xref: /openbmc/qemu/hw/s390x/s390-pci-inst.c (revision c7b64948f8ae4142b65f644164d0678892fe223d)
1 /*
2  * s390 PCI instructions
3  *
4  * Copyright 2014 IBM Corp.
5  * Author(s): Frank Blaschka <frank.blaschka@de.ibm.com>
6  *            Hong Bo Li <lihbbj@cn.ibm.com>
7  *            Yi Min Zhao <zyimin@cn.ibm.com>
8  *
9  * This work is licensed under the terms of the GNU GPL, version 2 or (at
10  * your option) any later version. See the COPYING file in the top-level
11  * directory.
12  */
13 
14 #include "qemu/osdep.h"
15 #include "exec/memop.h"
16 #include "exec/memory.h"
17 #include "qemu/error-report.h"
18 #include "sysemu/hw_accel.h"
19 #include "hw/pci/pci_device.h"
20 #include "hw/s390x/s390-pci-inst.h"
21 #include "hw/s390x/s390-pci-bus.h"
22 #include "hw/s390x/s390-pci-kvm.h"
23 #include "hw/s390x/s390-pci-vfio.h"
24 #include "hw/s390x/tod.h"
25 
26 #ifndef DEBUG_S390PCI_INST
27 #define DEBUG_S390PCI_INST  0
28 #endif
29 
30 #define DPRINTF(fmt, ...)                                          \
31     do {                                                           \
32         if (DEBUG_S390PCI_INST) {                                  \
33             fprintf(stderr, "s390pci-inst: " fmt, ## __VA_ARGS__); \
34         }                                                          \
35     } while (0)
36 
37 static inline void inc_dma_avail(S390PCIIOMMU *iommu)
38 {
39     if (iommu->dma_limit) {
40         iommu->dma_limit->avail++;
41     }
42 }
43 
44 static inline void dec_dma_avail(S390PCIIOMMU *iommu)
45 {
46     if (iommu->dma_limit) {
47         iommu->dma_limit->avail--;
48     }
49 }
50 
51 static void s390_set_status_code(CPUS390XState *env,
52                                  uint8_t r, uint64_t status_code)
53 {
54     env->regs[r] &= ~0xff000000ULL;
55     env->regs[r] |= (status_code & 0xff) << 24;
56 }
57 
58 static int list_pci(ClpReqRspListPci *rrb, uint8_t *cc)
59 {
60     S390PCIBusDevice *pbdev = NULL;
61     S390pciState *s = s390_get_phb();
62     uint32_t res_code, initial_l2, g_l2;
63     int rc, i;
64     uint64_t resume_token;
65 
66     rc = 0;
67     if (lduw_p(&rrb->request.hdr.len) != 32) {
68         res_code = CLP_RC_LEN;
69         rc = -EINVAL;
70         goto out;
71     }
72 
73     if ((ldl_p(&rrb->request.fmt) & CLP_MASK_FMT) != 0) {
74         res_code = CLP_RC_FMT;
75         rc = -EINVAL;
76         goto out;
77     }
78 
79     if ((ldl_p(&rrb->request.fmt) & ~CLP_MASK_FMT) != 0 ||
80         ldq_p(&rrb->request.reserved1) != 0) {
81         res_code = CLP_RC_RESNOT0;
82         rc = -EINVAL;
83         goto out;
84     }
85 
86     resume_token = ldq_p(&rrb->request.resume_token);
87 
88     if (resume_token) {
89         pbdev = s390_pci_find_dev_by_idx(s, resume_token);
90         if (!pbdev) {
91             res_code = CLP_RC_LISTPCI_BADRT;
92             rc = -EINVAL;
93             goto out;
94         }
95     } else {
96         pbdev = s390_pci_find_next_avail_dev(s, NULL);
97     }
98 
99     if (lduw_p(&rrb->response.hdr.len) < 48) {
100         res_code = CLP_RC_8K;
101         rc = -EINVAL;
102         goto out;
103     }
104 
105     initial_l2 = lduw_p(&rrb->response.hdr.len);
106     if ((initial_l2 - LIST_PCI_HDR_LEN) % sizeof(ClpFhListEntry)
107         != 0) {
108         res_code = CLP_RC_LEN;
109         rc = -EINVAL;
110         *cc = 3;
111         goto out;
112     }
113 
114     stl_p(&rrb->response.fmt, 0);
115     stq_p(&rrb->response.reserved1, 0);
116     stl_p(&rrb->response.mdd, FH_MASK_SHM);
117     stw_p(&rrb->response.max_fn, PCI_MAX_FUNCTIONS);
118     rrb->response.flags = UID_CHECKING_ENABLED;
119     rrb->response.entry_size = sizeof(ClpFhListEntry);
120 
121     i = 0;
122     g_l2 = LIST_PCI_HDR_LEN;
123     while (g_l2 < initial_l2 && pbdev) {
124         stw_p(&rrb->response.fh_list[i].device_id,
125             pci_get_word(pbdev->pdev->config + PCI_DEVICE_ID));
126         stw_p(&rrb->response.fh_list[i].vendor_id,
127             pci_get_word(pbdev->pdev->config + PCI_VENDOR_ID));
128         /* Ignore RESERVED devices. */
