search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
esp: check dma length before reading scsi command(CVE-2016-4441)
[qemu/ar7.git] / hw / xen / xen_pt_msi.c
blob9a16f2bff1d32485556551ebdfed6f319b2a6c31
1 /*
2 * Copyright (c) 2007, Intel Corporation.
3 *
4 * This work is licensed under the terms of the GNU GPL, version 2. See
5 * the COPYING file in the top-level directory.
6 *
7 * Jiang Yunhong <yunhong.jiang@intel.com>
8 *
9 * This file implements direct PCI assignment to a HVM guest
10 */
11
12 #include "qemu/osdep.h"
13 #include <sys/mman.h>
14
15 #include "hw/xen/xen_backend.h"
16 #include "xen_pt.h"
17 #include "hw/i386/apic-msidef.h"
18
19
20 #define XEN_PT_AUTO_ASSIGN -1
21
22 /* shift count for gflags */
23 #define XEN_PT_GFLAGS_SHIFT_DEST_ID 0
24 #define XEN_PT_GFLAGS_SHIFT_RH 8
25 #define XEN_PT_GFLAGS_SHIFT_DM 9
26 #define XEN_PT_GFLAGSSHIFT_DELIV_MODE 12
27 #define XEN_PT_GFLAGSSHIFT_TRG_MODE 15
28
29 #define latch(fld) latch[PCI_MSIX_ENTRY_##fld / sizeof(uint32_t)]
30
31 /*
32 * Helpers
33 */
34
35 static inline uint8_t msi_vector(uint32_t data)
36 {
37 return (data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT;
38 }
39
40 static inline uint8_t msi_dest_id(uint32_t addr)
41 {
42 return (addr & MSI_ADDR_DEST_ID_MASK) >> MSI_ADDR_DEST_ID_SHIFT;
43 }
44
45 static inline uint32_t msi_ext_dest_id(uint32_t addr_hi)
46 {
47 return addr_hi & 0xffffff00;
48 }
49
50 static uint32_t msi_gflags(uint32_t data, uint64_t addr)
51 {
52 uint32_t result = 0;
53 int rh, dm, dest_id, deliv_mode, trig_mode;
54
55 rh = (addr >> MSI_ADDR_REDIRECTION_SHIFT) & 0x1;
56 dm = (addr >> MSI_ADDR_DEST_MODE_SHIFT) & 0x1;
57 dest_id = msi_dest_id(addr);
58 deliv_mode = (data >> MSI_DATA_DELIVERY_MODE_SHIFT) & 0x7;
59 trig_mode = (data >> MSI_DATA_TRIGGER_SHIFT) & 0x1;
60
61 result = dest_id | (rh << XEN_PT_GFLAGS_SHIFT_RH)
62 | (dm << XEN_PT_GFLAGS_SHIFT_DM)
63 | (deliv_mode << XEN_PT_GFLAGSSHIFT_DELIV_MODE)
64 | (trig_mode << XEN_PT_GFLAGSSHIFT_TRG_MODE);
65
66 return result;
67 }
68
69 static inline uint64_t msi_addr64(XenPTMSI *msi)
70 {
71 return (uint64_t)msi->addr_hi << 32 | msi->addr_lo;
72 }
73
74 static int msi_msix_enable(XenPCIPassthroughState *s,
75 uint32_t address,
76 uint16_t flag,
77 bool enable)
78 {
79 uint16_t val = 0;
80 int rc;
81
82 if (!address) {
83 return -1;
84 }
85
86 rc = xen_host_pci_get_word(&s->real_device, address, &val);
87 if (rc) {
88 XEN_PT_ERR(&s->dev, "Failed to read MSI/MSI-X register (0x%x), rc:%d\n",
89 address, rc);
90 return rc;
91 }
92 if (enable) {
93 val |= flag;
94 } else {
95 val &= ~flag;
96 }
97 rc = xen_host_pci_set_word(&s->real_device, address, val);
98 if (rc) {
99 XEN_PT_ERR(&s->dev, "Failed to write MSI/MSI-X register (0x%x), rc:%d\n",
100 address, rc);
101 }
102 return rc;
103 }
104
105 static int msi_msix_setup(XenPCIPassthroughState *s,
106 uint64_t addr,
