Xen project Mailing List

[PATCH v2] xen/pci: detect when BARs are not suitably positioned

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Thu, 27 Jan 2022 09:22:18 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6tkCapznQWJ8ExDQRvBzeDu8ghGeLcH/K+PaPNmFKp4=; b=aUZRUZnJeFSP7piYyWT4L8LD9uvmsFHAT+moXahwC/ebxvmrfRuwFWHslNurUUW6FAEUldYboAgacoVbItNrN8PXNjAJGmzfheJ1JzeYFSzKvAibmBozOzvpLecgcuqDr2U4pWlcly2J/thhIqjf46A3gF/2Cd+rfJeqcAlhmKRxyGNoMJofpcWn3x6K+229pKPpNECiHcmiY/Y4pplgJdlAt7yUkOIFr45wSVlT63TMSkBXvOY2NPshYIZRLaOJzlGfuBBUDFpJS3siNmcU6xJltOSa2ULZVf3xK1XJer8CPyC4dQGdTOcDPjRlecwErb54poZt/XcNHHJpAPTr5A==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MfD0IS1KBUAzifJFY7qifaH02XfxzJVljTC6QmCaprmfY38zIsZhPH196rFJutqfyl6Xu2YhqiYhrKOnaSyBwfjdQ0hzCXDNuUPJTxNt7DWxFbBOykDb3IY9k42Bi3Q/IeGp0H8I2vMNDjX7sCf6IAGy8mA2Gmc/zuyf2CUkNew1goitW6KXa7f43XI4w2I/2GC3Ft+oxP1RrORHbpQ0z9CIK3NKtS2d+dES93WkIaHkmKy7V+5tnTmN/qjjItIgRFkOj665fK5op3ioPhPqzuRu2UtgUpwh37N9v+eurJl9mz5ZIY/DyXj9Ylb8Cn1w8fgSNdAGx8472GUWRn2YqQ==

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, Paul Durrant <paul@xxxxxxx>

Delivery-date: Thu, 27 Jan 2022 08:22:58 +0000

Ironport-data: A9a23:TTnb76jyol1QSidi2O/ldu4EX161KhYKZh0ujC45NGQN5FlHY01je htvXj+HPf2MZzSke90lbom+oUME6p/cy4BhSAY+qSE8ECMb9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oAMKRCQ7InQLlbGILes1htZGEk0GE/NtTo5w7Rj2tcy3oDga++wk YiaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/DaptVBoaHq 9Prl9lVyI97EyAFUbtJmp6jGqEDryW70QKm0hK6UID66vROS7BbPg/W+5PwZG8O4whlkeydx /13raaORDoTOpHOu8UsaxkDAn0mHL1JreqvzXiX6aR/zmXDenrohf5vEFs3LcsT/eMf7WNmr KJCbmpXN1ba2rzwkOnTpupE36zPKOHxO4wSoDd4xCzxBvc6W5HTBa7N4Le02R9u3ZoRQquDN 6L1bxJgMRDnWjZ/PGsII41ipdX3vnPvTmxH/Qf9Sa0fvDGIkV0ZPKLWGNjfd8GORM5Vtl2Fv W+A9GP8ajkQOcaD0zOD/jSpj/XWgCLgcIsIEfuz8fsCqEWa22g7GBAQE1yhrpGRlUqWS99Zb UsO9UIGtrMu/UamSt38WRyQo3OeuBMYHd1KHIUS+AyLj6bZ/QudLmwFVSJaLswrstcsQj4n3 UPPmMnmbRRRt7mSRWOY562jhzq4MigILkcPfSYBCwAC5rHLopw3jx/JZsZuFuiylNKdJN3r6 2nU9m5k3exV1JNVkfXglbzav96yjqLRdDA42z/TYmCGzzJBZNW0O9SJ+VeOuJ6sM72lZlWGu XEFne2X4+YPEYyBmUSxfQkdIF26z63baWOB2DaDC7Fkrm3woCD7Iei89RkjfB8BDyoSRdP+j KY/Uyt17YQbAnalZLQfj2mZW5VzlviI+TgIu5npgjtyjnpZKVfvEMJGPxf4M4XRfK4Ey/xX1 XCzKp7EMJriIf47pAdavs9EuVPR+ggwxHnIWbfwxAm93LyVaRa9EOlZawHVNrtnsfvZ8W05F uqz0ePQlX2zt8WlOkHqHXM7dwhWfRDX+7iowyCoSgJzClU/QzxwYxMg6bggZ5Zkj8xoehTgp RmAtrtj4AOn3xXvcFzSAlg6Me+Hdcsh8RoTYHJ9VX71iylLSdv+t883KspoFYTLAcQ+l5aYu dFfJZXZahmOIxyakwkggW7V9dw7K0/z1FvQZkJIolEXJvZdeuAAwfe9FiPH/ygSFCun88w4p ryrzATARpQfAQ9lCa7rhDiHnztdZFARx7B/WVXmON5WdBm++YRmMXWp3PQ2P9sNOVPIwT7Dj 1SaBhIRpO/spY4p8YaW2fDY/tnxS+YuTFBHG2T77KqtMXWI9GSU3oIdAv2DeirQVT2o9fz6N /lV1fz1LNYOgE1O79hnC79uwK9nv4nvqrZWwx5KBnLOa1j3WLpsLmPfhZtEt7FXx68fsgyzA xrd9t5fMLSPGcXkDF9Oe1Z1MrXdjakZw2CA4+40LUP24D5M0ICGCUgCbQORjCF9LaduNN93y +kWp8NLuRe0jQAnM4jag3kMpXiMNHEJT44uqooeXN3wkgMux1xPPc7cByvx7M3dYtlAKBB3c Dqdha6EjLVA3EvSNXE0ECGVj+ZagJ0PvjFMzUMDeAvVyoaU2Kdv0U0D6ykzQyRU0g5DgrB6N WVcPkFoIbmDomVzj89ZUmHwQwxMCXV1IKAqJ4flQIEBc3SVaw==

