2 * device quirks for PCI devices
4 * Copyright Red Hat, Inc. 2012-2015
9 * This work is licensed under the terms of the GNU GPL, version 2. See
10 * the COPYING file in the top-level directory.
15 #include "qemu/range.h"
17 #define PCI_ANY_ID (~0)
19 /* Use uin32_t for vendor & device so PCI_ANY_ID expands and cannot match hw */
20 static bool vfio_pci_is(VFIOPCIDevice *vdev, uint32_t vendor, uint32_t device)
22 PCIDevice *pdev = &vdev->pdev;
24 return (vendor == PCI_ANY_ID ||
25 vendor == pci_get_word(pdev->config + PCI_VENDOR_ID)) &&
26 (device == PCI_ANY_ID ||
27 device == pci_get_word(pdev->config + PCI_DEVICE_ID));
30 static bool vfio_is_vga(VFIOPCIDevice *vdev)
32 PCIDevice *pdev = &vdev->pdev;
33 uint16_t class = pci_get_word(pdev->config + PCI_CLASS_DEVICE);
35 return class == PCI_CLASS_DISPLAY_VGA;
39 * List of device ids/vendor ids for which to disable
40 * option rom loading. This avoids the guest hangs during rom
41 * execution as noticed with the BCM 57810 card for lack of a
42 * more better way to handle such issues.
43 * The user can still override by specifying a romfile or
45 * Please see https://bugs.launchpad.net/qemu/+bug/1284874
46 * for an analysis of the 57810 card hang. When adding
47 * a new vendor id/device id combination below, please also add
48 * your card/environment details and information that could
49 * help in debugging to the bug tracking this issue
55 { 0x14e4, 0x168e }, /* Broadcom BCM 57810 */
58 bool vfio_blacklist_opt_rom(VFIOPCIDevice *vdev)
62 for (i = 0 ; i < ARRAY_SIZE(romblacklist); i++) {
63 if (vfio_pci_is(vdev, romblacklist[i].vendor, romblacklist[i].device)) {
64 trace_vfio_quirk_rom_blacklisted(vdev->vbasedev.name,
65 romblacklist[i].vendor,
66 romblacklist[i].device);
74 * Device specific region quirks (mostly backdoors to PCI config space)
78 * The generic window quirks operate on an address and data register,
79 * vfio_generic_window_address_quirk handles the address register and
80 * vfio_generic_window_data_quirk handles the data register. These ops
81 * pass reads and writes through to hardware until a value matching the
82 * stored address match/mask is written. When this occurs, the data
83 * register access emulated PCI config space for the device rather than
84 * passing through accesses. This enables devices where PCI config space
85 * is accessible behind a window register to maintain the virtualization
86 * provided through vfio.
88 typedef struct VFIOConfigWindowMatch {
91 } VFIOConfigWindowMatch;
93 typedef struct VFIOConfigWindowQuirk {
94 struct VFIOPCIDevice *vdev;
98 uint32_t address_offset;
104 MemoryRegion *addr_mem;
105 MemoryRegion *data_mem;
108 VFIOConfigWindowMatch matches[];
109 } VFIOConfigWindowQuirk;
111 static uint64_t vfio_generic_window_quirk_address_read(void *opaque,
115 VFIOConfigWindowQuirk *window = opaque;
116 VFIOPCIDevice *vdev = window->vdev;
118 return vfio_region_read(&vdev->bars[window->bar].region,
119 addr + window->address_offset, size);
122 static void vfio_generic_window_quirk_address_write(void *opaque, hwaddr addr,
126 VFIOConfigWindowQuirk *window = opaque;
127 VFIOPCIDevice *vdev = window->vdev;
130 window->window_enabled = false;
132 vfio_region_write(&vdev->bars[window->bar].region,
133 addr + window->address_offset, data, size);
135 for (i = 0; i < window->nr_matches; i++) {
136 if ((data & ~window->matches[i].mask) == window->matches[i].match) {
137 window->window_enabled = true;
138 window->address_val = data & window->matches[i].mask;
139 trace_vfio_quirk_generic_window_address_write(vdev->vbasedev.name,
140 memory_region_name(window->addr_mem), data);
146 static const MemoryRegionOps vfio_generic_window_address_quirk = {
147 .read = vfio_generic_window_quirk_address_read,
148 .write = vfio_generic_window_quirk_address_write,
149 .endianness = DEVICE_LITTLE_ENDIAN,
152 static uint64_t vfio_generic_window_quirk_data_read(void *opaque,
153 hwaddr addr, unsigned size)
155 VFIOConfigWindowQuirk *window = opaque;