107 uint32_t data,
108 int *ppirq,
109 bool is_msix,
110 int msix_entry,
111 bool is_not_mapped)
112 {
113 uint8_t gvec = msi_vector(data);
114 int rc = 0;
115
116 assert((!is_msix && msix_entry == 0) || is_msix);
117
118 if (xen_is_pirq_msi(data)) {
119 *ppirq = msi_ext_dest_id(addr >> 32) | msi_dest_id(addr);
120 if (!*ppirq) {
121 /* this probably identifies an misconfiguration of the guest,
122 * try the emulated path */
123 *ppirq = XEN_PT_UNASSIGNED_PIRQ;
124 } else {
125 XEN_PT_LOG(&s->dev, "requested pirq %d for MSI%s"
126 " (vec: %#x, entry: %#x)\n",
127 *ppirq, is_msix ? "-X" : "", gvec, msix_entry);
128 }
129 }
130
131 if (is_not_mapped) {
132 uint64_t table_base = 0;
133
134 if (is_msix) {
135 table_base = s->msix->table_base;
136 }
137
138 rc = xc_physdev_map_pirq_msi(xen_xc, xen_domid, XEN_PT_AUTO_ASSIGN,
139 ppirq, PCI_DEVFN(s->real_device.dev,
140 s->real_device.func),
141 s->real_device.bus,
142 msix_entry, table_base);
143 if (rc) {
144 XEN_PT_ERR(&s->dev,
145 "Mapping of MSI%s (err: %i, vec: %#x, entry %#x)\n",
146 is_msix ? "-X" : "", errno, gvec, msix_entry);
147 return rc;
148 }
149 }
150
151 return 0;
152 }
153 static int msi_msix_update(XenPCIPassthroughState *s,
154 uint64_t addr,
155 uint32_t data,
156 int pirq,
157 bool is_msix,
158 int msix_entry,
159 int *old_pirq)
160 {
161 PCIDevice *d = &s->dev;
162 uint8_t gvec = msi_vector(data);
163 uint32_t gflags = msi_gflags(data, addr);
164 int rc = 0;
165 uint64_t table_addr = 0;
166
167 XEN_PT_LOG(d, "Updating MSI%s with pirq %d gvec %#x gflags %#x"
168 " (entry: %#x)\n",
169 is_msix ? "-X" : "", pirq, gvec, gflags, msix_entry);
170
171 if (is_msix) {
172 table_addr = s->msix->mmio_base_addr;
173 }
174
175 rc = xc_domain_update_msi_irq(xen_xc, xen_domid, gvec,
176 pirq, gflags, table_addr);
177
178 if (rc) {
179 XEN_PT_ERR(d, "Updating of MSI%s failed. (err: %d)\n",
180 is_msix ? "-X" : "", errno);
181
182 if (xc_physdev_unmap_pirq(xen_xc, xen_domid, *old_pirq)) {
183 XEN_PT_ERR(d, "Unmapping of MSI%s pirq %d failed. (err: %d)\n",
184 is_msix ? "-X" : "", *old_pirq, errno);
185 }
186 *old_pirq = XEN_PT_UNASSIGNED_PIRQ;
187 }
188 return rc;
189 }
190
191 static int msi_msix_disable(XenPCIPassthroughState *s,
192 uint64_t addr,
193 uint32_t data,
194 int pirq,
195 bool is_msix,
196 bool is_binded)
197 {
198 PCIDevice *d = &s->dev;
199 uint8_t gvec = msi_vector(data);
200 uint32_t gflags = msi_gflags(data, addr);
201 int rc = 0;
202
203 if (pirq == XEN_PT_UNASSIGNED_PIRQ) {
204 return 0;
205 }
206
207 if (is_binded) {
208 XEN_PT_LOG(d, "Unbind MSI%s with pirq %d, gvec %#x\n",
209 is_msix ? "-X" : "", pirq, gvec);
210 rc = xc_domain_unbind_msi_irq(xen_xc, xen_domid, gvec, pirq, gflags);
211 if (rc) {
212 XEN_PT_ERR(d, "Unbinding of MSI%s failed. (err: %d, pirq: %d, gvec: %#x)\n",
213 is_msix ? "-X" : "", errno, pirq, gvec);
214 return rc;
215 }
216 }
217
218 XEN_PT_LOG(d, "Unmap MSI%s pirq %d\n", is_msix ? "-X" : "", pirq);
219 rc = xc_physdev_unmap_pirq(xen_xc, xen_domid, pirq);
220 if (rc) {
221 XEN_PT_ERR(d, "Unmapping of MSI%s pirq %d failed. (err: %i)\n",
222 is_msix ? "-X" : "", pirq, errno);
223 return rc;
224 }
225
226 return 0;
227 }
228
229 /*
230 * MSI virtualization functions
231 */
232
233 static int xen_pt_msi_set_enable(XenPCIPassthroughState *s, bool enable)
234 {
235 XEN_PT_LOG(&s->dev, "%s MSI.\n", enable ? "enabling" : "disabling");
236
237 if (!s->msi) {
238 return -1;
239 }
240
241 return msi_msix_enable(s, s->msi->ctrl_offset, PCI_MSI_FLAGS_ENABLE,
242 enable);
243 }
244
245 /* setup physical msi, but don't enable it */
246 int xen_pt_msi_setup(XenPCIPassthroughState *s)
247 {
248 int pirq = XEN_PT_UNASSIGNED_PIRQ;
249 int rc = 0;
250 XenPTMSI *msi = s->msi;
251
252 if (msi->initialized) {
253 XEN_PT_ERR(&s->dev,
254 "Setup physical MSI when it has been properly initialized.\n");
255 return -1;
256 }
257
258 rc = msi_msix_setup(s, msi_addr64(msi), msi->data, &pirq, false, 0, true);
259 if (rc) {
260 return rc;
261 }
262
263 if (pirq < 0) {
264 XEN_PT_ERR(&s->dev, "Invalid pirq number: %d.\n", pirq);
265 return -1;
266 }
267
268 msi->pirq = pirq;
269 XEN_PT_LOG(&s->dev, "MSI mapped with pirq %d.\n", pirq);
270
271 return 0;
272 }
273
274 int xen_pt_msi_update(XenPCIPassthroughState *s)
275 {
276 XenPTMSI *msi = s->msi;
277 return msi_msix_update(s, msi_addr64(msi), msi->data, msi->pirq,
278 false, 0, &msi->pirq);
279 }
280
281 void xen_pt_msi_disable(XenPCIPassthroughState *s)
282 {
283 XenPTMSI *msi = s->msi;
284
285 if (!msi) {
286 return;
287 }
288
289 (void)xen_pt_msi_set_enable(s, false);
290
291 msi_msix_disable(s, msi_addr64(msi), msi->data, msi->pirq, false,
292 msi->initialized);
293
294 /* clear msi info */
295 msi->flags &= ~PCI_MSI_FLAGS_ENABLE;
296 msi->initialized = false;
297 msi->mapped = false;
298 msi->pirq = XEN_PT_UNASSIGNED_PIRQ;
299 }
300
301 /*
302 * MSI-X virtualization functions
303 */
304
305 static int msix_set_enable(XenPCIPassthroughState *s, bool enabled)
306 {
307 XEN_PT_LOG(&s->dev, "%s MSI-X.\n", enabled ? "enabling" : "disabling");
308
309 if (!s->msix) {
310 return -1;
311 }
312
313 return msi_msix_enable(s, s->msix->ctrl_offset, PCI_MSIX_FLAGS_ENABLE,
314 enabled);
315 }
316
317 static int xen_pt_msix_update_one(XenPCIPassthroughState *s, int entry_nr,
318 uint32_t vec_ctrl)
319 {
320 XenPTMSIXEntry *entry = NULL;
321 int pirq;
322 int rc;
323
324 if (entry_nr < 0 || entry_nr >= s->msix->total_entries) {
325 return -EINVAL;
326 }
327
328 entry = &s->msix->msix_entry[entry_nr];
329
330 if (!entry->updated) {
331 return 0;
332 }
333
334 pirq = entry->pirq;
335
336 /*
337 * Update the entry addr and data to the latest values only when the
338 * entry is masked or they are all masked, as required by the spec.
