qemu/hw/vfio/pci-quirks.c
<<
>>
Prefs 
   1/*
   2 * device quirks for PCI devices
   3 *
   4 * Copyright Red Hat, Inc. 2012-2015
   5 *
   6 * Authors:
   7 *  Alex Williamson <alex.williamson@redhat.com>
   8 *
   9 * This work is licensed under the terms of the GNU GPL, version 2.  See
  10 * the COPYING file in the top-level directory.
  11 */
  12
  13#include "qemu/osdep.h"
  14#include "qemu/error-report.h"
  15#include "qemu/range.h"
  16#include "qapi/error.h"
  17#include "qapi/visitor.h"
  18#include "hw/nvram/fw_cfg.h"
  19#include "pci.h"
  20#include "trace.h"
  21
  22/* Use uin32_t for vendor & device so PCI_ANY_ID expands and cannot match hw */
  23static bool vfio_pci_is(VFIOPCIDevice *vdev, uint32_t vendor, uint32_t device)
  24{
  25    return (vendor == PCI_ANY_ID || vendor == vdev->vendor_id) &&
  26           (device == PCI_ANY_ID || device == vdev->device_id);
  27}
  28
  29static bool vfio_is_vga(VFIOPCIDevice *vdev)
  30{
  31    PCIDevice *pdev = &vdev->pdev;
  32    uint16_t class = pci_get_word(pdev->config + PCI_CLASS_DEVICE);
  33
  34    return class == PCI_CLASS_DISPLAY_VGA;
  35}
  36
  37/*
  38 * List of device ids/vendor ids for which to disable
  39 * option rom loading. This avoids the guest hangs during rom
  40 * execution as noticed with the BCM 57810 card for lack of a
  41 * more better way to handle such issues.
  42 * The  user can still override by specifying a romfile or
  43 * rombar=1.
  44 * Please see https://bugs.launchpad.net/qemu/+bug/1284874
  45 * for an analysis of the 57810 card hang. When adding
  46 * a new vendor id/device id combination below, please also add
  47 * your card/environment details and information that could
  48 * help in debugging to the bug tracking this issue
  49 */
  50static const struct {
  51    uint32_t vendor;
  52    uint32_t device;
  53} romblacklist[] = {
  54    { 0x14e4, 0x168e }, /* Broadcom BCM 57810 */
  55};
  56
  57bool vfio_blacklist_opt_rom(VFIOPCIDevice *vdev)
  58{
  59    int i;
  60
  61    for (i = 0 ; i < ARRAY_SIZE(romblacklist); i++) {
  62        if (vfio_pci_is(vdev, romblacklist[i].vendor, romblacklist[i].device)) {
  63            trace_vfio_quirk_rom_blacklisted(vdev->vbasedev.name,
  64                                             romblacklist[i].vendor,
  65                                             romblacklist[i].device);
  66            return true;
  67        }
  68    }
  69    return false;
  70}
  71
  72/*
  73 * Device specific region quirks (mostly backdoors to PCI config space)
  74 */
  75
  76/*
  77 * The generic window quirks operate on an address and data register,
  78 * vfio_generic_window_address_quirk handles the address register and
  79 * vfio_generic_window_data_quirk handles the data register.  These ops
  80 * pass reads and writes through to hardware until a value matching the
  81 * stored address match/mask is written.  When this occurs, the data
  82 * register access emulated PCI config space for the device rather than
  83 * passing through accesses.  This enables devices where PCI config space
  84 * is accessible behind a window register to maintain the virtualization
  85 * provided through vfio.
  86 */
  87typedef struct VFIOConfigWindowMatch {
  88    uint32_t match;
  89    uint32_t mask;
  90} VFIOConfigWindowMatch;
  91
  92typedef struct VFIOConfigWindowQuirk {
  93    struct VFIOPCIDevice *vdev;
  94
  95    uint32_t address_val;
  96
  97    uint32_t address_offset;
  98    uint32_t data_offset;
  99
 100    bool window_enabled;
 101    uint8_t bar;
 102
 103    MemoryRegion *addr_mem;
 104    MemoryRegion *data_mem;
 105
 106    uint32_t nr_matches;
 107    VFIOConfigWindowMatch matches[];
 108} VFIOConfigWindowQuirk;
 109
 110static uint64_t vfio_generic_window_quirk_address_read(void *opaque,
 111                                                       hwaddr addr,
 112                                                       unsigned size)
 113{
 114    VFIOConfigWindowQuirk *window = opaque;
 115    VFIOPCIDevice *vdev = window->vdev;
 116
 117    return vfio_region_read(&vdev->bars[window->bar].region,
 118                            addr + window->address_offset, size);
 119}
 120
 121static void vfio_generic_window_quirk_address_write(void *opaque, hwaddr addr,
 122                                                    uint64_t data,
 123                                                    unsigned size)
 124{
 125    VFIOConfigWindowQuirk *window = opaque;
 126    VFIOPCIDevice *vdev = window->vdev;
 127    int i;
 128
 129    window->window_enabled = false;
 130
 131    vfio_region_write(&vdev->bars[window->bar].region,
 132                      addr + window->address_offset, data, size);
 133
 134    for (i = 0; i < window->nr_matches; i++) {
 135        if ((data & ~window->matches[i].mask) == window->matches[i].match) {
 136            window->window_enabled = true;
 137            window->address_val = data & window->matches[i].mask;
 138            trace_vfio_quirk_generic_window_address_write(vdev->vbasedev.name,
 139                                    memory_region_name(window->addr_mem), data);
 140            break;
 141        }
 142    }
 143}
 144
 145static const MemoryRegionOps vfio_generic_window_address_quirk = {
 146    .read = vfio_generic_window_quirk_address_read,
 147    .write = vfio_generic_window_quirk_address_write,
 148    .endianness = DEVICE_LITTLE_ENDIAN,
 149};
 150
 151static uint64_t vfio_generic_window_quirk_data_read(void *opaque,
 152                                                    hwaddr addr, unsigned size)
 153{
 154    VFIOConfigWindowQuirk *window = opaque;
 155    VFIOPCIDevice *vdev = window->vdev;
 156    uint64_t data;
 157
 158    /* Always read data reg, discard if window enabled */
 159    data = vfio_region_read(&vdev->bars[window->bar].region,
 160                            addr + window->data_offset, size);
 161
 162    if (window->window_enabled) {
 163        data = vfio_pci_read_config(&vdev->pdev, window->address_val, size);
 164        trace_vfio_quirk_generic_window_data_read(vdev->vbasedev.name,
 165                                    memory_region_name(window->data_mem), data);
 166    }
 167
 168    return data;
 169}
 170
 171static void vfio_generic_window_quirk_data_write(void *opaque, hwaddr addr,
 172                                                 uint64_t data, unsigned size)
 173{
 174    VFIOConfigWindowQuirk *window = opaque;
 175    VFIOPCIDevice *vdev = window->vdev;
 176
 177    if (window->window_enabled) {
 178        vfio_pci_write_config(&vdev->pdev, window->address_val, data, size);
 179        trace_vfio_quirk_generic_window_data_write(vdev->vbasedev.name,
 180                                    memory_region_name(window->data_mem), data);
 181        return;
 182    }
 183
 184    vfio_region_write(&vdev->bars[window->bar].region,
 185                      addr + window->data_offset, data, size);
 186}
 187
 188static const MemoryRegionOps vfio_generic_window_data_quirk = {
 189    .read = vfio_generic_window_quirk_data_read,
 190    .write = vfio_generic_window_quirk_data_write,
 191    .endianness = DEVICE_LITTLE_ENDIAN,
 192};
 193
 194/*
 195 * The generic mirror quirk handles devices which expose PCI config space
 196 * through a region within a BAR.  When enabled, reads and writes are
 197 * redirected through to emulated PCI config space.  XXX if PCI config space
 198 * used memory regions, this could just be an alias.
 199 */
 200typedef struct VFIOConfigMirrorQuirk {
 201    struct VFIOPCIDevice *vdev;
 202    uint32_t offset;
 203    uint8_t bar;
 204    MemoryRegion *mem;
 205} VFIOConfigMirrorQuirk;
 206
 207static uint64_t vfio_generic_quirk_mirror_read(void *opaque,
 208                                               hwaddr addr, unsigned size)
 209{
 210    VFIOConfigMirrorQuirk *mirror = opaque;
 211    VFIOPCIDevice *vdev = mirror->vdev;
 212    uint64_t data;
 213
 214    /* Read and discard in case the hardware cares */
 215    (void)vfio_region_read(&vdev->bars[mirror->bar].region,
 216                           addr + mirror->offset, size);
 217
 218    data = vfio_pci_read_config(&vdev->pdev, addr, size);
 219    trace_vfio_quirk_generic_mirror_read(vdev->vbasedev.name,
 220                                         memory_region_name(mirror->mem),
 221                                         addr, data);
 222    return data;
 223}
 224
 225static void vfio_generic_quirk_mirror_write(void *opaque, hwaddr addr,
 226                                            uint64_t data, unsigned size)
 227{
 228    VFIOConfigMirrorQuirk *mirror = opaque;
 229    VFIOPCIDevice *vdev = mirror->vdev;
 230
 231    vfio_pci_write_config(&vdev->pdev, addr, data, size);
 232    trace_vfio_quirk_generic_mirror_write(vdev->vbasedev.name,
 233                                          memory_region_name(mirror->mem),
 234                                          addr, data);
 235}
 236
 237static const MemoryRegionOps vfio_generic_mirror_quirk = {
 238    .read = vfio_generic_quirk_mirror_read,
 239    .write = vfio_generic_quirk_mirror_write,
 240    .endianness = DEVICE_LITTLE_ENDIAN,
 241};
 242
 243/* Is range1 fully contained within range2?  */
 244static bool vfio_range_contained(uint64_t first1, uint64_t len1,
 245                                 uint64_t first2, uint64_t len2) {
 246    return (first1 >= first2 && first1 + len1 <= first2 + len2);
 247}
 248
 249#define PCI_VENDOR_ID_ATI               0x1002
 250
 251/*
 252 * Radeon HD cards (HD5450 & HD7850) report the upper byte of the I/O port BAR
 253 * through VGA register 0x3c3.  On newer cards, the I/O port BAR is always
 254 * BAR4 (older cards like the X550 used BAR1, but we don't care to support
 255 * those).  Note that on bare metal, a read of 0x3c3 doesn't always return the
 256 * I/O port BAR address.  Originally this was coded to return the virtual BAR
 257 * address only if the physical register read returns the actual BAR address,
 258 * but users have reported greater success if we return the virtual address
 259 * unconditionally.