156 VFIOPCIDevice *vdev = window->vdev;
159 /* Always read data reg, discard if window enabled */
160 data = vfio_region_read(&vdev->bars[window->bar].region,
161 addr + window->data_offset, size);
163 if (window->window_enabled) {
164 data = vfio_pci_read_config(&vdev->pdev, window->address_val, size);
165 trace_vfio_quirk_generic_window_data_read(vdev->vbasedev.name,
166 memory_region_name(window->data_mem), data);
172 static void vfio_generic_window_quirk_data_write(void *opaque, hwaddr addr,
173 uint64_t data, unsigned size)
175 VFIOConfigWindowQuirk *window = opaque;
176 VFIOPCIDevice *vdev = window->vdev;
178 if (window->window_enabled) {
179 vfio_pci_write_config(&vdev->pdev, window->address_val, data, size);
180 trace_vfio_quirk_generic_window_data_write(vdev->vbasedev.name,
181 memory_region_name(window->data_mem), data);
185 vfio_region_write(&vdev->bars[window->bar].region,
186 addr + window->data_offset, data, size);
189 static const MemoryRegionOps vfio_generic_window_data_quirk = {
190 .read = vfio_generic_window_quirk_data_read,
191 .write = vfio_generic_window_quirk_data_write,
192 .endianness = DEVICE_LITTLE_ENDIAN,
196 * The generic mirror quirk handles devices which expose PCI config space
197 * through a region within a BAR. When enabled, reads and writes are
198 * redirected through to emulated PCI config space. XXX if PCI config space
199 * used memory regions, this could just be an alias.
201 typedef struct VFIOConfigMirrorQuirk {
202 struct VFIOPCIDevice *vdev;
206 } VFIOConfigMirrorQuirk;
208 static uint64_t vfio_generic_quirk_mirror_read(void *opaque,
209 hwaddr addr, unsigned size)
211 VFIOConfigMirrorQuirk *mirror = opaque;
212 VFIOPCIDevice *vdev = mirror->vdev;
215 /* Read and discard in case the hardware cares */
216 (void)vfio_region_read(&vdev->bars[mirror->bar].region,
217 addr + mirror->offset, size);
219 data = vfio_pci_read_config(&vdev->pdev, addr, size);
220 trace_vfio_quirk_generic_mirror_read(vdev->vbasedev.name,
221 memory_region_name(mirror->mem),
226 static void vfio_generic_quirk_mirror_write(void *opaque, hwaddr addr,
227 uint64_t data, unsigned size)
229 VFIOConfigMirrorQuirk *mirror = opaque;
230 VFIOPCIDevice *vdev = mirror->vdev;
232 vfio_pci_write_config(&vdev->pdev, addr, data, size);
233 trace_vfio_quirk_generic_mirror_write(vdev->vbasedev.name,
234 memory_region_name(mirror->mem),
238 static const MemoryRegionOps vfio_generic_mirror_quirk = {
239 .read = vfio_generic_quirk_mirror_read,
240 .write = vfio_generic_quirk_mirror_write,
241 .endianness = DEVICE_LITTLE_ENDIAN,
244 /* Is range1 fully contained within range2? */
245 static bool vfio_range_contained(uint64_t first1, uint64_t len1,
246 uint64_t first2, uint64_t len2) {
247 return (first1 >= first2 && first1 + len1 <= first2 + len2);
250 #define PCI_VENDOR_ID_ATI 0x1002
253 * Radeon HD cards (HD5450 & HD7850) report the upper byte of the I/O port BAR
254 * through VGA register 0x3c3. On newer cards, the I/O port BAR is always
255 * BAR4 (older cards like the X550 used BAR1, but we don't care to support
256 * those). Note that on bare metal, a read of 0x3c3 doesn't always return the
257 * I/O port BAR address. Originally this was coded to return the virtual BAR
258 * address only if the physical register read returns the actual BAR address,
259 * but users have reported greater success if we return the virtual address
262 static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
263 hwaddr addr, unsigned size)
265 VFIOPCIDevice *vdev = opaque;
266 uint64_t data = vfio_pci_read_config(&vdev->pdev,
267 PCI_BASE_ADDRESS_4 + 1, size);
269 trace_vfio_quirk_ati_3c3_read(vdev->vbasedev.name, data);
274 static const MemoryRegionOps vfio_ati_3c3_quirk = {
275 .read = vfio_ati_3c3_quirk_read,
276 .endianness = DEVICE_LITTLE_ENDIAN,
279 static void vfio_vga_probe_ati_3c3_quirk(VFIOPCIDevice *vdev)
284 * As long as the BAR is >= 256 bytes it will be aligned such that the
285 * lower byte is always zero. Filter out anything else, if it exists.