Ironport-hdrordr: A9a23:jjQVPqAOh8+h/1XlHehCsceALOsnbusQ8zAXPh9KJyC9I/b2qy nxppgmPH/P6Ar4WBkb6Le90c67MA7hHP9OkPMs1NKZPTUO11HYVb2KgbGSpgEIeBeOiNK1t5 0QC5SWYeeYZTMR4LeYkWuF+r4bsaa6GcuT9IHjJhlWPGVXg/YK1XYENu/XKDw/eCB2Qb4CUL aM7MtOoDStPVwRc8SAH3EAG8zOvcfCmp7KaQMPQ0dP0njFsRqYrJrBVzSI1BYXVD1ChZ8k7G j+igT8ooGuqeuyxBPw33Laq75WhNzi4N1eA9HksLlfFhzcziKTIKhxUbyLuz445Mmp9VYRid HJ5ywtOsxigkmhCV2dkF/I4U3NwTwu43jtxRuzmn34u/H0Qzo8Fo5omZ9ZWgGx0TtugPhMlI Zwm06JvZteCh3N2A7n4cLTah1snk2o5VI/jO8oiWBFW4d2Us4ckWUmxjIVLH48JlO71Gh+e9 MeT/00pcwmPG9yVkqp8FWGm7eXLzYO9hTveDl3hiXa6UkSoJlD9Tpp+CUopAZ0yHsMceg02w 36CNUaqFg3dL5sUUtcPpZ2fSLlMB2FffrzWFjiU2gPUpt3f07wlw==

Ironport-sdr: i2ytqYmjw/nn2ZfamQEBAYynoSlV3/6U0bU4HwSJNRia+YjD2VJp9LNlzE0h+C+sql24nwSSLI CHtAwc4gevaaBUKuNzFxBhY4w9EMDqFNp7ogygNMFk2FGKh8+iLf5PjVgfML3c7aK8TiR7eEzd lx5Fpy01ob6h0me8ky9VyndCnR9Mg4crpPPay0mF6zE7AU5ttutOjMYxqErQ+HrGT2PyW9v4VZ 1z939l64hCXUCznZ5pM3LL0id/1zvLoe3Sjj0uJcR9l7GViK0Fpwp7r7QWI6Uh7mlILttRoTYC wp42GZeNqhjEFO7qWry11kL+

