LXR qemu/hw/vfio/pci-quirks.c

   1/*
   2 * device quirks for PCI devices
   3 *
   4 * Copyright Red Hat, Inc. 2012-2015
   5 *
   6 * Authors:
   7 *  Alex Williamson <alex.williamson@redhat.com>
   8 *
   9 * This work is licensed under the terms of the GNU GPL, version 2.  See
  10 * the COPYING file in the top-level directory.
  11 */
  12
  13#include "qemu/osdep.h"
  14#include "qemu/error-report.h"
  15#include "qemu/range.h"
  16#include "qapi/error.h"
  17#include "hw/nvram/fw_cfg.h"
  18#include "pci.h"
  19#include "trace.h"
  20
  21/* Use uin32_t for vendor & device so PCI_ANY_ID expands and cannot match hw */
  22static bool vfio_pci_is(VFIOPCIDevice *vdev, uint32_t vendor, uint32_t device)
  23{
  24    return (vendor == PCI_ANY_ID || vendor == vdev->vendor_id) &&
  25           (device == PCI_ANY_ID || device == vdev->device_id);
  26}
  27
  28static bool vfio_is_vga(VFIOPCIDevice *vdev)
  29{
  30    PCIDevice *pdev = &vdev->pdev;
  31    uint16_t class = pci_get_word(pdev->config + PCI_CLASS_DEVICE);
  32
  33    return class == PCI_CLASS_DISPLAY_VGA;
  34}
  35
  36/*
  37 * List of device ids/vendor ids for which to disable
  38 * option rom loading. This avoids the guest hangs during rom
  39 * execution as noticed with the BCM 57810 card for lack of a
  40 * more better way to handle such issues.
  41 * The  user can still override by specifying a romfile or
  42 * rombar=1.
  43 * Please see https://bugs.launchpad.net/qemu/+bug/1284874
  44 * for an analysis of the 57810 card hang. When adding
  45 * a new vendor id/device id combination below, please also add
  46 * your card/environment details and information that could
  47 * help in debugging to the bug tracking this issue
  48 */
  49static const struct {
  50    uint32_t vendor;
  51    uint32_t device;
  52} romblacklist[] = {
  53    { 0x14e4, 0x168e }, /* Broadcom BCM 57810 */
  54};
  55
  56bool vfio_blacklist_opt_rom(VFIOPCIDevice *vdev)
  57{
  58    int i;
  59
  60    for (i = 0 ; i < ARRAY_SIZE(romblacklist); i++) {
  61        if (vfio_pci_is(vdev, romblacklist[i].vendor, romblacklist[i].device)) {
  62            trace_vfio_quirk_rom_blacklisted(vdev->vbasedev.name,
  63                                             romblacklist[i].vendor,
  64                                             romblacklist[i].device);
  65            return true;
  66        }
  67    }
  68    return false;
  69}
  70
  71/*
  72 * Device specific region quirks (mostly backdoors to PCI config space)
  73 */
  74
  75/*
  76 * The generic window quirks operate on an address and data register,
  77 * vfio_generic_window_address_quirk handles the address register and
  78 * vfio_generic_window_data_quirk handles the data register.  These ops
  79 * pass reads and writes through to hardware until a value matching the
  80 * stored address match/mask is written.  When this occurs, the data
  81 * register access emulated PCI config space for the device rather than
  82 * passing through accesses.  This enables devices where PCI config space
  83 * is accessible behind a window register to maintain the virtualization
  84 * provided through vfio.
  85 */
  86typedef struct VFIOConfigWindowMatch {
  87    uint32_t match;
  88    uint32_t mask;
  89} VFIOConfigWindowMatch;
  90
  91typedef struct VFIOConfigWindowQuirk {
  92    struct VFIOPCIDevice *vdev;
  93
  94    uint32_t address_val;
  95
  96    uint32_t address_offset;
  97    uint32_t data_offset;
  98
  99    bool window_enabled;
 100    uint8_t bar;
 101
 102    MemoryRegion *addr_mem;
 103    MemoryRegion *data_mem;
 104
 105    uint32_t nr_matches;
 106    VFIOConfigWindowMatch matches[];
 107} VFIOConfigWindowQuirk;
 108
 109static uint64_t vfio_generic_window_quirk_address_read(void *opaque,
 110                                                       hwaddr addr,
 111                                                       unsigned size)
 112{
 113    VFIOConfigWindowQuirk *window = opaque;
 114    VFIOPCIDevice *vdev = window->vdev;
 115
 116    return vfio_region_read(&vdev->bars[window->bar].region,
 117                            addr + window->address_offset, size);
 118}
 119
 120static void vfio_generic_window_quirk_address_write(void *opaque, hwaddr addr,
 121                                                    uint64_t data,
 122                                                    unsigned size)
 123{
 124    VFIOConfigWindowQuirk *window = opaque;
 125    VFIOPCIDevice *vdev = window->vdev;
 126    int i;
 127
 128    window->window_enabled = false;
 129
 130    vfio_region_write(&vdev->bars[window->bar].region,
 131                      addr + window->address_offset, data, size);
 132
 133    for (i = 0; i < window->nr_matches; i++) {
 134        if ((data & ~window->matches[i].mask) == window->matches[i].match) {
 135            window->window_enabled = true;
 136            window->address_val = data & window->matches[i].mask;
 137            trace_vfio_quirk_generic_window_address_write(vdev->vbasedev.name,
 138                                    memory_region_name(window->addr_mem), data);
 139            break;
 140        }
 141    }
 142}
 143
 144static const MemoryRegionOps vfio_generic_window_address_quirk = {
 145    .read = vfio_generic_window_quirk_address_read,
 146    .write = vfio_generic_window_quirk_address_write,
 147    .endianness = DEVICE_LITTLE_ENDIAN,
 148};
 149
 150static uint64_t vfio_generic_window_quirk_data_read(void *opaque,
 151                                                    hwaddr addr, unsigned size)
 152{
 153    VFIOConfigWindowQuirk *window = opaque;
 154    VFIOPCIDevice *vdev = window->vdev;
 155    uint64_t data;
 156
 157    /* Always read data reg, discard if window enabled */
 158    data = vfio_region_read(&vdev->bars[window->bar].region,
 159                            addr + window->data_offset, size);
 160
 161    if (window->window_enabled) {
 162        data = vfio_pci_read_config(&vdev->pdev, window->address_val, size);
 163        trace_vfio_quirk_generic_window_data_read(vdev->vbasedev.name,
 164                                    memory_region_name(window->data_mem), data);
 165    }
 166
 167    return data;
 168}
 169
 170static void vfio_generic_window_quirk_data_write(void *opaque, hwaddr addr,
 171                                                 uint64_t data, unsigned size)
 172{
 173    VFIOConfigWindowQuirk *window = opaque;
 174    VFIOPCIDevice *vdev = window->vdev;
 175
 176    if (window->window_enabled) {
 177        vfio_pci_write_config(&vdev->pdev, window->address_val, data, size);
 178        trace_vfio_quirk_generic_window_data_write(vdev->vbasedev.name,
 179                                    memory_region_name(window->data_mem), data);
 180        return;
 181    }
 182
 183    vfio_region_write(&vdev->bars[window->bar].region,
 184                      addr + window->data_offset, data, size);
 185}
 186
 187static const MemoryRegionOps vfio_generic_window_data_quirk = {
 188    .read = vfio_generic_window_quirk_data_read,
 189    .write = vfio_generic_window_quirk_data_write,
 190    .endianness = DEVICE_LITTLE_ENDIAN,
 191};
 192
 193/*
 194 * The generic mirror quirk handles devices which expose PCI config space
 195 * through a region within a BAR.  When enabled, reads and writes are
 196 * redirected through to emulated PCI config space.  XXX if PCI config space
 197 * used memory regions, this could just be an alias.
 198 */
 199typedef struct VFIOConfigMirrorQuirk {
 200    struct VFIOPCIDevice *vdev;
 201    uint32_t offset;
 202    uint8_t bar;
 203    MemoryRegion *mem;
 204} VFIOConfigMirrorQuirk;
 205
 206static uint64_t vfio_generic_quirk_mirror_read(void *opaque,
 207                                               hwaddr addr, unsigned size)
 208{
 209    VFIOConfigMirrorQuirk *mirror = opaque;
 210    VFIOPCIDevice *vdev = mirror->vdev;
 211    uint64_t data;
 212
 213    /* Read and discard in case the hardware cares */
 214    (void)vfio_region_read(&vdev->bars[mirror->bar].region,
 215                           addr + mirror->offset, size);
 216
 217    data = vfio_pci_read_config(&vdev->pdev, addr, size);
 218    trace_vfio_quirk_generic_mirror_read(vdev->vbasedev.name,
 219                                         memory_region_name(mirror->mem),
 220                                         addr, data);
 221    return data;
 222}
 223
 224static void vfio_generic_quirk_mirror_write(void *opaque, hwaddr addr,
 225                                            uint64_t data, unsigned size)
 226{
 227    VFIOConfigMirrorQuirk *mirror = opaque;
 228    VFIOPCIDevice *vdev = mirror->vdev;
 229
 230    vfio_pci_write_config(&vdev->pdev, addr, data, size);
 231    trace_vfio_quirk_generic_mirror_write(vdev->vbasedev.name,
 232                                          memory_region_name(mirror->mem),
 233                                          addr, data);
 234}
 235
 236static const MemoryRegionOps vfio_generic_mirror_quirk = {
 237    .read = vfio_generic_quirk_mirror_read,
 238    .write = vfio_generic_quirk_mirror_write,
 239    .endianness = DEVICE_LITTLE_ENDIAN,
 240};
 241
 242/* Is range1 fully contained within range2?  */
 243static bool vfio_range_contained(uint64_t first1, uint64_t len1,
 244                                 uint64_t first2, uint64_t len2) {
 245    return (first1 >= first2 && first1 + len1 <= first2 + len2);
 246}
 247
 248#define PCI_VENDOR_ID_ATI               0x1002
 249
 250/*
 251 * Radeon HD cards (HD5450 & HD7850) report the upper byte of the I/O port BAR
 252 * through VGA register 0x3c3.  On newer cards, the I/O port BAR is always
 253 * BAR4 (older cards like the X550 used BAR1, but we don't care to support
 254 * those).  Note that on bare metal, a read of 0x3c3 doesn't always return the
 255 * I/O port BAR address.  Originally this was coded to return the virtual BAR
 256 * address only if the physical register read returns the actual BAR address,
 257 * but users have reported greater success if we return the virtual address
 258 * unconditionally.