129         stl_p(&rrb->response.fh_list[i].config,
130             pbdev->state == ZPCI_FS_STANDBY ? 0 : 1 << 31);
131         stl_p(&rrb->response.fh_list[i].fid, pbdev->fid);
132         stl_p(&rrb->response.fh_list[i].fh, pbdev->fh);
133 
134         g_l2 += sizeof(ClpFhListEntry);
135         /* Add endian check for DPRINTF? */
136         DPRINTF("g_l2 %d vendor id 0x%x device id 0x%x fid 0x%x fh 0x%x\n",
137                 g_l2,
138                 lduw_p(&rrb->response.fh_list[i].vendor_id),
139                 lduw_p(&rrb->response.fh_list[i].device_id),
140                 ldl_p(&rrb->response.fh_list[i].fid),
141                 ldl_p(&rrb->response.fh_list[i].fh));
142         pbdev = s390_pci_find_next_avail_dev(s, pbdev);
143         i++;
144     }
145 
146     if (!pbdev) {
147         resume_token = 0;
148     } else {
149         resume_token = pbdev->fh & FH_MASK_INDEX;
150     }
151     stq_p(&rrb->response.resume_token, resume_token);
152     stw_p(&rrb->response.hdr.len, g_l2);
153     stw_p(&rrb->response.hdr.rsp, CLP_RC_OK);
154 out:
155     if (rc) {
156         DPRINTF("list pci failed rc 0x%x\n", rc);
157         stw_p(&rrb->response.hdr.rsp, res_code);
158     }
159     return rc;
160 }
161 
162 int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_t ra)
163 {
164     ClpReqHdr *reqh;
165     ClpRspHdr *resh;
166     S390PCIBusDevice *pbdev;
167     uint32_t req_len;
168     uint32_t res_len;
169     uint8_t buffer[4096 * 2];
170     uint8_t cc = 0;
171     CPUS390XState *env = &cpu->env;
172     S390pciState *s = s390_get_phb();
173     int i;
174 
175     if (env->psw.mask & PSW_MASK_PSTATE) {
176         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
177         return 0;
178     }
179 
180     if (s390_cpu_virt_mem_read(cpu, env->regs[r2], r2, buffer, sizeof(*reqh))) {
181         s390_cpu_virt_mem_handle_exc(cpu, ra);
182         return 0;
183     }
184     reqh = (ClpReqHdr *)buffer;
185     req_len = lduw_p(&reqh->len);
186     if (req_len < 16 || req_len > 8184 || (req_len % 8 != 0)) {
187         s390_program_interrupt(env, PGM_OPERAND, ra);
188         return 0;
189     }
190 
191     if (s390_cpu_virt_mem_read(cpu, env->regs[r2], r2, buffer,
192                                req_len + sizeof(*resh))) {
193         s390_cpu_virt_mem_handle_exc(cpu, ra);
194         return 0;
195     }
196     resh = (ClpRspHdr *)(buffer + req_len);
197     res_len = lduw_p(&resh->len);
198     if (res_len < 8 || res_len > 8176 || (res_len % 8 != 0)) {
199         s390_program_interrupt(env, PGM_OPERAND, ra);
200         return 0;
201     }
202     if ((req_len + res_len) > 8192) {
203         s390_program_interrupt(env, PGM_OPERAND, ra);
204         return 0;
205     }
206 
207     if (s390_cpu_virt_mem_read(cpu, env->regs[r2], r2, buffer,
208                                req_len + res_len)) {
209         s390_cpu_virt_mem_handle_exc(cpu, ra);
210         return 0;
211     }
212 
213     if (req_len != 32) {
214         stw_p(&resh->rsp, CLP_RC_LEN);
215         goto out;
216     }
217 
218     switch (lduw_p(&reqh->cmd)) {
219     case CLP_LIST_PCI: {
220         ClpReqRspListPci *rrb = (ClpReqRspListPci *)buffer;
221         list_pci(rrb, &cc);
222         break;
223     }
224     case CLP_SET_PCI_FN: {
225         ClpReqSetPci *reqsetpci = (ClpReqSetPci *)reqh;
226         ClpRspSetPci *ressetpci = (ClpRspSetPci *)resh;
227 
228         pbdev = s390_pci_find_dev_by_fh(s, ldl_p(&reqsetpci->fh));
229         if (!pbdev) {
230                 stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_FH);
231                 goto out;
232         }
233 
234         switch (reqsetpci->oc) {
235         case CLP_SET_ENABLE_PCI_FN:
236             switch (reqsetpci->ndas) {
237             case 0:
238                 stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_DMAAS);
239                 goto out;
240             case 1:
241                 break;
242             default:
243                 stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_RES);