 260 */
 261static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
 262                                        hwaddr addr, unsigned size)
 263{
 264    VFIOPCIDevice *vdev = opaque;
 265    uint64_t data = vfio_pci_read_config(&vdev->pdev,
 266                                         PCI_BASE_ADDRESS_4 + 1, size);
 267
 268    trace_vfio_quirk_ati_3c3_read(vdev->vbasedev.name, data);
 269
 270    return data;
 271}
 272
 273static const MemoryRegionOps vfio_ati_3c3_quirk = {
 274    .read = vfio_ati_3c3_quirk_read,
 275    .endianness = DEVICE_LITTLE_ENDIAN,
 276};
 277
 278static void vfio_vga_probe_ati_3c3_quirk(VFIOPCIDevice *vdev)
 279{
 280    VFIOQuirk *quirk;
 281
 282    /*
 283     * As long as the BAR is >= 256 bytes it will be aligned such that the
 284     * lower byte is always zero.  Filter out anything else, if it exists.
 285     */
 286    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 287        !vdev->bars[4].ioport || vdev->bars[4].region.size < 256) {
 288        return;
 289    }
 290
 291    quirk = g_malloc0(sizeof(*quirk));
 292    quirk->mem = g_new0(MemoryRegion, 1);
 293    quirk->nr_mem = 1;
 294
 295    memory_region_init_io(quirk->mem, OBJECT(vdev), &vfio_ati_3c3_quirk, vdev,
 296                          "vfio-ati-3c3-quirk", 1);
 297    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 298                                3 /* offset 3 bytes from 0x3c0 */, quirk->mem);
 299
 300    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
 301                      quirk, next);
 302
 303    trace_vfio_quirk_ati_3c3_probe(vdev->vbasedev.name);
 304}
 305
 306/*
 307 * Newer ATI/AMD devices, including HD5450 and HD7850, have a mirror to PCI
 308 * config space through MMIO BAR2 at offset 0x4000.  Nothing seems to access
 309 * the MMIO space directly, but a window to this space is provided through
 310 * I/O port BAR4.  Offset 0x0 is the address register and offset 0x4 is the
 311 * data register.  When the address is programmed to a range of 0x4000-0x4fff
 312 * PCI configuration space is available.  Experimentation seems to indicate
 313 * that read-only may be provided by hardware.
 314 */
 315static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, int nr)
 316{
 317    VFIOQuirk *quirk;
 318    VFIOConfigWindowQuirk *window;
 319
 320    /* This windows doesn't seem to be used except by legacy VGA code */
 321    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 322        !vdev->vga || nr != 4) {
 323        return;
 324    }
 325
 326    quirk = g_malloc0(sizeof(*quirk));
 327    quirk->mem = g_new0(MemoryRegion, 2);
 328    quirk->nr_mem = 2;
 329    window = quirk->data = g_malloc0(sizeof(*window) +
 330                                     sizeof(VFIOConfigWindowMatch));
 331    window->vdev = vdev;
 332    window->address_offset = 0;
 333    window->data_offset = 4;
 334    window->nr_matches = 1;
 335    window->matches[0].match = 0x4000;
 336    window->matches[0].mask = vdev->config_size - 1;
 337    window->bar = nr;
 338    window->addr_mem = &quirk->mem[0];
 339    window->data_mem = &quirk->mem[1];
 340
 341    memory_region_init_io(window->addr_mem, OBJECT(vdev),
 342                          &vfio_generic_window_address_quirk, window,
 343                          "vfio-ati-bar4-window-address-quirk", 4);
 344    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 345                                        window->address_offset,
 346                                        window->addr_mem, 1);
 347
 348    memory_region_init_io(window->data_mem, OBJECT(vdev),
 349                          &vfio_generic_window_data_quirk, window,
 350                          "vfio-ati-bar4-window-data-quirk", 4);
 351    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 352                                        window->data_offset,
 353                                        window->data_mem, 1);
 354
 355    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 356
 357    trace_vfio_quirk_ati_bar4_probe(vdev->vbasedev.name);
 358}
 359
 360/*
 361 * Trap the BAR2 MMIO mirror to config space as well.
 362 */
 363static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, int nr)
 364{
 365    VFIOQuirk *quirk;
 366    VFIOConfigMirrorQuirk *mirror;
 367
 368    /* Only enable on newer devices where BAR2 is 64bit */
 369    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
 370        !vdev->vga || nr != 2 || !vdev->bars[2].mem64) {
 371        return;
 372    }
 373
 374    quirk = g_malloc0(sizeof(*quirk));
 375    mirror = quirk->data = g_malloc0(sizeof(*mirror));
 376    mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 377    quirk->nr_mem = 1;
 378    mirror->vdev = vdev;
 379    mirror->offset = 0x4000;
 380    mirror->bar = nr;
 381
 382    memory_region_init_io(mirror->mem, OBJECT(vdev),
 383                          &vfio_generic_mirror_quirk, mirror,
 384                          "vfio-ati-bar2-4000-quirk", PCI_CONFIG_SPACE_SIZE);
 385    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 386                                        mirror->offset, mirror->mem, 1);
 387
 388    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 389
 390    trace_vfio_quirk_ati_bar2_probe(vdev->vbasedev.name);
 391}
 392
 393/*
 394 * Older ATI/AMD cards like the X550 have a similar window to that above.
 395 * I/O port BAR1 provides a window to a mirror of PCI config space located
 396 * in BAR2 at offset 0xf00.  We don't care to support such older cards, but
 397 * note it for future reference.
 398 */
 399
 400#define PCI_VENDOR_ID_NVIDIA                    0x10de
 401
 402/*
 403 * Nvidia has several different methods to get to config space, the
 404 * nouveu project has several of these documented here:
 405 * https://github.com/pathscale/envytools/tree/master/hwdocs
 406 *
 407 * The first quirk is actually not documented in envytools and is found
 408 * on 10de:01d1 (NVIDIA Corporation G72 [GeForce 7300 LE]).  This is an
 409 * NV46 chipset.  The backdoor uses the legacy VGA I/O ports to access
 410 * the mirror of PCI config space found at BAR0 offset 0x1800.  The access
 411 * sequence first writes 0x338 to I/O port 0x3d4.  The target offset is
 412 * then written to 0x3d0.  Finally 0x538 is written for a read and 0x738
 413 * is written for a write to 0x3d4.  The BAR0 offset is then accessible
 414 * through 0x3d0.  This quirk doesn't seem to be necessary on newer cards
 415 * that use the I/O port BAR5 window but it doesn't hurt to leave it.
 416 */
 417typedef enum {NONE = 0, SELECT, WINDOW, READ, WRITE} VFIONvidia3d0State;
 418static const char *nv3d0_states[] = { "NONE", "SELECT",
 419                                      "WINDOW", "READ", "WRITE" };
 420
 421typedef struct VFIONvidia3d0Quirk {
 422    VFIOPCIDevice *vdev;
 423    VFIONvidia3d0State state;
 424    uint32_t offset;
 425} VFIONvidia3d0Quirk;
 426
 427static uint64_t vfio_nvidia_3d4_quirk_read(void *opaque,
 428                                           hwaddr addr, unsigned size)
 429{
 430    VFIONvidia3d0Quirk *quirk = opaque;
 431    VFIOPCIDevice *vdev = quirk->vdev;
 432
 433    quirk->state = NONE;
 434
 435    return vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 436                         addr + 0x14, size);
 437}
 438
 439static void vfio_nvidia_3d4_quirk_write(void *opaque, hwaddr addr,
 440                                        uint64_t data, unsigned size)
 441{
 442    VFIONvidia3d0Quirk *quirk = opaque;
 443    VFIOPCIDevice *vdev = quirk->vdev;
 444    VFIONvidia3d0State old_state = quirk->state;
 445
 446    quirk->state = NONE;
 447
 448    switch (data) {
 449    case 0x338:
 450        if (old_state == NONE) {
 451            quirk->state = SELECT;
 452            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 453                                              nv3d0_states[quirk->state]);
 454        }
 455        break;
 456    case 0x538:
 457        if (old_state == WINDOW) {
 458            quirk->state = READ;
 459            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 460                                              nv3d0_states[quirk->state]);
 461        }
 462        break;
 463    case 0x738:
 464        if (old_state == WINDOW) {
 465            quirk->state = WRITE;
 466            trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 467                                              nv3d0_states[quirk->state]);
 468        }
 469        break;
 470    }
 471
 472    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 473                   addr + 0x14, data, size);
 474}
 475
 476static const MemoryRegionOps vfio_nvidia_3d4_quirk = {
 477    .read = vfio_nvidia_3d4_quirk_read,
 478    .write = vfio_nvidia_3d4_quirk_write,
 479    .endianness = DEVICE_LITTLE_ENDIAN,
 480};
 481
 482static uint64_t vfio_nvidia_3d0_quirk_read(void *opaque,
 483                                           hwaddr addr, unsigned size)
 484{
 485    VFIONvidia3d0Quirk *quirk = opaque;
 486    VFIOPCIDevice *vdev = quirk->vdev;
 487    VFIONvidia3d0State old_state = quirk->state;
 488    uint64_t data = vfio_vga_read(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 489                                  addr + 0x10, size);
 490
 491    quirk->state = NONE;
 492
 493    if (old_state == READ &&
 494        (quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
 495        uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
 496
 497        data = vfio_pci_read_config(&vdev->pdev, offset, size);
 498        trace_vfio_quirk_nvidia_3d0_read(vdev->vbasedev.name,
 499                                         offset, size, data);
 500    }
 501
 502    return data;
 503}
 504
 505static void vfio_nvidia_3d0_quirk_write(void *opaque, hwaddr addr,
 506                                        uint64_t data, unsigned size)
 507{
 508    VFIONvidia3d0Quirk *quirk = opaque;
 509    VFIOPCIDevice *vdev = quirk->vdev;
 510    VFIONvidia3d0State old_state = quirk->state;
 511
 512    quirk->state = NONE;
 513
 514    if (old_state == SELECT) {
 515        quirk->offset = (uint32_t)data;
 516        quirk->state = WINDOW;
 517        trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
 518                                          nv3d0_states[quirk->state]);
 519    } else if (old_state == WRITE) {
 520        if ((quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
 521            uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
 522
 523            vfio_pci_write_config(&vdev->pdev, offset, data, size);
 524            trace_vfio_quirk_nvidia_3d0_write(vdev->vbasedev.name,
 525                                              offset, data, size);
 526            return;
 527        }
 528    }
 529
 530    vfio_vga_write(&vdev->vga->region[QEMU_PCI_VGA_IO_HI],
 531                   addr + 0x10, data, size);
 532}
 533
 534static const MemoryRegionOps vfio_nvidia_3d0_quirk = {
 535    .read = vfio_nvidia_3d0_quirk_read,
 536    .write = vfio_nvidia_3d0_quirk_write,
 537    .endianness = DEVICE_LITTLE_ENDIAN,
 538};
 539
 540static void vfio_vga_probe_nvidia_3d0_quirk(VFIOPCIDevice *vdev)
 541{
 542    VFIOQuirk *quirk;
 543    VFIONvidia3d0Quirk *data;
 544
 545    if (vdev->no_geforce_quirks ||
 546        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 547        !vdev->bars[1].region.size) {
 548        return;
 549    }
 550
 551    quirk = g_malloc0(sizeof(*quirk));
 552    quirk->data = data = g_malloc0(sizeof(*data));
 553    quirk->mem = g_new0(MemoryRegion, 2);
 554    quirk->nr_mem = 2;
 555    data->vdev = vdev;
 556
 557    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_nvidia_3d4_quirk,
 558                          data, "vfio-nvidia-3d4-quirk", 2);
 559    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 560                                0x14 /* 0x3c0 + 0x14 */, &quirk->mem[0]);
 561
 562    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_nvidia_3d0_quirk,
 563                          data, "vfio-nvidia-3d0-quirk", 2);
 564    memory_region_add_subregion(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].mem,
 565                                0x10 /* 0x3c0 + 0x10 */, &quirk->mem[1]);
 566
 567    QLIST_INSERT_HEAD(&vdev->vga->region[QEMU_PCI_VGA_IO_HI].quirks,
 568                      quirk, next);
 569
 570    trace_vfio_quirk_nvidia_3d0_probe(vdev->vbasedev.name);
 571}
 572
 573/*
 574 * The second quirk is documented in envytools.  The I/O port BAR5 is just
 575 * a set of address/data ports to the MMIO BARs.  The BAR we care about is
 576 * again BAR0.  This backdoor is apparently a bit newer than the one above
 577 * so we need to not only trap 256 bytes @0x1800, but all of PCI config
 578 * space, including extended space is available at the 4k @0x88000.
