]> git.proxmox.com Git - mirror_qemu.git/blame - hw/vfio/pci-quirks.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
vfio/pci: Split quirks to a separate file
[mirror_qemu.git] / hw / vfio / pci-quirks.c
CommitLineData
c00d61d8
AW		 1/*
2 * device quirks for PCI devices
3 *
4 * Copyright Red Hat, Inc. 2012-2015
5 *
6 * Authors:
7 * Alex Williamson <alex.williamson@redhat.com>
8 *
9 * This work is licensed under the terms of the GNU GPL, version 2. See
10 * the COPYING file in the top-level directory.
11 */
12
13#include "pci.h"
14#include "trace.h"
15#include "qemu/range.h"
16
17/*
18 * List of device ids/vendor ids for which to disable
19 * option rom loading. This avoids the guest hangs during rom
20 * execution as noticed with the BCM 57810 card for lack of a
21 * more better way to handle such issues.
22 * The user can still override by specifying a romfile or
23 * rombar=1.
24 * Please see https://bugs.launchpad.net/qemu/+bug/1284874
25 * for an analysis of the 57810 card hang. When adding
26 * a new vendor id/device id combination below, please also add
27 * your card/environment details and information that could
28 * help in debugging to the bug tracking this issue
29 */
30static const VFIORomBlacklistEntry romblacklist[] = {
31 /* Broadcom BCM 57810 */
32 { 0x14e4, 0x168e }
33};
34
35bool vfio_blacklist_opt_rom(VFIOPCIDevice *vdev)
36{
37 PCIDevice *pdev = &vdev->pdev;
38 uint16_t vendor_id, device_id;
39 int count = 0;
40
41 vendor_id = pci_get_word(pdev->config + PCI_VENDOR_ID);
42 device_id = pci_get_word(pdev->config + PCI_DEVICE_ID);
43
44 while (count < ARRAY_SIZE(romblacklist)) {
45 if (romblacklist[count].vendor_id == vendor_id &&
46 romblacklist[count].device_id == device_id) {
47 return true;
48 }
49 count++;
50 }
51
52 return false;
53}
54
55/*
56 * Device specific quirks
57 */
58
59/* Is range1 fully contained within range2? */
60static bool vfio_range_contained(uint64_t first1, uint64_t len1,
61 uint64_t first2, uint64_t len2) {
62 return (first1 >= first2 && first1 + len1 <= first2 + len2);
63}
64
65static bool vfio_flags_enabled(uint8_t flags, uint8_t mask)
66{
67 return (mask && (flags & mask) == mask);
68}
69
70static uint64_t vfio_generic_window_quirk_read(void *opaque,
71 hwaddr addr, unsigned size)
72{
73 VFIOQuirk *quirk = opaque;
74 VFIOPCIDevice *vdev = quirk->vdev;
75 uint64_t data;
76
77 if (vfio_flags_enabled(quirk->data.flags, quirk->data.read_flags) &&
78 ranges_overlap(addr, size,
79 quirk->data.data_offset, quirk->data.data_size)) {
80 hwaddr offset = addr - quirk->data.data_offset;
81
82 if (!vfio_range_contained(addr, size, quirk->data.data_offset,
83 quirk->data.data_size)) {
84 hw_error("%s: window data read not fully contained: %s",
85 __func__, memory_region_name(&quirk->mem));
86 }
87
88 data = vfio_pci_read_config(&vdev->pdev,
89 quirk->data.address_val + offset, size);
90
91 trace_vfio_generic_window_quirk_read(memory_region_name(&quirk->mem),
92 vdev->vbasedev.name,
93 quirk->data.bar,
94 addr, size, data);
95 } else {
96 data = vfio_region_read(&vdev->bars[quirk->data.bar].region,
97 addr + quirk->data.base_offset, size);
98 }
99
100 return data;
101}
102
103static void vfio_generic_window_quirk_write(void *opaque, hwaddr addr,
104 uint64_t data, unsigned size)
105{
106 VFIOQuirk *quirk = opaque;
107 VFIOPCIDevice *vdev = quirk->vdev;
108
109 if (ranges_overlap(addr, size,
110 quirk->data.address_offset, quirk->data.address_size)) {
111
112 if (addr != quirk->data.address_offset) {
113 hw_error("%s: offset write into address window: %s",
114 __func__, memory_region_name(&quirk->mem));
115 }
116
117 if ((data & ~quirk->data.address_mask) == quirk->data.address_match) {
118 quirk->data.flags |= quirk->data.write_flags |
119 quirk->data.read_flags;
120 quirk->data.address_val = data & quirk->data.address_mask;
121 } else {
122 quirk->data.flags &= ~(quirk->data.write_flags |