 259 */
 260static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
 261                                        hwaddr addr, unsigned size)
 262{
 263    VFIOPCIDevice *vdev = opaque;
 264    uint64_t data = vfio_pci_read_config(&vdev->pdev,
 265                                         PCI_BASE_ADDRESS_4 + 1, size);
 266
 267    trace_vfio_quirk_ati_3c3_read(vdev->vbasedev.name, data);
 268
 269    return data;
 270}
 271
 272static const MemoryRegionOps vfio_ati_3c3_quirk = {
 273    .read = vfio_ati_3c3_quirk_read,
 274    .endianness = DEVICE_LITTLE_ENDIAN,
 275};
 276
 277static void vfio_vga_probe_ati_3c3_quirk(VFIOPCIDevice *vdev)
 278{
 279    VFIOQuirk *quirk;
 280
 281    /*
 282     * As long as the BAR is >= 256 bytes it will be aligned such that the
 283     * lower byte is always zero.  Filter out anything else, if it exists.
 284     */
 285    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 286        !vdev->bars[4].ioport || vdev->bars[4].region.size < 256) {
 287        return;
 288    }
 289
 290    quirk = g_malloc0(sizeof(*quirk));
 291    quirk->mem = g_new0(MemoryRegion, 1);
 292    quirk->nr_mem = 1;
 293
 294    memory_region_init_io(quirk->mem, OBJECT(vdev), &vfio_ati_3c3_quirk, vdev,
 295                          "vfio-ati-3c3-quirk", 1);
 296    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 297                                3 /* offset 3 bytes from 0x3c0 */, quirk->mem);
 298
 299    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
 300                      quirk, next);
 301
 302    trace_vfio_quirk_ati_3c3_probe(vdev->vbasedev.name);
 303}
 304
 305/*
 306 * Newer ATI/AMD devices, including HD5450 and HD7850, have a mirror to PCI
 307 * config space through MMIO BAR2 at offset 0x4000.  Nothing seems to access
 308 * the MMIO space directly, but a window to this space is provided through
 309 * I/O port BAR4.  Offset 0x0 is the address register and offset 0x4 is the
 310 * data register.  When the address is programmed to a range of 0x4000-0x4fff
 311 * PCI configuration space is available.  Experimentation seems to indicate
 312 * that read-only may be provided by hardware.
 313 */
 314static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, int nr)
 315{
 316    VFIOQuirk *quirk;
 317    VFIOConfigWindowQuirk *window;
 318
 319    /* This windows doesn't seem to be used except by legacy VGA code */
 320    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 321        !vdev->vga || nr != 4) {
 322        return;
 323    }
 324
 325    quirk = g_malloc0(sizeof(*quirk));
 326    quirk->mem = g_new0(MemoryRegion, 2);
 327    quirk->nr_mem = 2;
 328    window = quirk->data = g_malloc0(sizeof(*window) +
 329                                     sizeof(VFIOConfigWindowMatch));
 330    window->vdev = vdev;
 331    window->address_offset = 0;
 332    window->data_offset = 4;
 333    window->nr_matches = 1;
 334    window->matches[0].match = 0x4000;
 335    window->matches[0].mask = vdev->config_size - 1;
 336    window->bar = nr;
 337    window->addr_mem = &quirk->mem[0];
 338    window->data_mem = &quirk->mem[1];
 339
 340    memory_region_init_io(window->addr_mem, OBJECT(vdev),
 341                          &vfio_generic_window_address_quirk, window,
 342                          "vfio-ati-bar4-window-address-quirk", 4);
 343    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 344                                        window->address_offset,
 345                                        window->addr_mem, 1);
 346
 347    memory_region_init_io(window->data_mem, OBJECT(vdev),
 348                          &vfio_generic_window_data_quirk, window,
 349                          "vfio-ati-bar4-window-data-quirk", 4);
 350    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 351                                        window->data_offset,
 352                                        window->data_mem, 1);
 353
 354    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 355
 356    trace_vfio_quirk_ati_bar4_probe(vdev->vbasedev.name);
 357}
 358
 359/*
 360 * Trap the BAR2 MMIO mirror to config space as well.
 361 */
 362static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, int nr)
 363{
 364    VFIOQuirk *quirk;
 365    VFIOConfigMirrorQuirk *mirror;
 366
 367    /* Only enable on newer devices where BAR2 is 64bit */
 368    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 369        !vdev->vga || nr != 2 || !vdev->bars[2].mem64) {
 370        return;
 371    }
 372
 373    quirk = g_malloc0(sizeof(*quirk));
 374    mirror = quirk->data = g_malloc0(sizeof(*mirror));
 375    mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 376    quirk->nr_mem = 1;
 377    mirror->vdev = vdev;
 378    mirror->offset = 0x4000;
 379    mirror->bar = nr;
 380
 381    memory_region_init_io(mirror->mem, OBJECT(vdev),
 382                          &vfio_generic_mirror_quirk, mirror,
 383                          "vfio-ati-bar2-4000-quirk", PCI_CONFIG_SPACE_SIZE);
 384    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 385                                        mirror->offset, mirror->mem, 1);
 386
 387    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 388
 389    trace_vfio_quirk_ati_bar2_probe(vdev->vbasedev.name);
 390}
 391
 392/*
 393 * Older ATI/AMD cards like the X550 have a similar window to that above.
 394 * I/O port BAR1 provides a window to a mirror of PCI config space located
 395 * in BAR2 at offset 0xf00.  We don't care to support such older cards, but
 396 * note it for future reference.
 397 */
 398
 399#define PCI_VENDOR_ID_NVIDIA                    0x10de
 400
 401/*
 402 * Nvidia has several different methods to get to config space, the
 403 * nouveu project has several of these documented here:
 404 * https://github.com/pathscale/envytools/tree/master/hwdocs
 405 *
 406 * The first quirk is actually not documented in envytools and is found
 407 * on 10de:01d1 (NVIDIA Corporation G72 [GeForce 7300 LE]).  This is an
 408 * NV46 chipset.  The backdoor uses the legacy VGA I/O ports to access
 409 * the mirror of PCI config space found at BAR0 offset 0x1800.  The access
 410 * sequence first writes 0x338 to I/O port 0x3d4.  The target offset is
 411 * then written to 0x3d0.  Finally 0x538 is written for a read and 0x738
 412 * is written for a write to 0x3d4.  The BAR0 offset is then accessible
 413 * through 0x3d0.  This quirk doesn't seem to be necessary on newer cards
 414 * that use the I/O port BAR5 window but it doesn't hurt to leave it.