 579 */
 580typedef struct VFIONvidiaBAR5Quirk {
 581    uint32_t master;
 582    uint32_t enable;
 583    MemoryRegion *addr_mem;
 584    MemoryRegion *data_mem;
 585    bool enabled;
 586    VFIOConfigWindowQuirk window; /* last for match data */
 587} VFIONvidiaBAR5Quirk;
 588
 589static void vfio_nvidia_bar5_enable(VFIONvidiaBAR5Quirk *bar5)
 590{
 591    VFIOPCIDevice *vdev = bar5->window.vdev;
 592
 593    if (((bar5->master & bar5->enable) & 0x1) == bar5->enabled) {
 594        return;
 595    }
 596
 597    bar5->enabled = !bar5->enabled;
 598    trace_vfio_quirk_nvidia_bar5_state(vdev->vbasedev.name,
 599                                       bar5->enabled ?  "Enable" : "Disable");
 600    memory_region_set_enabled(bar5->addr_mem, bar5->enabled);
 601    memory_region_set_enabled(bar5->data_mem, bar5->enabled);
 602}
 603
 604static uint64_t vfio_nvidia_bar5_quirk_master_read(void *opaque,
 605                                                   hwaddr addr, unsigned size)
 606{
 607    VFIONvidiaBAR5Quirk *bar5 = opaque;
 608    VFIOPCIDevice *vdev = bar5->window.vdev;
 609
 610    return vfio_region_read(&vdev->bars[5].region, addr, size);
 611}
 612
 613static void vfio_nvidia_bar5_quirk_master_write(void *opaque, hwaddr addr,
 614                                                uint64_t data, unsigned size)
 615{
 616    VFIONvidiaBAR5Quirk *bar5 = opaque;
 617    VFIOPCIDevice *vdev = bar5->window.vdev;
 618
 619    vfio_region_write(&vdev->bars[5].region, addr, data, size);
 620
 621    bar5->master = data;
 622    vfio_nvidia_bar5_enable(bar5);
 623}
 624
 625static const MemoryRegionOps vfio_nvidia_bar5_quirk_master = {
 626    .read = vfio_nvidia_bar5_quirk_master_read,
 627    .write = vfio_nvidia_bar5_quirk_master_write,
 628    .endianness = DEVICE_LITTLE_ENDIAN,
 629};
 630
 631static uint64_t vfio_nvidia_bar5_quirk_enable_read(void *opaque,
 632                                                   hwaddr addr, unsigned size)
 633{
 634    VFIONvidiaBAR5Quirk *bar5 = opaque;
 635    VFIOPCIDevice *vdev = bar5->window.vdev;
 636
 637    return vfio_region_read(&vdev->bars[5].region, addr + 4, size);
 638}
 639
 640static void vfio_nvidia_bar5_quirk_enable_write(void *opaque, hwaddr addr,
 641                                                uint64_t data, unsigned size)
 642{
 643    VFIONvidiaBAR5Quirk *bar5 = opaque;
 644    VFIOPCIDevice *vdev = bar5->window.vdev;
 645
 646    vfio_region_write(&vdev->bars[5].region, addr + 4, data, size);
 647
 648    bar5->enable = data;
 649    vfio_nvidia_bar5_enable(bar5);
 650}
 651
 652static const MemoryRegionOps vfio_nvidia_bar5_quirk_enable = {
 653    .read = vfio_nvidia_bar5_quirk_enable_read,
 654    .write = vfio_nvidia_bar5_quirk_enable_write,
 655    .endianness = DEVICE_LITTLE_ENDIAN,
 656};
 657
 658static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice *vdev, int nr)
 659{
 660    VFIOQuirk *quirk;
 661    VFIONvidiaBAR5Quirk *bar5;
 662    VFIOConfigWindowQuirk *window;
 663
 664    if (vdev->no_geforce_quirks ||
 665        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 666        !vdev->vga || nr != 5 || !vdev->bars[5].ioport) {
 667        return;
 668    }
 669
 670    quirk = g_malloc0(sizeof(*quirk));
 671    quirk->mem = g_new0(MemoryRegion, 4);
 672    quirk->nr_mem = 4;
 673    bar5 = quirk->data = g_malloc0(sizeof(*bar5) +
 674                                   (sizeof(VFIOConfigWindowMatch) * 2));
 675    window = &bar5->window;
 676
 677    window->vdev = vdev;
 678    window->address_offset = 0x8;
 679    window->data_offset = 0xc;
 680    window->nr_matches = 2;
 681    window->matches[0].match = 0x1800;
 682    window->matches[0].mask = PCI_CONFIG_SPACE_SIZE - 1;
 683    window->matches[1].match = 0x88000;
 684    window->matches[1].mask = vdev->config_size - 1;
 685    window->bar = nr;
 686    window->addr_mem = bar5->addr_mem = &quirk->mem[0];
 687    window->data_mem = bar5->data_mem = &quirk->mem[1];
 688
 689    memory_region_init_io(window->addr_mem, OBJECT(vdev),
 690                          &vfio_generic_window_address_quirk, window,
 691                          "vfio-nvidia-bar5-window-address-quirk", 4);
 692    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 693                                        window->address_offset,
 694                                        window->addr_mem, 1);
 695    memory_region_set_enabled(window->addr_mem, false);
 696
 697    memory_region_init_io(window->data_mem, OBJECT(vdev),
 698                          &vfio_generic_window_data_quirk, window,
 699                          "vfio-nvidia-bar5-window-data-quirk", 4);
 700    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 701                                        window->data_offset,
 702                                        window->data_mem, 1);
 703    memory_region_set_enabled(window->data_mem, false);
 704
 705    memory_region_init_io(&quirk->mem[2], OBJECT(vdev),
 706                          &vfio_nvidia_bar5_quirk_master, bar5,
 707                          "vfio-nvidia-bar5-master-quirk", 4);
 708    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 709                                        0, &quirk->mem[2], 1);
 710
 711    memory_region_init_io(&quirk->mem[3], OBJECT(vdev),
 712                          &vfio_nvidia_bar5_quirk_enable, bar5,
 713                          "vfio-nvidia-bar5-enable-quirk", 4);
 714    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 715                                        4, &quirk->mem[3], 1);
 716
 717    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 718
 719    trace_vfio_quirk_nvidia_bar5_probe(vdev->vbasedev.name);
 720}
 721
 722/*
 723 * Finally, BAR0 itself.  We want to redirect any accesses to either
 724 * 0x1800 or 0x88000 through the PCI config space access functions.
 725 */
 726static void vfio_nvidia_quirk_mirror_write(void *opaque, hwaddr addr,
 727                                           uint64_t data, unsigned size)
 728{
 729    VFIOConfigMirrorQuirk *mirror = opaque;
 730    VFIOPCIDevice *vdev = mirror->vdev;
 731    PCIDevice *pdev = &vdev->pdev;
 732
 733    vfio_generic_quirk_mirror_write(opaque, addr, data, size);
 734
 735    /*
 736     * Nvidia seems to acknowledge MSI interrupts by writing 0xff to the
 737     * MSI capability ID register.  Both the ID and next register are
 738     * read-only, so we allow writes covering either of those to real hw.