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

One of the boxes where I was attempting to boot Xen in PVH dom0 mode has quirky firmware, as it will handover with a PCI device with memory decoding enabled and a BAR of size 4K at address 0. Such BAR overlaps with a RAM range on the e820. This interacts badly with the dom0 PVH build, as BARs will be setup on the p2m before RAM, so if there's a BAR positioned over a RAM region it will trigger a domain crash when the dom0 builder attempts to populate that region with a regular RAM page. It's in general a very bad idea to have a BAR overlapping with a RAM region, so add some sanity checks for devices that are added with memory decoding enabled in order to assure that BARs are not placed on top of memory regions defined in the memory map. If overlaps are detected just disable the memory decoding bit for the device and expect the hardware domain to properly position the BAR. Note apply_quirks must be called before check_pdev so that ignore_bars is set when calling the later. PCI_HEADER_{NORMAL,BRIDGE}_NR_BARS needs to be moved into pci_regs.h so it's defined even in the absence of vPCI. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v1: - Add comment regarding pci_size_mem_bar failure. - Make e820entry const. - Move is_iomem_range after is_iomem_page. - Reword error message. - Make is_iomem_range paddr_t - Expand commit message. - Move PCI_HEADER_{NORMAL,BRIDGE}_NR_BARS. - Only attempt to read ROM BAR if rom_pos != 0. --- xen/arch/arm/mm.c | 11 ++++++ xen/arch/x86/mm.c | 17 +++++++++ xen/drivers/passthrough/pci.c | 69 ++++++++++++++++++++++++++++++++++- xen/include/xen/mm.h | 2 + xen/include/xen/pci_regs.h | 2 + xen/include/xen/vpci.h | 2 - 6 files changed, 100 insertions(+), 3 deletions(-) diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c index eea926d823..4626e9eb8b 100644 --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -1625,6 +1625,17 @@ bool is_iomem_page(mfn_t mfn) return !mfn_valid(mfn); } +bool is_iomem_range(paddr_t start, uint64_t size) +{ + unsigned int i; + + for ( i = 0; i < PFN_UP(size); i++ ) + if ( !is_iomem_page(_mfn(PFN_DOWN(start) + i)) ) + return false; + + return true; +} + void clear_and_clean_page(struct page_info *page) { void *p = __map_domain_page(page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 1397f83e41..3f451134c6 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -783,6 +783,23 @@ bool is_iomem_page(mfn_t mfn) return (page_get_owner(page) == dom_io); } +bool is_iomem_range(paddr_t start, uint64_t size) +{ + unsigned int i; + + for ( i = 0; i < e820.nr_map; i++ ) + { + const struct e820entry *entry = &e820.map[i]; + + /* Do not allow overlaps with any memory range. */ + if ( start < entry->addr + entry->size && + entry->addr < start + size ) + return false; + } + + return true; +} + static int update_xen_mappings(unsigned long mfn, unsigned int cacheattr) { int err = 0; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 0d8ab2e716..07753109e0 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -233,6 +233,7 @@ static void check_pdev(const struct pci_dev *pdev) PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT | \ PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY) u16 val; + unsigned int nbars = 0, rom_pos = 0, i; if ( command_mask ) { @@ -251,6 +252,8 @@ static void check_pdev(const struct pci_dev *pdev) switch ( pci_conf_read8(pdev->sbdf, PCI_HEADER_TYPE) & 0x7f ) { case PCI_HEADER_TYPE_BRIDGE: + nbars = PCI_HEADER_BRIDGE_NR_BARS; + rom_pos = PCI_ROM_ADDRESS1; if ( !bridge_ctl_mask ) break; val = pci_conf_read16(pdev->sbdf, PCI_BRIDGE_CONTROL); @@ -267,11 +270,75 @@ static void check_pdev(const struct pci_dev *pdev) } break; + case PCI_HEADER_TYPE_NORMAL: + nbars = PCI_HEADER_NORMAL_NR_BARS; + rom_pos = PCI_ROM_ADDRESS; + break; + case PCI_HEADER_TYPE_CARDBUS: /* TODO */ break; } #undef PCI_STATUS_CHECK + + /* Check if BARs overlap with other memory regions. */ + val = pci_conf_read16(pdev->sbdf, PCI_COMMAND); + if ( !