287 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
288 !vdev->bars[4].ioport || vdev->bars[4].region.size < 256) {
292 quirk = g_malloc0(sizeof(*quirk));
293 quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 1);
296 memory_region_init_io(quirk->mem, OBJECT(vdev), &vfio_ati_3c3_quirk, vdev,
297 "vfio-ati-3c3-quirk", 1);
298 memory_region_add_subregion(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].mem,
299 3 /* offset 3 bytes from 0x3c0 */, quirk->mem);
301 QLIST_INSERT_HEAD(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].quirks,
304 trace_vfio_quirk_ati_3c3_probe(vdev->vbasedev.name);
308 * Newer ATI/AMD devices, including HD5450 and HD7850, have a mirror to PCI
309 * config space through MMIO BAR2 at offset 0x4000. Nothing seems to access
310 * the MMIO space directly, but a window to this space is provided through
311 * I/O port BAR4. Offset 0x0 is the address register and offset 0x4 is the
312 * data register. When the address is programmed to a range of 0x4000-0x4fff
313 * PCI configuration space is available. Experimentation seems to indicate
314 * that read-only may be provided by hardware.
316 static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, int nr)
319 VFIOConfigWindowQuirk *window;
321 /* This windows doesn't seem to be used except by legacy VGA code */
322 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
323 !vdev->has_vga || nr != 4) {
327 quirk = g_malloc0(sizeof(*quirk));
328 quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 2);
330 window = quirk->data = g_malloc0(sizeof(*window) +
331 sizeof(VFIOConfigWindowMatch));
333 window->address_offset = 0;
334 window->data_offset = 4;
335 window->nr_matches = 1;
336 window->matches[0].match = 0x4000;
337 window->matches[0].mask = PCIE_CONFIG_SPACE_SIZE - 1;
339 window->addr_mem = &quirk->mem[0];
340 window->data_mem = &quirk->mem[1];
342 memory_region_init_io(window->addr_mem, OBJECT(vdev),
343 &vfio_generic_window_address_quirk, window,
344 "vfio-ati-bar4-window-address-quirk", 4);
345 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
346 window->address_offset,
347 window->addr_mem, 1);
349 memory_region_init_io(window->data_mem, OBJECT(vdev),
350 &vfio_generic_window_data_quirk, window,
351 "vfio-ati-bar4-window-data-quirk", 4);
352 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
354 window->data_mem, 1);
356 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
358 trace_vfio_quirk_ati_bar4_probe(vdev->vbasedev.name);
362 * Trap the BAR2 MMIO mirror to config space as well.
364 static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, int nr)
367 VFIOConfigMirrorQuirk *mirror;
369 /* Only enable on newer devices where BAR2 is 64bit */
370 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
371 !vdev->has_vga || nr != 2 || !vdev->bars[2].mem64) {
375 quirk = g_malloc0(sizeof(*quirk));
376 mirror = quirk->data = g_malloc0(sizeof(*mirror));
377 mirror->mem = quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 1);
380 mirror->offset = 0x4000;
383 memory_region_init_io(mirror->mem, OBJECT(vdev),
384 &vfio_generic_mirror_quirk, mirror,
385 "vfio-ati-bar2-4000-quirk", PCI_CONFIG_SPACE_SIZE);
386 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
387 mirror->offset, mirror->mem, 1);
389 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
391 trace_vfio_quirk_ati_bar2_probe(vdev->vbasedev.name);
395 * Older ATI/AMD cards like the X550 have a similar window to that above.
396 * I/O port BAR1 provides a window to a mirror of PCI config space located
397 * in BAR2 at offset 0xf00. We don't care to support such older cards, but
398 * note it for future reference.
401 #define PCI_VENDOR_ID_NVIDIA 0x10de
404 * Nvidia has several different methods to get to config space, the
405 * nouveu project has several of these documented here:
406 * https://github.com/pathscale/envytools/tree/master/hwdocs
408 * The first quirk is actually not documented in envytools and is found
409 * on 10de:01d1 (NVIDIA Corporation G72 [GeForce 7300 LE]). This is an
410 * NV46 chipset. The backdoor uses the legacy VGA I/O ports to access
411 * the mirror of PCI config space found at BAR0 offset 0x1800. The access
412 * sequence first writes 0x338 to I/O port 0x3d4. The target offset is
413 * then written to 0x3d0. Finally 0x538 is written for a read and 0x738
414 * is written for a write to 0x3d4. The BAR0 offset is then accessible
415 * through 0x3d0. This quirk doesn't seem to be necessary on newer cards
416 * that use the I/O port BAR5 window but it doesn't hurt to leave it.