 415 */
 416typedef enum {NONE = 0, SELECT, WINDOW, READ, WRITE} VFIONvidia3d0State;
 417static const char *nv3d0_states[] = { "NONE", "SELECT",
 418                                      "WINDOW", "READ", "WRITE" };
 419
 420typedef struct VFIONvidia3d0Quirk {
 421    VFIOPCIDevice *vdev;
 422    VFIONvidia3d0State state;
 423    uint32_t offset;
 424} VFIONvidia3d0Quirk;
 425
 426static uint64_t vfio_nvidia_3d4_quirk_read(void *opaque,
 427                                           hwaddr addr, unsigned size)
 428{
 429    VFIONvidia3d0Quirk *quirk = opaque;
 430    VFIOPCIDevice *vdev = quirk->vdev;
 431
 432    quirk->state = NONE;
 433
 434    return vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 435                         addr + 0x14, size);
 436}
 437
 438static void vfio_nvidia_3d4_quirk_write(void *opaque, hwaddr addr,
 439                                        uint64_t data, unsigned size)
 440{
 441    VFIONvidia3d0Quirk *quirk = opaque;
 442    VFIOPCIDevice *vdev = quirk->vdev;
 443    VFIONvidia3d0State old_state = quirk->state;
 444
 445    quirk->state = NONE;
 446
 447    switch (data) {
 448    case 0x338:
 449        if (old_state == NONE) {
 450            quirk->state = SELECT;
 451            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 452                                              nv3d0_states[quirk->state]);
 453        }
 454        break;
 455    case 0x538:
 456        if (old_state == WINDOW) {
 457            quirk->state = READ;
 458            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 459                                              nv3d0_states[quirk->state]);
 460        }
 461        break;
 462    case 0x738:
 463        if (old_state == WINDOW) {
 464            quirk->state = WRITE;
 465            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 466                                              nv3d0_states[quirk->state]);
 467        }
 468        break;
 469    }
 470
 471    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 472                   addr + 0x14, data, size);
 473}
 474
 475static const MemoryRegionOps vfio_nvidia_3d4_quirk = {
 476    .read = vfio_nvidia_3d4_quirk_read,
 477    .write = vfio_nvidia_3d4_quirk_write,
 478    .endianness = DEVICE_LITTLE_ENDIAN,
 479};
 480
 481static uint64_t vfio_nvidia_3d0_quirk_read(void *opaque,
 482                                           hwaddr addr, unsigned size)
 483{
 484    VFIONvidia3d0Quirk *quirk = opaque;
 485    VFIOPCIDevice *vdev = quirk->vdev;
 486    VFIONvidia3d0State old_state = quirk->state;
 487    uint64_t data = vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 488                                  addr + 0x10, size);
 489
 490    quirk->state = NONE;
 491
 492    if (old_state == READ &&
 493        (quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
 494        uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
 495
 496        data = vfio_pci_read_config(&vdev->pdev, offset, size);
 497        trace_vfio_quirk_nvidia_3d0_read(vdev->vbasedev.name,
 498                                         offset, size, data);
 499    }
 500
 501    return data;
 502}
 503
 504static void vfio_nvidia_3d0_quirk_write(void *opaque, hwaddr addr,
 505                                        uint64_t data, unsigned size)
 506{
 507    VFIONvidia3d0Quirk *quirk = opaque;
 508    VFIOPCIDevice *vdev = quirk->vdev;
 509    VFIONvidia3d0State old_state = quirk->state;
 510
 511    quirk->state = NONE;
 512
 513    if (old_state == SELECT) {
 514        quirk->offset = (uint32_t)data;
 515        quirk->state = WINDOW;
 516        trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 517                                          nv3d0_states[quirk->state]);
 518    } else if (old_state == WRITE) {
 519        if ((quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
 520            uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
 521
 522            vfio_pci_write_config(&vdev->pdev, offset, data, size);
 523            trace_vfio_quirk_nvidia_3d0_write(vdev->vbasedev.name,
 524                                              offset, data, size);
 525            return;
 526        }
 527    }
 528
 529    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 530                   addr + 0x10, data, size);
 531}
 532
 533static const MemoryRegionOps vfio_nvidia_3d0_quirk = {
 534    .read = vfio_nvidia_3d0_quirk_read,
 535    .write = vfio_nvidia_3d0_quirk_write,
 536    .endianness = DEVICE_LITTLE_ENDIAN,
 537};
 538
 539static void vfio_vga_probe_nvidia_3d0_quirk(VFIOPCIDevice *vdev)
 540{
 541    VFIOQuirk *quirk;
 542    VFIONvidia3d0Quirk *data;
 543
 544    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 545        !vdev->bars[1].region.size) {
 546        return;
 547    }
 548
 549    quirk = g_malloc0(sizeof(*quirk));
 550    quirk->data = data = g_malloc0(sizeof(*data));
 551    quirk->mem = g_new0(MemoryRegion, 2);
 552    quirk->nr_mem = 2;
 553    data->vdev = vdev;
 554
 555    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_nvidia_3d4_quirk,
 556                          data, "vfio-nvidia-3d4-quirk", 2);
 557    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 558                                0x14 /* 0x3c0 + 0x14 */, &quirk->mem[0]);
 559
 560    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_nvidia_3d0_quirk,
 561                          data, "vfio-nvidia-3d0-quirk", 2);
 562    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 563                                0x10 /* 0x3c0 + 0x10 */, &quirk->mem[1]);
 564
 565    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
 566                      quirk, next);
 567
 568    trace_vfio_quirk_nvidia_3d0_probe(vdev->vbasedev.name);
 569}
 570
 571/*
 572 * The second quirk is documented in envytools.  The I/O port BAR5 is just
 573 * a set of address/data ports to the MMIO BARs.  The BAR we care about is
 574 * again BAR0.  This backdoor is apparently a bit newer than the one above
 575 * so we need to not only trap 256 bytes @0x1800, but all of PCI config
 576 * space, including extended space is available at the 4k @0x88000.
 577 */
 578typedef struct VFIONvidiaBAR5Quirk {
 579    uint32_t master;
 580    uint32_t enable;
 581    MemoryRegion *addr_mem;
 582    MemoryRegion *data_mem;
 583    bool enabled;
 584    VFIOConfigWindowQuirk window; /* last for match data */
 585} VFIONvidiaBAR5Quirk;
 586
 587static void vfio_nvidia_bar5_enable(VFIONvidiaBAR5Quirk *bar5)
 588{
 589    VFIOPCIDevice *vdev = bar5->window.vdev;
 590
 591    if (((bar5->master & bar5->enable) & 0x1) == bar5->enabled) {
 592        return;
 593    }
 594
 595    bar5->enabled = !bar5->enabled;
 596    trace_vfio_quirk_nvidia_bar5_state(vdev->vbasedev.name,
 597                                       bar5->enabled ?  "Enable" : "Disable");
 598    memory_region_set_enabled(bar5->addr_mem, bar5->enabled);
 599    memory_region_set_enabled(bar5->data_mem, bar5->enabled);
 600}
 601
 602static uint64_t vfio_nvidia_bar5_quirk_master_read(void *opaque,
 603                                                   hwaddr addr, unsigned size)
 604{
 605    VFIONvidiaBAR5Quirk *bar5 = opaque;
 606    VFIOPCIDevice *vdev = bar5->window.vdev;
 607
 608    return vfio_region_read(&vdev->bars[5].region, addr, size);
 609}
 610
 611static void vfio_nvidia_bar5_quirk_master_write(void *opaque, hwaddr addr,
 612                                                uint64_t data, unsigned size)
 613{
 614    VFIONvidiaBAR5Quirk *bar5 = opaque;
 615    VFIOPCIDevice *vdev = bar5->window.vdev;
 616
 617    vfio_region_write(&vdev->bars[5].region, addr, data, size);
 618
 619    bar5->master = data;
 620    vfio_nvidia_bar5_enable(bar5);
 621}
 622
 623static const MemoryRegionOps vfio_nvidia_bar5_quirk_master = {
 624    .read = vfio_nvidia_bar5_quirk_master_read,
 625    .write = vfio_nvidia_bar5_quirk_master_write,
 626    .endianness = DEVICE_LITTLE_ENDIAN,
 627};
 628
 629static uint64_t vfio_nvidia_bar5_quirk_enable_read(void *opaque,
 630                                                   hwaddr addr, unsigned size)
 631{
 632    VFIONvidiaBAR5Quirk *bar5 = opaque;
 633    VFIOPCIDevice *vdev = bar5->window.vdev;
 634
 635    return vfio_region_read(&vdev->bars[5].region, addr + 4, size);
 636}
 637
 638static void vfio_nvidia_bar5_quirk_enable_write(void *opaque, hwaddr addr,
 639                                                uint64_t data, unsigned size)
 640{
 641    VFIONvidiaBAR5Quirk *bar5 = opaque;
 642    VFIOPCIDevice *vdev = bar5->window.vdev;
 643
 644    vfio_region_write(&vdev->bars[5].region, addr + 4, data, size);
 645
 646    bar5->enable = data;
 647    vfio_nvidia_bar5_enable(bar5);
 648}
 649
 650static const MemoryRegionOps vfio_nvidia_bar5_quirk_enable = {
 651    .read = vfio_nvidia_bar5_quirk_enable_read,
 652    .write = vfio_nvidia_bar5_quirk_enable_write,
 653    .endianness = DEVICE_LITTLE_ENDIAN,
 654};
 655
 656static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice *vdev, int nr)
 657{
 658    VFIOQuirk *quirk;
 659    VFIONvidiaBAR5Quirk *bar5;
 660    VFIOConfigWindowQuirk *window;
 661
 662    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 663        !vdev->vga || nr != 5 || !vdev->bars[5].ioport) {
 664        return;
 665    }
 666
 667    quirk = g_malloc0(sizeof(*quirk));
 668    quirk->mem = g_new0(MemoryRegion, 4);
 669    quirk->nr_mem = 4;
 670    bar5 = quirk->data = g_malloc0(sizeof(*bar5) +
 671                                   (sizeof(VFIOConfigWindowMatch) * 2));
 672    window = &bar5->window;
 673
 674    window->vdev = vdev;
 675    window->address_offset = 0x8;
 676    window->data_offset = 0xc;
 677    window->nr_matches = 2;
 678    window->matches[0].match = 0x1800;
 679    window->matches[0].mask = PCI_CONFIG_SPACE_SIZE - 1;
 680    window->matches[1].match = 0x88000;
 681    window->matches[1].mask = vdev->config_size - 1;
 682    window->bar = nr;
 683    window->addr_mem = bar5->addr_mem = &quirk->mem[0];
 684    window->data_mem = bar5->data_mem = &quirk->mem[1];
 685
 686    memory_region_init_io(window->addr_mem, OBJECT(vdev),
 687                          &vfio_generic_window_address_quirk, window,
 688                          "vfio-nvidia-bar5-window-address-quirk", 4);
 689    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 690                                        window->address_offset,
 691                                        window->addr_mem, 1);
 692    memory_region_set_enabled(window->addr_mem, false);
 693
 694    memory_region_init_io(window->data_mem, OBJECT(vdev),
 695                          &vfio_generic_window_data_quirk, window,
 696                          "vfio-nvidia-bar5-window-data-quirk", 4);
 697    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 698                                        window->data_offset,
 699                                        window->data_mem, 1);
 700    memory_region_set_enabled(window->data_mem, false);
 701
 702    memory_region_init_io(&quirk->mem[2], OBJECT(vdev),
 703                          &vfio_nvidia_bar5_quirk_master, bar5,
 704                          "vfio-nvidia-bar5-master-quirk", 4);
 705    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 706                                        0, &quirk->mem[2], 1);
 707
 708    memory_region_init_io(&quirk->mem[3], OBJECT(vdev),
 709                          &vfio_nvidia_bar5_quirk_enable, bar5,
 710                          "vfio-nvidia-bar5-enable-quirk", 4);
 711    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 712                                        4, &quirk->mem[3], 1);
 713
 714    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 715
 716    trace_vfio_quirk_nvidia_bar5_probe(vdev->vbasedev.name);
 717}
 718
 719/*
 720 * Finally, BAR0 itself.  We want to redirect any accesses to either
 721 * 0x1800 or 0x88000 through the PCI config space access functions.
