Xen project Mailing List

[PATCH v4] xen/pci: detect when BARs are not suitably positioned

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Wed, 2 Feb 2022 15:45:23 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0sZyzVC3JRNwT9aRZuSsyTGUzKM7BvPWaKzuv2Xg9fc=; b=XqrPzk208Cg8zSmU20t4tpDDbG5H1czHkKEPBHi+OH9Ph8NhOKGLMK25XOIITaDQr9IgeulC/r2RcJwa99+jpFRl4I9Wzh1W/H3GA6kwSeb3MjwkKVvtpXFW2PuLp9COJ4Ip8pBl8H/xN7JUwubiQG27ed9fkASV5y9v4o1TaP4n/NqEKguH3CpHo7edoN6oWYaOOCC02KDtwJ/gbQE5DLBqHZEW/NkrDPQJCfBxuXNw/KmA1j70QSMwPUem1xrUFUJC/dTFc5GtfUxSrJ7B5+DYAD0P1ivXNMA3LmMMxGco+y5rXEvEC+dt30r+nxhjPsuWOhZRj8+GG7ZIQivoSA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q3hX2pVMidF2987nRF7KtkXtyoijNnd3Vq1Q7S9ZM+UbSE91CL/bxomMQ4wYrQ4+BSQsMKICApu+CdZbzO7aOH62o7qO7jBYYkWqZuN07V6uaKobqe1/hhdXSFJxvUmlBfA2sKeO2kjCd28vq17oC3aDDblk4VJV7luCBtURgwy2I9sfOZ94SJyfTv/RJnQJdB+RrVCcaE9Q5B5kZ/Hb3nfUlv67RrLUlB9wTv43YBzWu0c0xRsb5fL7hC6RkGb9rncn10c7Rn0nWeuC37cVNiYu7T0sbM+oya0r+y95sPoJbDPV3WMbi0B/CN1tjbQHdpobJ9VnHwnLrKTTFXYXyg==

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>

Delivery-date: Wed, 02 Feb 2022 14:45:52 +0000

Ironport-data: A9a23:k+eqLqvbcwwXU6uUKJ9Ndryzu+fnVN5ZMUV32f8akzHdYApBsoF/q tZmKWGCaarfZjD8Kd1/aIy/900GvcDWnNIxSlQ9qChjRXgQ+JbJXdiXEBz9bniYRiHhoOOLz Cm8hv3odp1coqr0/0/1WlTZQP0VOZigHtIQMsadUsxKbVIiGHdJZS5LwbZj2NYy2YLhWWthh PupyyHhEA79s9JLGjp8B5Kr8HuDa9yr5Vv0FnRnDRx6lAe2e0s9VfrzFonoR5fMeaFGH/bSe gr25OrRElU1XfsaIojNfr7TKiXmS1NJVOSEoiI+t6OK2nCuqsGuu0qS2TV1hUp/0l20c95NJ NplsaC/VSN5Aq/wqssjFCIJASBxZbZ4weqSSZS/mZT7I0zudnLtx7NlDV0sPJ1e8eFyaY1M3 aVGcnZXNEnF3r/ohuLgIgVvrp1LwM3DJoQQt2sm1TjEJf0nXYrCU+PB4towMDIY2JsVR6eCO pVxhTxHVDHxZTBgIEUsFYNkxcuwjz7PV34HtwfAzUYwyzeKl1EguFT3C/LXZ9iLSMN9jkue4 GXc8AzRGQoGPdaSzT6E9HOEheLVmy7/HoUIG9WQ7vd3hHWDy2pVDwcZPXOrrP/8hkOgVtZ3L 00P5jFovaU07FasTNT2Q1u/unHslhwWVsdUEuY6wBqQ0aeS6AGcbkAbShZRZdpgs9U5LQHGz XfQwYmvX2Y29uTIFzTNrd94sA9eJwAREWAeQX84Tzc3zOekm9Ahjx2XVehaRfvdYsLOJRn8x DWDrS4bjroVjNIW26jTwW0rkw5AtbCSEFdru1y/snaNq1ogOdX7P9DABU3zsK4YRLt1WGVtq 5TtdyK2yOkVRa+AmyWWKAnmNOH4vq3VWNEwbLMGInXAy9hP0yLyFWyzyGsnTKuMDirjUWSxC HI/QSsLuPdu0IKCNMebmb6ZBcUw1rTHHt/4TP3SZdcmSsEvKFTYoHg/NBPJgTCFfK0QfUYXY s/zTCpRJSxCVfQPIMSeG4/xLoPHNghhnDiOFPgXPjys0KaEZW79dFv2GADmUwzN14vd+F+92 48Gb6OikkwDOMWjPHW/2dNNfDgicChqbbir+pc/XrPSfWJb9JQJVqW5LUUJIdI1xsy4V47go xmAZ6Ov4AGu2CSaeVjWMS0LhXGGdc8XkE/X9BcEZD6A83MifZyu/OEYcZ42dqMg7+tt0bh/S PxtRilKKq0npu3v92tPYJ/jgpZlcRj31wuCMzD8OGo0foJ6RhyP8djhJ1O9+C4LByuxlM0/v 7z/iV+LHctdH1xvXJTMdfai71KtpnxByuh8aFTFf4tIc0L2/Yk0dyGo1q0rI9sBIAnozyeB0 1rEGg8RoOTA+tdn8NTAia2egZ2uFu9yQhhTE2XBtO7kPijG5Guzh4RHVb/QLzzaUWr1/oSkZ PlUkK6gYKFWwg4SvtMlQbhxzK8469/+nJNgz1xpTCfRclCmKrJ8OX3aj8NBgbJAm+1CsgysV 0PRptQDYeeVONnoGUI6LRY+arjRzukdnzTf4KhnIEj+4yMrrrOLXV8LYkuJgS1ZarB0LJkk0 aEqv8tPs16zjR8jM9CniCFI9jvTcixcAvt/7pxKUpX2jgcLy01ZZc2OAyD715iDdtFQPxR4O TSTnqfD2+xRy0eqn6DfzpQRMT6xXagzhS0=