123 quirk->data.read_flags);
124 }
125 }
126
127 if (vfio_flags_enabled(quirk->data.flags, quirk->data.write_flags) &&
128 ranges_overlap(addr, size,
129 quirk->data.data_offset, quirk->data.data_size)) {
130 hwaddr offset = addr - quirk->data.data_offset;
131
132 if (!vfio_range_contained(addr, size, quirk->data.data_offset,
133 quirk->data.data_size)) {
134 hw_error("%s: window data write not fully contained: %s",
135 __func__, memory_region_name(&quirk->mem));
136 }
137
138 vfio_pci_write_config(&vdev->pdev,
139 quirk->data.address_val + offset, data, size);
140 trace_vfio_generic_window_quirk_write(memory_region_name(&quirk->mem),
141 vdev->vbasedev.name,
142 quirk->data.bar,
143 addr, data, size);
144 return;
145 }
146
147 vfio_region_write(&vdev->bars[quirk->data.bar].region,
148 addr + quirk->data.base_offset, data, size);
149}
150
151static const MemoryRegionOps vfio_generic_window_quirk = {
152 .read = vfio_generic_window_quirk_read,
153 .write = vfio_generic_window_quirk_write,
154 .endianness = DEVICE_LITTLE_ENDIAN,
155};
156
157static uint64_t vfio_generic_quirk_read(void *opaque,
158 hwaddr addr, unsigned size)
159{
160 VFIOQuirk *quirk = opaque;
161 VFIOPCIDevice *vdev = quirk->vdev;
162 hwaddr base = quirk->data.address_match & TARGET_PAGE_MASK;
163 hwaddr offset = quirk->data.address_match & ~TARGET_PAGE_MASK;
164 uint64_t data;
165
166 if (vfio_flags_enabled(quirk->data.flags, quirk->data.read_flags) &&
167 ranges_overlap(addr, size, offset, quirk->data.address_mask + 1)) {
168 if (!vfio_range_contained(addr, size, offset,
169 quirk->data.address_mask + 1)) {
170 hw_error("%s: read not fully contained: %s",
171 __func__, memory_region_name(&quirk->mem));
172 }
173
174 data = vfio_pci_read_config(&vdev->pdev, addr - offset, size);
175
176 trace_vfio_generic_quirk_read(memory_region_name(&quirk->mem),
177 vdev->vbasedev.name, quirk->data.bar,
178 addr + base, size, data);
179 } else {
180 data = vfio_region_read(&vdev->bars[quirk->data.bar].region,
181 addr + base, size);
182 }
183
184 return data;
185}
186
187static void vfio_generic_quirk_write(void *opaque, hwaddr addr,
188 uint64_t data, unsigned size)
189{
190 VFIOQuirk *quirk = opaque;
191 VFIOPCIDevice *vdev = quirk->vdev;
192 hwaddr base = quirk->data.address_match & TARGET_PAGE_MASK;
193 hwaddr offset = quirk->data.address_match & ~TARGET_PAGE_MASK;
194
195 if (vfio_flags_enabled(quirk->data.flags, quirk->data.write_flags) &&
196 ranges_overlap(addr, size, offset, quirk->data.address_mask + 1)) {
197 if (!vfio_range_contained(addr, size, offset,
198 quirk->data.address_mask + 1)) {
199 hw_error("%s: write not fully contained: %s",
200 __func__, memory_region_name(&quirk->mem));
201 }
202
203 vfio_pci_write_config(&vdev->pdev, addr - offset, data, size);
204
205 trace_vfio_generic_quirk_write(memory_region_name(&quirk->mem),
206 vdev->vbasedev.name, quirk->data.bar,
207 addr + base, data, size);
208 } else {
209 vfio_region_write(&vdev->bars[quirk->data.bar].region,
210 addr + base, data, size);
211 }
212}
213
214static const MemoryRegionOps vfio_generic_quirk = {
215 .read = vfio_generic_quirk_read,
216 .write = vfio_generic_quirk_write,
217 .endianness = DEVICE_LITTLE_ENDIAN,
218};
219
220#define PCI_VENDOR_ID_ATI 0x1002
221
222/*
223 * Radeon HD cards (HD5450 & HD7850) report the upper byte of the I/O port BAR
224 * through VGA register 0x3c3. On newer cards, the I/O port BAR is always
225 * BAR4 (older cards like the X550 used BAR1, but we don't care to support
226 * those). Note that on bare metal, a read of 0x3c3 doesn't always return the
227 * I/O port BAR address. Originally this was coded to return the virtual BAR
228 * address only if the physical register read returns the actual BAR address,
229 * but users have reported greater success if we return the virtual address
230 * unconditionally.