 722 */
 723static void vfio_nvidia_quirk_mirror_write(void *opaque, hwaddr addr,
 724                                           uint64_t data, unsigned size)
 725{
 726    VFIOConfigMirrorQuirk *mirror = opaque;
 727    VFIOPCIDevice *vdev = mirror->vdev;
 728    PCIDevice *pdev = &vdev->pdev;
 729
 730    vfio_generic_quirk_mirror_write(opaque, addr, data, size);
 731
 732    /*
 733     * Nvidia seems to acknowledge MSI interrupts by writing 0xff to the
 734     * MSI capability ID register.  Both the ID and next register are
 735     * read-only, so we allow writes covering either of those to real hw.
 736     */
 737    if ((pdev->cap_present & QEMU_PCI_CAP_MSI) &&
 738        vfio_range_contained(addr, size, pdev->msi_cap, PCI_MSI_FLAGS)) {
 739        vfio_region_write(&vdev->bars[mirror->bar].region,
 740                          addr + mirror->offset, data, size);
 741        trace_vfio_quirk_nvidia_bar0_msi_ack(vdev->vbasedev.name);
 742    }
 743}
 744
 745static const MemoryRegionOps vfio_nvidia_mirror_quirk = {
 746    .read = vfio_generic_quirk_mirror_read,
 747    .write = vfio_nvidia_quirk_mirror_write,
 748    .endianness = DEVICE_LITTLE_ENDIAN,
 749};
 750
 751static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice *vdev, int nr)
 752{
 753    VFIOQuirk *quirk;
 754    VFIOConfigMirrorQuirk *mirror;
 755
 756    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 757        !vfio_is_vga(vdev) || nr != 0) {
 758        return;
 759    }
 760
 761    quirk = g_malloc0(sizeof(*quirk));
 762    mirror = quirk->data = g_malloc0(sizeof(*mirror));
 763    mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 764    quirk->nr_mem = 1;
 765    mirror->vdev = vdev;
 766    mirror->offset = 0x88000;
 767    mirror->bar = nr;
 768
 769    memory_region_init_io(mirror->mem, OBJECT(vdev),
 770                          &vfio_nvidia_mirror_quirk, mirror,
 771                          "vfio-nvidia-bar0-88000-mirror-quirk",
 772                          vdev->config_size);
 773    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 774                                        mirror->offset, mirror->mem, 1);
 775
 776    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 777
 778    /* The 0x1800 offset mirror only seems to get used by legacy VGA */
 779    if (vdev->vga) {
 780        quirk = g_malloc0(sizeof(*quirk));
 781        mirror = quirk->data = g_malloc0(sizeof(*mirror));
 782        mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 783        quirk->nr_mem = 1;
 784        mirror->vdev = vdev;
 785        mirror->offset = 0x1800;
 786        mirror->bar = nr;
 787
 788        memory_region_init_io(mirror->mem, OBJECT(vdev),
 789                              &vfio_nvidia_mirror_quirk, mirror,
 790                              "vfio-nvidia-bar0-1800-mirror-quirk",
 791                              PCI_CONFIG_SPACE_SIZE);
 792        memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 793                                            mirror->offset, mirror->mem, 1);
 794
 795        QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 796    }
 797
 798    trace_vfio_quirk_nvidia_bar0_probe(vdev->vbasedev.name);
 799}
 800
 801/*
 802 * TODO - Some Nvidia devices provide config access to their companion HDA
 803 * device and even to their parent bridge via these config space mirrors.
 804 * Add quirks for those regions.
 805 */
 806
 807#define PCI_VENDOR_ID_REALTEK 0x10ec
 808
 809/*
 810 * RTL8168 devices have a backdoor that can access the MSI-X table.  At BAR2
 811 * offset 0x70 there is a dword data register, offset 0x74 is a dword address
 812 * register.  According to the Linux r8169 driver, the MSI-X table is addressed
 813 * when the "type" portion of the address register is set to 0x1.  This appears
 814 * to be bits 16:30.  Bit 31 is both a write indicator and some sort of
 815 * "address latched" indicator.  Bits 12:15 are a mask field, which we can
 816 * ignore because the MSI-X table should always be accessed as a dword (full
 817 * mask).  Bits 0:11 is offset within the type.
 818 *
 819 * Example trace:
 820 *
 821 * Read from MSI-X table offset 0
 822 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x1f000, 4) // store read addr
 823 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x8001f000 // latch
 824 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x70, 4) = 0xfee00398 // read data
 825 *
 826 * Write 0xfee00000 to MSI-X table offset 0
 827 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x70, 0xfee00000, 4) // write data
 828 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x8001f000, 4) // do write
 829 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x1f000 // complete
 830 */
 831typedef struct VFIOrtl8168Quirk {
 832    VFIOPCIDevice *vdev;
 833    uint32_t addr;
 834    uint32_t data;
 835    bool enabled;
 836} VFIOrtl8168Quirk;
 837
 838static uint64_t vfio_rtl8168_quirk_address_read(void *opaque,
 839                                                hwaddr addr, unsigned size)
 840{
 841    VFIOrtl8168Quirk *rtl = opaque;
 842    VFIOPCIDevice *vdev = rtl->vdev;
 843    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x74, size);
 844
 845    if (rtl->enabled) {
 846        data = rtl->addr ^ 0x80000000U; /* latch/complete */
 847        trace_vfio_quirk_rtl8168_fake_latch(vdev->vbasedev.name, data);
 848    }
 849
 850    return data;
 851}
 852
 853static void vfio_rtl8168_quirk_address_write(void *opaque, hwaddr addr,
 854                                             uint64_t data, unsigned size)
 855{
 856    VFIOrtl8168Quirk *rtl = opaque;
 857    VFIOPCIDevice *vdev = rtl->vdev;
 858
 859    rtl->enabled = false;
 860
 861    if ((data & 0x7fff0000) == 0x10000) { /* MSI-X table */
 862        rtl->enabled = true;
 863        rtl->addr = (uint32_t)data;
 864
 865        if (data & 0x80000000U) { /* Do write */
 866            if (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX) {
 867                hwaddr offset = data & 0xfff;
 868                uint64_t val = rtl->data;
 869
 870                trace_vfio_quirk_rtl8168_msix_write(vdev->vbasedev.name,
 871                                                    (uint16_t)offset, val);
 872
 873                /* Write to the proper guest MSI-X table instead */
 874                memory_region_dispatch_write(&vdev->pdev.msix_table_mmio,
 875                                             offset, val, size,
 876                                             MEMTXATTRS_UNSPECIFIED);
 877            }
 878            return; /* Do not write guest MSI-X data to hardware */
 879        }
 880    }
 881
 882    vfio_region_write(&vdev->bars[2].region, addr + 0x74, data, size);
 883}
 884
 885static const MemoryRegionOps vfio_rtl_address_quirk = {
 886    .read = vfio_rtl8168_quirk_address_read,
 887    .write = vfio_rtl8168_quirk_address_write,
 888    .valid = {
 889        .min_access_size = 4,
 890        .max_access_size = 4,
 891        .unaligned = false,
 892    },
 893    .endianness = DEVICE_LITTLE_ENDIAN,
 894};
 895
 896static uint64_t vfio_rtl8168_quirk_data_read(void *opaque,
 897                                             hwaddr addr, unsigned size)
 898{
 899    VFIOrtl8168Quirk *rtl = opaque;
 900    VFIOPCIDevice *vdev = rtl->vdev;
 901    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x70, size);
 902
 903    if (rtl->enabled && (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX)) {
 904        hwaddr offset = rtl->addr & 0xfff;
 905        memory_region_dispatch_read(&vdev->pdev.msix_table_mmio, offset,
 906                                    &data, size, MEMTXATTRS_UNSPECIFIED);
 907        trace_vfio_quirk_rtl8168_msix_read(vdev->vbasedev.name, offset, data);
 908    }
 909
 910    return data;
 911}
 912
 913static void vfio_rtl8168_quirk_data_write(void *opaque, hwaddr addr,
 914                                          uint64_t data, unsigned size)
 915{
 916    VFIOrtl8168Quirk *rtl = opaque;
 917    VFIOPCIDevice *vdev = rtl->vdev;
 918
 919    rtl->data = (uint32_t)data;
 920
 921    vfio_region_write(&vdev->bars[2].region, addr + 0x70, data, size);
 922}
 923
 924static const MemoryRegionOps vfio_rtl_data_quirk = {
 925    .read = vfio_rtl8168_quirk_data_read,
 926    .write = vfio_rtl8168_quirk_data_write,
 927    .valid = {
 928        .min_access_size = 4,
 929        .max_access_size = 4,
 930        .unaligned = false,
 931    },
 932    .endianness = DEVICE_LITTLE_ENDIAN,
 933};
 934
 935static void vfio_probe_rtl8168_bar2_quirk(VFIOPCIDevice *vdev, int nr)
 936{
 937    VFIOQuirk *quirk;
 938    VFIOrtl8168Quirk *rtl;
 939
 940    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_REALTEK, 0x8168) || nr != 2) {
 941        return;
 942    }
 943
 944    quirk = g_malloc0(sizeof(*quirk));
 945    quirk->mem = g_new0(MemoryRegion, 2);
 946    quirk->nr_mem = 2;
 947    quirk->data = rtl = g_malloc0(sizeof(*rtl));
 948    rtl->vdev = vdev;
 949
 950    memory_region_init_io(&quirk->mem[0], OBJECT(vdev),
 951                          &vfio_rtl_address_quirk, rtl,
 952                          "vfio-rtl8168-window-address-quirk", 4);
 953    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 954                                        0x74, &quirk->mem[0], 1);
 955
 956    memory_region_init_io(&quirk->mem[1], OBJECT(vdev),
 957                          &vfio_rtl_data_quirk, rtl,
 958                          "vfio-rtl8168-window-data-quirk", 4);
 959    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 960                                        0x70, &quirk->mem[1], 1);
 961
 962    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 963
 964    trace_vfio_quirk_rtl8168_probe(vdev->vbasedev.name);
 965}
 966
 967/*
 968 * Intel IGD support
 969 *
 970 * Obviously IGD is not a discrete device, this is evidenced not only by it
 971 * being integrated into the CPU, but by the various chipset and BIOS
 972 * dependencies that it brings along with it.  Intel is trying to move away
 973 * from this and Broadwell and newer devices can run in what Intel calls
 974 * "Universal Pass-Through" mode, or UPT.  Theoretically in UPT mode, nothing
 975 * more is required beyond assigning the IGD device to a VM.  There are
 976 * however support limitations to this mode.  It only supports IGD as a
 977 * secondary graphics device in the VM and it doesn't officially support any
 978 * physical outputs.