Ironport-hdrordr: A9a23:+VPMEaCr9U3JOYblHehAsceALOsnbusQ8zAXPh9KJiC9I/b1qy nxppkmPH/P6Qr4WBkb6LS90c67MAnhHP9OkPIs1NKZMjUO11HYSr2KgbGSoQEIeBeOidK1t5 0QCpSWYeeYZTMR7beY3ODRKadd/DDtytHOuQ6x9QYJcek8AJsQkjuRRzzrW3FedU1jP94UBZ Cc7s1Iq36JfmkWVN2yAj0gU/LYr9PGuZr6aVpebiRXozWmvHeN0vrXAhKY1hARX3dmxqojy3 HMl0jc6r+4u/+25xfA3yv47ohQmvHm1txfbfb8wvQ9G3HJsEKFdY5hU7qNsHQcp/yu0k8jlJ 32rxIpL61ImgfsV1DwhSGo9xjr0T4o5XOn40Sfm2HfrcvwQy9/I9ZdhKpCGyGpp3YIjZVZ6u ZmzmiZv51YAVfrhyLm/eXFUBlsiw6dvWciq+gOlHZSOLFuJYO5lbZvsn+9La1wXR4TsOscYa lT5YDnlbxrmGqhHj/kVjIF+q3uYpwxdi32N3Tq9PblkQS+p0oJvnfw8vZv7EvoxKhNNaWs2N 60QpiA7Is+NvP+TZgNc9vpEvHHfFAkf3r3QRGvyBLcZeQ6B04=

Ironport-sdr: MkPhPY26NqdhySkiQOxXoGDFIPCHkHrQ14JS6IaGTGP5Li2/FmyKwKKqVACbnrIgQHHg/od6wm J2uHnP8GR9RKTTcm6t6Bhuiq+alENWnVA+tFgtBMm4kEbEB4KCwy4zixR+4jbJgTfbqJel9/xt O72DEkC/7zGQ2pOrGqG2J1mr9RZKTzbi/eyH4Pm8iLLd6atiG1+Kh6ir/cS69I2lnr6OoNJfIa DfcMvggcoBAMvZvr6C7JGokf3AfE6nbzg0LPz+jXkYBXz7OYb+ZfojUPB7529hVowO8PYga6Mp aZRvWUqb6FmmfcuUw7X7e8th