 739     */
 740    if ((pdev->cap_present & QEMU_PCI_CAP_MSI) &&
 741        vfio_range_contained(addr, size, pdev->msi_cap, PCI_MSI_FLAGS)) {
 742        vfio_region_write(&vdev->bars[mirror->bar].region,
 743                          addr + mirror->offset, data, size);
 744        trace_vfio_quirk_nvidia_bar0_msi_ack(vdev->vbasedev.name);
 745    }
 746}
 747
 748static const MemoryRegionOps vfio_nvidia_mirror_quirk = {
 749    .read = vfio_generic_quirk_mirror_read,
 750    .write = vfio_nvidia_quirk_mirror_write,
 751    .endianness = DEVICE_LITTLE_ENDIAN,
 752};
 753
 754static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice *vdev, int nr)
 755{
 756    VFIOQuirk *quirk;
 757    VFIOConfigMirrorQuirk *mirror;
 758
 759    if (vdev->no_geforce_quirks ||
 760        !vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
 761        !vfio_is_vga(vdev) || nr != 0) {
 762        return;
 763    }
 764
 765    quirk = g_malloc0(sizeof(*quirk));
 766    mirror = quirk->data = g_malloc0(sizeof(*mirror));
 767    mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 768    quirk->nr_mem = 1;
 769    mirror->vdev = vdev;
 770    mirror->offset = 0x88000;
 771    mirror->bar = nr;
 772
 773    memory_region_init_io(mirror->mem, OBJECT(vdev),
 774                          &vfio_nvidia_mirror_quirk, mirror,
 775                          "vfio-nvidia-bar0-88000-mirror-quirk",
 776                          vdev->config_size);
 777    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 778                                        mirror->offset, mirror->mem, 1);
 779
 780    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 781
 782    /* The 0x1800 offset mirror only seems to get used by legacy VGA */
 783    if (vdev->vga) {
 784        quirk = g_malloc0(sizeof(*quirk));
 785        mirror = quirk->data = g_malloc0(sizeof(*mirror));
 786        mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
 787        quirk->nr_mem = 1;
 788        mirror->vdev = vdev;
 789        mirror->offset = 0x1800;
 790        mirror->bar = nr;
 791
 792        memory_region_init_io(mirror->mem, OBJECT(vdev),
 793                              &vfio_nvidia_mirror_quirk, mirror,
 794                              "vfio-nvidia-bar0-1800-mirror-quirk",
 795                              PCI_CONFIG_SPACE_SIZE);
 796        memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 797                                            mirror->offset, mirror->mem, 1);
 798
 799        QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 800    }
 801
 802    trace_vfio_quirk_nvidia_bar0_probe(vdev->vbasedev.name);
 803}
 804
 805/*
 806 * TODO - Some Nvidia devices provide config access to their companion HDA
 807 * device and even to their parent bridge via these config space mirrors.
 808 * Add quirks for those regions.
 809 */
 810
 811#define PCI_VENDOR_ID_REALTEK 0x10ec
 812
 813/*
 814 * RTL8168 devices have a backdoor that can access the MSI-X table.  At BAR2
 815 * offset 0x70 there is a dword data register, offset 0x74 is a dword address
 816 * register.  According to the Linux r8169 driver, the MSI-X table is addressed
 817 * when the "type" portion of the address register is set to 0x1.  This appears
 818 * to be bits 16:30.  Bit 31 is both a write indicator and some sort of
 819 * "address latched" indicator.  Bits 12:15 are a mask field, which we can
 820 * ignore because the MSI-X table should always be accessed as a dword (full
 821 * mask).  Bits 0:11 is offset within the type.
 822 *
 823 * Example trace:
 824 *
 825 * Read from MSI-X table offset 0
 826 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x1f000, 4) // store read addr
 827 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x8001f000 // latch
 828 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x70, 4) = 0xfee00398 // read data
 829 *
 830 * Write 0xfee00000 to MSI-X table offset 0
 831 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x70, 0xfee00000, 4) // write data
 832 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x8001f000, 4) // do write
 833 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x1f000 // complete
 834 */
 835typedef struct VFIOrtl8168Quirk {
 836    VFIOPCIDevice *vdev;
 837    uint32_t addr;
 838    uint32_t data;
 839    bool enabled;
 840} VFIOrtl8168Quirk;
 841
 842static uint64_t vfio_rtl8168_quirk_address_read(void *opaque,
 843                                                hwaddr addr, unsigned size)
 844{
 845    VFIOrtl8168Quirk *rtl = opaque;
 846    VFIOPCIDevice *vdev = rtl->vdev;
 847    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x74, size);
 848
 849    if (rtl->enabled) {
 850        data = rtl->addr ^ 0x80000000U; /* latch/complete */
 851        trace_vfio_quirk_rtl8168_fake_latch(vdev->vbasedev.name, data);
 852    }
 853
 854    return data;
 855}
 856
 857static void vfio_rtl8168_quirk_address_write(void *opaque, hwaddr addr,
 858                                             uint64_t data, unsigned size)
 859{
 860    VFIOrtl8168Quirk *rtl = opaque;
 861    VFIOPCIDevice *vdev = rtl->vdev;
 862
 863    rtl->enabled = false;
 864
 865    if ((data & 0x7fff0000) == 0x10000) { /* MSI-X table */
 866        rtl->enabled = true;
 867        rtl->addr = (uint32_t)data;
 868
 869        if (data & 0x80000000U) { /* Do write */
 870            if (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX) {
 871                hwaddr offset = data & 0xfff;
 872                uint64_t val = rtl->data;
 873
 874                trace_vfio_quirk_rtl8168_msix_write(vdev->vbasedev.name,
 875                                                    (uint16_t)offset, val);
 876
 877                /* Write to the proper guest MSI-X table instead */
 878                memory_region_dispatch_write(&vdev->pdev.msix_table_mmio,
 879                                             offset, val, size,
 880                                             MEMTXATTRS_UNSPECIFIED);
 881            }
 882            return; /* Do not write guest MSI-X data to hardware */
 883        }
 884    }
 885
 886    vfio_region_write(&vdev->bars[2].region, addr + 0x74, data, size);
 887}
 888
 889static const MemoryRegionOps vfio_rtl_address_quirk = {
 890    .read = vfio_rtl8168_quirk_address_read,
 891    .write = vfio_rtl8168_quirk_address_write,
 892    .valid = {
 893        .min_access_size = 4,
 894        .max_access_size = 4,
 895        .unaligned = false,
 896    },
 897    .endianness = DEVICE_LITTLE_ENDIAN,
 898};
 899
 900static uint64_t vfio_rtl8168_quirk_data_read(void *opaque,
 901                                             hwaddr addr, unsigned size)
 902{
 903    VFIOrtl8168Quirk *rtl = opaque;
 904    VFIOPCIDevice *vdev = rtl->vdev;
 905    uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x70, size);
 906
 907    if (rtl->enabled && (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX)) {
 908        hwaddr offset = rtl->addr & 0xfff;
 909        memory_region_dispatch_read(&vdev->pdev.msix_table_mmio, offset,
 910                                    &data, size, MEMTXATTRS_UNSPECIFIED);
 911        trace_vfio_quirk_rtl8168_msix_read(vdev->vbasedev.name, offset, data);
 912    }
 913
 914    return data;
 915}
 916
 917static void vfio_rtl8168_quirk_data_write(void *opaque, hwaddr addr,
 918                                          uint64_t data, unsigned size)
 919{
 920    VFIOrtl8168Quirk *rtl = opaque;
 921    VFIOPCIDevice *vdev = rtl->vdev;
 922
 923    rtl->data = (uint32_t)data;
 924
 925    vfio_region_write(&vdev->bars[2].region, addr + 0x70, data, size);
 926}
 927
 928static const MemoryRegionOps vfio_rtl_data_quirk = {
 929    .read = vfio_rtl8168_quirk_data_read,
 930    .write = vfio_rtl8168_quirk_data_write,
 931    .valid = {
 932        .min_access_size = 4,
 933        .max_access_size = 4,
 934        .unaligned = false,
 935    },
 936    .endianness = DEVICE_LITTLE_ENDIAN,
 937};
 938
 939static void vfio_probe_rtl8168_bar2_quirk(VFIOPCIDevice *vdev, int nr)
 940{
 941    VFIOQuirk *quirk;
 942    VFIOrtl8168Quirk *rtl;
 943
 944    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_REALTEK, 0x8168) || nr != 2) {
 945        return;
 946    }
 947
 948    quirk = g_malloc0(sizeof(*quirk));
 949    quirk->mem = g_new0(MemoryRegion, 2);
 950    quirk->nr_mem = 2;
 951    quirk->data = rtl = g_malloc0(sizeof(*rtl));
 952    rtl->vdev = vdev;
 953
 954    memory_region_init_io(&quirk->mem[0], OBJECT(vdev),
 955                          &vfio_rtl_address_quirk, rtl,
 956                          "vfio-rtl8168-window-address-quirk", 4);
 957    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 958                                        0x74, &quirk->mem[0], 1);
 959
 960    memory_region_init_io(&quirk->mem[1], OBJECT(vdev),
 961                          &vfio_rtl_data_quirk, rtl,
 962                          "vfio-rtl8168-window-data-quirk", 4);
 963    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
 964                                        0x70, &quirk->mem[1], 1);
 965
 966    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 967
 968    trace_vfio_quirk_rtl8168_probe(vdev->vbasedev.name);
 969}
 970
 971/*
 972 * Intel IGD support
 973 *
 974 * Obviously IGD is not a discrete device, this is evidenced not only by it
 975 * being integrated into the CPU, but by the various chipset and BIOS
 976 * dependencies that it brings along with it.  Intel is trying to move away
 977 * from this and Broadwell and newer devices can run in what Intel calls
 978 * "Universal Pass-Through" mode, or UPT.  Theoretically in UPT mode, nothing
 979 * more is required beyond assigning the IGD device to a VM.  There are
 980 * however support limitations to this mode.  It only supports IGD as a
 981 * secondary graphics device in the VM and it doesn't officially support any
 982 * physical outputs.
 983 *
 984 * The code here attempts to enable what we'll call legacy mode assignment,
 985 * IGD retains most of the capabilities we expect for it to have on bare
 986 * metal.  To enable this mode, the IGD device must be assigned to the VM
 987 * at PCI address 00:02.0, it must have a ROM, it very likely needs VGA
 988 * support, we must have VM BIOS support for reserving and populating some
 989 * of the required tables, and we need to tweak the chipset with revisions
 990 * and IDs and an LPC/ISA bridge device.  The intention is to make all of
 991 * this happen automatically by installing the device at the correct VM PCI
 992 * bus address.  If any of the conditions are not met, we cross our fingers
 993 * and hope the user knows better.