 979 *
 980 * The code here attempts to enable what we'll call legacy mode assignment,
 981 * IGD retains most of the capabilities we expect for it to have on bare
 982 * metal.  To enable this mode, the IGD device must be assigned to the VM
 983 * at PCI address 00:02.0, it must have a ROM, it very likely needs VGA
 984 * support, we must have VM BIOS support for reserving and populating some
 985 * of the required tables, and we need to tweak the chipset with revisions
 986 * and IDs and an LPC/ISA bridge device.  The intention is to make all of
 987 * this happen automatically by installing the device at the correct VM PCI
 988 * bus address.  If any of the conditions are not met, we cross our fingers
 989 * and hope the user knows better.
 990 *
 991 * NB - It is possible to enable physical outputs in UPT mode by supplying
 992 * an OpRegion table.  We don't do this by default because the guest driver
 993 * behaves differently if an OpRegion is provided and no monitor is attached
 994 * vs no OpRegion and a monitor being attached or not.  Effectively, if a
 995 * headless setup is desired, the OpRegion gets in the way of that.
 996 */
 997
 998/*
 999 * This presumes the device is already known to be an Intel VGA device, so we
1000 * take liberties in which device ID bits match which generation.  This should

1001 * not be taken as an indication that all the devices are supported, or even
1002 * supportable, some of them don't even support VT-d.
1003 * See linux:include/drm/i915_pciids.h for IDs.
1004 */
1005static int igd_gen(VFIOPCIDevice *vdev)
1006{
1007    if ((vdev->device_id & 0xfff) == 0xa84) {
1008        return 8; /* Broxton */
1009    }
1010
1011    switch (vdev->device_id & 0xff00) {
1012    /* Old, untested, unavailable, unknown */
1013    case 0x0000:
1014    case 0x2500:
1015    case 0x2700:
1016    case 0x2900:
1017    case 0x2a00:
1018    case 0x2e00:
1019    case 0x3500:
1020    case 0xa000:
1021        return -1;
1022    /* SandyBridge, IvyBridge, ValleyView, Haswell */
1023    case 0x0100:
1024    case 0x0400:
1025    case 0x0a00:
1026    case 0x0c00:
1027    case 0x0d00:
1028    case 0x0f00:
1029        return 6;
1030    /* BroadWell, CherryView, SkyLake, KabyLake */
1031    case 0x1600:
1032    case 0x1900:
1033    case 0x2200:
1034    case 0x5900:
1035        return 8;
1036    }
1037
1038    return 8; /* Assume newer is compatible */
1039}
1040
1041typedef struct VFIOIGDQuirk {
1042    struct VFIOPCIDevice *vdev;
1043    uint32_t index;
1044    uint32_t bdsm;
1045} VFIOIGDQuirk;
1046
1047#define IGD_GMCH 0x50 /* Graphics Control Register */
1048#define IGD_BDSM 0x5c /* Base Data of Stolen Memory */
1049#define IGD_ASLS 0xfc /* ASL Storage Register */
1050
1051/*
1052 * The OpRegion includes the Video BIOS Table, which seems important for
1053 * telling the driver what sort of outputs it has.  Without this, the device
1054 * may work in the guest, but we may not get output.  This also requires BIOS
1055 * support to reserve and populate a section of guest memory sufficient for
1056 * the table and to write the base address of that memory to the ASLS register
1057 * of the IGD device.
1058 */
1059int vfio_pci_igd_opregion_init(VFIOPCIDevice *vdev,
1060                               struct vfio_region_info *info, Error **errp)
1061{
1062    int ret;
1063
1064    vdev->igd_opregion = g_malloc0(info->size);
1065    ret = pread(vdev->vbasedev.fd, vdev->igd_opregion,
1066                info->size, info->offset);
1067    if (ret != info->size) {
1068        error_setg(errp, "failed to read IGD OpRegion");
1069        g_free(vdev->igd_opregion);
1070        vdev->igd_opregion = NULL;
1071        return -EINVAL;
1072    }
1073
1074    /*
1075     * Provide fw_cfg with a copy of the OpRegion which the VM firmware is to
1076     * allocate 32bit reserved memory for, copy these contents into, and write
1077     * the reserved memory base address to the device ASLS register at 0xFC.
1078     * Alignment of this reserved region seems flexible, but using a 4k page
1079     * alignment seems to work well.  This interface assumes a single IGD
1080     * device, which may be at VM address 00:02.0 in legacy mode or another
1081     * address in UPT mode.
1082     *
1083     * NB, there may be future use cases discovered where the VM should have
1084     * direct interaction with the host OpRegion, in which case the write to
1085     * the ASLS register would trigger MemoryRegion setup to enable that.
1086     */
1087    fw_cfg_add_file(fw_cfg_find(), "etc/igd-opregion",
1088                    vdev->igd_opregion, info->size);
1089
1090    trace_vfio_pci_igd_opregion_enabled(vdev->vbasedev.name);
1091
1092    pci_set_long(vdev->pdev.config + IGD_ASLS, 0);
1093    pci_set_long(vdev->pdev.wmask + IGD_ASLS, ~0);
1094    pci_set_long(vdev->emulated_config_bits + IGD_ASLS, ~0);
1095
1096    return 0;
1097}
1098
1099/*
1100 * The rather short list of registers that we copy from the host devices.
1101 * The LPC/ISA bridge values are definitely needed to support the vBIOS, the
1102 * host bridge values may or may not be needed depending on the guest OS.
1103 * Since we're only munging revision and subsystem values on the host bridge,
1104 * we don't require our own device.  The LPC/ISA bridge needs to be our very
1105 * own though.
1106 */
1107typedef struct {
1108    uint8_t offset;
1109    uint8_t len;
1110} IGDHostInfo;
1111
1112static const IGDHostInfo igd_host_bridge_infos[] = {
1113    {PCI_REVISION_ID,         2},
1114    {PCI_SUBSYSTEM_VENDOR_ID, 2},
1115    {PCI_SUBSYSTEM_ID,        2},
1116};
1117
1118static const IGDHostInfo igd_lpc_bridge_infos[] = {
1119    {PCI_VENDOR_ID,           2},
1120    {PCI_DEVICE_ID,           2},
1121    {PCI_REVISION_ID,         2},
1122    {PCI_SUBSYSTEM_VENDOR_ID, 2},
1123    {PCI_SUBSYSTEM_ID,        2},
1124};
1125
1126static int vfio_pci_igd_copy(VFIOPCIDevice *vdev, PCIDevice *pdev,
1127                             struct vfio_region_info *info,
1128                             const IGDHostInfo *list, int len)
1129{
1130    int i, ret;
1131
1132    for (i = 0; i < len; i++) {
1133        ret = pread(vdev->vbasedev.fd, pdev->config + list[i].offset,
1134                    list[i].len, info->offset + list[i].offset);
1135        if (ret != list[i].len) {
1136            error_report("IGD copy failed: %m");
1137            return -errno;
1138        }
1139    }
1140
1141    return 0;
1142}
1143
1144/*
1145 * Stuff a few values into the host bridge.