231 */
232static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
233 hwaddr addr, unsigned size)
234{
235 VFIOQuirk *quirk = opaque;
236 VFIOPCIDevice *vdev = quirk->vdev;
237 uint64_t data = vfio_pci_read_config(&vdev->pdev,
238 PCI_BASE_ADDRESS_0 + (4 * 4) + 1,
239 size);
240 trace_vfio_ati_3c3_quirk_read(data);
241
242 return data;
243}
244
245static const MemoryRegionOps vfio_ati_3c3_quirk = {
246 .read = vfio_ati_3c3_quirk_read,
247 .endianness = DEVICE_LITTLE_ENDIAN,
248};
249
250static void vfio_vga_probe_ati_3c3_quirk(VFIOPCIDevice *vdev)
251{
252 PCIDevice *pdev = &vdev->pdev;
253 VFIOQuirk *quirk;
254
255 if (pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_ATI) {
256 return;
257 }
258
259 /*
260 * As long as the BAR is >= 256 bytes it will be aligned such that the
261 * lower byte is always zero. Filter out anything else, if it exists.
262 */
263 if (!vdev->bars[4].ioport || vdev->bars[4].region.size < 256) {
264 return;
265 }
266
267 quirk = g_malloc0(sizeof(*quirk));
268 quirk->vdev = vdev;
269
270 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_ati_3c3_quirk, quirk,
271 "vfio-ati-3c3-quirk", 1);
272 memory_region_add_subregion(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].mem,
273 3 /* offset 3 bytes from 0x3c0 */, &quirk->mem);
274
275 QLIST_INSERT_HEAD(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].quirks,
276 quirk, next);
277
278 trace_vfio_vga_probe_ati_3c3_quirk(vdev->vbasedev.name);
279}
280
281/*
282 * Newer ATI/AMD devices, including HD5450 and HD7850, have a window to PCI
283 * config space through MMIO BAR2 at offset 0x4000. Nothing seems to access
284 * the MMIO space directly, but a window to this space is provided through
285 * I/O port BAR4. Offset 0x0 is the address register and offset 0x4 is the
286 * data register. When the address is programmed to a range of 0x4000-0x4fff
287 * PCI configuration space is available. Experimentation seems to indicate
288 * that only read-only access is provided, but we drop writes when the window
289 * is enabled to config space nonetheless.
290 */
291static void vfio_probe_ati_bar4_window_quirk(VFIOPCIDevice *vdev, int nr)
292{
293 PCIDevice *pdev = &vdev->pdev;
294 VFIOQuirk *quirk;
295
296 if (!vdev->has_vga || nr != 4 ||
297 pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_ATI) {
298 return;
299 }
300
301 quirk = g_malloc0(sizeof(*quirk));
302 quirk->vdev = vdev;
303 quirk->data.address_size = 4;
304 quirk->data.data_offset = 4;
305 quirk->data.data_size = 4;
306 quirk->data.address_match = 0x4000;
307 quirk->data.address_mask = PCIE_CONFIG_SPACE_SIZE - 1;
308 quirk->data.bar = nr;
309 quirk->data.read_flags = quirk->data.write_flags = 1;
310
311 memory_region_init_io(&quirk->mem, OBJECT(vdev),
312 &vfio_generic_window_quirk, quirk,
313 "vfio-ati-bar4-window-quirk", 8);
314 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
315 quirk->data.base_offset, &quirk->mem, 1);
316
317 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
318
319 trace_vfio_probe_ati_bar4_window_quirk(vdev->vbasedev.name);
320}
321
322/*
323 * Trap the BAR2 MMIO window to config space as well.