 994 *
 995 * NB - It is possible to enable physical outputs in UPT mode by supplying
 996 * an OpRegion table.  We don't do this by default because the guest driver
 997 * behaves differently if an OpRegion is provided and no monitor is attached
 998 * vs no OpRegion and a monitor being attached or not.  Effectively, if a
 999 * headless setup is desired, the OpRegion gets in the way of that.
1000 */

1001
1002/*
1003 * This presumes the device is already known to be an Intel VGA device, so we
1004 * take liberties in which device ID bits match which generation.  This should
1005 * not be taken as an indication that all the devices are supported, or even
1006 * supportable, some of them don't even support VT-d.
1007 * See linux:include/drm/i915_pciids.h for IDs.
1008 */
1009static int igd_gen(VFIOPCIDevice *vdev)
1010{
1011    if ((vdev->device_id & 0xfff) == 0xa84) {
1012        return 8; /* Broxton */
1013    }
1014
1015    switch (vdev->device_id & 0xff00) {
1016    /* Old, untested, unavailable, unknown */
1017    case 0x0000:
1018    case 0x2500:
1019    case 0x2700:
1020    case 0x2900:
1021    case 0x2a00:
1022    case 0x2e00:
1023    case 0x3500:
1024    case 0xa000:
1025        return -1;
1026    /* SandyBridge, IvyBridge, ValleyView, Haswell */
1027    case 0x0100:
1028    case 0x0400:
1029    case 0x0a00:
1030    case 0x0c00:
1031    case 0x0d00:
1032    case 0x0f00:
1033        return 6;
1034    /* BroadWell, CherryView, SkyLake, KabyLake */
1035    case 0x1600:
1036    case 0x1900:
1037    case 0x2200:
1038    case 0x5900:
1039        return 8;
1040    }
1041
1042    return 8; /* Assume newer is compatible */
1043}
1044
1045typedef struct VFIOIGDQuirk {
1046    struct VFIOPCIDevice *vdev;
1047    uint32_t index;
1048    uint32_t bdsm;
1049} VFIOIGDQuirk;
1050
1051#define IGD_GMCH 0x50 /* Graphics Control Register */
1052#define IGD_BDSM 0x5c /* Base Data of Stolen Memory */
1053#define IGD_ASLS 0xfc /* ASL Storage Register */
1054
1055/*
1056 * The OpRegion includes the Video BIOS Table, which seems important for
1057 * telling the driver what sort of outputs it has.  Without this, the device
1058 * may work in the guest, but we may not get output.  This also requires BIOS
1059 * support to reserve and populate a section of guest memory sufficient for
1060 * the table and to write the base address of that memory to the ASLS register
1061 * of the IGD device.
1062 */
1063int vfio_pci_igd_opregion_init(VFIOPCIDevice *vdev,
1064                               struct vfio_region_info *info, Error **errp)
1065{
1066    int ret;
1067
1068    vdev->igd_opregion = g_malloc0(info->size);
1069    ret = pread(vdev->vbasedev.fd, vdev->igd_opregion,
1070                info->size, info->offset);
1071    if (ret != info->size) {
1072        error_setg(errp, "failed to read IGD OpRegion");
1073        g_free(vdev->igd_opregion);
1074        vdev->igd_opregion = NULL;
1075        return -EINVAL;
1076    }
1077
1078    /*
1079     * Provide fw_cfg with a copy of the OpRegion which the VM firmware is to
1080     * allocate 32bit reserved memory for, copy these contents into, and write
1081     * the reserved memory base address to the device ASLS register at 0xFC.
1082     * Alignment of this reserved region seems flexible, but using a 4k page
1083     * alignment seems to work well.  This interface assumes a single IGD
1084     * device, which may be at VM address 00:02.0 in legacy mode or another
1085     * address in UPT mode.
1086     *
1087     * NB, there may be future use cases discovered where the VM should have
1088     * direct interaction with the host OpRegion, in which case the write to
1089     * the ASLS register would trigger MemoryRegion setup to enable that.
1090     */
1091    fw_cfg_add_file(fw_cfg_find(), "etc/igd-opregion",
1092                    vdev->igd_opregion, info->size);
1093
1094    trace_vfio_pci_igd_opregion_enabled(vdev->vbasedev.name);
1095
1096    pci_set_long(vdev->pdev.config + IGD_ASLS, 0);
1097    pci_set_long(vdev->pdev.wmask + IGD_ASLS, ~0);
1098    pci_set_long(vdev->emulated_config_bits + IGD_ASLS, ~0);
1099
1100    return 0;
1101}
1102
1103/*
1104 * The rather short list of registers that we copy from the host devices.
1105 * The LPC/ISA bridge values are definitely needed to support the vBIOS, the
1106 * host bridge values may or may not be needed depending on the guest OS.
1107 * Since we're only munging revision and subsystem values on the host bridge,
1108 * we don't require our own device.  The LPC/ISA bridge needs to be our very
1109 * own though.
1110 */
1111typedef struct {
1112    uint8_t offset;
1113    uint8_t len;
1114} IGDHostInfo;
1115
1116static const IGDHostInfo igd_host_bridge_infos[] = {
1117    {PCI_REVISION_ID,         2},
1118    {PCI_SUBSYSTEM_VENDOR_ID, 2},
1119    {PCI_SUBSYSTEM_ID,        2},
1120};
1121
1122static const IGDHostInfo igd_lpc_bridge_infos[] = {
1123    {PCI_VENDOR_ID,           2},
1124    {PCI_DEVICE_ID,           2},
1125    {PCI_REVISION_ID,         2},
1126    {PCI_SUBSYSTEM_VENDOR_ID, 2},
1127    {PCI_SUBSYSTEM_ID,        2},
1128};
1129
1130static int vfio_pci_igd_copy(VFIOPCIDevice *vdev, PCIDevice *pdev,
1131                             struct vfio_region_info *info,
1132                             const IGDHostInfo *list, int len)
1133{
1134    int i, ret;
1135
1136    for (i = 0; i < len; i++) {
1137        ret = pread(vdev->vbasedev.fd, pdev->config + list[i].offset,
1138                    list[i].len, info->offset + list[i].offset);
1139        if (ret != list[i].len) {
1140            error_report("IGD copy failed: %m");
1141            return -errno;
1142        }
1143    }
1144
1145    return 0;
1146}
1147
1148/*
1149 * Stuff a few values into the host bridge.
1150 */
1151static int vfio_pci_igd_host_init(VFIOPCIDevice *vdev,
1152                                  struct vfio_region_info *info)
1153{
1154    PCIBus *bus;
1155    PCIDevice *host_bridge;
1156    int ret;
1157
1158    bus = pci_device_root_bus(&vdev->pdev);
1159    host_bridge = pci_find_device(bus, 0, PCI_DEVFN(0, 0));
1160
1161    if (!host_bridge) {
1162        error_report("Can't find host bridge");
1163        return -ENODEV;
1164    }
1165
1166    ret = vfio_pci_igd_copy(vdev, host_bridge, info, igd_host_bridge_infos,
1167                            ARRAY_SIZE(igd_host_bridge_infos));
1168    if (!ret) {
1169        trace_vfio_pci_igd_host_bridge_enabled(vdev->vbasedev.name);
1170    }
1171
1172    return ret;
1173}
1174
1175/*
1176 * IGD LPC/ISA bridge support code.  The vBIOS needs this, but we can't write
1177 * arbitrary values into just any bridge, so we must create our own.  We try
1178 * to handle if the user has created it for us, which they might want to do
1179 * to enable multifunction so we don't occupy the whole PCI slot.
1180 */
1181static void vfio_pci_igd_lpc_bridge_realize(PCIDevice *pdev, Error **errp)
1182{
1183    if (pdev->devfn != PCI_DEVFN(0x1f, 0)) {
1184        error_setg(errp, "VFIO dummy ISA/LPC bridge must have address 1f.0");
1185    }
1186}
1187
1188static void vfio_pci_igd_lpc_bridge_class_init(ObjectClass *klass, void *data)
1189{
1190    DeviceClass *dc = DEVICE_CLASS(klass);
1191    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1192
1193    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
1194    dc->desc = "VFIO dummy ISA/LPC bridge for IGD assignment";
1195    dc->hotpluggable = false;
1196    k->realize = vfio_pci_igd_lpc_bridge_realize;
1197    k->class_id = PCI_CLASS_BRIDGE_ISA;
1198}
1199
1200static TypeInfo vfio_pci_igd_lpc_bridge_info = {
1201    .name = "vfio-pci-igd-lpc-bridge",
1202    .parent = TYPE_PCI_DEVICE,
1203    .class_init = vfio_pci_igd_lpc_bridge_class_init,
1204    .interfaces = (InterfaceInfo[]) {
1205        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
1206        { },
1207    },
1208};
1209
1210static void vfio_pci_igd_register_types(void)
1211{
1212    type_register_static(&vfio_pci_igd_lpc_bridge_info);
1213}
1214
1215type_init(vfio_pci_igd_register_types)
1216
1217static int vfio_pci_igd_lpc_init(VFIOPCIDevice *vdev,
1218                                 struct vfio_region_info *info)
1219{
1220    PCIDevice *lpc_bridge;
1221    int ret;
1222
1223    lpc_bridge = pci_find_device(pci_device_root_bus(&vdev->pdev),
1224                                 0, PCI_DEVFN(0x1f, 0));
1225    if (!lpc_bridge) {
1226        lpc_bridge = pci_create_simple(pci_device_root_bus(&vdev->pdev),
1227                                 PCI_DEVFN(0x1f, 0), "vfio-pci-igd-lpc-bridge");
1228    }
1229
1230    ret = vfio_pci_igd_copy(vdev, lpc_bridge, info, igd_lpc_bridge_infos,
1231                            ARRAY_SIZE(igd_lpc_bridge_infos));
1232    if (!ret) {
1233        trace_vfio_pci_igd_lpc_bridge_enabled(vdev->vbasedev.name);
1234    }
1235
1236    return ret;
1237}
1238
1239/*
1240 * IGD Gen8 and newer support up to 8MB for the GTT and use a 64bit PTE
1241 * entry, older IGDs use 2MB and 32bit.  Each PTE maps a 4k page.  Therefore
1242 * we either have 2M/4k * 4 = 2k or 8M/4k * 8 = 16k as the maximum iobar index
1243 * for programming the GTT.