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

One of the boxes where I was attempting to boot Xen in PVH dom0 mode has quirky firmware, as it will handover with a PCI device with memory decoding enabled and a BAR of size 4K at address 0. Such BAR overlaps with a RAM range on the e820. This interacts badly with the dom0 PVH build, as BARs will be setup on the p2m before RAM, so if there's a BAR positioned over a RAM region it will trigger a domain crash when the dom0 builder attempts to populate that region with a regular RAM page. It's in general a very bad idea to have a BAR overlapping with any memory region defined in the memory map, so add some sanity checks for devices that are added with memory decoding enabled in order to assure that BARs are not placed on top of memory regions defined in the memory map. If overlaps are detected just disable the memory decoding bit for the device and expect the hardware domain to properly position the BAR. Note apply_quirks must be called before check_pdev so that ignore_bars is set when calling the later. PCI_HEADER_{NORMAL,BRIDGE}_NR_BARS needs to be moved into pci_regs.h so it's defined even in the absence of vPCI. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v3: - Use mfn_t parameters. - Fix boundary checks. - Ignore memory ranges with 0 size. Changes since v2: - Unify warning message and store in a static const var. - Rename checker function to is_memory_hole. - Pass an inclusive MFN range to the checker function. - Remove Arm implementation of is_memory_hole due to lack of feedback. Changes since v1: - Add comment regarding pci_size_mem_bar failure. - Make e820entry const. - Move is_iomem_range after is_iomem_page. - Reword error message. - Make is_iomem_range paddr_t - Expand commit message. - Move PCI_HEADER_{NORMAL,BRIDGE}_NR_BARS. - Only attempt to read ROM BAR if rom_pos != 0. --- xen/arch/x86/mm.c | 23 ++++++++++++ xen/drivers/passthrough/pci.c | 71 ++++++++++++++++++++++++++++++++++- xen/include/xen/mm.h | 2 + xen/include/xen/pci_regs.h | 2 + xen/include/xen/vpci.h | 2 - 5 files changed, 97 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 1397f83e41..98edf5b89c 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -783,6 +783,29 @@ bool is_iomem_page(mfn_t mfn) return (page_get_owner(page) == dom_io); } +/* Input ranges are inclusive. */ +bool is_memory_hole(mfn_t start, mfn_t end) +{ + unsigned long s = mfn_x(start); + unsigned long e = mfn_x(end); + unsigned int i; + + for ( i = 0; i < e820.nr_map; i++ ) + { + const struct e820entry *entry = &e820.map[i]; + + if ( !entry->size ) + continue; + + /* Do not allow overlaps with any memory range. */ + if ( s <= PFN_DOWN(entry->addr + entry->size - 1) && + PFN_DOWN(entry->addr) <= e ) + return false; + } + + return true; +} + static int update_xen_mappings(unsigned long mfn, unsigned int cacheattr) { int err = 0; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 1fad80362f..e8b09d77d8 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -233,6 +233,9 @@ static void check_pdev(const struct pci_dev *pdev) PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT | \ PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY) u16 val; + unsigned int nbars = 0, rom_pos = 0, i; + static const char warn[] = XENLOG_WARNING + "%pp disabled: %sBAR [%#lx, %#lx] overlaps with memory map\n"; if ( command_mask ) { @@ -251,6 +254,8 @@ static void check_pdev(const struct pci_dev *pdev) switch ( pci_conf_read8(pdev->sbdf, PCI_HEADER_TYPE) & 0x7f ) { case PCI_HEADER_TYPE_BRIDGE: + nbars = PCI_HEADER_BRIDGE_NR_BARS; + rom_pos = PCI_ROM_ADDRESS1; if ( !bridge_ctl_mask ) break; val = pci_conf_read16(pdev->sbdf, PCI_BRIDGE_CONTROL); @@ -267,11 +272,75 @@ static void check_pdev(const struct pci_dev *pdev) } break; + case PCI_HEADER_TYPE_NORMAL: + nbars = PCI_HEADER_NORMAL_NR_BARS; + rom_pos = PCI_ROM_ADDRESS; + break; + case PCI_HEADER_TYPE_CARDBUS: /* TODO */ break; } #undef PCI_STATUS_CHECK + + /* Check if BARs overlap with other memory regions. */ + val = pci_conf_read16(pdev->sbdf, PCI_COMMAND); + if ( !