1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * VFIO PCI Intel Graphics support
4 *
5 * Copyright (C) 2016 Red Hat, Inc. All rights reserved.
6 * Author: Alex Williamson <alex.williamson@redhat.com>
7 *
8 * Register a device specific region through which to provide read-only
9 * access to the Intel IGD opregion. The register defining the opregion
10 * address is also virtualized to prevent user modification.
11 */
12
13 #include <linux/io.h>
14 #include <linux/pci.h>
15 #include <linux/uaccess.h>
16 #include <linux/vfio.h>
17
18 #include "vfio_pci_priv.h"
19
/* Signature whose first 16 bytes must open a valid OpRegion. */
#define OPREGION_SIGNATURE	"IntelGraphicsMem"
/* Number of OpRegion bytes this driver maps and serves from the host. */
#define OPREGION_SIZE		(8 * 1024)
/* PCI config-space offset of the register holding the OpRegion address. */
#define OPREGION_PCI_ADDR	0xfc

/* Byte offsets of the fields this driver reads inside the OpRegion. */
#define OPREGION_RVDA		0x3ba	/* 64-bit extended VBT location */
#define OPREGION_RVDS		0x3c2	/* 32-bit extended VBT size */
#define OPREGION_VERSION	0x16	/* 16-bit OpRegion version */
27
/**
 * struct igd_opregion_vbt - kernel mappings backing the OpRegion vfio region.
 * @opregion: memremap() of the first OPREGION_SIZE bytes of the host OpRegion.
 * @vbt_ex: memremap() of the extended VBT, or NULL when the host OpRegion
 *          does not describe one.
 */
struct igd_opregion_vbt {
	void *opregion;
	void *vbt_ex;
};
32
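/**
 * igd_opregion_shift_copy() - Copy one chunk to the user buffer and advance
 *                             the caller's cursors.
 * @dst: Base of the user buffer.
 * @off: Current offset into @dst. Advanced by @bytes on success.
 * @src: Kernel source of the chunk.
 * @pos: Current position inside the region. Advanced by @bytes on success.
 * @remaining: Bytes still owed to the caller. Reduced by @bytes on success.
 * @bytes: Number of bytes to copy. Nothing here checks that @bytes fits in
 *         *@remaining or that @src is readable for @bytes bytes; the caller
 *         must bound @bytes before calling.
 *
 * @off, @pos and @remaining are left untouched when the copy fails.
 *
 * Return: 0 on success, -EFAULT otherwise.
 */
static inline int igd_opregion_shift_copy(char __user *dst,
					  loff_t *off,
					  void *src,
					  loff_t *pos,
					  size_t *remaining,
					  size_t bytes)
{
	/*
	 * The return type is int rather than unsigned long so that -EFAULT
	 * stays a negative errno instead of turning into a huge positive
	 * value; callers only test the result for non-zero.
	 */
	if (copy_to_user(dst + (*off), src, bytes))
		return -EFAULT;

	*off += bytes;
	*pos += bytes;
	*remaining -= bytes;

	return 0;
}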
63
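/**
 * vfio_pci_igd_rw() - Read handler for the IGD OpRegion device region.
 * @vdev: vfio PCI device owning the region.
 * @buf: User buffer to fill.
 * @count: Number of bytes requested.
 * @ppos: File position encoding region index and offset; advanced by the
 *        number of bytes returned.
 * @iswrite: True for a write request; writes are always rejected.
 *
 * The region is presented as the OpRegion (first OPREGION_SIZE bytes)
 * immediately followed by the extended VBT when one is mapped. Two fields are
 * synthesized instead of copied from the host: the version is reported as 2.1
 * when the host is 2.0 with an extended VBT, and RVDA is reported as
 * OPREGION_SIZE (or 0 without an extended VBT).
 *
 * Return: number of bytes copied, -EINVAL for writes or out-of-range offsets,
 * -EFAULT if the user buffer cannot be written.
 */
static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev,
			       char __user *buf, size_t count, loff_t *ppos,
			       bool iswrite)
{
	/*
	 * NOTE(review): i is not range-checked here; presumably the vfio core
	 * only dispatches to this handler for a registered device region --
	 * confirm against the caller.
	 */
	unsigned int i = VFIO_PCI_OFFSET_TO_INDEX(*ppos) - VFIO_PCI_NUM_REGIONS;
	struct igd_opregion_vbt *opregionvbt = vdev->region[i].data;
	loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK, off = 0;
	size_t remaining;

	if (pos >= vdev->region[i].size || iswrite)
		return -EINVAL;

	count = min_t(size_t, count, vdev->region[i].size - pos);

	/*
	 * Only OPREGION_SIZE bytes of the OpRegion are mapped, while the region
	 * size comes from the size field in the firmware-provided header.
	 * Without an extended VBT there is nothing behind the OpRegion, so
	 * never let a read run past the mapping into the NULL vbt_ex pointer.
	 */
	if (!opregionvbt->vbt_ex) {
		if (pos >= OPREGION_SIZE)
			return -EINVAL;

		count = min_t(size_t, count, OPREGION_SIZE - pos);
	}

	remaining = count;

	/* Copy until OpRegion version */
	if (remaining && pos < OPREGION_VERSION) {
		size_t bytes = min_t(size_t, remaining, OPREGION_VERSION - pos);

		if (igd_opregion_shift_copy(buf, &off,
					    opregionvbt->opregion + pos, &pos,
					    &remaining, bytes))
			return -EFAULT;
	}

	/* Copy patched (if necessary) OpRegion version */
	if (remaining && pos < OPREGION_VERSION + sizeof(__le16)) {
		size_t bytes = min_t(size_t, remaining,
				     OPREGION_VERSION + sizeof(__le16) - pos);
		__le16 version = *(__le16 *)(opregionvbt->opregion +
					     OPREGION_VERSION);

		/* Patch to 2.1 if OpRegion 2.0 has extended VBT */
		if (le16_to_cpu(version) == 0x0200 && opregionvbt->vbt_ex)
			version = cpu_to_le16(0x0201);

		/* pos may sit inside the field, so start at the matching byte. */
		if (igd_opregion_shift_copy(buf, &off,
					    (u8 *)&version +
					    (pos - OPREGION_VERSION),
					    &pos, &remaining, bytes))
			return -EFAULT;
	}

	/* Copy until RVDA */
	if (remaining && pos < OPREGION_RVDA) {
		size_t bytes = min_t(size_t, remaining, OPREGION_RVDA - pos);

		if (igd_opregion_shift_copy(buf, &off,
					    opregionvbt->opregion + pos, &pos,
					    &remaining, bytes))
			return -EFAULT;
	}

	/*
	 * Copy modified (if necessary) RVDA: the host value is never exposed;
	 * the user sees the extended VBT directly after the OpRegion, or 0.
	 */
	if (remaining && pos < OPREGION_RVDA + sizeof(__le64)) {
		size_t bytes = min_t(size_t, remaining,
				     OPREGION_RVDA + sizeof(__le64) - pos);
		__le64 rvda = cpu_to_le64(opregionvbt->vbt_ex ?
					  OPREGION_SIZE : 0);

		if (igd_opregion_shift_copy(buf, &off,
					    (u8 *)&rvda + (pos - OPREGION_RVDA),
					    &pos, &remaining, bytes))
			return -EFAULT;
	}

	/* Copy the rest of OpRegion */
	if (remaining && pos < OPREGION_SIZE) {
		size_t bytes = min_t(size_t, remaining, OPREGION_SIZE - pos);

		if (igd_opregion_shift_copy(buf, &off,
					    opregionvbt->opregion + pos, &pos,
					    &remaining, bytes))
			return -EFAULT;
	}

	/*
	 * Copy extended VBT if exists. Reached only with vbt_ex mapped (see
	 * the clamp above). The length of that mapping is not stored here, so
	 * this relies on the registered region size not exceeding
	 * OPREGION_SIZE plus the mapped extended VBT length.
	 */
	if (remaining &&
	    copy_to_user(buf + off, opregionvbt->vbt_ex + (pos - OPREGION_SIZE),
			 remaining))
		return -EFAULT;

	*ppos += count;

	return count;
}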
150
/*
 * Region release callback: drop both kernel mappings and free the
 * bookkeeping structure stored as the region's private data.
 */
static void vfio_pci_igd_release(struct vfio_pci_core_device *vdev,
				 struct vfio_pci_region *region)
{
	struct igd_opregion_vbt *maps = region->data;
	void *vbt = maps->vbt_ex;

	/* The extended VBT mapping is optional; the OpRegion one is not. */
	if (vbt)
		memunmap(vbt);

	memunmap(maps->opregion);
	kfree(maps);
}
162
/* Callbacks for the OpRegion device region. */
static const struct vfio_pci_regops vfio_pci_igd_regops = {
	.release	= vfio_pci_igd_release,
	.rw		= vfio_pci_igd_rw,
};
167
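/**
 * vfio_pci_igd_opregion_init() - Map the host OpRegion and expose it as a
 *                                read-only vfio device region.
 * @vdev: vfio PCI device for the IGD.
 *
 * Reads the OpRegion address from config space, maps OPREGION_SIZE bytes of
 * it, validates the signature and size field, optionally maps the extended
 * VBT described by RVDA/RVDS, registers the region and finally virtualizes
 * the address register in vconfig.
 *
 * Everything read from the OpRegion is firmware-provided data and is bounded
 * before it decides how much kernel memory user space may read.
 *
 * Return: 0 on success; -ENODEV when no OpRegion address is programmed;
 * -ENOMEM when an allocation or mapping fails; -EINVAL for a bad signature,
 * a zero size field or an RVDS that overflows the region size; otherwise the
 * error from pci_read_config_dword() or region registration.
 */
static int vfio_pci_igd_opregion_init(struct vfio_pci_core_device *vdev)
{
	__le32 *dwordp = (__le32 *)(vdev->vconfig + OPREGION_PCI_ADDR);
	u32 addr, size;
	struct igd_opregion_vbt *opregionvbt;
	int ret;
	u16 version;

	ret = pci_read_config_dword(vdev->pdev, OPREGION_PCI_ADDR, &addr);
	if (ret)
		return ret;

	/* All-zeroes or all-ones means no usable OpRegion address. */
	if (!addr || !(~addr))
		return -ENODEV;

	opregionvbt = kzalloc(sizeof(*opregionvbt), GFP_KERNEL_ACCOUNT);
	if (!opregionvbt)
		return -ENOMEM;

	opregionvbt->opregion = memremap(addr, OPREGION_SIZE, MEMREMAP_WB);
	if (!opregionvbt->opregion) {
		ret = -ENOMEM;
		goto err_free;
	}

	if (memcmp(opregionvbt->opregion, OPREGION_SIGNATURE, 16)) {
		ret = -EINVAL;
		goto err_unmap_opregion;
	}

	size = le32_to_cpu(*(__le32 *)(opregionvbt->opregion + 16));
	if (!size) {
		ret = -EINVAL;
		goto err_unmap_opregion;
	}

	/*
	 * Only OPREGION_SIZE bytes are mapped above and the read handler
	 * serves exactly that much OpRegion before switching to the extended
	 * VBT. A larger size field would let reads run past the mappings, so
	 * cap it. Capping before the multiplication also keeps the u32 from
	 * wrapping.
	 */
	if (size > OPREGION_SIZE / 1024)
		size = OPREGION_SIZE / 1024;

	size *= 1024; /* In KB */

	/*
	 * OpRegion and VBT:
	 * When VBT data doesn't exceed 6KB, it's stored in Mailbox #4.
	 * When VBT data exceeds 6KB size, Mailbox #4 is no longer large enough
	 * to hold the VBT data, the Extended VBT region is introduced since
	 * OpRegion 2.0 to hold the VBT data. Since OpRegion 2.0, RVDA/RVDS are
	 * introduced to define the extended VBT data location and size.
	 * OpRegion 2.0: RVDA defines the absolute physical address of the
	 *   extended VBT data, RVDS defines the VBT data size.
	 * OpRegion 2.1 and above: RVDA defines the relative address of the
	 *   extended VBT data to OpRegion base, RVDS defines the VBT data size.
	 *
	 * Due to the RVDA definition diff in OpRegion VBT (also the only diff
	 * between 2.0 and 2.1), exposing OpRegion and VBT as a contiguous range
	 * for OpRegion 2.0 and above makes it possible to support the
	 * non-contiguous VBT through a single vfio region. From r/w ops view,
	 * only contiguous VBT after OpRegion with version 2.1+ is exposed,
	 * regardless of whether the host OpRegion is 2.0 or non-contiguous
	 * 2.1+. The r/w ops will on-the-fly shift the actual offset into VBT
	 * so that data at the correct position can be returned to the
	 * requester.
	 */
	version = le16_to_cpu(*(__le16 *)(opregionvbt->opregion +
					  OPREGION_VERSION));
	if (version >= 0x0200) {
		u64 rvda = le64_to_cpu(*(__le64 *)(opregionvbt->opregion +
						   OPREGION_RVDA));
		u32 rvds = le32_to_cpu(*(__le32 *)(opregionvbt->opregion +
						   OPREGION_RVDS));

		/* The extended VBT is valid only when RVDA/RVDS are non-zero */
		if (rvda && rvds) {
			u64 vbt_addr;

			/* Reject an RVDS that would wrap the u32 region size. */
			if (size + rvds < size) {
				ret = -EINVAL;
				goto err_unmap_opregion;
			}
			size += rvds;

			/*
			 * Extended VBT location by RVDA:
			 * Absolute physical addr for 2.0.
			 * Relative addr to OpRegion header for 2.1+.
			 *
			 * Computed in 64 bits and kept apart from addr: RVDA
			 * is a 64-bit field, and addr must still hold the
			 * value read from config space when vconfig is filled
			 * below.
			 */
			if (version == 0x0200)
				vbt_addr = rvda;
			else
				vbt_addr = (u64)addr + rvda;

			opregionvbt->vbt_ex = memremap(vbt_addr, rvds,
						       MEMREMAP_WB);
			if (!opregionvbt->vbt_ex) {
				ret = -ENOMEM;
				goto err_unmap_opregion;
			}
		}
	}

	ret = vfio_pci_core_register_dev_region(vdev,
		PCI_VENDOR_ID_INTEL | VFIO_REGION_TYPE_PCI_VENDOR_TYPE,
		VFIO_REGION_SUBTYPE_INTEL_IGD_OPREGION, &vfio_pci_igd_regops,
		size, VFIO_REGION_INFO_FLAG_READ, opregionvbt);
	if (ret)
		goto err_unmap_vbt;

	/* Fill vconfig with the hw value and virtualize register */
	*dwordp = cpu_to_le32(addr);
	memset(vdev->pci_config_map + OPREGION_PCI_ADDR,
	       PCI_CAP_ID_INVALID_VIRT, 4);

	return 0;

err_unmap_vbt:
	if (opregionvbt->vbt_ex)
		memunmap(opregionvbt->vbt_ex);
err_unmap_opregion:
	memunmap(opregionvbt->opregion);
err_free:
	kfree(opregionvbt);
	return ret;
}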
280
/**
 * vfio_pci_igd_cfg_rw() - Read handler for the bridge config-space regions.
 * @vdev: vfio PCI device owning the region.
 * @buf: User buffer to fill.
 * @count: Number of bytes requested.
 * @ppos: File position encoding region index and offset; advanced by the
 *        number of bytes returned.
 * @iswrite: True for a write request; writes are always rejected.
 *
 * Reads the config space of the pci_dev stored as region data using the
 * widest naturally aligned access that still fits in the remaining length.
 * Word and dword values are converted to little-endian before being copied.
 *
 * Return: number of bytes copied, -EINVAL for writes or out-of-range offsets,
 * -EFAULT if the user buffer cannot be written, or the error from the config
 * read.
 */
static ssize_t vfio_pci_igd_cfg_rw(struct vfio_pci_core_device *vdev,
				   char __user *buf, size_t count, loff_t *ppos,
				   bool iswrite)
{
	unsigned int i = VFIO_PCI_OFFSET_TO_INDEX(*ppos) - VFIO_PCI_NUM_REGIONS;
	struct pci_dev *pdev = vdev->region[i].data;
	loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK;
	char __user *out = buf;
	size_t left;
	int ret;

	if (iswrite || pos >= vdev->region[i].size)
		return -EINVAL;

	/* Never read past the end of the region. */
	count = min(count, (size_t)(vdev->region[i].size - pos));
	left = count;

	while (left) {
		if ((pos & 1) || left < 2) {
			/* Odd offset or a single trailing byte. */
			u8 val;

			ret = pci_user_read_config_byte(pdev, pos, &val);
			if (ret)
				return ret;

			if (copy_to_user(out, &val, 1))
				return -EFAULT;

			pos++;
			out++;
			left--;
		} else if ((pos & 2) || left < 4) {
			/* Word aligned only, or fewer than four bytes left. */
			u16 val;
			__le16 lval;

			ret = pci_user_read_config_word(pdev, pos, &val);
			if (ret)
				return ret;

			lval = cpu_to_le16(val);
			if (copy_to_user(out, &lval, 2))
				return -EFAULT;

			pos += 2;
			out += 2;
			left -= 2;
		} else {
			/* Dword aligned with at least four bytes left. */
			u32 val;
			__le32 lval;

			ret = pci_user_read_config_dword(pdev, pos, &val);
			if (ret)
				return ret;

			lval = cpu_to_le32(val);
			if (copy_to_user(out, &lval, 4))
				return -EFAULT;

			pos += 4;
			out += 4;
			left -= 4;
		}
	}

	*ppos += count;

	return count;
}
376
/*
 * Region release callback: drop the reference on the bridge device that is
 * stored as the region's private data.
 */
static void vfio_pci_igd_cfg_release(struct vfio_pci_core_device *vdev,
				     struct vfio_pci_region *region)
{
	pci_dev_put(region->data);
}
384
/* Callbacks shared by the host bridge and LPC bridge config regions. */
static const struct vfio_pci_regops vfio_pci_igd_cfg_regops = {
	.release	= vfio_pci_igd_cfg_release,
	.rw		= vfio_pci_igd_cfg_rw,
};
389
/*
 * Look up the device at 0000:00:<devfn>, check that it is an Intel device of
 * the expected class and register its config space as a read-only region.
 *
 * The reference taken by the lookup is dropped on every failure after it. On
 * success it is handed to the region as private data; vfio_pci_igd_cfg_release()
 * is the callback that puts it.
 */
static int vfio_pci_igd_cfg_add_bridge(struct vfio_pci_core_device *vdev,
				       unsigned int devfn,
				       unsigned int bridge_class,
				       unsigned int subtype)
{
	struct pci_dev *bridge;
	int ret;

	bridge = pci_get_domain_bus_and_slot(0, 0, devfn);
	if (!bridge)
		return -ENODEV;

	if (bridge->vendor != PCI_VENDOR_ID_INTEL ||
	    bridge->class != bridge_class) {
		pci_dev_put(bridge);
		return -EINVAL;
	}

	ret = vfio_pci_core_register_dev_region(vdev,
		PCI_VENDOR_ID_INTEL | VFIO_REGION_TYPE_PCI_VENDOR_TYPE,
		subtype, &vfio_pci_igd_cfg_regops, bridge->cfg_size,
		VFIO_REGION_INFO_FLAG_READ, bridge);
	if (ret)
		pci_dev_put(bridge);

	return ret;
}

/*
 * Expose the config space of the host bridge (00:00.0) and of the LPC/ISA
 * bridge (00:1f.0) as two read-only device regions, in that order.
 *
 * Returns 0 on success, -ENODEV when a bridge is missing, -EINVAL when it is
 * not the expected Intel device, or the registration error. A failure on the
 * LPC bridge leaves the already registered host bridge region in place.
 */
static int vfio_pci_igd_cfg_init(struct vfio_pci_core_device *vdev)
{
	int ret;

	ret = vfio_pci_igd_cfg_add_bridge(vdev, PCI_DEVFN(0, 0),
					  PCI_CLASS_BRIDGE_HOST << 8,
					  VFIO_REGION_SUBTYPE_INTEL_IGD_HOST_CFG);
	if (ret)
		return ret;

	return vfio_pci_igd_cfg_add_bridge(vdev, PCI_DEVFN(0x1f, 0),
					   PCI_CLASS_BRIDGE_ISA << 8,
					   VFIO_REGION_SUBTYPE_INTEL_IGD_LPC_CFG);
}
437
/*
 * Set up the IGD-specific regions: the OpRegion first, then the bridge
 * config-space regions. Stops at the first failure and returns its error;
 * returns 0 when both steps succeed.
 */
int vfio_pci_igd_init(struct vfio_pci_core_device *vdev)
{
	int ret = vfio_pci_igd_opregion_init(vdev);

	if (ret)
		return ret;

	return vfio_pci_igd_cfg_init(vdev);
}
452