324 */
325static void vfio_probe_ati_bar2_4000_quirk(VFIOPCIDevice *vdev, int nr)
326{
327 PCIDevice *pdev = &vdev->pdev;
328 VFIOQuirk *quirk;
329
330 /* Only enable on newer devices where BAR2 is 64bit */
331 if (!vdev->has_vga || nr != 2 || !vdev->bars[2].mem64 ||
332 pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_ATI) {
333 return;
334 }
335
336 quirk = g_malloc0(sizeof(*quirk));
337 quirk->vdev = vdev;
338 quirk->data.flags = quirk->data.read_flags = quirk->data.write_flags = 1;
339 quirk->data.address_match = 0x4000;
340 quirk->data.address_mask = PCIE_CONFIG_SPACE_SIZE - 1;
341 quirk->data.bar = nr;
342
343 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_generic_quirk, quirk,
344 "vfio-ati-bar2-4000-quirk",
345 TARGET_PAGE_ALIGN(quirk->data.address_mask + 1));
346 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
347 quirk->data.address_match & TARGET_PAGE_MASK,
348 &quirk->mem, 1);
349
350 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
351
352 trace_vfio_probe_ati_bar2_4000_quirk(vdev->vbasedev.name);
353}
354
355/*
356 * Older ATI/AMD cards like the X550 have a similar window to that above.
357 * I/O port BAR1 provides a window to a mirror of PCI config space located
358 * in BAR2 at offset 0xf00. We don't care to support such older cards, but
359 * note it for future reference.
360 */
361
362#define PCI_VENDOR_ID_NVIDIA 0x10de
363
364/*
365 * Nvidia has several different methods to get to config space, the
366 * nouveu project has several of these documented here:
367 * https://github.com/pathscale/envytools/tree/master/hwdocs
368 *
369 * The first quirk is actually not documented in envytools and is found
370 * on 10de:01d1 (NVIDIA Corporation G72 [GeForce 7300 LE]). This is an
371 * NV46 chipset. The backdoor uses the legacy VGA I/O ports to access
372 * the mirror of PCI config space found at BAR0 offset 0x1800. The access
373 * sequence first writes 0x338 to I/O port 0x3d4. The target offset is
374 * then written to 0x3d0. Finally 0x538 is written for a read and 0x738
375 * is written for a write to 0x3d4. The BAR0 offset is then accessible
376 * through 0x3d0. This quirk doesn't seem to be necessary on newer cards
377 * that use the I/O port BAR5 window but it doesn't hurt to leave it.
378 */
379enum {
380 NV_3D0_NONE = 0,
381 NV_3D0_SELECT,
382 NV_3D0_WINDOW,
383 NV_3D0_READ,
384 NV_3D0_WRITE,
385};
386
387static uint64_t vfio_nvidia_3d0_quirk_read(void *opaque,
388 hwaddr addr, unsigned size)
389{
390 VFIOQuirk *quirk = opaque;
391 VFIOPCIDevice *vdev = quirk->vdev;
392 PCIDevice *pdev = &vdev->pdev;
393 uint64_t data = vfio_vga_read(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
394 addr + quirk->data.base_offset, size);
395
396 if (quirk->data.flags == NV_3D0_READ && addr == quirk->data.data_offset) {
397 data = vfio_pci_read_config(pdev, quirk->data.address_val, size);
398 trace_vfio_nvidia_3d0_quirk_read(size, data);
399 }
400
401 quirk->data.flags = NV_3D0_NONE;
402
403 return data;
404}
405
406static void vfio_nvidia_3d0_quirk_write(void *opaque, hwaddr addr,
407 uint64_t data, unsigned size)
408{
409 VFIOQuirk *quirk = opaque;
410 VFIOPCIDevice *vdev = quirk->vdev;
411 PCIDevice *pdev = &vdev->pdev;
412
413 switch (quirk->data.flags) {
414 case NV_3D0_NONE:
415 if (addr == quirk->data.address_offset && data == 0x338) {
416 quirk->data.flags = NV_3D0_SELECT;
417 }
418 break;
419 case NV_3D0_SELECT:
420 quirk->data.flags = NV_3D0_NONE;
421 if (addr == quirk->data.data_offset &&
422 (data & ~quirk->data.address_mask) == quirk->data.address_match) {
423 quirk->data.flags = NV_3D0_WINDOW;