1146 */
1147static int vfio_pci_igd_host_init(VFIOPCIDevice *vdev,
1148                                  struct vfio_region_info *info)
1149{
1150    PCIBus *bus;
1151    PCIDevice *host_bridge;
1152    int ret;
1153
1154    bus = pci_device_root_bus(&vdev->pdev);
1155    host_bridge = pci_find_device(bus, 0, PCI_DEVFN(0, 0));
1156
1157    if (!host_bridge) {
1158        error_report("Can't find host bridge");
1159        return -ENODEV;
1160    }
1161
1162    ret = vfio_pci_igd_copy(vdev, host_bridge, info, igd_host_bridge_infos,
1163                            ARRAY_SIZE(igd_host_bridge_infos));
1164    if (!ret) {
1165        trace_vfio_pci_igd_host_bridge_enabled(vdev->vbasedev.name);
1166    }
1167
1168    return ret;
1169}
1170
1171/*
1172 * IGD LPC/ISA bridge support code.  The vBIOS needs this, but we can't write
1173 * arbitrary values into just any bridge, so we must create our own.  We try
1174 * to handle if the user has created it for us, which they might want to do
1175 * to enable multifunction so we don't occupy the whole PCI slot.
1176 */
1177static void vfio_pci_igd_lpc_bridge_realize(PCIDevice *pdev, Error **errp)
1178{
1179    if (pdev->devfn != PCI_DEVFN(0x1f, 0)) {
1180        error_setg(errp, "VFIO dummy ISA/LPC bridge must have address 1f.0");
1181    }
1182}
1183
1184static void vfio_pci_igd_lpc_bridge_class_init(ObjectClass *klass, void *data)
1185{
1186    DeviceClass *dc = DEVICE_CLASS(klass);
1187    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1188
1189    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
1190    dc->desc = "VFIO dummy ISA/LPC bridge for IGD assignment";
1191    dc->hotpluggable = false;
1192    k->realize = vfio_pci_igd_lpc_bridge_realize;
1193    k->class_id = PCI_CLASS_BRIDGE_ISA;
1194}
1195
1196static TypeInfo vfio_pci_igd_lpc_bridge_info = {
1197    .name = "vfio-pci-igd-lpc-bridge",
1198    .parent = TYPE_PCI_DEVICE,
1199    .class_init = vfio_pci_igd_lpc_bridge_class_init,
1200};
1201
1202static void vfio_pci_igd_register_types(void)
1203{
1204    type_register_static(&vfio_pci_igd_lpc_bridge_info);
1205}
1206
1207type_init(vfio_pci_igd_register_types)
1208
1209static int vfio_pci_igd_lpc_init(VFIOPCIDevice *vdev,
1210                                 struct vfio_region_info *info)
1211{
1212    PCIDevice *lpc_bridge;
1213    int ret;
1214
1215    lpc_bridge = pci_find_device(pci_device_root_bus(&vdev->pdev),
1216                                 0, PCI_DEVFN(0x1f, 0));
1217    if (!lpc_bridge) {
1218        lpc_bridge = pci_create_simple(pci_device_root_bus(&vdev->pdev),
1219                                 PCI_DEVFN(0x1f, 0), "vfio-pci-igd-lpc-bridge");
1220    }
1221
1222    ret = vfio_pci_igd_copy(vdev, lpc_bridge, info, igd_lpc_bridge_infos,
1223                            ARRAY_SIZE(igd_lpc_bridge_infos));
1224    if (!ret) {
1225        trace_vfio_pci_igd_lpc_bridge_enabled(vdev->vbasedev.name);
1226    }
1227
1228    return ret;
1229}
1230
1231/*
1232 * IGD Gen8 and newer support up to 8MB for the GTT and use a 64bit PTE
1233 * entry, older IGDs use 2MB and 32bit.  Each PTE maps a 4k page.  Therefore
1234 * we either have 2M/4k * 4 = 2k or 8M/4k * 8 = 16k as the maximum iobar index
1235 * for programming the GTT.
1236 *
1237 * See linux:include/drm/i915_drm.h for shift and mask values.
1238 */
1239static int vfio_igd_gtt_max(VFIOPCIDevice *vdev)
1240{
1241    uint32_t gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, sizeof(gmch));
1242    int ggms, gen = igd_gen(vdev);
1243
1244    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, sizeof(gmch));
1245    ggms = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
1246    if (gen > 6) {
1247        ggms = 1 << ggms;
1248    }
1249
1250    ggms *= 1024 * 1024;
1251
1252    return (ggms / (4 * 1024)) * (gen < 8 ? 4 : 8);
1253}
1254
1255/*
1256 * The IGD ROM will make use of stolen memory (GGMS) for support of VESA modes.
1257 * Somehow the host stolen memory range is used for this, but how the ROM gets
1258 * it is a mystery, perhaps it's hardcoded into the ROM.  Thankfully though, it
1259 * reprograms the GTT through the IOBAR where we can trap it and transpose the
1260 * programming to the VM allocated buffer.  That buffer gets reserved by the VM
1261 * firmware via the fw_cfg entry added below.  Here we're just monitoring the
1262 * IOBAR address and data registers to detect a write sequence targeting the
1263 * GTTADR.  This code is developed by observed behavior and doesn't have a
1264 * direct spec reference, unfortunately.
1265 */
1266static uint64_t vfio_igd_quirk_data_read(void *opaque,
1267                                         hwaddr addr, unsigned size)
1268{
1269    VFIOIGDQuirk *igd = opaque;
1270    VFIOPCIDevice *vdev = igd->vdev;
1271
1272    igd->index = ~0;
1273
1274    return vfio_region_read(&vdev->bars[4].region, addr + 4, size);
1275}
1276
1277static void vfio_igd_quirk_data_write(void *opaque, hwaddr addr,
1278                                      uint64_t data, unsigned size)
1279{
1280    VFIOIGDQuirk *igd = opaque;
1281    VFIOPCIDevice *vdev = igd->vdev;
1282    uint64_t val = data;
1283    int gen = igd_gen(vdev);
1284
1285    /*
1286     * Programming the GGMS starts at index 0x1 and uses every 4th index (ie.
1287     * 0x1, 0x5, 0x9, 0xd,...).  For pre-Gen8 each 4-byte write is a whole PTE
1288     * entry, with 0th bit enable set.  For Gen8 and up, PTEs are 64bit, so
1289     * entries 0x5 & 0xd are the high dword, in our case zero.  Each PTE points
1290     * to a 4k page, which we translate to a page from the VM allocated region,
1291     * pointed to by the BDSM register.  If this is not set, we fail.
1292     *
1293     * We trap writes to the full configured GTT size, but we typically only
1294     * see the vBIOS writing up to (nearly) the 1MB barrier.  In fact it often
1295     * seems to miss the last entry for an even 1MB GTT.  Doing a gratuitous
1296     * write of that last entry does work, but is hopefully unnecessary since
1297     * we clear the previous GTT on initialization.
1298     */
1299    if ((igd->index % 4 == 1) && igd->index < vfio_igd_gtt_max(vdev)) {
1300        if (gen < 8 || (igd->index % 8 == 1)) {
1301            uint32_t base;
1302
1303            base = pci_get_long(vdev->pdev.config + IGD_BDSM);
1304            if (!base) {
1305                hw_error("vfio-igd: Guest attempted to program IGD GTT before "
1306                         "BIOS reserved stolen memory.  Unsupported BIOS?");
1307            }
1308
1309            val = data - igd->bdsm + base;
1310        } else {
1311            val = 0; /* upper 32bits of pte, we only enable below 4G PTEs */
1312        }
1313
1314        trace_vfio_pci_igd_bar4_write(vdev->vbasedev.name,
1315                                      igd->index, data, val);
1316    }
1317
1318    vfio_region_write(&vdev->bars[4].region, addr + 4, val, size);
1319
1320    igd->index = ~0;
1321}
1322
1323static const MemoryRegionOps vfio_igd_data_quirk = {
1324    .read = vfio_igd_quirk_data_read,
1325    .write = vfio_igd_quirk_data_write,
1326    .endianness = DEVICE_LITTLE_ENDIAN,
1327};
1328
1329static uint64_t vfio_igd_quirk_index_read(void *opaque,
1330                                          hwaddr addr, unsigned size)
1331{
1332    VFIOIGDQuirk *igd = opaque;
1333    VFIOPCIDevice *vdev = igd->vdev;
1334
1335    igd->index = ~0;
1336
1337    return vfio_region_read(&vdev->bars[4].region, addr, size);
1338}
1339
1340static void vfio_igd_quirk_index_write(void *opaque, hwaddr addr,
1341                                       uint64_t data, unsigned size)
1342{
1343    VFIOIGDQuirk *igd = opaque;
1344    VFIOPCIDevice *vdev = igd->vdev;
1345
1346    igd->index = data;
1347
1348    vfio_region_write(&vdev->bars[4].region, addr, data, size);
1349}
1350
1351static const MemoryRegionOps vfio_igd_index_quirk = {
1352    .read = vfio_igd_quirk_index_read,
1353    .write = vfio_igd_quirk_index_write,
1354    .endianness = DEVICE_LITTLE_ENDIAN,
1355};
1356
1357static void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
1358{
1359    struct vfio_region_info *rom = NULL, *opregion = NULL,
1360                            *host = NULL, *lpc = NULL;
1361    VFIOQuirk *quirk;
1362    VFIOIGDQuirk *igd;
1363    PCIDevice *lpc_bridge;
1364    int i, ret, ggms_mb, gms_mb = 0, gen;
1365    uint64_t *bdsm_size;
1366    uint32_t gmch;
1367    uint16_t cmd_orig, cmd;
1368    Error *err = NULL;
1369
1370    /*
1371     * This must be an Intel VGA device at address 00:02.0 for us to even
1372     * consider enabling legacy mode.  The vBIOS has dependencies on the
1373     * PCI bus address.
