2019-05-27 14:55:21 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2016-04-26 18:06:12 +08:00
|
|
|
/*
|
|
|
|
* VGIC MMIO handling functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/bitops.h>
|
|
|
|
#include <linux/bsearch.h>
|
|
|
|
#include <linux/kvm.h>
|
|
|
|
#include <linux/kvm_host.h>
|
|
|
|
#include <kvm/iodev.h>
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
#include <kvm/arm_arch_timer.h>
|
2016-04-26 18:06:12 +08:00
|
|
|
#include <kvm/arm_vgic.h>
|
|
|
|
|
|
|
|
#include "vgic.h"
|
|
|
|
#include "vgic-mmio.h"
|
|
|
|
|
|
|
|
unsigned long vgic_mmio_read_raz(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
unsigned long vgic_mmio_read_rao(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
return -1UL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_wi(struct kvm_vcpu *vcpu, gpa_t addr,
|
|
|
|
unsigned int len, unsigned long val)
|
|
|
|
{
|
|
|
|
/* Ignore */
|
|
|
|
}
|
|
|
|
|
2018-07-16 21:06:23 +08:00
|
|
|
int vgic_mmio_uaccess_write_wi(struct kvm_vcpu *vcpu, gpa_t addr,
|
|
|
|
unsigned int len, unsigned long val)
|
|
|
|
{
|
|
|
|
/* Ignore */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-07-16 21:06:25 +08:00
|
|
|
unsigned long vgic_mmio_read_group(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
u32 value = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Loop over all IRQs affected by this read */
|
|
|
|
for (i = 0; i < len * 8; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
if (irq->group)
|
|
|
|
value |= BIT(i);
|
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
}
|
|
|
|
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_group(struct kvm_vcpu *vcpu, gpa_t addr,
|
|
|
|
unsigned int len, unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
for (i = 0; i < len * 8; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2018-07-16 21:06:25 +08:00
|
|
|
irq->group = !!(val & BIT(i));
|
|
|
|
vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
|
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-01 22:33:05 +08:00
|
|
|
/*
|
|
|
|
* Read accesses to both GICD_ICENABLER and GICD_ISENABLER return the value
|
|
|
|
* of the enabled bit, so there is only one function for both here.
|
|
|
|
*/
|
|
|
|
unsigned long vgic_mmio_read_enable(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
u32 value = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Loop over all IRQs affected by this read */
|
|
|
|
for (i = 0; i < len * 8; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
if (irq->enabled)
|
|
|
|
value |= (1U << i);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:05 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_senable(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:33:05 +08:00
|
|
|
|
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2019-08-07 17:53:20 +08:00
|
|
|
if (vgic_irq_is_mapped_level(irq)) {
|
|
|
|
bool was_high = irq->line_level;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We need to update the state of the interrupt because
|
|
|
|
* the guest might have changed the state of the device
|
|
|
|
* while the interrupt was disabled at the VGIC level.
|
|
|
|
*/
|
|
|
|
irq->line_level = vgic_get_phys_line_level(irq);
|
|
|
|
/*
|
|
|
|
* Deactivate the physical interrupt so the GIC will let
|
|
|
|
* us know when it is asserted again.
|
|
|
|
*/
|
|
|
|
if (!irq->active && was_high && !irq->line_level)
|
|
|
|
vgic_irq_set_phys_active(irq, false);
|
|
|
|
}
|
2015-12-01 22:33:05 +08:00
|
|
|
irq->enabled = true;
|
2016-10-17 04:19:11 +08:00
|
|
|
vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:05 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_cenable(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:33:05 +08:00
|
|
|
|
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2015-12-01 22:33:05 +08:00
|
|
|
|
|
|
|
irq->enabled = false;
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:05 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-01 22:33:41 +08:00
|
|
|
unsigned long vgic_mmio_read_pending(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
u32 value = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Loop over all IRQs affected by this read */
|
|
|
|
for (i = 0; i < len * 8; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
2018-03-06 17:21:06 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:33:41 +08:00
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2017-01-23 21:07:18 +08:00
|
|
|
if (irq_is_pending(irq))
|
2015-12-01 22:33:41 +08:00
|
|
|
value |= (1U << i);
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:41 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
2017-09-15 02:08:45 +08:00
|
|
|
/*
|
|
|
|
* This function will return the VCPU that performed the MMIO access and
|
|
|
|
* trapped from within the VM, and will return NULL if this is a userspace
|
|
|
|
* access.
|
|
|
|
*
|
|
|
|
* We can disable preemption locally around accessing the per-CPU variable,
|
|
|
|
* and use the resolved vcpu pointer after enabling preemption again, because
|
|
|
|
* even if the current thread is migrated to another CPU, reading the per-CPU
|
|
|
|
* value later will give us the same value as we update the per-CPU variable
|
|
|
|
* in the preempt notifier handlers.
|
|
|
|
*/
|
|
|
|
static struct kvm_vcpu *vgic_get_mmio_requester_vcpu(void)
|
|
|
|
{
|
|
|
|
struct kvm_vcpu *vcpu;
|
|
|
|
|
|
|
|
preempt_disable();
|
|
|
|
vcpu = kvm_arm_get_running_vcpu();
|
|
|
|
preempt_enable();
|
|
|
|
return vcpu;
|
|
|
|
}
|
|
|
|
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
/* Must be called with irq->irq_lock held */
|
|
|
|
static void vgic_hw_irq_spending(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
|
|
|
|
bool is_uaccess)
|
|
|
|
{
|
|
|
|
if (is_uaccess)
|
|
|
|
return;
|
|
|
|
|
|
|
|
irq->pending_latch = true;
|
|
|
|
vgic_irq_set_phys_active(irq, true);
|
|
|
|
}
|
|
|
|
|
2019-08-28 18:10:16 +08:00
|
|
|
static bool is_vgic_v2_sgi(struct kvm_vcpu *vcpu, struct vgic_irq *irq)
|
|
|
|
{
|
|
|
|
return (vgic_irq_is_sgi(irq->intid) &&
|
|
|
|
vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V2);
|
|
|
|
}
|
|
|
|
|
2015-12-01 22:33:41 +08:00
|
|
|
void vgic_mmio_write_spending(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
bool is_uaccess = !vgic_get_mmio_requester_vcpu();
|
2015-12-01 22:33:41 +08:00
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:33:41 +08:00
|
|
|
|
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-08-28 18:10:16 +08:00
|
|
|
/* GICD_ISPENDR0 SGI bits are WI */
|
|
|
|
if (is_vgic_v2_sgi(vcpu, irq)) {
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
if (irq->hw)
|
|
|
|
vgic_hw_irq_spending(vcpu, irq, is_uaccess);
|
|
|
|
else
|
|
|
|
irq->pending_latch = true;
|
2016-10-17 04:19:11 +08:00
|
|
|
vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:41 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
/* Must be called with irq->irq_lock held */
|
|
|
|
static void vgic_hw_irq_cpending(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
|
|
|
|
bool is_uaccess)
|
|
|
|
{
|
|
|
|
if (is_uaccess)
|
|
|
|
return;
|
|
|
|
|
|
|
|
irq->pending_latch = false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We don't want the guest to effectively mask the physical
|
|
|
|
* interrupt by doing a write to SPENDR followed by a write to
|
|
|
|
* CPENDR for HW interrupts, so we clear the active state on
|
|
|
|
* the physical side if the virtual interrupt is not active.
|
|
|
|
* This may lead to taking an additional interrupt on the
|
|
|
|
* host, but that should not be a problem as the worst that
|
|
|
|
* can happen is an additional vgic injection. We also clear
|
|
|
|
* the pending state to maintain proper semantics for edge HW
|
|
|
|
* interrupts.
|
|
|
|
*/
|
|
|
|
vgic_irq_set_phys_pending(irq, false);
|
|
|
|
if (!irq->active)
|
|
|
|
vgic_irq_set_phys_active(irq, false);
|
|
|
|
}
|
|
|
|
|
2015-12-01 22:33:41 +08:00
|
|
|
void vgic_mmio_write_cpending(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
bool is_uaccess = !vgic_get_mmio_requester_vcpu();
|
2015-12-01 22:33:41 +08:00
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:33:41 +08:00
|
|
|
|
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-08-28 18:10:16 +08:00
|
|
|
/* GICD_ICPENDR0 SGI bits are WI */
|
|
|
|
if (is_vgic_v2_sgi(vcpu, irq)) {
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2015-12-01 22:33:41 +08:00
|
|
|
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
if (irq->hw)
|
|
|
|
vgic_hw_irq_cpending(vcpu, irq, is_uaccess);
|
|
|
|
else
|
|
|
|
irq->pending_latch = false;
|
2015-12-01 22:33:41 +08:00
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:33:41 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-01 20:40:58 +08:00
|
|
|
unsigned long vgic_mmio_read_active(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
u32 value = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Loop over all IRQs affected by this read */
|
|
|
|
for (i = 0; i < len * 8; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
if (irq->active)
|
|
|
|
value |= (1U << i);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 20:40:58 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
/* Must be called with irq->irq_lock held */
|
|
|
|
static void vgic_hw_irq_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
|
|
|
|
bool active, bool is_uaccess)
|
|
|
|
{
|
|
|
|
if (is_uaccess)
|
|
|
|
return;
|
|
|
|
|
|
|
|
irq->active = active;
|
|
|
|
vgic_irq_set_phys_active(irq, active);
|
|
|
|
}
|
|
|
|
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
static void vgic_mmio_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
bool active)
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
{
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2017-09-15 02:08:45 +08:00
|
|
|
struct kvm_vcpu *requester_vcpu = vgic_get_mmio_requester_vcpu();
|
2017-03-06 21:42:37 +08:00
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2017-03-06 21:42:37 +08:00
|
|
|
|
KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
Now that we make sure we don't inject multiple instances of the
same GICv2 SGI at the same time, we've made another bug more
obvious:
If we exit with an active SGI, we completely lose track of which
vcpu it came from. On the next entry, we restore it with 0 as a
source, and if that wasn't the right one, too bad. While this
doesn't seem to trouble GIC-400, the architectural model gets
offended and doesn't deactivate the interrupt on EOI.
Another connected issue is that we will happilly make pending
an interrupt from another vcpu, overriding the above zero with
something that is just as inconsistent. Don't do that.
The final issue is that we signal a maintenance interrupt when
no pending interrupts are present in the LR. Assuming we've fixed
the two issues above, we end-up in a situation where we keep
exiting as soon as we've reached the active state, and not be
able to inject the following pending.
The fix comes in 3 parts:
- GICv2 SGIs have their source vcpu saved if they are active on
exit, and restored on entry
- Multi-SGIs cannot go via the Pending+Active state, as this would
corrupt the source field
- Multi-SGIs are converted to using MI on EOI instead of NPIE
Fixes: 16ca6a607d84bef0 ("KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2018-04-18 17:39:04 +08:00
|
|
|
if (irq->hw) {
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
vgic_hw_irq_change_active(vcpu, irq, active, !requester_vcpu);
|
KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
Now that we make sure we don't inject multiple instances of the
same GICv2 SGI at the same time, we've made another bug more
obvious:
If we exit with an active SGI, we completely lose track of which
vcpu it came from. On the next entry, we restore it with 0 as a
source, and if that wasn't the right one, too bad. While this
doesn't seem to trouble GIC-400, the architectural model gets
offended and doesn't deactivate the interrupt on EOI.
Another connected issue is that we will happilly make pending
an interrupt from another vcpu, overriding the above zero with
something that is just as inconsistent. Don't do that.
The final issue is that we signal a maintenance interrupt when
no pending interrupts are present in the LR. Assuming we've fixed
the two issues above, we end-up in a situation where we keep
exiting as soon as we've reached the active state, and not be
able to inject the following pending.
The fix comes in 3 parts:
- GICv2 SGIs have their source vcpu saved if they are active on
exit, and restored on entry
- Multi-SGIs cannot go via the Pending+Active state, as this would
corrupt the source field
- Multi-SGIs are converted to using MI on EOI instead of NPIE
Fixes: 16ca6a607d84bef0 ("KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2018-04-18 17:39:04 +08:00
|
|
|
} else {
|
|
|
|
u32 model = vcpu->kvm->arch.vgic.vgic_model;
|
2018-12-11 19:51:03 +08:00
|
|
|
u8 active_source;
|
KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
Now that we make sure we don't inject multiple instances of the
same GICv2 SGI at the same time, we've made another bug more
obvious:
If we exit with an active SGI, we completely lose track of which
vcpu it came from. On the next entry, we restore it with 0 as a
source, and if that wasn't the right one, too bad. While this
doesn't seem to trouble GIC-400, the architectural model gets
offended and doesn't deactivate the interrupt on EOI.
Another connected issue is that we will happilly make pending
an interrupt from another vcpu, overriding the above zero with
something that is just as inconsistent. Don't do that.
The final issue is that we signal a maintenance interrupt when
no pending interrupts are present in the LR. Assuming we've fixed
the two issues above, we end-up in a situation where we keep
exiting as soon as we've reached the active state, and not be
able to inject the following pending.
The fix comes in 3 parts:
- GICv2 SGIs have their source vcpu saved if they are active on
exit, and restored on entry
- Multi-SGIs cannot go via the Pending+Active state, as this would
corrupt the source field
- Multi-SGIs are converted to using MI on EOI instead of NPIE
Fixes: 16ca6a607d84bef0 ("KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2018-04-18 17:39:04 +08:00
|
|
|
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
irq->active = active;
|
2018-12-11 19:51:03 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The GICv2 architecture indicates that the source CPUID for
|
|
|
|
* an SGI should be provided during an EOI which implies that
|
|
|
|
* the active state is stored somewhere, but at the same time
|
|
|
|
* this state is not architecturally exposed anywhere and we
|
|
|
|
* have no way of knowing the right source.
|
|
|
|
*
|
|
|
|
* This may lead to a VCPU not being able to receive
|
|
|
|
* additional instances of a particular SGI after migration
|
|
|
|
* for a GICv2 VM on some GIC implementations. Oh well.
|
|
|
|
*/
|
|
|
|
active_source = (requester_vcpu) ? requester_vcpu->vcpu_id : 0;
|
|
|
|
|
KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
Now that we make sure we don't inject multiple instances of the
same GICv2 SGI at the same time, we've made another bug more
obvious:
If we exit with an active SGI, we completely lose track of which
vcpu it came from. On the next entry, we restore it with 0 as a
source, and if that wasn't the right one, too bad. While this
doesn't seem to trouble GIC-400, the architectural model gets
offended and doesn't deactivate the interrupt on EOI.
Another connected issue is that we will happilly make pending
an interrupt from another vcpu, overriding the above zero with
something that is just as inconsistent. Don't do that.
The final issue is that we signal a maintenance interrupt when
no pending interrupts are present in the LR. Assuming we've fixed
the two issues above, we end-up in a situation where we keep
exiting as soon as we've reached the active state, and not be
able to inject the following pending.
The fix comes in 3 parts:
- GICv2 SGIs have their source vcpu saved if they are active on
exit, and restored on entry
- Multi-SGIs cannot go via the Pending+Active state, as this would
corrupt the source field
- Multi-SGIs are converted to using MI on EOI instead of NPIE
Fixes: 16ca6a607d84bef0 ("KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2018-04-18 17:39:04 +08:00
|
|
|
if (model == KVM_DEV_TYPE_ARM_VGIC_V2 &&
|
|
|
|
active && vgic_irq_is_sgi(irq->intid))
|
2018-12-11 19:51:03 +08:00
|
|
|
irq->active_source = active_source;
|
KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
Now that we make sure we don't inject multiple instances of the
same GICv2 SGI at the same time, we've made another bug more
obvious:
If we exit with an active SGI, we completely lose track of which
vcpu it came from. On the next entry, we restore it with 0 as a
source, and if that wasn't the right one, too bad. While this
doesn't seem to trouble GIC-400, the architectural model gets
offended and doesn't deactivate the interrupt on EOI.
Another connected issue is that we will happilly make pending
an interrupt from another vcpu, overriding the above zero with
something that is just as inconsistent. Don't do that.
The final issue is that we signal a maintenance interrupt when
no pending interrupts are present in the LR. Assuming we've fixed
the two issues above, we end-up in a situation where we keep
exiting as soon as we've reached the active state, and not be
able to inject the following pending.
The fix comes in 3 parts:
- GICv2 SGIs have their source vcpu saved if they are active on
exit, and restored on entry
- Multi-SGIs cannot go via the Pending+Active state, as this would
corrupt the source field
- Multi-SGIs are converted to using MI on EOI instead of NPIE
Fixes: 16ca6a607d84bef0 ("KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2018-04-18 17:39:04 +08:00
|
|
|
}
|
KVM: arm/arm64: Support VGIC dist pend/active changes for mapped IRQs
For mapped IRQs (with the HW bit set in the LR) we have to follow some
rules of the architecture. One of these rules is that VM must not be
allowed to deactivate a virtual interrupt with the HW bit set unless the
physical interrupt is also active.
This works fine when injecting mapped interrupts, because we leave it up
to the injector to either set EOImode==1 or manually set the active
state of the physical interrupt.
However, the guest can set virtual interrupt to be pending or active by
writing to the virtual distributor, which could lead to deactivating a
virtual interrupt with the HW bit set without the physical interrupt
being active.
We could set the physical interrupt to active whenever we are about to
enter the VM with a HW interrupt either pending or active, but that
would be really slow, especially on GICv2. So we take the long way
around and do the hard work when needed, which is expected to be
extremely rare.
When the VM sets the pending state for a HW interrupt on the virtual
distributor we set the active state on the physical distributor, because
the virtual interrupt can become active and then the guest can
deactivate it.
When the VM clears the pending state we also clear it on the physical
side, because the injector might otherwise raise the interrupt. We also
clear the physical active state when the virtual interrupt is not
active, since otherwise a SPEND/CPEND sequence from the guest would
prevent signaling of future interrupts.
Changing the state of mapped interrupts from userspace is not supported,
and it's expected that userspace unmaps devices from VFIO before
attempting to set the interrupt state, because the interrupt state is
driven by hardware.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2017-09-01 22:25:12 +08:00
|
|
|
|
|
|
|
if (irq->active)
|
2016-10-17 04:19:11 +08:00
|
|
|
vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
else
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we are fiddling with an IRQ's active state, we have to make sure the IRQ
|
|
|
|
* is not queued on some running VCPU's LRs, because then the change to the
|
|
|
|
* active state can be overwritten when the VCPU's state is synced coming back
|
|
|
|
* from the guest.
|
|
|
|
*
|
|
|
|
* For shared interrupts, we have to stop all the VCPUs because interrupts can
|
|
|
|
* be migrated while we don't hold the IRQ locks and we don't want to be
|
|
|
|
* chasing moving targets.
|
|
|
|
*
|
2017-05-07 02:01:24 +08:00
|
|
|
* For private interrupts we don't have to do anything because userspace
|
|
|
|
* accesses to the VGIC state already require all VCPUs to be stopped, and
|
|
|
|
* only the VCPU itself can modify its private interrupts active state, which
|
|
|
|
* guarantees that the VCPU is not running.
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
*/
|
|
|
|
static void vgic_change_active_prepare(struct kvm_vcpu *vcpu, u32 intid)
|
|
|
|
{
|
2018-12-18 22:59:09 +08:00
|
|
|
if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
|
|
|
|
intid > VGIC_NR_PRIVATE_IRQS)
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
kvm_arm_halt_guest(vcpu->kvm);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* See vgic_change_active_prepare */
|
|
|
|
static void vgic_change_active_finish(struct kvm_vcpu *vcpu, u32 intid)
|
|
|
|
{
|
2018-12-18 22:59:09 +08:00
|
|
|
if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
|
|
|
|
intid > VGIC_NR_PRIVATE_IRQS)
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
kvm_arm_resume_guest(vcpu->kvm);
|
|
|
|
}
|
|
|
|
|
2017-05-16 15:44:39 +08:00
|
|
|
static void __vgic_mmio_write_cactive(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
2015-12-01 20:40:58 +08:00
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
vgic_mmio_change_active(vcpu, irq, false);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 20:40:58 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-16 15:44:39 +08:00
|
|
|
void vgic_mmio_write_cactive(struct kvm_vcpu *vcpu,
|
2015-12-01 20:40:58 +08:00
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
|
2017-05-07 02:01:24 +08:00
|
|
|
mutex_lock(&vcpu->kvm->lock);
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
vgic_change_active_prepare(vcpu, intid);
|
2017-05-16 15:44:39 +08:00
|
|
|
|
|
|
|
__vgic_mmio_write_cactive(vcpu, addr, len, val);
|
|
|
|
|
|
|
|
vgic_change_active_finish(vcpu, intid);
|
2017-05-07 02:01:24 +08:00
|
|
|
mutex_unlock(&vcpu->kvm->lock);
|
2017-05-16 15:44:39 +08:00
|
|
|
}
|
|
|
|
|
2018-07-16 21:06:23 +08:00
|
|
|
int vgic_mmio_uaccess_write_cactive(struct kvm_vcpu *vcpu,
|
2017-05-16 15:44:39 +08:00
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
__vgic_mmio_write_cactive(vcpu, addr, len, val);
|
2018-07-16 21:06:23 +08:00
|
|
|
return 0;
|
2017-05-16 15:44:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void __vgic_mmio_write_sactive(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
int i;
|
|
|
|
|
2015-12-01 20:40:58 +08:00
|
|
|
for_each_set_bit(i, &val, len * 8) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
vgic_mmio_change_active(vcpu, irq, true);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 20:40:58 +08:00
|
|
|
}
|
2017-05-16 15:44:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_sactive(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 1);
|
|
|
|
|
2017-05-07 02:01:24 +08:00
|
|
|
mutex_lock(&vcpu->kvm->lock);
|
2017-05-16 15:44:39 +08:00
|
|
|
vgic_change_active_prepare(vcpu, intid);
|
|
|
|
|
|
|
|
__vgic_mmio_write_sactive(vcpu, addr, len, val);
|
|
|
|
|
KVM: arm/arm64: vgic-new: Synchronize changes to active state
When modifying the active state of an interrupt via the MMIO interface,
we should ensure that the write has the intended effect.
If a guest sets an interrupt to active, but that interrupt is already
flushed into a list register on a running VCPU, then that VCPU will
write the active state back into the struct vgic_irq upon returning from
the guest and syncing its state. This is a non-benign race, because the
guest can observe that an interrupt is not active, and it can have a
reasonable expectations that other VCPUs will not ack any IRQs, and then
set the state to active, and expect it to stay that way. Currently we
are not honoring this case.
Thefore, change both the SACTIVE and CACTIVE mmio handlers to stop the
world, change the irq state, potentially queue the irq if we're setting
it to active, and then continue.
We take this chance to slightly optimize these functions by not stopping
the world when touching private interrupts where there is inherently no
possible race.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
2016-05-20 21:25:28 +08:00
|
|
|
vgic_change_active_finish(vcpu, intid);
|
2017-05-07 02:01:24 +08:00
|
|
|
mutex_unlock(&vcpu->kvm->lock);
|
2015-12-01 20:40:58 +08:00
|
|
|
}
|
|
|
|
|
2018-07-16 21:06:23 +08:00
|
|
|
int vgic_mmio_uaccess_write_sactive(struct kvm_vcpu *vcpu,
|
2017-05-16 15:44:39 +08:00
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
__vgic_mmio_write_sactive(vcpu, addr, len, val);
|
2018-07-16 21:06:23 +08:00
|
|
|
return 0;
|
2017-05-16 15:44:39 +08:00
|
|
|
}
|
|
|
|
|
2015-12-01 22:34:02 +08:00
|
|
|
unsigned long vgic_mmio_read_priority(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 8);
|
|
|
|
int i;
|
|
|
|
u64 val = 0;
|
|
|
|
|
|
|
|
for (i = 0; i < len; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
val |= (u64)irq->priority << (i * 8);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:34:02 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return val;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We currently don't handle changing the priority of an interrupt that
|
|
|
|
* is already pending on a VCPU. If there is a need for this, we would
|
|
|
|
* need to make this VCPU exit and re-evaluate the priorities, potentially
|
|
|
|
* leading to this interrupt getting presented now to the guest (if it has
|
|
|
|
* been masked by the priority mask before).
|
|
|
|
*/
|
|
|
|
void vgic_mmio_write_priority(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 8);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 22:34:02 +08:00
|
|
|
|
|
|
|
for (i = 0; i < len; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2015-12-01 22:34:02 +08:00
|
|
|
/* Narrow the priority range to what we actually support */
|
|
|
|
irq->priority = (val >> (i * 8)) & GENMASK(7, 8 - VGIC_PRI_BITS);
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 22:34:02 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-01 20:41:31 +08:00
|
|
|
unsigned long vgic_mmio_read_config(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 2);
|
|
|
|
u32 value = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < len * 4; i++) {
|
|
|
|
struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
if (irq->config == VGIC_CONFIG_EDGE)
|
|
|
|
value |= (2U << (i * 2));
|
2016-07-15 19:43:27 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 20:41:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_mmio_write_config(struct kvm_vcpu *vcpu,
|
|
|
|
gpa_t addr, unsigned int len,
|
|
|
|
unsigned long val)
|
|
|
|
{
|
|
|
|
u32 intid = VGIC_ADDR_TO_INTID(addr, 2);
|
|
|
|
int i;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2015-12-01 20:41:31 +08:00
|
|
|
|
|
|
|
for (i = 0; i < len * 4; i++) {
|
2016-07-15 19:43:27 +08:00
|
|
|
struct vgic_irq *irq;
|
2015-12-01 20:41:31 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The configuration cannot be changed for SGIs in general,
|
|
|
|
* for PPIs this is IMPLEMENTATION DEFINED. The arch timer
|
|
|
|
* code relies on PPIs being level triggered, so we also
|
|
|
|
* make them read-only here.
|
|
|
|
*/
|
|
|
|
if (intid + i < VGIC_NR_PRIVATE_IRQS)
|
|
|
|
continue;
|
|
|
|
|
2016-07-15 19:43:27 +08:00
|
|
|
irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
|
2017-01-23 21:07:18 +08:00
|
|
|
if (test_bit(i * 2 + 1, &val))
|
2015-12-01 20:41:31 +08:00
|
|
|
irq->config = VGIC_CONFIG_EDGE;
|
2017-01-23 21:07:18 +08:00
|
|
|
else
|
2015-12-01 20:41:31 +08:00
|
|
|
irq->config = VGIC_CONFIG_LEVEL;
|
2016-07-15 19:43:27 +08:00
|
|
|
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2016-07-15 19:43:27 +08:00
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
2015-12-01 20:41:31 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-26 22:20:52 +08:00
|
|
|
u64 vgic_read_irq_line_level_info(struct kvm_vcpu *vcpu, u32 intid)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
u64 val = 0;
|
|
|
|
int nr_irqs = vcpu->kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS;
|
|
|
|
|
|
|
|
for (i = 0; i < 32; i++) {
|
|
|
|
struct vgic_irq *irq;
|
|
|
|
|
|
|
|
if ((intid + i) < VGIC_NR_SGIS || (intid + i) >= nr_irqs)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
if (irq->config == VGIC_CONFIG_LEVEL && irq->line_level)
|
|
|
|
val |= (1U << i);
|
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
}
|
|
|
|
|
|
|
|
return val;
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_write_irq_line_level_info(struct kvm_vcpu *vcpu, u32 intid,
|
|
|
|
const u64 val)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
int nr_irqs = vcpu->kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS;
|
2016-10-17 04:19:11 +08:00
|
|
|
unsigned long flags;
|
2017-01-26 22:20:52 +08:00
|
|
|
|
|
|
|
for (i = 0; i < 32; i++) {
|
|
|
|
struct vgic_irq *irq;
|
|
|
|
bool new_level;
|
|
|
|
|
|
|
|
if ((intid + i) < VGIC_NR_SGIS || (intid + i) >= nr_irqs)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Line level is set irrespective of irq type
|
|
|
|
* (level or edge) to avoid dependency that VM should
|
|
|
|
* restore irq config before line level.
|
|
|
|
*/
|
|
|
|
new_level = !!(val & (1U << i));
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_lock_irqsave(&irq->irq_lock, flags);
|
2017-01-26 22:20:52 +08:00
|
|
|
irq->line_level = new_level;
|
|
|
|
if (new_level)
|
2016-10-17 04:19:11 +08:00
|
|
|
vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
|
2017-01-26 22:20:52 +08:00
|
|
|
else
|
2019-01-07 23:06:15 +08:00
|
|
|
raw_spin_unlock_irqrestore(&irq->irq_lock, flags);
|
2017-01-26 22:20:52 +08:00
|
|
|
|
|
|
|
vgic_put_irq(vcpu->kvm, irq);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:06:12 +08:00
|
|
|
static int match_region(const void *key, const void *elt)
|
|
|
|
{
|
|
|
|
const unsigned int offset = (unsigned long)key;
|
|
|
|
const struct vgic_register_region *region = elt;
|
|
|
|
|
|
|
|
if (offset < region->reg_offset)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (offset >= region->reg_offset + region->len)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-12-20 16:20:00 +08:00
|
|
|
const struct vgic_register_region *
|
|
|
|
vgic_find_mmio_region(const struct vgic_register_region *regions,
|
|
|
|
int nr_regions, unsigned int offset)
|
2016-04-26 18:06:12 +08:00
|
|
|
{
|
2016-12-20 16:20:00 +08:00
|
|
|
return bsearch((void *)(uintptr_t)offset, regions, nr_regions,
|
|
|
|
sizeof(regions[0]), match_region);
|
2016-04-26 18:06:12 +08:00
|
|
|
}
|
|
|
|
|
2017-01-26 22:20:50 +08:00
|
|
|
void vgic_set_vmcr(struct kvm_vcpu *vcpu, struct vgic_vmcr *vmcr)
|
|
|
|
{
|
|
|
|
if (kvm_vgic_global_state.type == VGIC_V2)
|
|
|
|
vgic_v2_set_vmcr(vcpu, vmcr);
|
|
|
|
else
|
|
|
|
vgic_v3_set_vmcr(vcpu, vmcr);
|
|
|
|
}
|
|
|
|
|
|
|
|
void vgic_get_vmcr(struct kvm_vcpu *vcpu, struct vgic_vmcr *vmcr)
|
|
|
|
{
|
|
|
|
if (kvm_vgic_global_state.type == VGIC_V2)
|
|
|
|
vgic_v2_get_vmcr(vcpu, vmcr);
|
|
|
|
else
|
|
|
|
vgic_v3_get_vmcr(vcpu, vmcr);
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:06:12 +08:00
|
|
|
/*
|
|
|
|
* kvm_mmio_read_buf() returns a value in a format where it can be converted
|
|
|
|
* to a byte array and be directly observed as the guest wanted it to appear
|
|
|
|
* in memory if it had done the store itself, which is LE for the GIC, as the
|
|
|
|
* guest knows the GIC is always LE.
|
|
|
|
*
|
|
|
|
* We convert this value to the CPUs native format to deal with it as a data
|
|
|
|
* value.
|
|
|
|
*/
|
|
|
|
unsigned long vgic_data_mmio_bus_to_host(const void *val, unsigned int len)
|
|
|
|
{
|
|
|
|
unsigned long data = kvm_mmio_read_buf(val, len);
|
|
|
|
|
|
|
|
switch (len) {
|
|
|
|
case 1:
|
|
|
|
return data;
|
|
|
|
case 2:
|
|
|
|
return le16_to_cpu(data);
|
|
|
|
case 4:
|
|
|
|
return le32_to_cpu(data);
|
|
|
|
default:
|
|
|
|
return le64_to_cpu(data);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* kvm_mmio_write_buf() expects a value in a format such that if converted to
|
|
|
|
* a byte array it is observed as the guest would see it if it could perform
|
|
|
|
* the load directly. Since the GIC is LE, and the guest knows this, the
|
|
|
|
* guest expects a value in little endian format.
|
|
|
|
*
|
|
|
|
* We convert the data value from the CPUs native format to LE so that the
|
|
|
|
* value is returned in the proper format.
|
|
|
|
*/
|
|
|
|
void vgic_data_host_to_mmio_bus(void *buf, unsigned int len,
|
|
|
|
unsigned long data)
|
|
|
|
{
|
|
|
|
switch (len) {
|
|
|
|
case 1:
|
|
|
|
break;
|
|
|
|
case 2:
|
|
|
|
data = cpu_to_le16(data);
|
|
|
|
break;
|
|
|
|
case 4:
|
|
|
|
data = cpu_to_le32(data);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
data = cpu_to_le64(data);
|
|
|
|
}
|
|
|
|
|
|
|
|
kvm_mmio_write_buf(buf, len, data);
|
|
|
|
}
|
|
|
|
|
|
|
|
static
|
|
|
|
struct vgic_io_device *kvm_to_vgic_iodev(const struct kvm_io_device *dev)
|
|
|
|
{
|
|
|
|
return container_of(dev, struct vgic_io_device, dev);
|
|
|
|
}
|
|
|
|
|
2016-11-02 02:00:08 +08:00
|
|
|
static bool check_region(const struct kvm *kvm,
|
|
|
|
const struct vgic_register_region *region,
|
2016-04-26 18:06:12 +08:00
|
|
|
gpa_t addr, int len)
|
|
|
|
{
|
2016-11-02 02:00:08 +08:00
|
|
|
int flags, nr_irqs = kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS;
|
|
|
|
|
|
|
|
switch (len) {
|
|
|
|
case sizeof(u8):
|
|
|
|
flags = VGIC_ACCESS_8bit;
|
|
|
|
break;
|
|
|
|
case sizeof(u32):
|
|
|
|
flags = VGIC_ACCESS_32bit;
|
|
|
|
break;
|
|
|
|
case sizeof(u64):
|
|
|
|
flags = VGIC_ACCESS_64bit;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((region->access_flags & flags) && IS_ALIGNED(addr, len)) {
|
|
|
|
if (!region->bits_per_irq)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
/* Do we access a non-allocated IRQ? */
|
|
|
|
return VGIC_ADDR_TO_INTID(addr, region->bits_per_irq) < nr_irqs;
|
|
|
|
}
|
2016-04-26 18:06:12 +08:00
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2017-01-26 22:20:47 +08:00
|
|
|
const struct vgic_register_region *
|
2017-01-26 22:20:46 +08:00
|
|
|
vgic_get_mmio_region(struct kvm_vcpu *vcpu, struct vgic_io_device *iodev,
|
|
|
|
gpa_t addr, int len)
|
|
|
|
{
|
|
|
|
const struct vgic_register_region *region;
|
|
|
|
|
|
|
|
region = vgic_find_mmio_region(iodev->regions, iodev->nr_regions,
|
|
|
|
addr - iodev->base_addr);
|
|
|
|
if (!region || !check_region(vcpu->kvm, region, addr, len))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return region;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int vgic_uaccess_read(struct kvm_vcpu *vcpu, struct kvm_io_device *dev,
|
|
|
|
gpa_t addr, u32 *val)
|
|
|
|
{
|
|
|
|
struct vgic_io_device *iodev = kvm_to_vgic_iodev(dev);
|
|
|
|
const struct vgic_register_region *region;
|
|
|
|
struct kvm_vcpu *r_vcpu;
|
|
|
|
|
|
|
|
region = vgic_get_mmio_region(vcpu, iodev, addr, sizeof(u32));
|
|
|
|
if (!region) {
|
|
|
|
*val = 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
r_vcpu = iodev->redist_vcpu ? iodev->redist_vcpu : vcpu;
|
|
|
|
if (region->uaccess_read)
|
|
|
|
*val = region->uaccess_read(r_vcpu, addr, sizeof(u32));
|
|
|
|
else
|
|
|
|
*val = region->read(r_vcpu, addr, sizeof(u32));
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int vgic_uaccess_write(struct kvm_vcpu *vcpu, struct kvm_io_device *dev,
|
|
|
|
gpa_t addr, const u32 *val)
|
|
|
|
{
|
|
|
|
struct vgic_io_device *iodev = kvm_to_vgic_iodev(dev);
|
|
|
|
const struct vgic_register_region *region;
|
|
|
|
struct kvm_vcpu *r_vcpu;
|
|
|
|
|
|
|
|
region = vgic_get_mmio_region(vcpu, iodev, addr, sizeof(u32));
|
|
|
|
if (!region)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
r_vcpu = iodev->redist_vcpu ? iodev->redist_vcpu : vcpu;
|
|
|
|
if (region->uaccess_write)
|
2018-07-16 21:06:23 +08:00
|
|
|
return region->uaccess_write(r_vcpu, addr, sizeof(u32), *val);
|
2017-01-26 22:20:46 +08:00
|
|
|
|
2018-07-16 21:06:23 +08:00
|
|
|
region->write(r_vcpu, addr, sizeof(u32), *val);
|
2017-01-26 22:20:46 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Userland access to VGIC registers.
|
|
|
|
*/
|
|
|
|
int vgic_uaccess(struct kvm_vcpu *vcpu, struct vgic_io_device *dev,
|
|
|
|
bool is_write, int offset, u32 *val)
|
|
|
|
{
|
|
|
|
if (is_write)
|
|
|
|
return vgic_uaccess_write(vcpu, &dev->dev, offset, val);
|
|
|
|
else
|
|
|
|
return vgic_uaccess_read(vcpu, &dev->dev, offset, val);
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:06:12 +08:00
|
|
|
static int dispatch_mmio_read(struct kvm_vcpu *vcpu, struct kvm_io_device *dev,
|
|
|
|
gpa_t addr, int len, void *val)
|
|
|
|
{
|
|
|
|
struct vgic_io_device *iodev = kvm_to_vgic_iodev(dev);
|
|
|
|
const struct vgic_register_region *region;
|
2016-07-15 19:43:30 +08:00
|
|
|
unsigned long data = 0;
|
2016-04-26 18:06:12 +08:00
|
|
|
|
2017-01-26 22:20:46 +08:00
|
|
|
region = vgic_get_mmio_region(vcpu, iodev, addr, len);
|
|
|
|
if (!region) {
|
2016-04-26 18:06:12 +08:00
|
|
|
memset(val, 0, len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-07-15 19:43:30 +08:00
|
|
|
switch (iodev->iodev_type) {
|
|
|
|
case IODEV_CPUIF:
|
2016-07-18 18:57:36 +08:00
|
|
|
data = region->read(vcpu, addr, len);
|
|
|
|
break;
|
2016-07-15 19:43:30 +08:00
|
|
|
case IODEV_DIST:
|
|
|
|
data = region->read(vcpu, addr, len);
|
|
|
|
break;
|
|
|
|
case IODEV_REDIST:
|
|
|
|
data = region->read(iodev->redist_vcpu, addr, len);
|
|
|
|
break;
|
|
|
|
case IODEV_ITS:
|
|
|
|
data = region->its_read(vcpu->kvm, iodev->its, addr, len);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:06:12 +08:00
|
|
|
vgic_data_host_to_mmio_bus(val, len, data);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int dispatch_mmio_write(struct kvm_vcpu *vcpu, struct kvm_io_device *dev,
|
|
|
|
gpa_t addr, int len, const void *val)
|
|
|
|
{
|
|
|
|
struct vgic_io_device *iodev = kvm_to_vgic_iodev(dev);
|
|
|
|
const struct vgic_register_region *region;
|
|
|
|
unsigned long data = vgic_data_mmio_bus_to_host(val, len);
|
|
|
|
|
2017-01-26 22:20:46 +08:00
|
|
|
region = vgic_get_mmio_region(vcpu, iodev, addr, len);
|
|
|
|
if (!region)
|
2016-04-26 18:06:12 +08:00
|
|
|
return 0;
|
|
|
|
|
2016-07-15 19:43:30 +08:00
|
|
|
switch (iodev->iodev_type) {
|
|
|
|
case IODEV_CPUIF:
|
2016-07-18 18:57:36 +08:00
|
|
|
region->write(vcpu, addr, len, data);
|
2016-07-15 19:43:30 +08:00
|
|
|
break;
|
|
|
|
case IODEV_DIST:
|
|
|
|
region->write(vcpu, addr, len, data);
|
|
|
|
break;
|
|
|
|
case IODEV_REDIST:
|
|
|
|
region->write(iodev->redist_vcpu, addr, len, data);
|
|
|
|
break;
|
|
|
|
case IODEV_ITS:
|
|
|
|
region->its_write(vcpu->kvm, iodev->its, addr, len, data);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:06:12 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct kvm_io_device_ops kvm_io_gic_ops = {
|
|
|
|
.read = dispatch_mmio_read,
|
|
|
|
.write = dispatch_mmio_write,
|
|
|
|
};
|
2016-04-27 04:32:49 +08:00
|
|
|
|
|
|
|
int vgic_register_dist_iodev(struct kvm *kvm, gpa_t dist_base_address,
|
|
|
|
enum vgic_type type)
|
|
|
|
{
|
|
|
|
struct vgic_io_device *io_device = &kvm->arch.vgic.dist_iodev;
|
|
|
|
int ret = 0;
|
|
|
|
unsigned int len;
|
|
|
|
|
|
|
|
switch (type) {
|
|
|
|
case VGIC_V2:
|
|
|
|
len = vgic_v2_init_dist_iodev(io_device);
|
|
|
|
break;
|
2015-12-01 22:34:34 +08:00
|
|
|
case VGIC_V3:
|
|
|
|
len = vgic_v3_init_dist_iodev(io_device);
|
|
|
|
break;
|
2016-04-27 04:32:49 +08:00
|
|
|
default:
|
|
|
|
BUG_ON(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
io_device->base_addr = dist_base_address;
|
2016-07-15 19:43:30 +08:00
|
|
|
io_device->iodev_type = IODEV_DIST;
|
2016-04-27 04:32:49 +08:00
|
|
|
io_device->redist_vcpu = NULL;
|
|
|
|
|
|
|
|
mutex_lock(&kvm->slots_lock);
|
|
|
|
ret = kvm_io_bus_register_dev(kvm, KVM_MMIO_BUS, dist_base_address,
|
|
|
|
len, &io_device->dev);
|
|
|
|
mutex_unlock(&kvm->slots_lock);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|