418 typedef enum {NONE = 0, SELECT, WINDOW, READ, WRITE} VFIONvidia3d0State;
419 static const char *nv3d0_states[] = { "NONE", "SELECT",
420 "WINDOW", "READ", "WRITE" };
422 typedef struct VFIONvidia3d0Quirk {
424 VFIONvidia3d0State state;
426 } VFIONvidia3d0Quirk;
428 static uint64_t vfio_nvidia_3d4_quirk_read(void *opaque,
429 hwaddr addr, unsigned size)
431 VFIONvidia3d0Quirk *quirk = opaque;
432 VFIOPCIDevice *vdev = quirk->vdev;
436 return vfio_vga_read(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
440 static void vfio_nvidia_3d4_quirk_write(void *opaque, hwaddr addr,
441 uint64_t data, unsigned size)
443 VFIONvidia3d0Quirk *quirk = opaque;
444 VFIOPCIDevice *vdev = quirk->vdev;
445 VFIONvidia3d0State old_state = quirk->state;
451 if (old_state == NONE) {
452 quirk->state = SELECT;
453 trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
454 nv3d0_states[quirk->state]);
458 if (old_state == WINDOW) {
460 trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
461 nv3d0_states[quirk->state]);
465 if (old_state == WINDOW) {
466 quirk->state = WRITE;
467 trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
468 nv3d0_states[quirk->state]);
473 vfio_vga_write(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
474 addr + 0x14, data, size);
477 static const MemoryRegionOps vfio_nvidia_3d4_quirk = {
478 .read = vfio_nvidia_3d4_quirk_read,
479 .write = vfio_nvidia_3d4_quirk_write,
480 .endianness = DEVICE_LITTLE_ENDIAN,
483 static uint64_t vfio_nvidia_3d0_quirk_read(void *opaque,
484 hwaddr addr, unsigned size)
486 VFIONvidia3d0Quirk *quirk = opaque;
487 VFIOPCIDevice *vdev = quirk->vdev;
488 VFIONvidia3d0State old_state = quirk->state;
489 uint64_t data = vfio_vga_read(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
494 if (old_state == READ &&
495 (quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
496 uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
498 data = vfio_pci_read_config(&vdev->pdev, offset, size);
499 trace_vfio_quirk_nvidia_3d0_read(vdev->vbasedev.name,
506 static void vfio_nvidia_3d0_quirk_write(void *opaque, hwaddr addr,
507 uint64_t data, unsigned size)
509 VFIONvidia3d0Quirk *quirk = opaque;
510 VFIOPCIDevice *vdev = quirk->vdev;
511 VFIONvidia3d0State old_state = quirk->state;
515 if (old_state == SELECT) {
516 quirk->offset = (uint32_t)data;
517 quirk->state = WINDOW;
518 trace_vfio_quirk_nvidia_3d0_state(vdev->vbasedev.name,
519 nv3d0_states[quirk->state]);
520 } else if (old_state == WRITE) {
521 if ((quirk->offset & ~(PCI_CONFIG_SPACE_SIZE - 1)) == 0x1800) {
522 uint8_t offset = quirk->offset & (PCI_CONFIG_SPACE_SIZE - 1);
524 vfio_pci_write_config(&vdev->pdev, offset, data, size);
525 trace_vfio_quirk_nvidia_3d0_write(vdev->vbasedev.name,
531 vfio_vga_write(&vdev->vga.region[QEMU_PCI_VGA_IO_HI],
532 addr + 0x10, data, size);
535 static const MemoryRegionOps vfio_nvidia_3d0_quirk = {
536 .read = vfio_nvidia_3d0_quirk_read,
537 .write = vfio_nvidia_3d0_quirk_write,
538 .endianness = DEVICE_LITTLE_ENDIAN,
541 static void vfio_vga_probe_nvidia_3d0_quirk(VFIOPCIDevice *vdev)
544 VFIONvidia3d0Quirk *data;
546 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
547 !vdev->bars[1].region.size) {
551 quirk = g_malloc0(sizeof(*quirk));
552 quirk->data = data = g_malloc0(sizeof(*data));
553 quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 2);
557 memory_region_init_io(&quirk->mem[0], OBJECT(vdev), &vfio_nvidia_3d4_quirk,
558 data, "vfio-nvidia-3d4-quirk", 2);
559 memory_region_add_subregion(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].mem,
560 0x14 /* 0x3c0 + 0x14 */, &quirk->mem[0]);
562 memory_region_init_io(&quirk->mem[1], OBJECT(vdev), &vfio_nvidia_3d0_quirk,
563 data, "vfio-nvidia-3d0-quirk", 2);
564 memory_region_add_subregion(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].mem,
565 0x10 /* 0x3c0 + 0x10 */, &quirk->mem[1]);
567 QLIST_INSERT_HEAD(&vdev->vga.region[QEMU_PCI_VGA_IO_HI].quirks,
570 trace_vfio_quirk_nvidia_3d0_probe(vdev->vbasedev.name);
574 * The second quirk is documented in envytools. The I/O port BAR5 is just
575 * a set of address/data ports to the MMIO BARs. The BAR we care about is
576 * again BAR0. This backdoor is apparently a bit newer than the one above
577 * so we need to not only trap 256 bytes @0x1800, but all of PCI config
578 * space, including extended space is available at the 4k @0x88000.