1374     */
1375    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
1376        !vfio_is_vga(vdev) || nr != 4 ||
1377        &vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
1378                                       0, PCI_DEVFN(0x2, 0))) {
1379        return;
1380    }
1381
1382    /*
1383     * We need to create an LPC/ISA bridge at PCI bus address 00:1f.0 that we
1384     * can stuff host values into, so if there's already one there and it's not
1385     * one we can hack on, legacy mode is no-go.  Sorry Q35.
1386     */
1387    lpc_bridge = pci_find_device(pci_device_root_bus(&vdev->pdev),
1388                                 0, PCI_DEVFN(0x1f, 0));
1389    if (lpc_bridge && !object_dynamic_cast(OBJECT(lpc_bridge),
1390                                           "vfio-pci-igd-lpc-bridge")) {
1391        error_report("IGD device %s cannot support legacy mode due to existing "
1392                     "devices at address 1f.0", vdev->vbasedev.name);
1393        return;
1394    }
1395
1396    /*
1397     * IGD is not a standard, they like to change their specs often.  We
1398     * only attempt to support back to SandBridge and we hope that newer
1399     * devices maintain compatibility with generation 8.
1400     */
1401    gen = igd_gen(vdev);
1402    if (gen != 6 && gen != 8) {
1403        error_report("IGD device %s is unsupported in legacy mode, "
1404                     "try SandyBridge or newer", vdev->vbasedev.name);
1405        return;
1406    }
1407
1408    /*
1409     * Most of what we're doing here is to enable the ROM to run, so if
1410     * there's no ROM, there's no point in setting up this quirk.
1411     * NB. We only seem to get BIOS ROMs, so a UEFI VM would need CSM support.
1412     */
1413    ret = vfio_get_region_info(&vdev->vbasedev,
1414                               VFIO_PCI_ROM_REGION_INDEX, &rom);
1415    if ((ret || !rom->size) && !vdev->pdev.romfile) {
1416        error_report("IGD device %s has no ROM, legacy mode disabled",
1417                     vdev->vbasedev.name);
1418        goto out;
1419    }
1420
1421    /*
1422     * Ignore the hotplug corner case, mark the ROM failed, we can't
1423     * create the devices we need for legacy mode in the hotplug scenario.
1424     */
1425    if (vdev->pdev.qdev.hotplugged) {
1426        error_report("IGD device %s hotplugged, ROM disabled, "
1427                     "legacy mode disabled", vdev->vbasedev.name);
1428        vdev->rom_read_failed = true;
1429        goto out;
1430    }
1431
1432    /*
1433     * Check whether we have all the vfio device specific regions to
1434     * support legacy mode (added in Linux v4.6).  If not, bail.
1435     */
1436    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1437                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1438                        VFIO_REGION_SUBTYPE_INTEL_IGD_OPREGION, &opregion);
1439    if (ret) {
1440        error_report("IGD device %s does not support OpRegion access,"
1441                     "legacy mode disabled", vdev->vbasedev.name);
1442        goto out;
1443    }
1444
1445    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1446                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1447                        VFIO_REGION_SUBTYPE_INTEL_IGD_HOST_CFG, &host);
1448    if (ret) {
1449        error_report("IGD device %s does not support host bridge access,"
1450                     "legacy mode disabled", vdev->vbasedev.name);
1451        goto out;
1452    }
1453
1454    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1455                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1456                        VFIO_REGION_SUBTYPE_INTEL_IGD_LPC_CFG, &lpc);
1457    if (ret) {
1458        error_report("IGD device %s does not support LPC bridge access,"
1459                     "legacy mode disabled", vdev->vbasedev.name);
1460        goto out;
1461    }
1462
1463    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
1464
1465    /*
1466     * If IGD VGA Disable is clear (expected) and VGA is not already enabled,
1467     * try to enable it.  Probably shouldn't be using legacy mode without VGA,
1468     * but also no point in us enabling VGA if disabled in hardware.
1469     */
1470    if (!(gmch & 0x2) && !vdev->vga && vfio_populate_vga(vdev, &err)) {
1471        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
1472        error_report("IGD device %s failed to enable VGA access, "
1473                     "legacy mode disabled", vdev->vbasedev.name);
1474        goto out;
1475    }
1476
1477    /* Create our LPC/ISA bridge */
1478    ret = vfio_pci_igd_lpc_init(vdev, lpc);
1479    if (ret) {
1480        error_report("IGD device %s failed to create LPC bridge, "
1481                     "legacy mode disabled", vdev->vbasedev.name);
1482        goto out;
1483    }
1484
1485    /* Stuff some host values into the VM PCI host bridge */
1486    ret = vfio_pci_igd_host_init(vdev, host);
1487    if (ret) {
1488        error_report("IGD device %s failed to modify host bridge, "
1489                     "legacy mode disabled", vdev->vbasedev.name);
1490        goto out;
1491    }
1492
1493    /* Setup OpRegion access */
1494    ret = vfio_pci_igd_opregion_init(vdev, opregion, &err);
1495    if (ret) {
1496        error_append_hint(&err, "IGD legacy mode disabled\n");
1497        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
1498        goto out;
1499    }
1500
1501    /* Setup our quirk to munge GTT addresses to the VM allocated buffer */
1502    quirk = g_malloc0(sizeof(*quirk));
1503    quirk->mem = g_new0(MemoryRegion, 2);
1504    quirk->nr_mem = 2;
1505    igd = quirk->data = g_malloc0(sizeof(*igd));
1506    igd->vdev = vdev;
1507    igd->index = ~0;
1508    igd->bdsm = vfio_pci_read_config(&vdev->pdev, IGD_BDSM, 4);
1509    igd->bdsm &= ~((1 << 20) - 1); /* 1MB aligned */
1510
1511    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_igd_index_quirk,
1512                          igd, "vfio-igd-index-quirk", 4);
1513    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
1514                                        0, &quirk->mem[0], 1);
1515
1516    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_igd_data_quirk,
1517                          igd, "vfio-igd-data-quirk", 4);
1518    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
1519                                        4, &quirk->mem[1], 1);
1520
1521    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
1522
1523    /* Determine the size of stolen memory needed for GTT */
1524    ggms_mb = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
1525    if (gen > 6) {
1526        ggms_mb = 1 << ggms_mb;
1527    }
1528
1529    /*
1530     * Assume we have no GMS memory, but allow it to be overrided by device
1531     * option (experimental).  The spec doesn't actually allow zero GMS when
1532     * when IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
1533     * so let's not waste VM memory for it.
1534     */
1535    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
1536
1537    if (vdev->igd_gms) {
1538        if (vdev->igd_gms <= 0x10) {
1539            gms_mb = vdev->igd_gms * 32;
1540            gmch |= vdev->igd_gms << (gen < 8 ? 3 : 8);
1541        } else {
1542            error_report("Unsupported IGD GMS value 0x%x", vdev->igd_gms);
1543            vdev->igd_gms = 0;
1544        }
1545    }
1546
1547    /*
1548     * Request reserved memory for stolen memory via fw_cfg.  VM firmware
1549     * must allocate a 1MB aligned reserved memory region below 4GB with
1550     * the requested size (in bytes) for use by the Intel PCI class VGA
1551     * device at VM address 00:02.0.  The base address of this reserved
1552     * memory region must be written to the device BDSM regsiter at PCI
1553     * config offset 0x5C.
1554     */
1555    bdsm_size = g_malloc(sizeof(*bdsm_size));
1556    *bdsm_size = cpu_to_le64((ggms_mb + gms_mb) * 1024 * 1024);
1557    fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
1558                    bdsm_size, sizeof(*bdsm_size));
1559
1560    /* GMCH is read-only, emulated */
1561    pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
1562    pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
1563    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
1564
1565    /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
1566    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
1567    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
1568    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
1569
1570    /*
1571     * This IOBAR gives us access to GTTADR, which allows us to write to
1572     * the GTT itself.  So let's go ahead and write zero to all the GTT
1573     * entries to avoid spurious DMA faults.  Be sure I/O access is enabled
1574     * before talking to the device.
1575     */
1576    if (pread(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
1577              vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
1578        error_report("IGD device %s - failed to read PCI command register",
1579                     vdev->vbasedev.name);
1580    }
1581
1582    cmd = cmd_orig | PCI_COMMAND_IO;
1583
1584    if (pwrite(vdev->vbasedev.fd, &cmd, sizeof(cmd),
1585               vdev->config_offset + PCI_COMMAND) != sizeof(cmd)) {
1586        error_report("IGD device %s - failed to write PCI command register",
1587                     vdev->vbasedev.name);
1588    }
1589
1590    for (i = 1; i < vfio_igd_gtt_max(vdev); i += 4) {
1591        vfio_region_write(&vdev->bars[4].region, 0, i, 4);
1592        vfio_region_write(&vdev->bars[4].region, 4, 0, 4);
1593    }
1594
1595    if (pwrite(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
1596               vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
1597        error_report("IGD device %s - failed to restore PCI command register",
1598                     vdev->vbasedev.name);
1599    }
1600
1601    trace_vfio_pci_igd_bdsm_enabled(vdev->vbasedev.name, ggms_mb + gms_mb);
1602
1603out:
1604    g_free(rom);
1605    g_free(opregion);
1606    g_free(host);
1607    g_free(lpc);
1608}
1609
1610/*
1611 * Common quirk probe entry points.