(val & PCI_COMMAND_MEMORY) || pdev->ignore_bars ) + return; + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val & ~PCI_COMMAND_MEMORY); + for ( i = 0; i < nbars; ) + { + uint64_t addr, size; + unsigned int reg = PCI_BASE_ADDRESS_0 + i * 4; + int rc = 1; + + if ( (pci_conf_read32(pdev->sbdf, reg) & PCI_BASE_ADDRESS_SPACE) != + PCI_BASE_ADDRESS_SPACE_MEMORY ) + goto next; + + rc = pci_size_mem_bar(pdev->sbdf, reg, &addr, &size, + (i == nbars - 1) ? PCI_BAR_LAST : 0); + if ( rc < 0 ) + /* Unable to size, better leave memory decoding disabled. */ + return; + if ( size && !is_memory_hole(maddr_to_mfn(addr), + maddr_to_mfn(addr + size - 1)) ) + { + /* + * Return without enabling memory decoding if BAR position is not + * in IO suitable memory. Let the hardware domain re-position the + * BAR. + */ + printk(warn, + &pdev->sbdf, "", PFN_DOWN(addr), PFN_DOWN(addr + size - 1)); + return; + } + + next: + ASSERT(rc > 0); + i += rc; + } + + if ( rom_pos && + (pci_conf_read32(pdev->sbdf, rom_pos) & PCI_ROM_ADDRESS_ENABLE) ) + { + uint64_t addr, size; + int rc = pci_size_mem_bar(pdev->sbdf, rom_pos, &addr, &size, + PCI_BAR_ROM); + + if ( rc < 0 ) + return; + if ( size && !is_memory_hole(maddr_to_mfn(addr), + maddr_to_mfn(addr + size - 1)) ) + { + printk(warn, &pdev->sbdf, "ROM ", PFN_DOWN(addr), + PFN_DOWN(addr + size - 1)); + return; + } + } + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val); } static void apply_quirks(struct pci_dev *pdev) @@ -399,8 +468,8 @@ static struct pci_dev *alloc_pdev(struct pci_seg *pseg, u8 bus, u8 devfn) break; } - check_pdev(pdev); apply_quirks(pdev); + check_pdev(pdev); return pdev; } diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 5db26ed477..3be754da92 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -554,6 +554,8 @@ int __must_check steal_page(struct domain *d, struct page_info *page, int page_is_ram_type(unsigned long mfn, unsigned long mem_type); /* Returns the page type(s). */ unsigned int page_get_ram_type(mfn_t mfn); +/* Check if a range falls into a hole in the memory map. */ +bool is_memory_hole(mfn_t start, mfn_t end); /* Prepare/destroy a ring for a dom0 helper. Helper with talk * with Xen on behalf of this domain. */ diff --git a/xen/include/xen/pci_regs.h b/xen/include/xen/pci_regs.h index cc4ee3b83e..ee8e82be36 100644 --- a/xen/include/xen/pci_regs.h +++ b/xen/include/xen/pci_regs.h @@ -88,6 +88,8 @@ * 0xffffffff to the register, and reading it back. Only * 1 bits are decoded. */ +#define PCI_HEADER_NORMAL_NR_BARS 6 +#define PCI_HEADER_BRIDGE_NR_BARS 2 #define PCI_BASE_ADDRESS_0 0x10 /* 32 bits */ #define PCI_BASE_ADDRESS_1 0x14 /* 32 bits [htype 0,1 only] */ #define PCI_BASE_ADDRESS_2 0x18 /* 32 bits [htype 0 only] */ diff --git a/xen/include/xen/vpci.h b/xen/include/xen/vpci.h index 3f32de9d7e..e8ac1eb395 100644 --- a/xen/include/xen/vpci.h +++ b/xen/include/xen/vpci.h @@ -80,8 +80,6 @@ struct vpci { bool prefetchable : 1; /* Store whether the BAR is mapped into guest p2m. */ bool enabled : 1; -#define PCI_HEADER_NORMAL_NR_BARS 6 -#define PCI_HEADER_BRIDGE_NR_BARS 2 } bars[PCI_HEADER_NORMAL_NR_BARS + 1]; /* At most 6 BARS + 1 expansion ROM BAR. */ -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.