580 typedef struct VFIONvidiaBAR5Quirk {
583 MemoryRegion *addr_mem;
584 MemoryRegion *data_mem;
586 VFIOConfigWindowQuirk window; /* last for match data */
587 } VFIONvidiaBAR5Quirk;
589 static void vfio_nvidia_bar5_enable(VFIONvidiaBAR5Quirk *bar5)
591 VFIOPCIDevice *vdev = bar5->window.vdev;
593 if (((bar5->master & bar5->enable) & 0x1) == bar5->enabled) {
597 bar5->enabled = !bar5->enabled;
598 trace_vfio_quirk_nvidia_bar5_state(vdev->vbasedev.name,
599 bar5->enabled ? "Enable" : "Disable");
600 memory_region_set_enabled(bar5->addr_mem, bar5->enabled);
601 memory_region_set_enabled(bar5->data_mem, bar5->enabled);
604 static uint64_t vfio_nvidia_bar5_quirk_master_read(void *opaque,
605 hwaddr addr, unsigned size)
607 VFIONvidiaBAR5Quirk *bar5 = opaque;
608 VFIOPCIDevice *vdev = bar5->window.vdev;
610 return vfio_region_read(&vdev->bars[5].region, addr, size);
613 static void vfio_nvidia_bar5_quirk_master_write(void *opaque, hwaddr addr,
614 uint64_t data, unsigned size)
616 VFIONvidiaBAR5Quirk *bar5 = opaque;
617 VFIOPCIDevice *vdev = bar5->window.vdev;
619 vfio_region_write(&vdev->bars[5].region, addr, data, size);
622 vfio_nvidia_bar5_enable(bar5);
625 static const MemoryRegionOps vfio_nvidia_bar5_quirk_master = {
626 .read = vfio_nvidia_bar5_quirk_master_read,
627 .write = vfio_nvidia_bar5_quirk_master_write,
628 .endianness = DEVICE_LITTLE_ENDIAN,
631 static uint64_t vfio_nvidia_bar5_quirk_enable_read(void *opaque,
632 hwaddr addr, unsigned size)
634 VFIONvidiaBAR5Quirk *bar5 = opaque;
635 VFIOPCIDevice *vdev = bar5->window.vdev;
637 return vfio_region_read(&vdev->bars[5].region, addr + 4, size);
640 static void vfio_nvidia_bar5_quirk_enable_write(void *opaque, hwaddr addr,
641 uint64_t data, unsigned size)
643 VFIONvidiaBAR5Quirk *bar5 = opaque;
644 VFIOPCIDevice *vdev = bar5->window.vdev;
646 vfio_region_write(&vdev->bars[5].region, addr + 4, data, size);
649 vfio_nvidia_bar5_enable(bar5);
652 static const MemoryRegionOps vfio_nvidia_bar5_quirk_enable = {
653 .read = vfio_nvidia_bar5_quirk_enable_read,
654 .write = vfio_nvidia_bar5_quirk_enable_write,
655 .endianness = DEVICE_LITTLE_ENDIAN,
658 static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice *vdev, int nr)
661 VFIONvidiaBAR5Quirk *bar5;
662 VFIOConfigWindowQuirk *window;
664 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
665 !vdev->has_vga || nr != 5) {
669 quirk = g_malloc0(sizeof(*quirk));
670 quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 4);
672 bar5 = quirk->data = g_malloc0(sizeof(*bar5) +
673 (sizeof(VFIOConfigWindowMatch) * 2));
674 window = &bar5->window;
677 window->address_offset = 0x8;
678 window->data_offset = 0xc;
679 window->nr_matches = 2;
680 window->matches[0].match = 0x1800;
681 window->matches[0].mask = PCI_CONFIG_SPACE_SIZE - 1;
682 window->matches[1].match = 0x88000;
683 window->matches[1].mask = PCIE_CONFIG_SPACE_SIZE - 1;
685 window->addr_mem = bar5->addr_mem = &quirk->mem[0];
686 window->data_mem = bar5->data_mem = &quirk->mem[1];
688 memory_region_init_io(window->addr_mem, OBJECT(vdev),
689 &vfio_generic_window_address_quirk, window,
690 "vfio-nvidia-bar5-window-address-quirk", 4);
691 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
692 window->address_offset,
693 window->addr_mem, 1);
694 memory_region_set_enabled(window->addr_mem, false);
696 memory_region_init_io(window->data_mem, OBJECT(vdev),
697 &vfio_generic_window_data_quirk, window,
698 "vfio-nvidia-bar5-window-data-quirk", 4);
699 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
701 window->data_mem, 1);
702 memory_region_set_enabled(window->data_mem, false);
704 memory_region_init_io(&quirk->mem[2], OBJECT(vdev),
705 &vfio_nvidia_bar5_quirk_master, bar5,
706 "vfio-nvidia-bar5-master-quirk", 4);
707 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
708 0, &quirk->mem[2], 1);
710 memory_region_init_io(&quirk->mem[3], OBJECT(vdev),
711 &vfio_nvidia_bar5_quirk_enable, bar5,
712 "vfio-nvidia-bar5-enable-quirk", 4);
713 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
714 4, &quirk->mem[3], 1);
716 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
718 trace_vfio_quirk_nvidia_bar5_probe(vdev->vbasedev.name);
722 * Finally, BAR0 itself. We want to redirect any accesses to either
723 * 0x1800 or 0x88000 through the PCI config space access functions.
725 static void vfio_nvidia_quirk_mirror_write(void *opaque, hwaddr addr,
726 uint64_t data, unsigned size)
728 VFIOConfigMirrorQuirk *mirror = opaque;
729 VFIOPCIDevice *vdev = mirror->vdev;
730 PCIDevice *pdev = &vdev->pdev;
732 vfio_generic_quirk_mirror_write(opaque, addr, data, size);
735 * Nvidia seems to acknowledge MSI interrupts by writing 0xff to the
736 * MSI capability ID register. Both the ID and next register are
737 * read-only, so we allow writes covering either of those to real hw.
739 if ((pdev->cap_present & QEMU_PCI_CAP_MSI) &&
740 vfio_range_contained(addr, size, pdev->msi_cap, PCI_MSI_FLAGS)) {
741 vfio_region_write(&vdev->bars[mirror->bar].region,
742 addr + mirror->offset, data, size);
743 trace_vfio_quirk_nvidia_bar0_msi_ack(vdev->vbasedev.name);
747 static const MemoryRegionOps vfio_nvidia_mirror_quirk = {
748 .read = vfio_generic_quirk_mirror_read,
749 .write = vfio_nvidia_quirk_mirror_write,
750 .endianness = DEVICE_LITTLE_ENDIAN,
753 static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice *vdev, int nr)
756 VFIOConfigMirrorQuirk *mirror;
758 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
759 !vfio_is_vga(vdev) || nr != 0) {
763 quirk = g_malloc0(sizeof(*quirk));
764 mirror = quirk->data = g_malloc0(sizeof(*mirror));
765 mirror->mem = quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 1);
768 mirror->offset = 0x88000;
771 memory_region_init_io(mirror->mem, OBJECT(vdev),
772 &vfio_nvidia_mirror_quirk, mirror,
773 "vfio-nvidia-bar0-88000-mirror-quirk",
774 PCIE_CONFIG_SPACE_SIZE);
775 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
776 mirror->offset, mirror->mem, 1);
778 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
780 /* The 0x1800 offset mirror only seems to get used by legacy VGA */
782 quirk = g_malloc0(sizeof(*quirk));
783 mirror = quirk->data = g_malloc0(sizeof(*mirror));
784 mirror->mem = quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 1);
787 mirror->offset = 0x1800;
790 memory_region_init_io(mirror->mem, OBJECT(vdev),
791 &vfio_nvidia_mirror_quirk, mirror,
792 "vfio-nvidia-bar0-1800-mirror-quirk",
793 PCI_CONFIG_SPACE_SIZE);
794 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
795 mirror->offset, mirror->mem, 1);
797 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
800 trace_vfio_quirk_nvidia_bar0_probe(vdev->vbasedev.name);
804 * TODO - Some Nvidia devices provide config access to their companion HDA
805 * device and even to their parent bridge via these config space mirrors.