1244 *
1245 * See linux:include/drm/i915_drm.h for shift and mask values.
1246 */
1247static int vfio_igd_gtt_max(VFIOPCIDevice *vdev)
1248{
1249    uint32_t gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, sizeof(gmch));
1250    int ggms, gen = igd_gen(vdev);
1251
1252    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, sizeof(gmch));
1253    ggms = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
1254    if (gen > 6) {
1255        ggms = 1 << ggms;
1256    }
1257
1258    ggms *= 1024 * 1024;
1259
1260    return (ggms / (4 * 1024)) * (gen < 8 ? 4 : 8);
1261}
1262
1263/*
1264 * The IGD ROM will make use of stolen memory (GGMS) for support of VESA modes.
1265 * Somehow the host stolen memory range is used for this, but how the ROM gets
1266 * it is a mystery, perhaps it's hardcoded into the ROM.  Thankfully though, it
1267 * reprograms the GTT through the IOBAR where we can trap it and transpose the
1268 * programming to the VM allocated buffer.  That buffer gets reserved by the VM
1269 * firmware via the fw_cfg entry added below.  Here we're just monitoring the
1270 * IOBAR address and data registers to detect a write sequence targeting the
1271 * GTTADR.  This code is developed by observed behavior and doesn't have a
1272 * direct spec reference, unfortunately.
1273 */
1274static uint64_t vfio_igd_quirk_data_read(void *opaque,
1275                                         hwaddr addr, unsigned size)
1276{
1277    VFIOIGDQuirk *igd = opaque;
1278    VFIOPCIDevice *vdev = igd->vdev;
1279
1280    igd->index = ~0;
1281
1282    return vfio_region_read(&vdev->bars[4].region, addr + 4, size);
1283}
1284
1285static void vfio_igd_quirk_data_write(void *opaque, hwaddr addr,
1286                                      uint64_t data, unsigned size)
1287{
1288    VFIOIGDQuirk *igd = opaque;
1289    VFIOPCIDevice *vdev = igd->vdev;
1290    uint64_t val = data;
1291    int gen = igd_gen(vdev);
1292
1293    /*
1294     * Programming the GGMS starts at index 0x1 and uses every 4th index (ie.
1295     * 0x1, 0x5, 0x9, 0xd,...).  For pre-Gen8 each 4-byte write is a whole PTE
1296     * entry, with 0th bit enable set.  For Gen8 and up, PTEs are 64bit, so
1297     * entries 0x5 & 0xd are the high dword, in our case zero.  Each PTE points
1298     * to a 4k page, which we translate to a page from the VM allocated region,
1299     * pointed to by the BDSM register.  If this is not set, we fail.
1300     *
1301     * We trap writes to the full configured GTT size, but we typically only
1302     * see the vBIOS writing up to (nearly) the 1MB barrier.  In fact it often
1303     * seems to miss the last entry for an even 1MB GTT.  Doing a gratuitous
1304     * write of that last entry does work, but is hopefully unnecessary since
1305     * we clear the previous GTT on initialization.
1306     */
1307    if ((igd->index % 4 == 1) && igd->index < vfio_igd_gtt_max(vdev)) {
1308        if (gen < 8 || (igd->index % 8 == 1)) {
1309            uint32_t base;
1310
1311            base = pci_get_long(vdev->pdev.config + IGD_BDSM);
1312            if (!base) {
1313                hw_error("vfio-igd: Guest attempted to program IGD GTT before "
1314                         "BIOS reserved stolen memory.  Unsupported BIOS?");
1315            }
1316
1317            val = data - igd->bdsm + base;
1318        } else {
1319            val = 0; /* upper 32bits of pte, we only enable below 4G PTEs */
1320        }
1321
1322        trace_vfio_pci_igd_bar4_write(vdev->vbasedev.name,
1323                                      igd->index, data, val);
1324    }
1325
1326    vfio_region_write(&vdev->bars[4].region, addr + 4, val, size);
1327
1328    igd->index = ~0;
1329}
1330
1331static const MemoryRegionOps vfio_igd_data_quirk = {
1332    .read = vfio_igd_quirk_data_read,
1333    .write = vfio_igd_quirk_data_write,
1334    .endianness = DEVICE_LITTLE_ENDIAN,
1335};
1336
1337static uint64_t vfio_igd_quirk_index_read(void *opaque,
1338                                          hwaddr addr, unsigned size)
1339{
1340    VFIOIGDQuirk *igd = opaque;
1341    VFIOPCIDevice *vdev = igd->vdev;
1342
1343    igd->index = ~0;
1344
1345    return vfio_region_read(&vdev->bars[4].region, addr, size);
1346}
1347
1348static void vfio_igd_quirk_index_write(void *opaque, hwaddr addr,
1349                                       uint64_t data, unsigned size)
1350{
1351    VFIOIGDQuirk *igd = opaque;
1352    VFIOPCIDevice *vdev = igd->vdev;
1353
1354    igd->index = data;
1355
1356    vfio_region_write(&vdev->bars[4].region, addr, data, size);
1357}
1358
1359static const MemoryRegionOps vfio_igd_index_quirk = {
1360    .read = vfio_igd_quirk_index_read,
1361    .write = vfio_igd_quirk_index_write,
1362    .endianness = DEVICE_LITTLE_ENDIAN,
1363};
1364
1365static void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
1366{
1367    struct vfio_region_info *rom = NULL, *opregion = NULL,
1368                            *host = NULL, *lpc = NULL;
1369    VFIOQuirk *quirk;
1370    VFIOIGDQuirk *igd;
1371    PCIDevice *lpc_bridge;
1372    int i, ret, ggms_mb, gms_mb = 0, gen;
1373    uint64_t *bdsm_size;
1374    uint32_t gmch;
1375    uint16_t cmd_orig, cmd;
1376    Error *err = NULL;
1377
1378    /*
1379     * This must be an Intel VGA device at address 00:02.0 for us to even
1380     * consider enabling legacy mode.  The vBIOS has dependencies on the
1381     * PCI bus address.
1382     */
1383    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
1384        !vfio_is_vga(vdev) || nr != 4 ||
1385        &vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
1386                                       0, PCI_DEVFN(0x2, 0))) {
1387        return;
1388    }
1389
1390    /*
1391     * We need to create an LPC/ISA bridge at PCI bus address 00:1f.0 that we
1392     * can stuff host values into, so if there's already one there and it's not
1393     * one we can hack on, legacy mode is no-go.  Sorry Q35.
1394     */
1395    lpc_bridge = pci_find_device(pci_device_root_bus(&vdev->pdev),
1396                                 0, PCI_DEVFN(0x1f, 0));
1397    if (lpc_bridge && !object_dynamic_cast(OBJECT(lpc_bridge),
1398                                           "vfio-pci-igd-lpc-bridge")) {
1399        error_report("IGD device %s cannot support legacy mode due to existing "
1400                     "devices at address 1f.0", vdev->vbasedev.name);
1401        return;
1402    }
1403
1404    /*
1405     * IGD is not a standard, they like to change their specs often.  We
1406     * only attempt to support back to SandBridge and we hope that newer
1407     * devices maintain compatibility with generation 8.
1408     */
1409    gen = igd_gen(vdev);
1410    if (gen != 6 && gen != 8) {
1411        error_report("IGD device %s is unsupported in legacy mode, "
1412                     "try SandyBridge or newer", vdev->vbasedev.name);
1413        return;
1414    }
1415
1416    /*
1417     * Most of what we're doing here is to enable the ROM to run, so if
1418     * there's no ROM, there's no point in setting up this quirk.
1419     * NB. We only seem to get BIOS ROMs, so a UEFI VM would need CSM support.
1420     */
1421    ret = vfio_get_region_info(&vdev->vbasedev,
1422                               VFIO_PCI_ROM_REGION_INDEX, &rom);
1423    if ((ret || !rom->size) && !vdev->pdev.romfile) {
1424        error_report("IGD device %s has no ROM, legacy mode disabled",
1425                     vdev->vbasedev.name);
1426        goto out;
1427    }
1428
1429    /*
1430     * Ignore the hotplug corner case, mark the ROM failed, we can't
1431     * create the devices we need for legacy mode in the hotplug scenario.
1432     */
1433    if (vdev->pdev.qdev.hotplugged) {
1434        error_report("IGD device %s hotplugged, ROM disabled, "
1435                     "legacy mode disabled", vdev->vbasedev.name);
1436        vdev->rom_read_failed = true;
1437        goto out;
1438    }
1439
1440    /*
1441     * Check whether we have all the vfio device specific regions to
1442     * support legacy mode (added in Linux v4.6).  If not, bail.
1443     */
1444    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1445                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1446                        VFIO_REGION_SUBTYPE_INTEL_IGD_OPREGION, &opregion);
1447    if (ret) {
1448        error_report("IGD device %s does not support OpRegion access,"
1449                     "legacy mode disabled", vdev->vbasedev.name);
1450        goto out;
1451    }
1452
1453    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1454                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1455                        VFIO_REGION_SUBTYPE_INTEL_IGD_HOST_CFG, &host);
1456    if (ret) {
1457        error_report("IGD device %s does not support host bridge access,"
1458                     "legacy mode disabled", vdev->vbasedev.name);
1459        goto out;
1460    }
1461
1462    ret = vfio_get_dev_region_info(&vdev->vbasedev,
1463                        VFIO_REGION_TYPE_PCI_VENDOR_TYPE | PCI_VENDOR_ID_INTEL,
1464                        VFIO_REGION_SUBTYPE_INTEL_IGD_LPC_CFG, &lpc);
1465    if (ret) {
1466        error_report("IGD device %s does not support LPC bridge access,"
1467                     "legacy mode disabled", vdev->vbasedev.name);
1468        goto out;
1469    }
1470
1471    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
1472
1473    /*
1474     * If IGD VGA Disable is clear (expected) and VGA is not already enabled,
1475     * try to enable it.  Probably shouldn't be using legacy mode without VGA,
1476     * but also no point in us enabling VGA if disabled in hardware.
