From: Costas Argyris <[email protected]> Add a qtest for AMD IOMMU command buffer head pointer wraparound. The test programs a command buffer, fills it with COMPLETION_WAIT commands, advances the tail to consume all but the final entry, then wraps the tail to zero to force the final command to advance CmdHeadPtr past the end of the buffer. The guest-visible CmdHeadPtr register must then wrap back to zero.
This covers the case fixed by an earlier CmdHeadPtr wraparound patch. The Linux kernel AMD IOMMU driver is not affected by this bug because it uses COMPLETION_WAIT with a memory store doorbell to detect command progress. Signed-off-by: Costas Argyris <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Message-Id: <[email protected]> --- MAINTAINERS | 1 + tests/qtest/amd-iommu-test.c | 76 ++++++++++++++++++++++++++++++++++++ tests/qtest/meson.build | 1 + 3 files changed, 78 insertions(+) create mode 100644 tests/qtest/amd-iommu-test.c diff --git a/MAINTAINERS b/MAINTAINERS index a90daf0308..3b768fc080 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4053,6 +4053,7 @@ M: Alejandro Jimenez <[email protected]> R: Sairaj Kodilkar <[email protected]> S: Supported F: hw/i386/amd_iommu* +F: tests/qtest/amd-iommu-test.c OpenSBI Firmware L: [email protected] diff --git a/tests/qtest/amd-iommu-test.c b/tests/qtest/amd-iommu-test.c new file mode 100644 index 0000000000..fb28511588 --- /dev/null +++ b/tests/qtest/amd-iommu-test.c @@ -0,0 +1,76 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "libqtest.h" +#include "hw/i386/amd_iommu.h" + +#define CMDBUF_ADDR 0x200000 +#define CMDBUF_LEN_FIELD 8 +#define CMDBUF_ENTRIES (1U << CMDBUF_LEN_FIELD) + +static inline uint64_t amdvi_reg_readq(QTestState *s, uint64_t offset) +{ + return qtest_readq(s, AMDVI_BASE_ADDR + offset); +} + +static inline void amdvi_reg_writeq(QTestState *s, uint64_t offset, + uint64_t val) +{ + qtest_writeq(s, AMDVI_BASE_ADDR + offset, val); +} + +static void test_cmdbuf_head_wrap(void) +{ + QTestState *s; + uint64_t head; + int i; + /* 16 bytes per command */ + struct { + uint64_t qw0; + uint64_t qw1; + } cmdbuf[CMDBUF_ENTRIES]; + + if (!qtest_has_machine("q35")) { + g_test_skip("q35 machine not available"); + return; + } + + s = qtest_init("-M q35 -device amd-iommu"); + + /* fill the command buffer with COMPLETION_WAIT (no-op) commands */ + for (i = 0; i < CMDBUF_ENTRIES; i++) { + cmdbuf[i].qw0 = (uint64_t)AMDVI_CMD_COMPLETION_WAIT << 60; + cmdbuf[i].qw1 = 0; + } + qtest_memwrite(s, CMDBUF_ADDR, cmdbuf, sizeof(cmdbuf)); + + /* point the IOMMU at the command buffer and set its length */ + amdvi_reg_writeq(s, AMDVI_MMIO_COMMAND_BASE, + CMDBUF_ADDR | ((uint64_t)CMDBUF_LEN_FIELD << 56)); + + /* enable the IOMMU and its command buffer processor */ + amdvi_reg_writeq(s, AMDVI_MMIO_CONTROL, + AMDVI_MMIO_CONTROL_AMDVIEN | AMDVI_MMIO_CONTROL_CMDBUFLEN); + + /* advance tail to the last entry, consuming all but the final entry */ + amdvi_reg_writeq(s, AMDVI_MMIO_COMMAND_TAIL, + (CMDBUF_ENTRIES - 1) * AMDVI_COMMAND_SIZE); + + /* wrap tail to 0, consuming the final entry and completing the buffer */ + amdvi_reg_writeq(s, AMDVI_MMIO_COMMAND_TAIL, 0); + + /* after consuming all entries the IOMMU must wrap CmdHeadPtr to 0 */ + head = amdvi_reg_readq(s, AMDVI_MMIO_COMMAND_HEAD); + g_assert((head & AMDVI_MMIO_CMDBUF_HEAD_MASK) == 0); + + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + g_test_init(&argc, &argv, NULL); + qtest_add_func("/q35/amd-iommu/cmdbuf-head-wrap", test_cmdbuf_head_wrap); + return g_test_run(); +} diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 728dde54b3..67eea5c71a 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -95,6 +95,7 @@ qtests_i386 = \ (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] : []) + \ (config_all_devices.has_key('CONFIG_ESP_PCI') ? ['am53c974-test'] : []) + \ + (config_all_devices.has_key('CONFIG_AMD_IOMMU') ? ['amd-iommu-test'] : []) + \ (config_all_devices.has_key('CONFIG_VTD') ? ['intel-iommu-test'] : []) + \ (config_all_devices.has_key('CONFIG_VTD') and config_all_devices.has_key('CONFIG_IOMMU_TESTDEV') ? ['iommu-intel-test'] : []) + \ -- MST