806 * Add quirks for those regions.
809 #define PCI_VENDOR_ID_REALTEK 0x10ec
812 * RTL8168 devices have a backdoor that can access the MSI-X table. At BAR2
813 * offset 0x70 there is a dword data register, offset 0x74 is a dword address
814 * register. According to the Linux r8169 driver, the MSI-X table is addressed
815 * when the "type" portion of the address register is set to 0x1. This appears
816 * to be bits 16:30. Bit 31 is both a write indicator and some sort of
817 * "address latched" indicator. Bits 12:15 are a mask field, which we can
818 * ignore because the MSI-X table should always be accessed as a dword (full
819 * mask). Bits 0:11 is offset within the type.
823 * Read from MSI-X table offset 0
824 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x1f000, 4) // store read addr
825 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x8001f000 // latch
826 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x70, 4) = 0xfee00398 // read data
828 * Write 0xfee00000 to MSI-X table offset 0
829 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x70, 0xfee00000, 4) // write data
830 * vfio: vfio_bar_write(0000:05:00.0:BAR2+0x74, 0x8001f000, 4) // do write
831 * vfio: vfio_bar_read(0000:05:00.0:BAR2+0x74, 4) = 0x1f000 // complete
833 typedef struct VFIOrtl8168Quirk {
840 static uint64_t vfio_rtl8168_quirk_address_read(void *opaque,
841 hwaddr addr, unsigned size)
843 VFIOrtl8168Quirk *rtl = opaque;
844 VFIOPCIDevice *vdev = rtl->vdev;
845 uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x74, size);
848 data = rtl->addr ^ 0x80000000U; /* latch/complete */
849 trace_vfio_quirk_rtl8168_fake_latch(vdev->vbasedev.name, data);
855 static void vfio_rtl8168_quirk_address_write(void *opaque, hwaddr addr,
856 uint64_t data, unsigned size)
858 VFIOrtl8168Quirk *rtl = opaque;
859 VFIOPCIDevice *vdev = rtl->vdev;
861 rtl->enabled = false;
863 if ((data & 0x7fff0000) == 0x10000) { /* MSI-X table */
865 rtl->addr = (uint32_t)data;
867 if (data & 0x80000000U) { /* Do write */
868 if (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX) {
869 hwaddr offset = data & 0xfff;
870 uint64_t val = rtl->data;
872 trace_vfio_quirk_rtl8168_msix_write(vdev->vbasedev.name,
873 (uint16_t)offset, val);
875 /* Write to the proper guest MSI-X table instead */
876 memory_region_dispatch_write(&vdev->pdev.msix_table_mmio,
878 MEMTXATTRS_UNSPECIFIED);
880 return; /* Do not write guest MSI-X data to hardware */
884 vfio_region_write(&vdev->bars[2].region, addr + 0x74, data, size);
887 static const MemoryRegionOps vfio_rtl_address_quirk = {
888 .read = vfio_rtl8168_quirk_address_read,
889 .write = vfio_rtl8168_quirk_address_write,
891 .min_access_size = 4,
892 .max_access_size = 4,
895 .endianness = DEVICE_LITTLE_ENDIAN,
898 static uint64_t vfio_rtl8168_quirk_data_read(void *opaque,
899 hwaddr addr, unsigned size)
901 VFIOrtl8168Quirk *rtl = opaque;
902 VFIOPCIDevice *vdev = rtl->vdev;
903 uint64_t data = vfio_region_read(&vdev->bars[2].region, addr + 0x74, size);
905 if (rtl->enabled && (vdev->pdev.cap_present & QEMU_PCI_CAP_MSIX)) {
906 hwaddr offset = rtl->addr & 0xfff;
907 memory_region_dispatch_read(&vdev->pdev.msix_table_mmio, offset,
908 &data, size, MEMTXATTRS_UNSPECIFIED);
