 d9429b84af
			
		
	
	
IOMMU MMIO registers are divided into two groups by their offsets. Registers at low offsets (<0x2000) are grouped into the 'amdvi_mmio_low' table and registers at higher offsets (>=0x2000) are grouped into the 'amdvi_mmio_high' table. The number of registers in each table is given by the macros 'AMDVI_MMIO_REGS_LOW' and 'AMDVI_MMIO_REGS_HIGH' respectively. The values of these two macros were swapped, resulting in an out-of-bounds (OOB) access when reading the 'amdvi_mmio_high' table. Correct these two macros. Also read from the 'amdvi_mmio_low' table for lower addresses.

Reported-by: Azureyang <azureyang@tencent.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
		
			
				
	
	
		
/*
 * QEMU emulation of an AMD IOMMU (AMD-Vi)
 *
 * Copyright (C) 2011 Eduard - Gabriel Munteanu
 * Copyright (C) 2015 David Kiarie, <davidkiarie4@gmail.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.

 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

 * You should have received a copy of the GNU General Public License along
 * with this program; if not, see <http://www.gnu.org/licenses/>.
 */
| 
 | |
| #ifndef AMD_IOMMU_H_
 | |
| #define AMD_IOMMU_H_
 | |
| 
 | |
| #include "hw/hw.h"
 | |
| #include "hw/pci/pci.h"
 | |
| #include "hw/pci/msi.h"
 | |
| #include "hw/sysbus.h"
 | |
| #include "sysemu/dma.h"
 | |
| #include "hw/i386/pc.h"
 | |
| #include "hw/pci/pci_bus.h"
 | |
| #include "hw/i386/x86-iommu.h"
 | |
| 
 | |
/*
 * Capability registers.
 * NOTE(review): these look like byte offsets relative to the start of the
 * capability block (AMDVIState has a capab_offset field); the code that
 * uses them is not part of this header, so confirm against the users.
 */
#define AMDVI_CAPAB_BAR_LOW           0x04
#define AMDVI_CAPAB_BAR_HIGH          0x08
#define AMDVI_CAPAB_RANGE             0x0C
#define AMDVI_CAPAB_MISC              0x10

/* NOTE(review): presumably the capability block size and the size of one
 * capability register - confirm against the users. */
#define AMDVI_CAPAB_SIZE              0x18
#define AMDVI_CAPAB_REG_SIZE          0x04

/*
 * Capability header data.
 * All seven values below are OR'ed together into AMDVI_CAPAB_FEATURES
 * further down in this header.  The shifted values are plain int
 * constants (no U/ULL suffix); the highest bit used is bit 28.
 */
#define AMDVI_CAPAB_ID_SEC            0xf
#define AMDVI_CAPAB_FLAT_EXT          (1 << 28)
#define AMDVI_CAPAB_EFR_SUP           (1 << 27)
#define AMDVI_CAPAB_FLAG_NPCACHE      (1 << 26)
#define AMDVI_CAPAB_FLAG_HTTUNNEL     (1 << 25)
#define AMDVI_CAPAB_FLAG_IOTLBSUP     (1 << 24)
#define AMDVI_CAPAB_INIT_TYPE         (3 << 16)

/*
 * No. of used MMIO registers.
 *
 * These two counts must match the register offsets defined below: eight
 * offsets lie below 0x2000 (DEVICE_TABLE through EXT_FEATURES, plus
 * PPR_BASE) and seven lie at or above 0x2000 (COMMAND_HEAD through STATUS,
 * plus PPR_HEAD and PPR_TAIL).
 *
 * The counts bound lookups in two tables that are defined outside this
 * header ('amdvi_mmio_low' and 'amdvi_mmio_high').  A count larger than
 * its table lets a lookup read past the end of that table, so update the
 * count and the table together whenever a register is added or removed.
 * NOTE(review): a build-time size check next to the tables would catch
 * any drift between the two - the tables are not visible here to confirm
 * whether one exists.
 */
#define AMDVI_MMIO_REGS_HIGH  7
#define AMDVI_MMIO_REGS_LOW   8

/*
 * MMIO registers.
 *
 * The offsets form two groups: below 0x2000 and at or above 0x2000 (the
 * split that AMDVI_MMIO_REGS_LOW / AMDVI_MMIO_REGS_HIGH count).  Every
 * offset is 8 bytes away from its neighbour except for the gap between
 * STATUS (0x2020) and PPR_HEAD (0x2030).
 */
#define AMDVI_MMIO_DEVICE_TABLE       0x0000
#define AMDVI_MMIO_COMMAND_BASE       0x0008
#define AMDVI_MMIO_EVENT_BASE         0x0010
#define AMDVI_MMIO_CONTROL            0x0018
#define AMDVI_MMIO_EXCL_BASE          0x0020
#define AMDVI_MMIO_EXCL_LIMIT         0x0028
#define AMDVI_MMIO_EXT_FEATURES       0x0030
#define AMDVI_MMIO_COMMAND_HEAD       0x2000
#define AMDVI_MMIO_COMMAND_TAIL       0x2008
#define AMDVI_MMIO_EVENT_HEAD         0x2010
#define AMDVI_MMIO_EVENT_TAIL         0x2018
#define AMDVI_MMIO_STATUS             0x2020
/* PPR_BASE is listed out of numeric order: 0x0038 belongs to the low group */
#define AMDVI_MMIO_PPR_BASE           0x0038
#define AMDVI_MMIO_PPR_HEAD           0x2030
#define AMDVI_MMIO_PPR_TAIL           0x2038

/*
 * Size of the MMIO register space; AMDVIState sizes its mmior[], w1cmask[]
 * and romask[] byte arrays with it.  An access offset plus the access
 * width has to stay within this size before any of those arrays is
 * indexed.
 */
#define AMDVI_MMIO_SIZE               0x4000

/*
 * Device table register masks: SIZE_MASK selects bits 0..11, BASE_MASK
 * selects bits 12..51 (the low 52 bits with the size bits cleared).
 */
#define AMDVI_MMIO_DEVTAB_SIZE_MASK   ((1ULL << 12) - 1)
#define AMDVI_MMIO_DEVTAB_BASE_MASK   (((1ULL << 52) - 1) & ~ \
                                       AMDVI_MMIO_DEVTAB_SIZE_MASK)
/* Same value (32) as AMDVI_DEVTAB_ENTRY_SIZE defined later in this header */
#define AMDVI_MMIO_DEVTAB_ENTRY_SIZE  32
#define AMDVI_MMIO_DEVTAB_SIZE_UNIT   4096

/* Some of these are identical to one another; they are kept separate for
 * readability. */
/* *_SIZE_BYTE is the offset of byte 7 of the matching *_BASE register */
#define AMDVI_MMIO_CMDBUF_SIZE_BYTE       (AMDVI_MMIO_COMMAND_BASE + 7)
#define AMDVI_MMIO_CMDBUF_SIZE_MASK       0x0f
#define AMDVI_MMIO_CMDBUF_BASE_MASK       AMDVI_MMIO_DEVTAB_BASE_MASK
/* bits 4..18: the low 19 bits with the bottom four cleared */
#define AMDVI_MMIO_CMDBUF_HEAD_MASK       (((1ULL << 19) - 1) & ~0x0f)
/* Refers to a macro defined further down; that is fine because macros are
 * expanded at the point of use.  The value equals CMDBUF_HEAD_MASK. */
#define AMDVI_MMIO_CMDBUF_TAIL_MASK       AMDVI_MMIO_EVTLOG_HEAD_MASK

#define AMDVI_MMIO_EVTLOG_SIZE_BYTE       (AMDVI_MMIO_EVENT_BASE + 7)
#define AMDVI_MMIO_EVTLOG_SIZE_MASK       AMDVI_MMIO_CMDBUF_SIZE_MASK
#define AMDVI_MMIO_EVTLOG_BASE_MASK       AMDVI_MMIO_CMDBUF_BASE_MASK
#define AMDVI_MMIO_EVTLOG_HEAD_MASK       (((1ULL << 19) - 1) & ~0x0f)
#define AMDVI_MMIO_EVTLOG_TAIL_MASK       AMDVI_MMIO_EVTLOG_HEAD_MASK

/*
 * NOTE(review): PPRLOG_SIZE_BYTE is derived from AMDVI_MMIO_EVENT_BASE,
 * which makes it identical to AMDVI_MMIO_EVTLOG_SIZE_BYTE, although
 * AMDVI_MMIO_PPR_BASE (0x0038) exists.  If AMDVI_MMIO_PPR_BASE + 7 was
 * intended, any PPR log length taken from this byte is really the event
 * log's size field - confirm against the code that reads it.
 */
#define AMDVI_MMIO_PPRLOG_SIZE_BYTE       (AMDVI_MMIO_EVENT_BASE + 7)
#define AMDVI_MMIO_PPRLOG_HEAD_MASK       AMDVI_MMIO_EVTLOG_HEAD_MASK
#define AMDVI_MMIO_PPRLOG_TAIL_MASK       AMDVI_MMIO_EVTLOG_HEAD_MASK
#define AMDVI_MMIO_PPRLOG_BASE_MASK       AMDVI_MMIO_EVTLOG_BASE_MASK
#define AMDVI_MMIO_PPRLOG_SIZE_MASK       AMDVI_MMIO_EVTLOG_SIZE_MASK

/*
 * Exclusion range masks: bit 0 and bit 1 are the enabled and allow flags,
 * LIMIT_MASK reuses the device table base mask (bits 12..51) and LIMIT_LOW
 * covers the low 12 bits.
 * NOTE(review): AMDVIState marks the exclusion range fields "unused for
 * now"; whether these masks are applied anywhere is not visible here.
 */
#define AMDVI_MMIO_EXCL_ENABLED_MASK      (1ULL << 0)
#define AMDVI_MMIO_EXCL_ALLOW_MASK        (1ULL << 1)
#define AMDVI_MMIO_EXCL_LIMIT_MASK        AMDVI_MMIO_DEVTAB_BASE_MASK
#define AMDVI_MMIO_EXCL_LIMIT_LOW         0xfff

/* mmio control register flags (64-bit constants; bits 0-4 and bit 12) */
#define AMDVI_MMIO_CONTROL_AMDVIEN        (1ULL << 0)
#define AMDVI_MMIO_CONTROL_HTTUNEN        (1ULL << 1)
#define AMDVI_MMIO_CONTROL_EVENTLOGEN     (1ULL << 2)
#define AMDVI_MMIO_CONTROL_EVENTINTEN     (1ULL << 3)
#define AMDVI_MMIO_CONTROL_COMWAITINTEN   (1ULL << 4)
#define AMDVI_MMIO_CONTROL_CMDBUFLEN      (1ULL << 12)

/*
 * MMIO status register bits.
 * Unlike the control flags above these are plain int constants; all of
 * them sit in the low five bits, and bit 1 has no name here.
 */
#define AMDVI_MMIO_STATUS_CMDBUF_RUN  (1 << 4)
#define AMDVI_MMIO_STATUS_EVT_RUN     (1 << 3)
#define AMDVI_MMIO_STATUS_COMP_INT    (1 << 2)
#define AMDVI_MMIO_STATUS_EVT_OVF     (1 << 0)

/*
 * NOTE(review): presumably the command ID is taken from byte 7 of a
 * command buffer entry and shifted right by 4 - the decoding code is not
 * in this header, confirm against it.
 */
#define AMDVI_CMDBUF_ID_BYTE              0x07
#define AMDVI_CMDBUF_ID_RSHIFT            4

/*
 * Command IDs, contiguous from 0x01 to 0x08.  The values arrive through
 * the command buffer, so a decoder needs an explicit path for any ID
 * outside this set (AMDVI_EVENT_ILLEGAL_COMMAND_ERROR is defined below).
 */
#define AMDVI_CMD_COMPLETION_WAIT         0x01
#define AMDVI_CMD_INVAL_DEVTAB_ENTRY      0x02
#define AMDVI_CMD_INVAL_AMDVI_PAGES       0x03
#define AMDVI_CMD_INVAL_IOTLB_PAGES       0x04
#define AMDVI_CMD_INVAL_INTR_TABLE        0x05
#define AMDVI_CMD_PREFETCH_AMDVI_PAGES    0x06
#define AMDVI_CMD_COMPLETE_PPR_REQUEST    0x07
#define AMDVI_CMD_INVAL_AMDVI_ALL         0x08

/* Same value (32) as AMDVI_MMIO_DEVTAB_ENTRY_SIZE defined earlier */
#define AMDVI_DEVTAB_ENTRY_SIZE           32

/* Device table entry bits 0:63 */
#define AMDVI_DEV_VALID                   (1ULL << 0)
#define AMDVI_DEV_TRANSLATION_VALID       (1ULL << 1)
/* NOTE(review): the mask is unshifted, so it presumably applies after
 * shifting right by AMDVI_DEV_MODE_RSHIFT (bits 9..11) - confirm. */
#define AMDVI_DEV_MODE_MASK               0x7
#define AMDVI_DEV_MODE_RSHIFT             9
/* bits 12..51, the same bit range as AMDVI_MMIO_DEVTAB_BASE_MASK */
#define AMDVI_DEV_PT_ROOT_MASK            0xffffffffff000
#define AMDVI_DEV_PT_ROOT_RSHIFT          12
/* PERM_READ is bit AMDVI_DEV_PERM_SHIFT (61), PERM_WRITE the bit above it */
#define AMDVI_DEV_PERM_SHIFT              61
#define AMDVI_DEV_PERM_READ               (1ULL << 61)
#define AMDVI_DEV_PERM_WRITE              (1ULL << 62)

/* Device table entry bits 64:127 */
/* low 16 bits of the second quadword */
#define AMDVI_DEV_DOMID_ID_MASK          ((1ULL << 16) - 1)

/*
 * Event codes and flags, as stored in the info field.
 * The codes 0x1..0x6 are placed at bit 12 and up; AMDVI_EVENT_IOPF_I is a
 * separate flag at bit 3 (indented to show it accompanies the IOPF code).
 */
#define AMDVI_EVENT_ILLEGAL_DEVTAB_ENTRY  (0x1U << 12)
#define AMDVI_EVENT_IOPF                  (0x2U << 12)
#define   AMDVI_EVENT_IOPF_I              (1U << 3)
#define AMDVI_EVENT_DEV_TAB_HW_ERROR      (0x3U << 12)
#define AMDVI_EVENT_PAGE_TAB_HW_ERROR     (0x4U << 12)
#define AMDVI_EVENT_ILLEGAL_COMMAND_ERROR (0x5U << 12)
#define AMDVI_EVENT_COMMAND_HW_ERROR      (0x6U << 12)

/* NOTE(review): presumably the size in bytes of one event log entry -
 * the unit is not stated in this header. */
#define AMDVI_EVENT_LEN                  16
/*
 * Permission flags in bits 0 and 1.  These are distinct from
 * AMDVI_DEV_PERM_READ / AMDVI_DEV_PERM_WRITE, which sit at bits 61 and 62
 * of a device table entry; the two sets are not interchangeable.
 */
#define AMDVI_PERM_READ             (1 << 0)
#define AMDVI_PERM_WRITE            (1 << 1)

/*
 * Feature bits.  AMDVI_EXT_FEATURES (defined below) combines PREFETCH,
 * PPR, IA, GT and HE; GA and PC are defined here but are not part of it.
 */
#define AMDVI_FEATURE_PREFETCH            (1ULL << 0) /* page prefetch       */
#define AMDVI_FEATURE_PPR                 (1ULL << 1) /* PPR Support         */
#define AMDVI_FEATURE_GT                  (1ULL << 4) /* Guest Translation   */
#define AMDVI_FEATURE_IA                  (1ULL << 6) /* inval all support   */
#define AMDVI_FEATURE_GA                  (1ULL << 7) /* guest VAPIC support */
#define AMDVI_FEATURE_HE                  (1ULL << 8) /* hardware error regs */
#define AMDVI_FEATURE_PC                  (1ULL << 9) /* Perf counters       */

/*
 * reserved DTE bits: one mask per quadword (lower, middle, upper).
 * NOTE(review): presumably a device table entry with any of these bits
 * set is rejected - the check itself is not in this header.
 */
#define AMDVI_DTE_LOWER_QUAD_RESERVED  0x80300000000000fc
#define AMDVI_DTE_MIDDLE_QUAD_RESERVED 0x0000000000000100
#define AMDVI_DTE_UPPER_QUAD_RESERVED  0x08f0000000000000

/* AMDVI paging mode: the value 6 placed at bit 12 (GATS) and bit 10 (HATS);
 * both are OR'ed into AMDVI_EXT_FEATURES below. */
#define AMDVI_GATS_MODE                 (6ULL <<  12)
#define AMDVI_HATS_MODE                 (6ULL <<  10)

/* IOTLB */
/* NOTE(review): presumably the entry limit for the iotlb hash table in
 * AMDVIState, and the shift used to fold a device ID into its key -
 * confirm against the IOTLB code. */
#define AMDVI_IOTLB_MAX_SIZE 1024
#define AMDVI_DEVID_SHIFT    36

/*
 * extended feature support: the feature bits PREFETCH, PPR, IA, GT and HE
 * combined with the GATS/HATS paging mode fields.  AMDVI_FEATURE_GA and
 * AMDVI_FEATURE_PC are not included.
 */
#define AMDVI_EXT_FEATURES (AMDVI_FEATURE_PREFETCH | AMDVI_FEATURE_PPR | \
        AMDVI_FEATURE_IA | AMDVI_FEATURE_GT | AMDVI_FEATURE_HE | \
        AMDVI_GATS_MODE | AMDVI_HATS_MODE)

/* capabilities header: every "Capability header data" value defined
 * earlier in this header, OR'ed together */
#define AMDVI_CAPAB_FEATURES (AMDVI_CAPAB_FLAT_EXT | \
        AMDVI_CAPAB_FLAG_NPCACHE | AMDVI_CAPAB_FLAG_IOTLBSUP \
        | AMDVI_CAPAB_ID_SEC | AMDVI_CAPAB_INIT_TYPE | \
        AMDVI_CAPAB_FLAG_HTTUNNEL |  AMDVI_CAPAB_EFR_SUP)

/* AMDVI default address */
#define AMDVI_BASE_ADDR 0xfed80000

/* page management constants: 4 KiB pages (shift 12, size 1 << 12) */
#define AMDVI_PAGE_SHIFT 12
#define AMDVI_PAGE_SIZE  (1ULL << AMDVI_PAGE_SHIFT)

/* Same shift as AMDVI_PAGE_SHIFT; the mask clears the low 12 bits */
#define AMDVI_PAGE_SHIFT_4K 12
#define AMDVI_PAGE_MASK_4K  (~((1ULL << AMDVI_PAGE_SHIFT_4K) - 1))

/*
 * NOTE(review): despite the *_ADDR names these are not addresses.  Each
 * places a width value (48 or 40) at a bit offset (5, 8, 15), which looks
 * like a register field encoding - confirm where they are stored.  They
 * use the UL suffix, so their type is narrower than ULL on ILP32/LLP64
 * targets.
 */
#define AMDVI_MAX_VA_ADDR          (48UL << 5)
#define AMDVI_MAX_PH_ADDR          (40UL << 8)
#define AMDVI_MAX_GVA_ADDR         (48UL << 15)

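/* Completion Wait data size */
#define AMDVI_COMPLETION_DATA_SIZE    8

/* Command size (units are not stated in this header; presumably bytes) */
#define AMDVI_COMMAND_SIZE   16
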
/*
 * Inclusive address range 0xfee00000..0xfeefffff.
 * NOTE(review): presumably the interrupt address window that the
 * translation path treats specially - the code that tests against this
 * range is not in this header; confirm both bounds are compared
 * inclusively there.
 */
#define AMDVI_INT_ADDR_FIRST 0xfee00000
#define AMDVI_INT_ADDR_LAST  0xfeefffff

/* QOM type name of the IOMMU device, and the checked cast from a generic
 * object pointer to AMDVIState (via OBJECT_CHECK). */
#define TYPE_AMD_IOMMU_DEVICE "amd-iommu"
#define AMD_IOMMU_DEVICE(obj)\
    OBJECT_CHECK(AMDVIState, (obj), TYPE_AMD_IOMMU_DEVICE)

/* Type name for the PCI side; no cast macro for it is defined in this
 * header. */
#define TYPE_AMD_IOMMU_PCI "AMDVI-PCI"

/* Forward declaration; the struct itself is defined outside this header. */
typedef struct AMDVIAddressSpace AMDVIAddressSpace;

/*
 * Wrapper around the PCI device that is embedded in AMDVIState (field
 * 'pci').  The original comment reads "functions to steal PCI config
 * space"; no functions are declared here, only this struct.
 */
typedef struct AMDVIPCIState {
    PCIDevice dev;               /* The PCI device itself        */
} AMDVIPCIState;

/*
 * State of one emulated AMD IOMMU; this is the type AMD_IOMMU_DEVICE()
 * casts to.
 *
 * NOTE(review): the ring-buffer bases, lengths, heads and tails below
 * presumably mirror values written through the MMIO registers (see the
 * AMDVI_MMIO_*_MASK macros above).  Code that turns them into DMA
 * addresses should mask and bound them before use rather than trust them.
 */
typedef struct AMDVIState {
    X86IOMMUState iommu;        /* IOMMU bus device             */
    AMDVIPCIState pci;          /* IOMMU PCI device             */

    uint32_t version;            /* NOTE(review): meaning not documented here */
    uint32_t capab_offset;       /* capability offset pointer    */

    /* NOTE(review): presumably the base address of the MMIO region;
     * AMDVI_BASE_ADDR is the default address defined above - confirm */
    uint64_t mmio_addr;

    uint32_t devid;              /* auto-assigned devid          */

    bool enabled;                /* IOMMU enabled                */
    bool ats_enabled;            /* address translation enabled  */
    bool cmdbuf_enabled;         /* command buffer enabled       */
    bool evtlog_enabled;         /* event log enabled            */
    /* NOTE(review): a second flag named excl_enable exists further down;
     * which of the two the device code uses is not visible here */
    bool excl_enabled;

    hwaddr devtab;               /* base address device table    */
    size_t devtab_len;           /* device table length          */

    hwaddr cmdbuf;               /* command buffer base address  */
    uint64_t cmdbuf_len;         /* command buffer length        */
    uint32_t cmdbuf_head;        /* current IOMMU read position  */
    uint32_t cmdbuf_tail;        /* next Software write position */
    /* NOTE(review): presumably tracks AMDVI_MMIO_CONTROL_COMWAITINTEN */
    bool completion_wait_intr;

    hwaddr evtlog;               /* base address event log       */
    /* NOTE(review): presumably tracks AMDVI_MMIO_CONTROL_EVENTINTEN */
    bool evtlog_intr;
    uint32_t evtlog_len;         /* event log length             */
    uint32_t evtlog_head;        /* current IOMMU write position */
    uint32_t evtlog_tail;        /* current Software read position */

    /* unused for now */
    hwaddr excl_base;            /* base DVA - IOMMU exclusion range */
    hwaddr excl_limit;           /* limit of IOMMU exclusion range   */
    bool excl_allow;             /* translate accesses to the exclusion range */
    bool excl_enable;            /* exclusion range enabled          */

    hwaddr ppr_log;              /* base address ppr log */
    uint32_t pprlog_len;         /* ppr log len  */
    uint32_t pprlog_head;        /* ppr log head */
    uint32_t pprlog_tail;        /* ppr log tail */

    /*
     * Three byte arrays of AMDVI_MMIO_SIZE (0x4000) bytes each.  Any
     * offset used to index them, plus the access width, must be checked
     * against AMDVI_MMIO_SIZE first; the arrays are adjacent members, so
     * an out-of-range index lands in the neighbouring array or in the
     * fields that follow.
     */
    MemoryRegion mmio;                 /* MMIO region                  */
    uint8_t mmior[AMDVI_MMIO_SIZE];    /* read/write MMIO              */
    uint8_t w1cmask[AMDVI_MMIO_SIZE];  /* read/write 1 clear mask      */
    uint8_t romask[AMDVI_MMIO_SIZE];   /* MMIO read/only mask          */
    bool mmio_enabled;                 /* NOTE(review): not documented here */

    /* IOMMU function */
    MemoryRegionIOMMUOps iommu_ops;

    /* for each served device: PCI_BUS_MAX slots, each a pointer to an
     * array of AMDVIAddressSpace pointers */
    AMDVIAddressSpace **address_spaces[PCI_BUS_MAX];

    /* IOTLB */
    GHashTable *iotlb;
} AMDVIState;

| #endif
 |