339 * Addr and data changes while the MSI-X entry is unmasked get deferred
340 * until the next masked -> unmasked transition.
341 */
342 if (pirq == XEN_PT_UNASSIGNED_PIRQ || s->msix->maskall ||
343 (vec_ctrl & PCI_MSIX_ENTRY_CTRL_MASKBIT)) {
344 entry->addr = entry->latch(LOWER_ADDR) |
345 ((uint64_t)entry->latch(UPPER_ADDR) << 32);
346 entry->data = entry->latch(DATA);
347 }
348
349 rc = msi_msix_setup(s, entry->addr, entry->data, &pirq, true, entry_nr,
350 entry->pirq == XEN_PT_UNASSIGNED_PIRQ);
351 if (rc) {
352 return rc;
353 }
354 if (entry->pirq == XEN_PT_UNASSIGNED_PIRQ) {
355 entry->pirq = pirq;
356 }
357
358 rc = msi_msix_update(s, entry->addr, entry->data, pirq, true,
359 entry_nr, &entry->pirq);
360
361 if (!rc) {
362 entry->updated = false;
363 }
364
365 return rc;
366 }
367
368 int xen_pt_msix_update(XenPCIPassthroughState *s)
369 {
370 XenPTMSIX *msix = s->msix;
371 int i;
372
373 for (i = 0; i < msix->total_entries; i++) {
374 xen_pt_msix_update_one(s, i, msix->msix_entry[i].latch(VECTOR_CTRL));
375 }
376
377 return 0;
378 }
379
380 void xen_pt_msix_disable(XenPCIPassthroughState *s)
381 {
382 int i = 0;
383
384 msix_set_enable(s, false);
385
386 for (i = 0; i < s->msix->total_entries; i++) {
387 XenPTMSIXEntry *entry = &s->msix->msix_entry[i];
388
389 msi_msix_disable(s, entry->addr, entry->data, entry->pirq, true, true);
390
391 /* clear MSI-X info */
392 entry->pirq = XEN_PT_UNASSIGNED_PIRQ;
393 entry->updated = false;
394 }
395 }
396
397 int xen_pt_msix_update_remap(XenPCIPassthroughState *s, int bar_index)
398 {
399 XenPTMSIXEntry *entry;
400 int i, ret;
401
402 if (!(s->msix && s->msix->bar_index == bar_index)) {
403 return 0;
404 }
405
406 for (i = 0; i < s->msix->total_entries; i++) {
407 entry = &s->msix->msix_entry[i];
408 if (entry->pirq != XEN_PT_UNASSIGNED_PIRQ) {
409 ret = xc_domain_unbind_pt_irq(xen_xc, xen_domid, entry->pirq,
410 PT_IRQ_TYPE_MSI, 0, 0, 0, 0);
411 if (ret) {
412 XEN_PT_ERR(&s->dev, "unbind MSI-X entry %d failed (err: %d)\n",
413 entry->pirq, errno);
414 }
415 entry->updated = true;
416 }
417 }
418 return xen_pt_msix_update(s);
419 }
420
421 static uint32_t get_entry_value(XenPTMSIXEntry *e, int offset)
422 {
423 assert(!(offset % sizeof(*e->latch)));
424 return e->latch[offset / sizeof(*e->latch)];
425 }
426
427 static void set_entry_value(XenPTMSIXEntry *e, int offset, uint32_t val)
428 {
429 assert(!(offset % sizeof(*e->latch)));
430 e->latch[offset / sizeof(*e->latch)] = val;
431 }
432
433 static void pci_msix_write(void *opaque, hwaddr addr,
434 uint64_t val, unsigned size)
435 {
436 XenPCIPassthroughState *s = opaque;
437 XenPTMSIX *msix = s->msix;
438 XenPTMSIXEntry *entry;
439 unsigned int entry_nr, offset;
440
441 entry_nr = addr / PCI_MSIX_ENTRY_SIZE;
442 if (entry_nr >= msix->total_entries) {
443 return;
444 }
445 entry = &msix->msix_entry[entry_nr];
446 offset = addr % PCI_MSIX_ENTRY_SIZE;
447
448 if (offset != PCI_MSIX_ENTRY_VECTOR_CTRL) {
449 if (get_entry_value(entry, offset) == val
450 && entry->pirq != XEN_PT_UNASSIGNED_PIRQ) {
451 return;
452 }
453
454 entry->updated = true;
455 } else if (msix->enabled && entry->updated &&
456 !(val & PCI_MSIX_ENTRY_CTRL_MASKBIT)) {
457 const volatile uint32_t *vec_ctrl;
458
459 /*
460 * If Xen intercepts the mask bit access, entry->vec_ctrl may not be
461 * up-to-date. Read from hardware directly.
462 */
463 vec_ctrl = s->msix->phys_iomem_base + entry_nr * PCI_MSIX_ENTRY_SIZE
464 + PCI_MSIX_ENTRY_VECTOR_CTRL;
465 xen_pt_msix_update_one(s, entry_nr, *vec_ctrl);
466 }
467
468 set_entry_value(entry, offset, val);
469 }
470
471 static uint64_t pci_msix_read(void *opaque, hwaddr addr,
472 unsigned size)
473 {
474 XenPCIPassthroughState *s = opaque;
475 XenPTMSIX *msix = s->msix;
476 int entry_nr, offset;
477
478 entry_nr = addr / PCI_MSIX_ENTRY_SIZE;
479 if (entry_nr < 0) {
480 XEN_PT_ERR(&s->dev, "asked MSI-X entry '%i' invalid!\n", entry_nr);
481 return 0;
482 }
483
484 offset = addr % PCI_MSIX_ENTRY_SIZE;
485
486 if (addr < msix->total_entries * PCI_MSIX_ENTRY_SIZE) {
487 return get_entry_value(&msix->msix_entry[entry_nr], offset);
488 } else {
489 /* Pending Bit Array (PBA) */
490 return *(uint32_t *)(msix->phys_iomem_base + addr);
491 }
492 }
493
494 static bool pci_msix_accepts(void *opaque, hwaddr addr,
495 unsigned size, bool is_write)
496 {
497 return !(addr & (size - 1));
498 }
499
500 static const MemoryRegionOps pci_msix_ops = {
501 .read = pci_msix_read,
502 .write = pci_msix_write,
503 .endianness = DEVICE_NATIVE_ENDIAN,
504 .valid = {
505 .min_access_size = 4,
506 .max_access_size = 4,
507 .unaligned = false,
508 .accepts = pci_msix_accepts
509 },
510 .impl = {
511 .min_access_size = 4,
512 .max_access_size = 4,
513 .unaligned = false
514 }
515 };
516
517 int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base)
518 {
519 uint8_t id = 0;
520 uint16_t control = 0;
521 uint32_t table_off = 0;
522 int i, total_entries, bar_index;
523 XenHostPCIDevice *hd = &s->real_device;
524 PCIDevice *d = &s->dev;
525 int fd = -1;
526 XenPTMSIX *msix = NULL;
527 int rc = 0;
528
529 rc = xen_host_pci_get_byte(hd, base + PCI_CAP_LIST_ID, &id);
530 if (rc) {
531 return rc;
532 }
533
534 if (id != PCI_CAP_ID_MSIX) {
535 XEN_PT_ERR(d, "Invalid id %#x base %#x\n", id, base);
536 return -1;
537 }
538
539 xen_host_pci_get_word(hd, base + PCI_MSIX_FLAGS, &control);
540 total_entries = control & PCI_MSIX_FLAGS_QSIZE;