909 trace_vfio_quirk_rtl8168_msix_read(vdev->vbasedev.name, offset, data);
915 static void vfio_rtl8168_quirk_data_write(void *opaque, hwaddr addr,
916 uint64_t data, unsigned size)
918 VFIOrtl8168Quirk *rtl = opaque;
919 VFIOPCIDevice *vdev = rtl->vdev;
921 rtl->data = (uint32_t)data;
923 vfio_region_write(&vdev->bars[2].region, addr + 0x70, data, size);
926 static const MemoryRegionOps vfio_rtl_data_quirk = {
927 .read = vfio_rtl8168_quirk_data_read,
928 .write = vfio_rtl8168_quirk_data_write,
930 .min_access_size = 4,
931 .max_access_size = 4,
934 .endianness = DEVICE_LITTLE_ENDIAN,
937 static void vfio_probe_rtl8168_bar2_quirk(VFIOPCIDevice *vdev, int nr)
940 VFIOrtl8168Quirk *rtl;
942 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_REALTEK, 0x8168) || nr != 2) {
946 quirk = g_malloc0(sizeof(*quirk));
947 quirk->mem = g_malloc0_n(sizeof(MemoryRegion), 2);
949 quirk->data = rtl = g_malloc0(sizeof(*rtl));
952 memory_region_init_io(&quirk->mem[0], OBJECT(vdev),
953 &vfio_rtl_address_quirk, rtl,
954 "vfio-rtl8168-window-address-quirk", 4);
955 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
956 0x74, &quirk->mem[0], 1);
958 memory_region_init_io(&quirk->mem[1], OBJECT(vdev),
959 &vfio_rtl_data_quirk, rtl,
960 "vfio-rtl8168-window-data-quirk", 4);
961 memory_region_add_subregion_overlap(&vdev->bars[nr].region.mem,
962 0x70, &quirk->mem[1], 1);
964 QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
966 trace_vfio_quirk_rtl8168_probe(vdev->vbasedev.name);
970 * Common quirk probe entry points.
972 void vfio_vga_quirk_setup(VFIOPCIDevice *vdev)
974 vfio_vga_probe_ati_3c3_quirk(vdev);
975 vfio_vga_probe_nvidia_3d0_quirk(vdev);
978 void vfio_vga_quirk_teardown(VFIOPCIDevice *vdev)
983 for (i = 0; i < ARRAY_SIZE(vdev->vga.region); i++) {
984 QLIST_FOREACH(quirk, &vdev->vga.region[i].quirks, next) {
985 for (j = 0; j < quirk->nr_mem; j++) {
986 memory_region_del_subregion(&vdev->vga.region[i].mem,
993 void vfio_vga_quirk_free(VFIOPCIDevice *vdev)
997 for (i = 0; i < ARRAY_SIZE(vdev->vga.region); i++) {
998 while (!QLIST_EMPTY(&vdev->vga.region[i].quirks)) {
999 VFIOQuirk *quirk = QLIST_FIRST(&vdev->vga.region[i].quirks);
1000 QLIST_REMOVE(quirk, next);
1001 for (j = 0; j < quirk->nr_mem; j++) {
1002 object_unparent(OBJECT(&quirk->mem[j]));
1005 g_free(quirk->data);
1011 void vfio_bar_quirk_setup(VFIOPCIDevice *vdev, int nr)
1013 vfio_probe_ati_bar4_quirk(vdev, nr);
1014 vfio_probe_ati_bar2_quirk(vdev, nr);
1015 vfio_probe_nvidia_bar5_quirk(vdev, nr);
1016 vfio_probe_nvidia_bar0_quirk(vdev, nr);
1017 vfio_probe_rtl8168_bar2_quirk(vdev, nr);
1020 void vfio_bar_quirk_teardown(VFIOPCIDevice *vdev, int nr)
1022 VFIOBAR *bar = &vdev->bars[nr];
1026 QLIST_FOREACH(quirk, &bar->quirks, next) {
1027 for (i = 0; i < quirk->nr_mem; i++) {
1028 memory_region_del_subregion(&bar->region.mem, &quirk->mem[i]);
1033 void vfio_bar_quirk_free(VFIOPCIDevice *vdev, int nr)
1035 VFIOBAR *bar = &vdev->bars[nr];
1038 while (!QLIST_EMPTY(&bar->quirks)) {
1039 VFIOQuirk *quirk = QLIST_FIRST(&bar->quirks);
1040 QLIST_REMOVE(quirk, next);
1041 for (i = 0; i < quirk->nr_mem; i++) {
1042 object_unparent(OBJECT(&quirk->mem[i]));
1045 g_free(quirk->data);
projects / qemu.git / blob