1477     */
1478    if (!(gmch & 0x2) && !vdev->vga && vfio_populate_vga(vdev, &err)) {
1479        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
1480        error_report("IGD device %s failed to enable VGA access, "
1481                     "legacy mode disabled", vdev->vbasedev.name);
1482        goto out;
1483    }
1484
1485    /* Create our LPC/ISA bridge */
1486    ret = vfio_pci_igd_lpc_init(vdev, lpc);
1487    if (ret) {
1488        error_report("IGD device %s failed to create LPC bridge, "
1489                     "legacy mode disabled", vdev->vbasedev.name);
1490        goto out;
1491    }
1492
1493    /* Stuff some host values into the VM PCI host bridge */
1494    ret = vfio_pci_igd_host_init(vdev, host);
1495    if (ret) {
1496        error_report("IGD device %s failed to modify host bridge, "
1497                     "legacy mode disabled", vdev->vbasedev.name);
1498        goto out;
1499    }
1500
1501    /* Setup OpRegion access */
1502    ret = vfio_pci_igd_opregion_init(vdev, opregion, &err);
1503    if (ret) {
1504        error_append_hint(&err, "IGD legacy mode disabled\n");
1505        error_reportf_err(err, ERR_PREFIX, vdev->vbasedev.name);
1506        goto out;
1507    }
1508
1509    /* Setup our quirk to munge GTT addresses to the VM allocated buffer */
1510    quirk = g_malloc0(sizeof(*quirk));
1511    quirk->mem = g_new0(MemoryRegion, 2);
1512    quirk->nr_mem = 2;
1513    igd = quirk->data = g_malloc0(sizeof(*igd));
1514    igd->vdev = vdev;
1515    igd->index = ~0;
1516    igd->bdsm = vfio_pci_read_config(&vdev->pdev, IGD_BDSM, 4);
1517    igd->bdsm &= ~((1 << 20) - 1); /* 1MB aligned */
1518
1519    memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_igd_index_quirk,
1520                          igd, "vfio-igd-index-quirk", 4);
1521    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
1522                                        0, &quirk->mem[0], 1);
1523
1524    memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_igd_data_quirk,
1525                          igd, "vfio-igd-data-quirk", 4);
1526    memory_region_add_subregion_overlap(vdev->bars[nr].region.mem,
1527                                        4, &quirk->mem[1], 1);
1528
1529    QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
1530
1531    /* Determine the size of stolen memory needed for GTT */
1532    ggms_mb = (gmch >> (gen < 8 ? 8 : 6)) & 0x3;
1533    if (gen > 6) {
1534        ggms_mb = 1 << ggms_mb;
1535    }
1536
1537    /*
1538     * Assume we have no GMS memory, but allow it to be overrided by device
1539     * option (experimental).  The spec doesn't actually allow zero GMS when
1540     * when IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
1541     * so let's not waste VM memory for it.
1542     */
1543    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
1544
1545    if (vdev->igd_gms) {
1546        if (vdev->igd_gms <= 0x10) {
1547            gms_mb = vdev->igd_gms * 32;
1548            gmch |= vdev->igd_gms << (gen < 8 ? 3 : 8);
1549        } else {
1550            error_report("Unsupported IGD GMS value 0x%x", vdev->igd_gms);
1551            vdev->igd_gms = 0;
1552        }
1553    }
1554
1555    /*
1556     * Request reserved memory for stolen memory via fw_cfg.  VM firmware
1557     * must allocate a 1MB aligned reserved memory region below 4GB with
1558     * the requested size (in bytes) for use by the Intel PCI class VGA
1559     * device at VM address 00:02.0.  The base address of this reserved
1560     * memory region must be written to the device BDSM regsiter at PCI
1561     * config offset 0x5C.
1562     */
1563    bdsm_size = g_malloc(sizeof(*bdsm_size));
1564    *bdsm_size = cpu_to_le64((ggms_mb + gms_mb) * 1024 * 1024);
1565    fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
1566                    bdsm_size, sizeof(*bdsm_size));
1567
1568    /* GMCH is read-only, emulated */
1569    pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
1570    pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
1571    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
1572
1573    /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
1574    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
1575    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
1576    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
1577
1578    /*
1579     * This IOBAR gives us access to GTTADR, which allows us to write to
1580     * the GTT itself.  So let's go ahead and write zero to all the GTT
1581     * entries to avoid spurious DMA faults.  Be sure I/O access is enabled
1582     * before talking to the device.
1583     */
1584    if (pread(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
1585              vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
1586        error_report("IGD device %s - failed to read PCI command register",
1587                     vdev->vbasedev.name);
1588    }
1589
1590    cmd = cmd_orig | PCI_COMMAND_IO;
1591
1592    if (pwrite(vdev->vbasedev.fd, &cmd, sizeof(cmd),
1593               vdev->config_offset + PCI_COMMAND) != sizeof(cmd)) {
1594        error_report("IGD device %s - failed to write PCI command register",
1595                     vdev->vbasedev.name);
1596    }
1597
1598    for (i = 1; i < vfio_igd_gtt_max(vdev); i += 4) {
1599        vfio_region_write(&vdev->bars[4].region, 0, i, 4);
1600        vfio_region_write(&vdev->bars[4].region, 4, 0, 4);
1601    }
1602
1603    if (pwrite(vdev->vbasedev.fd, &cmd_orig, sizeof(cmd_orig),
1604               vdev->config_offset + PCI_COMMAND) != sizeof(cmd_orig)) {
1605        error_report("IGD device %s - failed to restore PCI command register",
1606                     vdev->vbasedev.name);
1607    }
1608
1609    trace_vfio_pci_igd_bdsm_enabled(vdev->vbasedev.name, ggms_mb + gms_mb);
1610
1611out:
1612    g_free(rom);
1613    g_free(opregion);
1614    g_free(host);
1615    g_free(lpc);
1616}
1617
1618/*
1619 * Common quirk probe entry points.
1620 */
1621void vfio_vga_quirk_setup(VFIOPCIDevice *vdev)
1622{
1623    vfio_vga_probe_ati_3c3_quirk(vdev);
1624    vfio_vga_probe_nvidia_3d0_quirk(vdev);
1625}
1626
1627void vfio_vga_quirk_exit(VFIOPCIDevice *vdev)
1628{
1629    VFIOQuirk *quirk;
1630    int i, j;
1631
1632    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
1633        QLIST_FOREACH(quirk, &vdev->vga->region[i].quirks, next) {
1634            for (j = 0; j < quirk->nr_mem; j++) {
1635                memory_region_del_subregion(&vdev->vga->region[i].mem,
1636                                            &quirk->mem[j]);
1637            }
1638        }
1639    }
1640}
1641
1642void vfio_vga_quirk_finalize(VFIOPCIDevice *vdev)
1643{
1644    int i, j;
1645
1646    for (i = 0; i < ARRAY_SIZE(vdev->vga->region); i++) {
1647        while (!QLIST_EMPTY(&vdev->vga->region[i].quirks)) {
1648            VFIOQuirk *quirk = QLIST_FIRST(&vdev->vga->region[i].quirks);
1649            QLIST_REMOVE(quirk, next);
1650            for (j = 0; j < quirk->nr_mem; j++) {
1651                object_unparent(OBJECT(&quirk->mem[j]));
1652            }
1653            g_free(quirk->mem);
1654            g_free(quirk->data);
1655            g_free(quirk);
1656        }
1657    }
1658}
1659
1660void vfio_bar_quirk_setup(VFIOPCIDevice *vdev, int nr)
1661{
1662    vfio_probe_ati_bar4_quirk(vdev, nr);
1663    vfio_probe_ati_bar2_quirk(vdev, nr);
1664    vfio_probe_nvidia_bar5_quirk(vdev, nr);
1665    vfio_probe_nvidia_bar0_quirk(vdev, nr);
1666    vfio_probe_rtl8168_bar2_quirk(vdev, nr);
1667    vfio_probe_igd_bar4_quirk(vdev, nr);
1668}
1669
1670void vfio_bar_quirk_exit(VFIOPCIDevice *vdev, int nr)
1671{
1672    VFIOBAR *bar = &vdev->bars[nr];
1673    VFIOQuirk *quirk;
1674    int i;
1675
1676    QLIST_FOREACH(quirk, &bar->quirks, next) {
1677        for (i = 0; i < quirk->nr_mem; i++) {
1678            memory_region_del_subregion(bar->region.mem, &quirk->mem[i]);
1679        }
1680    }
1681}
1682
1683void vfio_bar_quirk_finalize(VFIOPCIDevice *vdev, int nr)
1684{
1685    VFIOBAR *bar = &vdev->bars[nr];
1686    int i;
1687
1688    while (!QLIST_EMPTY(&bar->quirks)) {
1689        VFIOQuirk *quirk = QLIST_FIRST(&bar->quirks);
1690        QLIST_REMOVE(quirk, next);
1691        for (i = 0; i < quirk->nr_mem; i++) {
1692            object_unparent(OBJECT(&quirk->mem[i]));
1693        }
1694        g_free(quirk->mem);
1695        g_free(quirk->data);
1696        g_free(quirk);
1697    }
1698}
1699
1700/*
1701 * Reset quirks
1702 */
1703
1704/*
1705 * AMD Radeon PCI config reset, based on Linux:
1706 *   drivers/gpu/drm/radeon/ci_smc.c:ci_is_smc_running()
1707 *   drivers/gpu/drm/radeon/radeon_device.c:radeon_pci_config_reset
1708 *   drivers/gpu/drm/radeon/ci_smc.c:ci_reset_smc()
1709 *   drivers/gpu/drm/radeon/ci_smc.c:ci_stop_smc_clock()
1710 * IDs: include/drm/drm_pciids.h
1711 * Registers: http://cgit.freedesktop.org/~agd5f/linux/commit/?id=4e2aa447f6f0
1712 *
1713 * Bonaire and Hawaii GPUs do not respond to a bus reset.  This is a bug in the
1714 * hardware that should be fixed on future ASICs.  The symptom of this is that
1715 * once the accerlated driver loads, Windows guests will bsod on subsequent
1716 * attmpts to load the driver, such as after VM reset or shutdown/restart.  To
1717 * work around this, we do an AMD specific PCI config reset, followed by an SMC
1718 * reset.  The PCI config reset only works if SMC firmware is running, so we
1719 * have a dependency on the state of the device as to whether this reset will
1720 * be effective.  There are still cases where we won't be able to kick the
1721 * device into working, but this greatly improves the usability overall.  The
1722 * config reset magic is relatively common on AMD GPUs, but the setup and SMC
1723 * poking is largely ASIC specific.
