 */
static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
{
    PCIDevice *pdev = &vdev->pdev;
    int ret, pos = 0xC8;

    if (vdev->nv_gpudirect_clique == 0xFF) {
        return 0;
    }

    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID)) {
        error_setg(errp, "NVIDIA GPUDirect Clique ID: invalid device vendor");
        return -EINVAL;
    }

    /* The base class is the upper byte of the 16-bit class word */
    if (pci_get_byte(pdev->config + PCI_CLASS_DEVICE + 1) !=
        PCI_BASE_CLASS_DISPLAY) {
        error_setg(errp, "NVIDIA GPUDirect Clique ID: unsupported PCI class");
        return -EINVAL;
    }

    ret = pci_add_capability(pdev, PCI_CAP_ID_VNDR, pos, 8, errp);
    if (ret < 0) {
        error_prepend(errp, "Failed to add NVIDIA GPUDirect cap: ");
        return ret;
    }

    /*
     * Flag all 8 bytes as emulated so the guest sees QEMU's copy rather
     * than whatever the physical device has at this offset (the config
     * read/write dispatch on emulated_config_bits lives outside this file
     * excerpt).
     */
    memset(vdev->emulated_config_bits + pos, 0xFF, 8);
    /* Skip the cap ID and next pointer, which pci_add_capability() fills in */
    pos += PCI_CAP_FLAGS;
    pci_set_byte(pdev->config + pos++, 8);     /* vendor-specific length */
    pci_set_byte(pdev->config + pos++, 'P');   /* sig 7:0 */
    pci_set_byte(pdev->config + pos++, '2');   /* sig 15:8 */
    pci_set_byte(pdev->config + pos++, 'P');   /* sig 23:16 */
    /* ver 2:0 = 0, id 6:3 = clique; an id <= 15 keeps rsvd bit 7 clear */
    pci_set_byte(pdev->config + pos++, vdev->nv_gpudirect_clique << 3);
    pci_set_byte(pdev->config + pos, 0);       /* rsvd 15:8 */

    return 0;
}

/*
 * Add the "virtual" capabilities, i.e. the ones QEMU synthesises in the
 * emulated config space rather than passing through from the device.
 * Currently that is only the NVIDIA GPUDirect clique capability; further
 * ones should be chained here so the first failure is returned with @errp.
 *
 * Returns 0 on success or the error code of the failing step.
 */
int vfio_add_virt_caps(VFIOPCIDevice *vdev, Error **errp)
{
    int ret;

    ret = vfio_add_nv_gpudirect_cap(vdev, errp);
    if (ret) {
        return ret;
    }

    return 0;
}