1612 */
1613void vfio_vga_quirk_setup(VFIOPCIDevice *vdev)
1614{
1615    vfio_vga_probe_ati_3c3_quirk(vdev);
1616    vfio_vga_probe_nvidia_3d0_quirk(vdev);
1617}
1618
1619void vfio_vga_quirk_exit(VFIOPCIDevice *vdev)
1620{
1621    VFIOQuirk *quirk;
1622    int i, j;
1623
1624    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
1625        QLIST_FOREACH(quirk, &vdev->vga->region[i].quirks, next) {
1626            for (j = 0; j < quirk->nr_mem; j++) {
1627                memory_region_del_subregion(&vdev->vga->region[i].mem,
1628                                            &quirk->mem[j]);
1629            }
1630        }
1631    }
1632}
1633
1634void vfio_vga_quirk_finalize(VFIOPCIDevice *vdev)
1635{
1636    int i, j;
1637
1638    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
1639        while (!QLIST_EMPTY(&vdev->vga->region[i].quirks)) {
1640            VFIOQuirk *quirk = QLIST_FIRST(&vdev->vga->region[i].quirks);
1641            QLIST_REMOVE(quirk, next);
1642            for (j = 0; j < quirk->nr_mem; j++) {
1643                object_unparent(OBJECT(&quirk->mem[j]));
1644            }
1645            g_free(quirk->mem);
1646            g_free(quirk->data);
1647            g_free(quirk);
1648        }
1649    }
1650}
1651
1652void vfio_bar_quirk_setup(VFIOPCIDevice *vdev, int nr)
1653{
1654    vfio_probe_ati_bar4_quirk(vdev, nr);
1655    vfio_probe_ati_bar2_quirk(vdev, nr);
1656    vfio_probe_nvidia_bar5_quirk(vdev, nr);
1657    vfio_probe_nvidia_bar0_quirk(vdev, nr);
1658    vfio_probe_rtl8168_bar2_quirk(vdev, nr);
1659    vfio_probe_igd_bar4_quirk(vdev, nr);
1660}
1661
1662void vfio_bar_quirk_exit(VFIOPCIDevice *vdev, int nr)
1663{
1664    VFIOBAR *bar = &vdev->bars[nr];
1665    VFIOQuirk *quirk;
1666    int i;
1667
1668    QLIST_FOREACH(quirk, &bar->quirks, next) {
1669        for (i = 0; i < quirk->nr_mem; i++) {
1670            memory_region_del_subregion(bar->region.mem, &quirk->mem[i]);
1671        }
1672    }
1673}
1674
1675void vfio_bar_quirk_finalize(VFIOPCIDevice *vdev, int nr)
1676{
1677    VFIOBAR *bar = &vdev->bars[nr];
1678    int i;
1679
1680    while (!QLIST_EMPTY(&bar->quirks)) {
1681        VFIOQuirk *quirk = QLIST_FIRST(&bar->quirks);
1682        QLIST_REMOVE(quirk, next);
1683        for (i = 0; i < quirk->nr_mem; i++) {
1684            object_unparent(OBJECT(&quirk->mem[i]));
1685        }
1686        g_free(quirk->mem);
1687        g_free(quirk->data);
1688        g_free(quirk);
1689    }
1690}
1691
1692/*
1693 * Reset quirks
1694 */
1695
1696/*
1697 * AMD Radeon PCI config reset, based on Linux:
1698 *   drivers/gpu/drm/radeon/ci_smc.c:ci_is_smc_running()
1699 *   drivers/gpu/drm/radeon/radeon_device.c:radeon_pci_config_reset
1700 *   drivers/gpu/drm/radeon/ci_smc.c:ci_reset_smc()
1701 *   drivers/gpu/drm/radeon/ci_smc.c:ci_stop_smc_clock()
1702 * IDs: include/drm/drm_pciids.h
1703 * Registers: http://cgit.freedesktop.org/~agd5f/linux/commit/?id=4e2aa447f6f0
1704 *
1705 * Bonaire and Hawaii GPUs do not respond to a bus reset.  This is a bug in the
1706 * hardware that should be fixed on future ASICs.  The symptom of this is that
1707 * once the accerlated driver loads, Windows guests will bsod on subsequent
1708 * attmpts to load the driver, such as after VM reset or shutdown/restart.  To
1709 * work around this, we do an AMD specific PCI config reset, followed by an SMC
1710 * reset.  The PCI config reset only works if SMC firmware is running, so we
1711 * have a dependency on the state of the device as to whether this reset will
1712 * be effective.  There are still cases where we won't be able to kick the
1713 * device into working, but this greatly improves the usability overall.  The
1714 * config reset magic is relatively common on AMD GPUs, but the setup and SMC
1715 * poking is largely ASIC specific.
1716 */
1717static bool vfio_radeon_smc_is_running(VFIOPCIDevice *vdev)
1718{
1719    uint32_t clk, pc_c;
1720
1721    /*
1722     * Registers 200h and 204h are index and data registers for accessing
1723     * indirect configuration registers within the device.
1724     */
1725    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
1726    clk = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1727    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000370, 4);
1728    pc_c = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1729
1730    return (!(clk & 1) && (0x20100 <= pc_c));
1731}
1732
1733/*
1734 * The scope of a config reset is controlled by a mode bit in the misc register
1735 * and a fuse, exposed as a bit in another register.  The fuse is the default
1736 * (0 = GFX, 1 = whole GPU), the misc bit is a toggle, with the forumula
1737 * scope = !(misc ^ fuse), where the resulting scope is defined the same as
1738 * the fuse.  A truth table therefore tells us that if misc == fuse, we need
1739 * to flip the value of the bit in the misc register.
1740 */
1741static void vfio_radeon_set_gfx_only_reset(VFIOPCIDevice *vdev)
1742{
1743    uint32_t misc, fuse;
1744    bool a, b;
1745
1746    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc00c0000, 4);
1747    fuse = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1748    b = fuse & 64;
1749
1750    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc0000010, 4);
1751    misc = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1752    a = misc & 2;
1753
1754    if (a == b) {
1755        vfio_region_write(&vdev->bars[5].region, 0x204, misc ^ 2, 4);
1756        vfio_region_read(&vdev->bars[5].region, 0x204, 4); /* flush */
1757    }
1758}
1759
1760static int vfio_radeon_reset(VFIOPCIDevice *vdev)
1761{
1762    PCIDevice *pdev = &vdev->pdev;
1763    int i, ret = 0;
1764    uint32_t data;
1765
1766    /* Defer to a kernel implemented reset */
1767    if (vdev->vbasedev.reset_works) {
1768        trace_vfio_quirk_ati_bonaire_reset_skipped(vdev->vbasedev.name);
1769        return -ENODEV;
1770    }
1771
1772    /* Enable only memory BAR access */
1773    vfio_pci_write_config(pdev, PCI_COMMAND, PCI_COMMAND_MEMORY, 2);
1774
1775    /* Reset only works if SMC firmware is loaded and running */
1776    if (!vfio_radeon_smc_is_running(vdev)) {
1777        ret = -EINVAL;
1778        trace_vfio_quirk_ati_bonaire_reset_no_smc(vdev->vbasedev.name);
1779        goto out;
1780    }
1781
1782    /* Make sure only the GFX function is reset */
1783    vfio_radeon_set_gfx_only_reset(vdev);
1784
1785    /* AMD PCI config reset */
1786    vfio_pci_write_config(pdev, 0x7c, 0x39d5e86b, 4);
1787    usleep(100);
1788
1789    /* Read back the memory size to make sure we're out of reset */
1790    for (i = 0; i < 100000; i++) {
1791        if (vfio_region_read(&vdev->bars[5].region, 0x5428, 4) != 0xffffffff) {
1792            goto reset_smc;
1793        }
1794        usleep(1);
1795    }
1796
1797    trace_vfio_quirk_ati_bonaire_reset_timeout(vdev->vbasedev.name);
1798
1799reset_smc:
1800    /* Reset SMC */
1801    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000000, 4);
1802    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1803    data |= 1;
1804    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);
1805
1806    /* Disable SMC clock */
1807    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
1808    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1809    data |= 1;
1810    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);
1811
1812    trace_vfio_quirk_ati_bonaire_reset_done(vdev->vbasedev.name);
1813
1814out:
1815    /* Restore PCI command register */
1816    vfio_pci_write_config(pdev, PCI_COMMAND, 0, 2);
1817
1818    return ret;
1819}
1820
1821void vfio_setup_resetfn_quirk(VFIOPCIDevice *vdev)
1822{
1823    switch (vdev->vendor_id) {
1824    case 0x1002:
1825        switch (vdev->device_id) {
1826        /* Bonaire */
1827        case 0x6649: /* Bonaire [FirePro W5100] */
1828        case 0x6650:
1829        case 0x6651:
1830        case 0x6658: /* Bonaire XTX [Radeon R7 260X] */
1831        case 0x665c: /* Bonaire XT [Radeon HD 7790/8770 / R9 260 OEM] */
1832        case 0x665d: /* Bonaire [Radeon R7 200 Series] */
1833        /* Hawaii */
1834        case 0x67A0: /* Hawaii XT GL [FirePro W9100] */
1835        case 0x67A1: /* Hawaii PRO GL [FirePro W8100] */
1836        case 0x67A2:
1837        case 0x67A8:
1838        case 0x67A9:
1839        case 0x67AA:
1840        case 0x67B0: /* Hawaii XT [Radeon R9 290X] */
1841        case 0x67B1: /* Hawaii PRO [Radeon R9 290] */
1842        case 0x67B8:
1843        case 0x67B9:
1844        case 0x67BA:
1845        case 0x67BE:
1846            vdev->resetfn = vfio_radeon_reset;
1847            trace_vfio_quirk_ati_bonaire_reset(vdev->vbasedev.name);
1848            break;
1849        }
1850        break;
1851    }
1852}
1853