[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH RFC] xen/pci: detect when BARs overlap RAM
One of the boxes where I was attempting to boot Xen in PVH dom0 mode has quirky firmware: it hands over with a device that has memory decoding enabled and a BAR of size 4K at address 0. Such a BAR overlaps with a RAM range in the e820 map. This interacts badly with the PVH dom0 build, as BARs are set up in the p2m before RAM, so if there's a BAR positioned over a RAM region it will trigger a domain crash when the dom0 builder attempts to populate that region with a regular RAM page. It's in general a very bad idea to have a BAR overlapping with a RAM region, so add some sanity checks for devices that are added with memory decoding enabled, in order to ensure that BARs are not placed on top of memory regions. If overlaps are detected, just disable the memory decoding bit for the device and expect the hardware domain to properly position the BAR. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- RFC because: - Not sure what the best way to implement is_iomem_range on Arm is. BARs can be quite big, so iterating over every possible page is not ideal. - is_iomem_page cannot be used for this purpose on x86, because all of the low 1MB will return true due to belonging to dom_io. - VF BARs are not checked. Should we also check them, and disable the VFs if they overlap, in a follow-up patch? 
--- xen/arch/arm/mm.c | 11 ++++++ xen/arch/x86/mm.c | 20 +++++++++++ xen/drivers/passthrough/pci.c | 68 ++++++++++++++++++++++++++++++++++- xen/include/xen/mm.h | 2 ++ 4 files changed, 100 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c index eea926d823..fa4cee64c7 100644 --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -1625,6 +1625,17 @@ bool is_iomem_page(mfn_t mfn) return !mfn_valid(mfn); } +bool is_iomem_range(uint64_t start, uint64_t size) +{ + unsigned int i; + + for ( i = 0; i < PFN_UP(size); i++ ) + if ( !is_iomem_page(_mfn(PFN_DOWN(start) + i)) ) + return false; + + return true; +} + void clear_and_clean_page(struct page_info *page) { void *p = __map_domain_page(page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 1397f83e41..03699b2227 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -479,6 +479,26 @@ unsigned int page_get_ram_type(mfn_t mfn) return type ?: RAM_TYPE_UNKNOWN; } +bool is_iomem_range(uint64_t start, uint64_t size) +{ + unsigned int i; + + for ( i = 0; i < e820.nr_map; i++ ) + { + struct e820entry *entry = &e820.map[i]; + + if ( entry->type != E820_RAM && entry->type != E820_ACPI && + entry->type != E820_NVS ) + continue; + + if ( start < entry->addr + entry->size && + entry->addr < start + size ) + return false; + } + + return true; +} + unsigned long domain_get_maximum_gpfn(struct domain *d) { if ( is_hvm_domain(d) ) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 0d8ab2e716..032df71393 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -233,6 +233,7 @@ static void check_pdev(const struct pci_dev *pdev) PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT | \ PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY) u16 val; + unsigned int nbars = 0, rom_pos = 0, i; if ( command_mask ) { @@ -251,6 +252,8 @@ static void check_pdev(const struct pci_dev *pdev) switch ( pci_conf_read8(pdev->sbdf, PCI_HEADER_TYPE) & 0x7f ) 
{ case PCI_HEADER_TYPE_BRIDGE: + nbars = PCI_HEADER_BRIDGE_NR_BARS; + rom_pos = PCI_ROM_ADDRESS1; if ( !bridge_ctl_mask ) break; val = pci_conf_read16(pdev->sbdf, PCI_BRIDGE_CONTROL); @@ -267,11 +270,74 @@ static void check_pdev(const struct pci_dev *pdev) } break; + case PCI_HEADER_TYPE_NORMAL: + nbars = PCI_HEADER_NORMAL_NR_BARS; + rom_pos = PCI_ROM_ADDRESS; + break; + case PCI_HEADER_TYPE_CARDBUS: /* TODO */ break; } #undef PCI_STATUS_CHECK + + /* Check if BARs overlap with RAM regions. */ + val = pci_conf_read16(pdev->sbdf, PCI_COMMAND); + if ( !(val & PCI_COMMAND_MEMORY) || pdev->ignore_bars ) + return; + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val & ~PCI_COMMAND_MEMORY); + for ( i = 0; i < nbars; ) + { + uint64_t addr, size; + unsigned int reg = PCI_BASE_ADDRESS_0 + i * 4; + int rc = 1; + + if ( (pci_conf_read32(pdev->sbdf, reg) & PCI_BASE_ADDRESS_SPACE) != + PCI_BASE_ADDRESS_SPACE_MEMORY ) + goto next; + + rc = pci_size_mem_bar(pdev->sbdf, reg, &addr, &size, + (i == nbars - 1) ? PCI_BAR_LAST : 0); + if ( rc < 0 ) + return; + if ( size && !is_iomem_range(addr, size) ) + { + /* + * Return without enabling memory decoding if BAR overlaps with + * RAM region. 
+ */ + printk(XENLOG_WARNING + "%pp: disabled: BAR%u [%" PRIx64 ", %" PRIx64 + ") overlaps with RAM\n", + &pdev->sbdf, i, addr, addr + size); + return; + } + + next: + ASSERT(rc > 0); + i += rc; + } + + if ( pci_conf_read32(pdev->sbdf, rom_pos) & PCI_ROM_ADDRESS_ENABLE ) + { + uint64_t addr, size; + int rc = pci_size_mem_bar(pdev->sbdf, rom_pos, &addr, &size, + PCI_BAR_ROM); + + if ( rc < 0 ) + return; + if ( size && !is_iomem_range(addr, size) ) + { + printk(XENLOG_WARNING + "%pp: disabled: ROM BAR [%" PRIx64 ", %" PRIx64 + ") overlaps with RAM\n", + &pdev->sbdf, addr, addr + size); + return; + } + } + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val); } static void apply_quirks(struct pci_dev *pdev) @@ -399,8 +465,8 @@ static struct pci_dev *alloc_pdev(struct pci_seg *pseg, u8 bus, u8 devfn) break; } - check_pdev(pdev); apply_quirks(pdev); + check_pdev(pdev); return pdev; } diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 5db26ed477..764dcad5b3 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -554,6 +554,8 @@ int __must_check steal_page(struct domain *d, struct page_info *page, int page_is_ram_type(unsigned long mfn, unsigned long mem_type); /* Returns the page type(s). */ unsigned int page_get_ram_type(mfn_t mfn); +/* Check if a range is in IO suitable memory. */ +bool is_iomem_range(uint64_t start, uint64_t size); /* Prepare/destroy a ring for a dom0 helper. Helper with talk * with Xen on behalf of this domain. */ -- 2.34.1
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |