[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.21] vpci/msix: improve handling of bogus MSI-X capabilities

  • To: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Mon, 6 Oct 2025 10:20:41 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HfrRewX2ZDUGv1nUjrpUqpxE8LQwco3eS0bA6FGwP8M=; b=wzrHfEDZe1aJmV5/AkQlLfUiQru3/DOh+7iwq31tVcv50UZ4oLixQzmZK/twVnPdAU3f/dqPWiGV6Ik8EYbbCIIk0S9McNBet04k73y/s7H01g11eUtgo12oYKSWDtb0h9IgHvHJ1vZfYXOSRAVWl/7jFa/iwEHLvFLm46ym8NXdOXfCNC1BTpR5Hd4AgW7F15X5eTrhpVSh9u9tN8S1OY0nR/Y3xkWaZqm/t89htrYMKnY8XFVZe1ENEbwe+UOG4bTW67FoEmdvakPU2rwGNxbkWuod1E32RZb628jGPMPWNL7piUiNWGNk9mQ3mKte3YktvogGH3Gh37NYzuttYw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=QHPjvY/jpTdajeGPGPbjzE69PZkwhaLDsIrxH/3MjMW865pXs50rNlADUVwwXQWUAVN7lITazu9tblgKHGXNjLqR9oY4K5PcQJRvqaiEL+yUTwASP1UC6GUSpF2W6yG9sF/i9rzhmrenApJeIET9XQLmC+nOBqItdYkgx9IuqG2Kx/u65MgxzKyh907rBxiM0sltgfuc+olyk8jO0O5Nch7mZJ5fYypSEhj1XzLIgBq9o7nDCteQrZTFAvQfcefxIUsMm9rIA0nT6cMomvy7dZhIPe0cj0SfnOaTXJYVxCpSKK8zCA+5o/aT8b9Xn7SO7A++iYk4UE26AcTXtuWjCw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
  • Delivery-date: Mon, 06 Oct 2025 08:21:34 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Fri, Oct 03, 2025 at 11:29:40PM -0400, Stewart Hildebrand wrote:
> On 9/29/25 04:41, Roger Pau Monne wrote:
> > I've had the luck to come across a PCI card that exposes a MSI-X capability
> > where the BIR of the vector and PBA tables points at a BAR that has 0 size.
> > 
> > This doesn't play nice with the code in vpci_make_msix_hole(), as it would
> > still use the address of such empty BAR (0) and attempt to crave a hole in
> 
> s/crave/carve/
> 
> > the p2m.  This leads to errors like the one below being reported by Xen:
> > 
> > d0v0 0000:22:00.0: existing mapping (mfn: 181c4300 type: 0) at 0 clobbers 
> > MSIX MMIO area
> > 
> > And the device left unable to enable memory decoding due to the failure
> > reported by vpci_make_msix_hole().
> > 
> > Introduce checking in init_msix() to ensure the BARs containing the MSI-X
> > tables are usable.  This requires checking that the BIR points to a
> > non-empty BAR, and the offset and size of the MSI-X tables can fit in the
> > target BAR.
> > 
> > This fixes booting PVH dom0 on Supermicro AS -2126HS-TN severs with AMD
> > EPYC 9965 processors.  The broken device is:
> > 
> > 22:00.0 SATA controller: Advanced Micro Devices, Inc. [AMD] FCH SATA 
> > Controller [AHCI mode] (rev 93)
> > 
> > There are multiple of those integrated controllers in the system, all
> > broken in the same way.
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > Cc: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
> > Cc: Jan Beulich <jbeulich@xxxxxxxx>
> > Cc: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
> > 
> > While not strictly a bugfix, I consider this a worthy improvement so that
> > PVH dom0 has a chance to boot on hardware that exposes such broken MSI-X
> > capabilities.  Hence I think this change should be considered for inclusion
> > into 4.21.  There a risk of regressing on hardware that was already working
> > with PVH, but given enough testing that should be minimal.
> > ---
> >  xen/drivers/vpci/msix.c | 50 ++++++++++++++++++++++++++++++++++++-----
> >  1 file changed, 45 insertions(+), 5 deletions(-)
> > 
> > diff --git a/xen/drivers/vpci/msix.c b/xen/drivers/vpci/msix.c
> > index 54a5070733aa..8458955d5bbb 100644
> > --- a/xen/drivers/vpci/msix.c
> > +++ b/xen/drivers/vpci/msix.c
> > @@ -675,6 +675,51 @@ static int cf_check init_msix(struct pci_dev *pdev)
> >      if ( !msix )
> >          return -ENOMEM;
> >  
> > +    msix->tables[VPCI_MSIX_TABLE] =
> > +        pci_conf_read32(pdev->sbdf, msix_table_offset_reg(msix_offset));
> > +    msix->tables[VPCI_MSIX_PBA] =
> > +        pci_conf_read32(pdev->sbdf, msix_pba_offset_reg(msix_offset));
> > +
> > +    /* Check that the provided BAR is valid. */
> > +    for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ )
> > +    {
> > +        const char *name = (i == VPCI_MSIX_TABLE) ? "vector" : "PBA";
> > +        const struct vpci_bar *bars = pdev->vpci->header.bars;
> > +        unsigned int bir = msix->tables[i] & PCI_MSIX_BIRMASK;
> > +        unsigned int type;
> > +        unsigned int offset = msix->tables[i] & ~PCI_MSIX_BIRMASK;
> > +        unsigned int size =
> > +            (i == VPCI_MSIX_TABLE) ? max_entries * PCI_MSIX_ENTRY_SIZE
> > +                                   : ROUNDUP(DIV_ROUND_UP(max_entries, 8), 
> > 8);
> > +
> > +        if ( bir >= ARRAY_SIZE(pdev->vpci->header.bars) )
> 
> This assumes a type 0 header. For type 1 headers, bir values 2 and up are
> also reserved.

Right, but those BARs will be set as VPCI_BAR_EMPTY for type 1 headers.
The check here is to avoid doing an out of bounds array access, the
check for validity of the pointed BAR is done below.

> 
> > +        {
> > +            printk(XENLOG_ERR "%pp: MSI-X %s table with out of range BIR 
> > %u\n",
> > +                   &pdev->sbdf, name, bir);
> 
> Nit: placing the cleanup label at the end of the function and using 'rc' would
> make it more amenable to future uses.

The issue with that is that we then end up with a structure like:

    return vpci_make_msix_hole();

 error:
    xfree();
    return rc;

Which I don't like much because of the double usage of return (it's a
taste issue TBH).

My motivation for using a goto is that they are conceptually the same
error path, but we provide different log messages to aid in debugging
the issue.  Otherwise all checks will be done in a single condition.

Let me know how strong you feel about the usage of a label here vs one
at the tail of the function.

> 
> > + invalid:
> > +            xfree(msix);
> > +            return -ENODEV;
> > +
> 
> Extraneous newline.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.