424 quirk->data.address_val = data & quirk->data.address_mask;
425 }
426 break;
427 case NV_3D0_WINDOW:
428 quirk->data.flags = NV_3D0_NONE;
429 if (addr == quirk->data.address_offset) {
430 if (data == 0x538) {
431 quirk->data.flags = NV_3D0_READ;
432 } else if (data == 0x738) {
433 quirk->data.flags = NV_3D0_WRITE;
434 }
435 }
436 break;
437 case NV_3D0_WRITE:
438 quirk->data.flags = NV_3D0_NONE;
439 if (addr == quirk->data.data_offset) {
440 vfio_pci_write_config(pdev, quirk->data.address_val, data, size);
441 trace_vfio_nvidia_3d0_quirk_write(data, size);
442 return;
443 }
444 break;
445 }
446
447 vfio_vga_write(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
448 addr + quirk->data.base_offset, data, size);
449}
450
451static const MemoryRegionOps vfio_nvidia_3d0_quirk = {
452 .read = vfio_nvidia_3d0_quirk_read,
453 .write = vfio_nvidia_3d0_quirk_write,
454 .endianness = DEVICE_LITTLE_ENDIAN,
455};
456
457static void vfio_vga_probe_nvidia_3d0_quirk(VFIOPCIDevice *vdev)
458{
459 PCIDevice *pdev = &vdev->pdev;
460 VFIOQuirk *quirk;
461
462 if (pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_NVIDIA ||
463 !vdev->bars[1].region.size) {
464 return;
465 }
466
467 quirk = g_malloc0(sizeof(*quirk));
468 quirk->vdev = vdev;
469 quirk->data.base_offset = 0x10;
470 quirk->data.address_offset = 4;
471 quirk->data.address_size = 2;
472 quirk->data.address_match = 0x1800;
473 quirk->data.address_mask = PCI_CONFIG_SPACE_SIZE - 1;
474 quirk->data.data_offset = 0;
475 quirk->data.data_size = 4;
476
477 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_nvidia_3d0_quirk,
478 quirk, "vfio-nvidia-3d0-quirk", 6);
479 memory_region_add_subregion(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].mem,
480 quirk->data.base_offset, &quirk->mem);
481
482 QLIST_INSERT_HEAD(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].quirks,
483 quirk, next);
484
485 trace_vfio_vga_probe_nvidia_3d0_quirk(vdev->vbasedev.name);
486}
487
488/*
489 * The second quirk is documented in envytools. The I/O port BAR5 is just
490 * a set of address/data ports to the MMIO BARs. The BAR we care about is
491 * again BAR0. This backdoor is apparently a bit newer than the one above
492 * so we need to not only trap 256 bytes @0x1800, but all of PCI config
493 * space, including extended space is available at the 4k @0x88000.
494 */
495enum {
496 NV_BAR5_ADDRESS = 0x1,
497 NV_BAR5_ENABLE = 0x2,
498 NV_BAR5_MASTER = 0x4,
499 NV_BAR5_VALID = 0x7,
500};
501
502static void vfio_nvidia_bar5_window_quirk_write(void *opaque, hwaddr addr,
503 uint64_t data, unsigned size)
504{
505 VFIOQuirk *quirk = opaque;
506
507 switch (addr) {
508 case 0x0:
509 if (data & 0x1) {
510 quirk->data.flags |= NV_BAR5_MASTER;
511 } else {
512 quirk->data.flags &= ~NV_BAR5_MASTER;
513 }
514 break;
515 case 0x4:
516 if (data & 0x1) {
517 quirk->data.flags |= NV_BAR5_ENABLE;
518 } else {
519 quirk->data.flags &= ~NV_BAR5_ENABLE;
520 }
521 break;
522 case 0x8:
523 if (quirk->data.flags & NV_BAR5_MASTER) {
524 if ((data & ~0xfff) == 0x88000) {
525 quirk->data.flags |= NV_BAR5_ADDRESS;
526 quirk->data.address_val = data & 0xfff;
527 } else if ((data & ~0xff) == 0x1800) {
528 quirk->data.flags |= NV_BAR5_ADDRESS;
529 quirk->data.address_val = data & 0xff;
530 } else {
531 quirk->data.flags &= ~NV_BAR5_ADDRESS;
532 }
533 }
534 break;
535 }
536
537 vfio_generic_window_quirk_write(opaque, addr, data, size);
538}
539
540static const MemoryRegionOps vfio_nvidia_bar5_window_quirk = {
541 .read = vfio_generic_window_quirk_read,
542 .write = vfio_nvidia_bar5_window_quirk_write,