(val & PCI_COMMAND_MEMORY) || pdev->ignore_bars ) + return; + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val & ~PCI_COMMAND_MEMORY); + for ( i = 0; i < nbars; ) + { + uint64_t addr, size; + unsigned int reg = PCI_BASE_ADDRESS_0 + i * 4; + int rc = 1; + + if ( (pci_conf_read32(pdev->sbdf, reg) & PCI_BASE_ADDRESS_SPACE) != + PCI_BASE_ADDRESS_SPACE_MEMORY ) + goto next; + + rc = pci_size_mem_bar(pdev->sbdf, reg, &addr, &size, + (i == nbars - 1) ? PCI_BAR_LAST : 0); + if ( rc < 0 ) + /* Unable to size, better leave memory decoding disabled. */ + return; + if ( size && !is_iomem_range(addr, size) ) + { + /* + * Return without enabling memory decoding if BAR position is not + * in IO suitable memory. Let the hardware domain re-position the + * BAR. + */ + printk(XENLOG_WARNING +"%pp disabled: BAR%u [%" PRIx64 ", %" PRIx64 ") overlaps with memory map\n", + &pdev->sbdf, i, addr, addr + size); + return; + } + + next: + ASSERT(rc > 0); + i += rc; + } + + if ( rom_pos && + (pci_conf_read32(pdev->sbdf, rom_pos) & PCI_ROM_ADDRESS_ENABLE) ) + { + uint64_t addr, size; + int rc = pci_size_mem_bar(pdev->sbdf, rom_pos, &addr, &size, + PCI_BAR_ROM); + + if ( rc < 0 ) + return; + if ( size && !is_iomem_range(addr, size) ) + { + printk(XENLOG_WARNING +"%pp disabled: ROM BAR [%" PRIx64 ", %" PRIx64 ") overlaps with memory map\n", + &pdev->sbdf, addr, addr + size); + return; + } + } + + pci_conf_write16(pdev->sbdf, PCI_COMMAND, val); } static void apply_quirks(struct pci_dev *pdev) @@ -399,8 +466,8 @@ static struct pci_dev *alloc_pdev(struct pci_seg *pseg, u8 bus, u8 devfn) break; } - check_pdev(pdev); apply_quirks(pdev); + check_pdev(pdev); return pdev; } diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 5db26ed477..4801811bb5 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -554,6 +554,8 @@ int __must_check steal_page(struct domain *d, struct page_info *page, int page_is_ram_type(unsigned long mfn, unsigned long mem_type); /* Returns the page type(s). */ unsigned int page_get_ram_type(mfn_t mfn); +/* Check if a range is in IO suitable memory. */ +bool is_iomem_range(paddr_t start, uint64_t size); /* Prepare/destroy a ring for a dom0 helper. Helper with talk * with Xen on behalf of this domain. */ diff --git a/xen/include/xen/pci_regs.h b/xen/include/xen/pci_regs.h index cc4ee3b83e..ee8e82be36 100644 --- a/xen/include/xen/pci_regs.h +++ b/xen/include/xen/pci_regs.h @@ -88,6 +88,8 @@ * 0xffffffff to the register, and reading it back. Only * 1 bits are decoded. */ +#define PCI_HEADER_NORMAL_NR_BARS 6 +#define PCI_HEADER_BRIDGE_NR_BARS 2 #define PCI_BASE_ADDRESS_0 0x10 /* 32 bits */ #define PCI_BASE_ADDRESS_1 0x14 /* 32 bits [htype 0,1 only] */ #define PCI_BASE_ADDRESS_2 0x18 /* 32 bits [htype 0 only] */ diff --git a/xen/include/xen/vpci.h b/xen/include/xen/vpci.h index 3f32de9d7e..e8ac1eb395 100644 --- a/xen/include/xen/vpci.h +++ b/xen/include/xen/vpci.h @@ -80,8 +80,6 @@ struct vpci { bool prefetchable : 1; /* Store whether the BAR is mapped into guest p2m. */ bool enabled : 1; -#define PCI_HEADER_NORMAL_NR_BARS 6 -#define PCI_HEADER_BRIDGE_NR_BARS 2 } bars[PCI_HEADER_NORMAL_NR_BARS + 1]; /* At most 6 BARS + 1 expansion ROM BAR. */ -- 2.34.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.