541 total_entries += 1;
542
543 s->msix = g_malloc0(sizeof (XenPTMSIX)
544 + total_entries * sizeof (XenPTMSIXEntry));
545 msix = s->msix;
546
547 msix->total_entries = total_entries;
548 for (i = 0; i < total_entries; i++) {
549 msix->msix_entry[i].pirq = XEN_PT_UNASSIGNED_PIRQ;
550 }
551
552 memory_region_init_io(&msix->mmio, OBJECT(s), &pci_msix_ops,
553 s, "xen-pci-pt-msix",
554 (total_entries * PCI_MSIX_ENTRY_SIZE
555 + XC_PAGE_SIZE - 1)
556 & XC_PAGE_MASK);
557
558 xen_host_pci_get_long(hd, base + PCI_MSIX_TABLE, &table_off);
559 bar_index = msix->bar_index = table_off & PCI_MSIX_FLAGS_BIRMASK;
560 table_off = table_off & ~PCI_MSIX_FLAGS_BIRMASK;
561 msix->table_base = s->real_device.io_regions[bar_index].base_addr;
562 XEN_PT_LOG(d, "get MSI-X table BAR base 0x%"PRIx64"\n", msix->table_base);
563
564 fd = open("/dev/mem", O_RDWR);
565 if (fd == -1) {
566 rc = -errno;
567 XEN_PT_ERR(d, "Can't open /dev/mem: %s\n", strerror(errno));
568 goto error_out;
569 }
570 XEN_PT_LOG(d, "table_off = %#x, total_entries = %d\n",
571 table_off, total_entries);
572 msix->table_offset_adjust = table_off & 0x0fff;
573 msix->phys_iomem_base =
574 mmap(NULL,
575 total_entries * PCI_MSIX_ENTRY_SIZE + msix->table_offset_adjust,
576 PROT_READ,
577 MAP_SHARED | MAP_LOCKED,
578 fd,
579 msix->table_base + table_off - msix->table_offset_adjust);
580 close(fd);
581 if (msix->phys_iomem_base == MAP_FAILED) {
582 rc = -errno;
583 XEN_PT_ERR(d, "Can't map physical MSI-X table: %s\n", strerror(errno));
584 goto error_out;
585 }
586 msix->phys_iomem_base = (char *)msix->phys_iomem_base
587 + msix->table_offset_adjust;
588
589 XEN_PT_LOG(d, "mapping physical MSI-X table to %p\n",
590 msix->phys_iomem_base);
591
592 memory_region_add_subregion_overlap(&s->bar[bar_index], table_off,
593 &msix->mmio,
594 2); /* Priority: pci default + 1 */
595
596 return 0;
597
598 error_out:
599 g_free(s->msix);
600 s->msix = NULL;
601 return rc;
602 }
603
604 void xen_pt_msix_unmap(XenPCIPassthroughState *s)
605 {
606 XenPTMSIX *msix = s->msix;
607
608 if (!msix) {
609 return;
610 }
611
612 /* unmap the MSI-X memory mapped register area */
613 if (msix->phys_iomem_base) {
614 XEN_PT_LOG(&s->dev, "unmapping physical MSI-X table from %p\n",
615 msix->phys_iomem_base);
616 munmap(msix->phys_iomem_base, msix->total_entries * PCI_MSIX_ENTRY_SIZE
617 + msix->table_offset_adjust);
618 }
619
620 memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio);
621 }
622
623 void xen_pt_msix_delete(XenPCIPassthroughState *s)
624 {
625 XenPTMSIX *msix = s->msix;
626
627 if (!msix) {
628 return;
629 }
630
631 object_unparent(OBJECT(&msix->mmio));
632
633 g_free(s->msix);
634 s->msix = NULL;
635 }
AR7 emulation for QEMU