[Qemu-devel] [PULL 0/2] vfio-pci fixes

[Qemu-devel] [PULL 0/2] vfio-pci fixes

[Alex Williamson]

The following changes since commit 59a0419856c9ed24e9ecd033db092b2e8f81a728:

  hw/ppc/mac_newworld: simplify usb controller creation logic (2015-01-08 17:32:27 +0000)

are available in the git repository at:

  git://github.com/awilliam/qemu-vfio.git tags/vfio-update-20150109.0

for you to fetch changes up to b3e27c3aee8f5a96debfe0346e9c0e3a641a8516:

  vfio-pci: Fix interrupt disabling (2015-01-09 08:50:53 -0700)

----------------------------------------------------------------
VFIO fixes:
- Fix 32bit overflow in handling large PCI BARs (Alex Williamson)
- Fix interrupt shutdown ordering (Alex Williamson)

----------------------------------------------------------------
Alex Williamson (2):
      vfio-pci: Fix BAR size overflow
      vfio-pci: Fix interrupt disabling

 hw/vfio/pci.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

[Qemu-devel] [PULL 1/2] vfio-pci: Fix BAR size overflow

[Alex Williamson]

We use an unsigned int when working with the PCI BAR size, which can
obviously overflow if the BAR is 4GB or larger.  This needs to change
to a fixed length uint64_t.  A similar issue is possible, though even
more unlikely, when mapping the region above an MSI-X table.  The
start of the MSI-X vector table must be below 4GB, but the end, and
therefore the start of the next mapping region, could still land at
4GB.

Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
 hw/vfio/pci.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index b4e73d1..b6703c7 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr)
 static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
 {
     VFIOBAR *bar = &vdev->bars[nr];
-    unsigned size = bar->region.size;
+    uint64_t size = bar->region.size;
     char name[64];
     uint32_t pci_bar;
     uint8_t type;
@@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
     }
 
     if (vdev->msix && vdev->msix->table_bar == nr) {
-        unsigned start;
+        uint64_t start;
 
         start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
                                 (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));

[Qemu-devel] [PULL 2/2] vfio-pci: Fix interrupt disabling

[Alex Williamson]

When disabling MSI/X interrupts the disable functions will leave the
device in INTx mode (when available).  This matches how hardware
operates, INTx is enabled unless MSI/X is enabled (DisINTx is handled
separately).  Therefore when we really want to disable all interrupts,
such as when removing the device, and we start with the device in
MSI/X mode, we need to pass through INTx on our way to being
completely quiesced.

In well behaved situations, the guest driver will have shutdown the
device and it will start vfio_exitfn() in INTx mode, producing the
desired result.  If hot-unplug causes the guest to crash, we may get
the device in MSI/X state, which will leave QEMU with a bogus handler
installed.

Fix this by re-ordering our disable routine so that it should always
finish in VFIO_INT_NONE state, which is what all callers expect.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
 hw/vfio/pci.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index b6703c7..014a92c 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2129,16 +2129,19 @@ static void vfio_pci_write_config(PCIDevice *pdev, uint32_t addr,
  */
 static void vfio_disable_interrupts(VFIOPCIDevice *vdev)
 {
-    switch (vdev->interrupt) {
-    case VFIO_INT_INTx:
-        vfio_disable_intx(vdev);
-        break;
-    case VFIO_INT_MSI:
-        vfio_disable_msi(vdev);
-        break;
-    case VFIO_INT_MSIX:
+    /*
+     * More complicated than it looks.  Disabling MSI/X transitions the
+     * device to INTx mode (if supported).  Therefore we need to first
+     * disable MSI/X and then cleanup by disabling INTx.
+     */
+    if (vdev->interrupt == VFIO_INT_MSIX) {
         vfio_disable_msix(vdev);
-        break;
+    } else if (vdev->interrupt == VFIO_INT_MSI) {
+        vfio_disable_msi(vdev);
+    }
+
+    if (vdev->interrupt == VFIO_INT_INTx) {
+        vfio_disable_intx(vdev);
     }
 }
 

Re: [Qemu-devel] [PULL 0/2] vfio-pci fixes

[Peter Maydell]

On 9 January 2015 at 16:30, Alex Williamson <alex.williamson@redhat.com> wrote:
> The following changes since commit 59a0419856c9ed24e9ecd033db092b2e8f81a728:
>
>   hw/ppc/mac_newworld: simplify usb controller creation logic (2015-01-08 17:32:27 +0000)
>
> are available in the git repository at:
>
>   git://github.com/awilliam/qemu-vfio.git tags/vfio-update-20150109.0
>
> for you to fetch changes up to b3e27c3aee8f5a96debfe0346e9c0e3a641a8516:
>
>   vfio-pci: Fix interrupt disabling (2015-01-09 08:50:53 -0700)
>
> ----------------------------------------------------------------
> VFIO fixes:
> - Fix 32bit overflow in handling large PCI BARs (Alex Williamson)
> - Fix interrupt shutdown ordering (Alex Williamson)
>

Applied, thanks.

-- PMM