1724 */
1725static bool vfio_radeon_smc_is_running(VFIOPCIDevice *vdev)
1726{
1727    uint32_t clk, pc_c;
1728
1729    /*
1730     * Registers 200h and 204h are index and data registers for accessing
1731     * indirect configuration registers within the device.
1732     */
1733    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
1734    clk = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1735    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000370, 4);
1736    pc_c = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1737
1738    return (!(clk & 1) && (0x20100 <= pc_c));
1739}
1740
1741/*
1742 * The scope of a config reset is controlled by a mode bit in the misc register
1743 * and a fuse, exposed as a bit in another register.  The fuse is the default
1744 * (0 = GFX, 1 = whole GPU), the misc bit is a toggle, with the forumula
1745 * scope = !(misc ^ fuse), where the resulting scope is defined the same as
1746 * the fuse.  A truth table therefore tells us that if misc == fuse, we need
1747 * to flip the value of the bit in the misc register.
1748 */
1749static void vfio_radeon_set_gfx_only_reset(VFIOPCIDevice *vdev)
1750{
1751    uint32_t misc, fuse;
1752    bool a, b;
1753
1754    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc00c0000, 4);
1755    fuse = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1756    b = fuse & 64;
1757
1758    vfio_region_write(&vdev->bars[5].region, 0x200, 0xc0000010, 4);
1759    misc = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1760    a = misc & 2;
1761
1762    if (a == b) {
1763        vfio_region_write(&vdev->bars[5].region, 0x204, misc ^ 2, 4);
1764        vfio_region_read(&vdev->bars[5].region, 0x204, 4); /* flush */
1765    }
1766}
1767
1768static int vfio_radeon_reset(VFIOPCIDevice *vdev)
1769{
1770    PCIDevice *pdev = &vdev->pdev;
1771    int i, ret = 0;
1772    uint32_t data;
1773
1774    /* Defer to a kernel implemented reset */
1775    if (vdev->vbasedev.reset_works) {
1776        trace_vfio_quirk_ati_bonaire_reset_skipped(vdev->vbasedev.name);
1777        return -ENODEV;
1778    }
1779
1780    /* Enable only memory BAR access */
1781    vfio_pci_write_config(pdev, PCI_COMMAND, PCI_COMMAND_MEMORY, 2);
1782
1783    /* Reset only works if SMC firmware is loaded and running */
1784    if (!vfio_radeon_smc_is_running(vdev)) {
1785        ret = -EINVAL;
1786        trace_vfio_quirk_ati_bonaire_reset_no_smc(vdev->vbasedev.name);
1787        goto out;
1788    }
1789
1790    /* Make sure only the GFX function is reset */
1791    vfio_radeon_set_gfx_only_reset(vdev);
1792
1793    /* AMD PCI config reset */
1794    vfio_pci_write_config(pdev, 0x7c, 0x39d5e86b, 4);
1795    usleep(100);
1796
1797    /* Read back the memory size to make sure we're out of reset */
1798    for (i = 0; i < 100000; i++) {
1799        if (vfio_region_read(&vdev->bars[5].region, 0x5428, 4) != 0xffffffff) {
1800            goto reset_smc;
1801        }
1802        usleep(1);
1803    }
1804
1805    trace_vfio_quirk_ati_bonaire_reset_timeout(vdev->vbasedev.name);
1806
1807reset_smc:
1808    /* Reset SMC */
1809    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000000, 4);
1810    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1811    data |= 1;
1812    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);
1813
1814    /* Disable SMC clock */
1815    vfio_region_write(&vdev->bars[5].region, 0x200, 0x80000004, 4);
1816    data = vfio_region_read(&vdev->bars[5].region, 0x204, 4);
1817    data |= 1;
1818    vfio_region_write(&vdev->bars[5].region, 0x204, data, 4);
1819
1820    trace_vfio_quirk_ati_bonaire_reset_done(vdev->vbasedev.name);
1821
1822out:
1823    /* Restore PCI command register */
1824    vfio_pci_write_config(pdev, PCI_COMMAND, 0, 2);
1825
1826    return ret;
1827}
1828
1829void vfio_setup_resetfn_quirk(VFIOPCIDevice *vdev)
1830{
1831    switch (vdev->vendor_id) {
1832    case 0x1002:
1833        switch (vdev->device_id) {
1834        /* Bonaire */
1835        case 0x6649: /* Bonaire [FirePro W5100] */
1836        case 0x6650:
1837        case 0x6651:
1838        case 0x6658: /* Bonaire XTX [Radeon R7 260X] */
1839        case 0x665c: /* Bonaire XT [Radeon HD 7790/8770 / R9 260 OEM] */
1840        case 0x665d: /* Bonaire [Radeon R7 200 Series] */
1841        /* Hawaii */
1842        case 0x67A0: /* Hawaii XT GL [FirePro W9100] */
1843        case 0x67A1: /* Hawaii PRO GL [FirePro W8100] */
1844        case 0x67A2:
1845        case 0x67A8:
1846        case 0x67A9:
1847        case 0x67AA:
1848        case 0x67B0: /* Hawaii XT [Radeon R9 290X] */
1849        case 0x67B1: /* Hawaii PRO [Radeon R9 290] */
1850        case 0x67B8:
1851        case 0x67B9:
1852        case 0x67BA:
1853        case 0x67BE:
1854            vdev->resetfn = vfio_radeon_reset;
1855            trace_vfio_quirk_ati_bonaire_reset(vdev->vbasedev.name);
1856            break;
1857        }
1858        break;
1859    }
1860}
1861
1862/*
1863 * The NVIDIA GPUDirect P2P Vendor capability allows the user to specify
1864 * devices as a member of a clique.  Devices within the same clique ID
1865 * are capable of direct P2P.  It's the user's responsibility that this
1866 * is correct.  The spec says that this may reside at any unused config
1867 * offset, but reserves and recommends hypervisors place this at C8h.
1868 * The spec also states that the hypervisor should place this capability
1869 * at the end of the capability list, thus next is defined as 0h.
1870 *
1871 * +----------------+----------------+----------------+----------------+
1872 * | sig 7:0 ('P')  |  vndr len (8h) |    next (0h)   |   cap id (9h)  |
1873 * +----------------+----------------+----------------+----------------+
1874 * | rsvd 15:7(0h),id 6:3,ver 2:0(0h)|          sig 23:8 ('P2')        |
1875 * +---------------------------------+---------------------------------+
1876 *
1877 * https://lists.gnu.org/archive/html/qemu-devel/2017-08/pdfUda5iEpgOS.pdf
1878 */
1879static void get_nv_gpudirect_clique_id(Object *obj, Visitor *v,
1880                                       const char *name, void *opaque,
1881                                       Error **errp)
1882{
1883    DeviceState *dev = DEVICE(obj);
1884    Property *prop = opaque;
1885    uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
1886
1887    visit_type_uint8(v, name, ptr, errp);
1888}
1889
1890static void set_nv_gpudirect_clique_id(Object *obj, Visitor *v,
1891                                       const char *name, void *opaque,
1892                                       Error **errp)
1893{
1894    DeviceState *dev = DEVICE(obj);
1895    Property *prop = opaque;
1896    uint8_t value, *ptr = qdev_get_prop_ptr(dev, prop);
1897    Error *local_err = NULL;
1898
1899    if (dev->realized) {
1900        qdev_prop_set_after_realize(dev, name, errp);
1901        return;
1902    }
1903
1904    visit_type_uint8(v, name, &value, &local_err);
1905    if (local_err) {
1906        error_propagate(errp, local_err);
1907        return;
1908    }
1909
1910    if (value & ~0xF) {
1911        error_setg(errp, "Property %s: valid range 0-15", name);
1912        return;
1913    }
1914
1915    *ptr = value;
1916}
1917
1918const PropertyInfo qdev_prop_nv_gpudirect_clique = {
1919    .name = "uint4",
1920    .description = "NVIDIA GPUDirect Clique ID (0 - 15)",
1921    .get = get_nv_gpudirect_clique_id,
1922    .set = set_nv_gpudirect_clique_id,
1923};
1924
1925static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
1926{
1927    PCIDevice *pdev = &vdev->pdev;
1928    int ret, pos = 0xC8;
1929
1930    if (vdev->nv_gpudirect_clique == 0xFF) {
1931        return 0;
1932    }
1933
1934    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID)) {
1935        error_setg(errp, "NVIDIA GPUDirect Clique ID: invalid device vendor");
1936        return -EINVAL;
1937    }
1938
1939    if (pci_get_byte(pdev->config + PCI_CLASS_DEVICE + 1) !=
1940        PCI_BASE_CLASS_DISPLAY) {
1941        error_setg(errp, "NVIDIA GPUDirect Clique ID: unsupported PCI class");
1942        return -EINVAL;
1943    }
1944
1945    ret = pci_add_capability(pdev, PCI_CAP_ID_VNDR, pos, 8, errp);
1946    if (ret < 0) {
1947        error_prepend(errp, "Failed to add NVIDIA GPUDirect cap: ");
1948        return ret;
1949    }
1950
1951    memset(vdev->emulated_config_bits + pos, 0xFF, 8);
1952    pos += PCI_CAP_FLAGS;
1953    pci_set_byte(pdev->config + pos++, 8);
1954    pci_set_byte(pdev->config + pos++, 'P');
1955    pci_set_byte(pdev->config + pos++, '2');
1956    pci_set_byte(pdev->config + pos++, 'P');
1957    pci_set_byte(pdev->config + pos++, vdev->nv_gpudirect_clique << 3);
1958    pci_set_byte(pdev->config + pos, 0);
1959
1960    return 0;
1961}
1962
1963int vfio_add_virt_caps(VFIOPCIDevice *vdev, Error **errp)
1964{
1965    int ret;
1966
1967    ret = vfio_add_nv_gpudirect_cap(vdev, errp);
1968    if (ret) {
1969        return ret;
1970    }
1971
1972    return 0;
1973}
1974
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.