543 .valid.min_access_size = 4,
544 .endianness = DEVICE_LITTLE_ENDIAN,
545};
546
547static void vfio_probe_nvidia_bar5_window_quirk(VFIOPCIDevice *vdev, int nr)
548{
549 PCIDevice *pdev = &vdev->pdev;
550 VFIOQuirk *quirk;
551
552 if (!vdev->has_vga || nr != 5 ||
553 pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_NVIDIA) {
554 return;
555 }
556
557 quirk = g_malloc0(sizeof(*quirk));
558 quirk->vdev = vdev;
559 quirk->data.read_flags = quirk->data.write_flags = NV_BAR5_VALID;
560 quirk->data.address_offset = 0x8;
561 quirk->data.address_size = 0; /* actually 4, but avoids generic code */
562 quirk->data.data_offset = 0xc;
563 quirk->data.data_size = 4;
564 quirk->data.bar = nr;
565
566 memory_region_init_io(&quirk->mem, OBJECT(vdev),
567 &vfio_nvidia_bar5_window_quirk, quirk,
568 "vfio-nvidia-bar5-window-quirk", 16);
569 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
570 0, &quirk->mem, 1);
571
572 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
573
574 trace_vfio_probe_nvidia_bar5_window_quirk(vdev->vbasedev.name);
575}
576
577static void vfio_nvidia_88000_quirk_write(void *opaque, hwaddr addr,
578 uint64_t data, unsigned size)
579{
580 VFIOQuirk *quirk = opaque;
581 VFIOPCIDevice *vdev = quirk->vdev;
582 PCIDevice *pdev = &vdev->pdev;
583 hwaddr base = quirk->data.address_match & TARGET_PAGE_MASK;
584
585 vfio_generic_quirk_write(opaque, addr, data, size);
586
587 /*
588 * Nvidia seems to acknowledge MSI interrupts by writing 0xff to the
589 * MSI capability ID register. Both the ID and next register are
590 * read-only, so we allow writes covering either of those to real hw.
591 * NB - only fixed for the 0x88000 MMIO window.
592 */
593 if ((pdev->cap_present & QEMU_PCI_CAP_MSI) &&
594 vfio_range_contained(addr, size, pdev->msi_cap, PCI_MSI_FLAGS)) {
595 vfio_region_write(&vdev->bars[quirk->data.bar].region,
596 addr + base, data, size);
597 }
598}
599
600static const MemoryRegionOps vfio_nvidia_88000_quirk = {
601 .read = vfio_generic_quirk_read,
602 .write = vfio_nvidia_88000_quirk_write,
603 .endianness = DEVICE_LITTLE_ENDIAN,
604};
605
606/*
607 * Finally, BAR0 itself. We want to redirect any accesses to either
608 * 0x1800 or 0x88000 through the PCI config space access functions.
609 *
610 * NB - quirk at a page granularity or else they don't seem to work when
611 * BARs are mmap'd
612 *
613 * Here's offset 0x88000...
614 */
615static void vfio_probe_nvidia_bar0_88000_quirk(VFIOPCIDevice *vdev, int nr)
616{
617 PCIDevice *pdev = &vdev->pdev;
618 VFIOQuirk *quirk;
619 uint16_t vendor, class;
620
621 vendor = pci_get_word(pdev->config + PCI_VENDOR_ID);
622 class = pci_get_word(pdev->config + PCI_CLASS_DEVICE);
623
624 if (nr != 0 || vendor != PCI_VENDOR_ID_NVIDIA ||
625 class != PCI_CLASS_DISPLAY_VGA) {
626 return;
627 }
628
629 quirk = g_malloc0(sizeof(*quirk));
630 quirk->vdev = vdev;
631 quirk->data.flags = quirk->data.read_flags = quirk->data.write_flags = 1;
632 quirk->data.address_match = 0x88000;
633 quirk->data.address_mask = PCIE_CONFIG_SPACE_SIZE - 1;
634 quirk->data.bar = nr;
635
636 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_nvidia_88000_quirk,
637 quirk, "vfio-nvidia-bar0-88000-quirk",
638 TARGET_PAGE_ALIGN(quirk->data.address_mask + 1));
639 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
640 quirk->data.address_match & TARGET_PAGE_MASK,
641 &quirk->mem, 1);
642
643 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
644
645 trace_vfio_probe_nvidia_bar0_88000_quirk(vdev->vbasedev.name);
646}
647
648/*
649 * And here's the same for BAR0 offset 0x1800...
650 */
651static void vfio_probe_nvidia_bar0_1800_quirk(VFIOPCIDevice *vdev, int nr)
652{
653 PCIDevice *pdev = &vdev->pdev;
654 VFIOQuirk *quirk;
655
656 if (!vdev->has_vga || nr != 0 ||
657 pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_NVIDIA) {
658 return;
659 }
660
661 /* Log the chipset ID */
662 trace_vfio_probe_nvidia_bar0_1800_quirk_id(
663 (unsigned int)(vfio_region_read(&vdev->bars[0].region, 0, 4) >> 20)
664 & 0xff);
665
666 quirk = g_malloc0(sizeof(*quirk));
667 quirk->vdev = vdev;
668 quirk->data.flags = quirk->data.read_flags = quirk->data.write_flags = 1;
669 quirk->data.address_match = 0x1800;
670 quirk->data.address_mask = PCI_CONFIG_SPACE_SIZE - 1;
671 quirk->data.bar = nr;
672
673 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_generic_quirk, quirk,
674 "vfio-nvidia-bar0-1800-quirk",
675 TARGET_PAGE_ALIGN(quirk->data.address_mask + 1));
676 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
677 quirk->data.address_match & TARGET_PAGE_MASK,
678 &quirk->mem, 1);
679
680 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
681
682 trace_vfio_probe_nvidia_bar0_1800_quirk(vdev->vbasedev.name);
683}
684
685/*
686 * TODO - Some Nvidia devices provide config access to their companion HDA
687 * device and even to their parent bridge via these config space mirrors.
688 * Add quirks for those regions.
689 */
690
691#define PCI_VENDOR_ID_REALTEK 0x10ec
692
693/*
694 * RTL8168 devices have a backdoor that can access the MSI-X table. At BAR2
695 * offset 0x70 there is a dword data register, offset 0x74 is a dword address
696 * register. According to the Linux r8169 driver, the MSI-X table is addressed
697 * when the "type" portion of the address register is set to 0x1. This appears
698 * to be bits 16:30. Bit 31 is both a write indicator and some sort of
699 * "address latched" indicator. Bits 12:15 are a mask field, which we can
700 * ignore because the MSI-X table should always be accessed as a dword (full
701 * mask). Bits 0:11 is offset within the type.
702 *
703 * Example trace:
704 *
705 * Read from MSI-X table offset 0
706 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x1f000, 4) // store read addr
707 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x8001f000 // latch
708 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x70, 4) = 0xfee00398 // read data
709 *
710 * Write 0xfee00000 to MSI-X table offset 0
711 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x70, 0xfee00000, 4) // write data
712 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x8001f000, 4) // do write
713 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x1f000 // complete
714 */
715static uint64_t vfio_rtl8168_window_quirk_read(void *opaque,
716 hwaddr addr, unsigned size)
717{
718 VFIOQuirk *quirk = opaque;
719 VFIOPCIDevice *vdev = quirk->vdev;
720 uint64_t val = 0;
721
722 if (!quirk->data.flags) { /* Non-MSI-X table access */
723 return vfio_region_read(&vdev->bars[quirk->data.bar].region,
724 addr + 0x70, size);
725 }
726
727 switch (addr) {
728 case 4: /* address */
729 val = quirk->data.address_match ^ 0x80000000U; /* latch/complete */
730 break;
731 case 0: /* data */
732 if ((vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX)) {
733 memory_region_dispatch_read(&vdev->pdev.msix_table_mmio,
734 (hwaddr)(quirk->data.address_match & 0xfff),
735 &val, size, MEMTXATTRS_UNSPECIFIED);
736 }
737 break;
738 }
739
740 trace_vfio_rtl8168_quirk_read(vdev->vbasedev.name,
741 addr ? "address" : "data", val);
742 return val;
743}
744
745static void vfio_rtl8168_window_quirk_write(void *opaque, hwaddr addr,
746 uint64_t data, unsigned size)
747{
748 VFIOQuirk *quirk = opaque;
749 VFIOPCIDevice *vdev = quirk->vdev;
750
751 switch (addr) {
752 case 4: /* address */
753 if ((data & 0x7fff0000) == 0x10000) { /* MSI-X table */
754 quirk->data.flags = 1; /* Activate reads */
755 quirk->data.address_match = data;
756
757 trace_vfio_rtl8168_quirk_write(vdev->vbasedev.name, data);
758
759 if (data & 0x80000000U) { /* Do write */
760 if (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX) {
761 hwaddr offset = data & 0xfff;
762 uint64_t val = quirk->data.address_mask;
763
764 trace_vfio_rtl8168_quirk_msix(vdev->vbasedev.name,
765 (uint16_t)offset, val);
766
767 /* Write to the proper guest MSI-X table instead */
768 memory_region_dispatch_write(&vdev->pdev.msix_table_mmio,
769 offset, val, size,
770 MEMTXATTRS_UNSPECIFIED);
771 }
772 return; /* Do not write guest MSI-X data to hardware */
773 }
774 } else {
775 quirk->data.flags = 0; /* De-activate reads, non-MSI-X */
776 }
777 break;
778 case 0: /* data */
779 quirk->data.address_mask = data;
780 break;
781 }
782
783 vfio_region_write(&vdev->bars[quirk->data.bar].region,
784 addr + 0x70, data, size);
785}
786
787static const MemoryRegionOps vfio_rtl8168_window_quirk = {
788 .read = vfio_rtl8168_window_quirk_read,
789 .write = vfio_rtl8168_window_quirk_write,
790 .valid = {
791 .min_access_size = 4,
792 .max_access_size = 4,
793 .unaligned = false,
794 },
795 .endianness = DEVICE_LITTLE_ENDIAN,
796};
797
798static void vfio_probe_rtl8168_bar2_window_quirk(VFIOPCIDevice *vdev, int nr)
799{
800 PCIDevice *pdev = &vdev->pdev;
801 VFIOQuirk *quirk;
802
803 if (pci_get_word(pdev->config + PCI_VENDOR_ID) != PCI_VENDOR_ID_REALTEK ||
804 pci_get_word(pdev->config + PCI_DEVICE_ID) != 0x8168 || nr != 2) {
805 return;
806 }
807
808 quirk = g_malloc0(sizeof(*quirk));
809 quirk->vdev = vdev;
810 quirk->data.bar = nr;
811
812 memory_region_init_io(&quirk->mem, OBJECT(vdev), &vfio_rtl8168_window_quirk,
813 quirk, "vfio-rtl8168-window-quirk", 8);
814 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
815 0x70, &quirk->mem, 1);
816
817 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
818
819 trace_vfio_rtl8168_quirk_enable(vdev->vbasedev.name);
820}
821
822/*
823 * Common quirk probe entry points.
824 */
825void vfio_vga_quirk_setup(VFIOPCIDevice *vdev)
826{
827 vfio_vga_probe_ati_3c3_quirk(vdev);
828 vfio_vga_probe_nvidia_3d0_quirk(vdev);
829}
830
831void vfio_vga_quirk_teardown(VFIOPCIDevice *vdev)
832{
833 VFIOQuirk *quirk;
834 int i;
835
836 for (i = 0; i < ARRAY_SIZE(vdev->vga.region); i++) {
837 QLIST_FOREACH(quirk, &vdev->vga.region[i].quirks, next) {
838 memory_region_del_subregion(&vdev->vga.region[i].mem, &quirk->mem);
839 }
840 }
841}
842
843void vfio_vga_quirk_free(VFIOPCIDevice *vdev)
844{
845 int i;
846
847 for (i = 0; i < ARRAY_SIZE(vdev->vga.region); i++) {
848 while (!QLIST_EMPTY(&vdev->vga.region[i].quirks)) {
849 VFIOQuirk *quirk = QLIST_FIRST(&vdev->vga.region[i].quirks);
850 object_unparent(OBJECT(&quirk->mem));
851 QLIST_REMOVE(quirk, next);
852 g_free(quirk);
853 }
854 }
855}
856
857void vfio_bar_quirk_setup(VFIOPCIDevice *vdev, int nr)
858{
859 vfio_probe_ati_bar4_window_quirk(vdev, nr);
860 vfio_probe_ati_bar2_4000_quirk(vdev, nr);
861 vfio_probe_nvidia_bar5_window_quirk(vdev, nr);
862 vfio_probe_nvidia_bar0_88000_quirk(vdev, nr);
863 vfio_probe_nvidia_bar0_1800_quirk(vdev, nr);
864 vfio_probe_rtl8168_bar2_window_quirk(vdev, nr);
865}
866
867void vfio_bar_quirk_teardown(VFIOPCIDevice *vdev, int nr)
868{
869 VFIOBAR *bar = &vdev->bars[nr];
870 VFIOQuirk *quirk;
871
872 QLIST_FOREACH(quirk, &bar->quirks, next) {
873 memory_region_del_subregion(&bar->region.mem, &quirk->mem);
874 }
875}
876
877void vfio_bar_quirk_free(VFIOPCIDevice *vdev, int nr)
878{
879 VFIOBAR *bar = &vdev->bars[nr];
880
881 while (!QLIST_EMPTY(&bar->quirks)) {
882 VFIOQuirk *quirk = QLIST_FIRST(&bar->quirks);
883 object_unparent(OBJECT(&quirk->mem));
884 QLIST_REMOVE(quirk, next);
885 g_free(quirk);
886 }
887}
QEMU mirror