244                 goto out;
245             }
246 
247             if (pbdev->fh & FH_MASK_ENABLE) {
248                 stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_FHOP);
249                 goto out;
250             }
251 
252             /*
253              * Take this opportunity to make sure we still have an accurate
254              * host fh.  It's possible part of the handle changed while the
255              * device was disabled to the guest (e.g. vfio hot reset for
256              * ISM during plug)
257              */
258             if (pbdev->interp) {
259                 /* Take this opportunity to make sure we are sync'd with host */
260                 if (!s390_pci_get_host_fh(pbdev, &pbdev->fh) ||
261                     !(pbdev->fh & FH_MASK_ENABLE)) {
262                     stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_FH);
263                     goto out;
264                 }
265             }
266             pbdev->fh |= FH_MASK_ENABLE;
267             pbdev->state = ZPCI_FS_ENABLED;
268             stl_p(&ressetpci->fh, pbdev->fh);
269             stw_p(&ressetpci->hdr.rsp, CLP_RC_OK);
270             break;
271         case CLP_SET_DISABLE_PCI_FN:
272             if (!(pbdev->fh & FH_MASK_ENABLE)) {
273                 stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_FHOP);
274                 goto out;
275             }
276             device_cold_reset(DEVICE(pbdev));
277             pbdev->fh &= ~FH_MASK_ENABLE;
278             pbdev->state = ZPCI_FS_DISABLED;
279             stl_p(&ressetpci->fh, pbdev->fh);
280             stw_p(&ressetpci->hdr.rsp, CLP_RC_OK);
281             break;
282         default:
283             DPRINTF("unknown set pci command\n");
284             stw_p(&ressetpci->hdr.rsp, CLP_RC_SETPCIFN_FHOP);
285             break;
286         }
287         break;
288     }
289     case CLP_QUERY_PCI_FN: {
290         ClpReqQueryPci *reqquery = (ClpReqQueryPci *)reqh;
291         ClpRspQueryPci *resquery = (ClpRspQueryPci *)resh;
292 
293         pbdev = s390_pci_find_dev_by_fh(s, ldl_p(&reqquery->fh));
294         if (!pbdev) {
295             DPRINTF("query pci no pci dev\n");
296             stw_p(&resquery->hdr.rsp, CLP_RC_SETPCIFN_FH);
297             goto out;
298         }
299 
300         stq_p(&resquery->sdma, pbdev->zpci_fn.sdma);
301         stq_p(&resquery->edma, pbdev->zpci_fn.edma);
302         stw_p(&resquery->pchid, pbdev->zpci_fn.pchid);
303         stw_p(&resquery->vfn, pbdev->zpci_fn.vfn);
304         resquery->flags = pbdev->zpci_fn.flags;
305         resquery->pfgid = pbdev->zpci_fn.pfgid;
306         resquery->pft = pbdev->zpci_fn.pft;
307         resquery->fmbl = pbdev->zpci_fn.fmbl;
308         stl_p(&resquery->fid, pbdev->zpci_fn.fid);
309         stl_p(&resquery->uid, pbdev->zpci_fn.uid);
310         memcpy(resquery->pfip, pbdev->zpci_fn.pfip, CLP_PFIP_NR_SEGMENTS);
311         memcpy(resquery->util_str, pbdev->zpci_fn.util_str, CLP_UTIL_STR_LEN);
312 
313         for (i = 0; i < PCI_BAR_COUNT; i++) {
314             uint32_t data = pci_get_long(pbdev->pdev->config +
315                 PCI_BASE_ADDRESS_0 + (i * 4));
316 
317             stl_p(&resquery->bar[i], data);
318             resquery->bar_size[i] = pbdev->pdev->io_regions[i].size ?
319                                     ctz64(pbdev->pdev->io_regions[i].size) : 0;
320             DPRINTF("bar %d addr 0x%x size 0x%" PRIx64 "barsize 0x%x\n", i,
321                     ldl_p(&resquery->bar[i]),
322                     pbdev->pdev->io_regions[i].size,
323                     resquery->bar_size[i]);
324         }
325 
326         stw_p(&resquery->hdr.rsp, CLP_RC_OK);
327         break;
328     }
329     case CLP_QUERY_PCI_FNGRP: {
330         ClpRspQueryPciGrp *resgrp = (ClpRspQueryPciGrp *)resh;
331 
332         ClpReqQueryPciGrp *reqgrp = (ClpReqQueryPciGrp *)reqh;
333         S390PCIGroup *group;
334 
335         group = s390_group_find(reqgrp->g);
336         if (!group) {
337             /* We do not allow access to unknown groups */
338             /* The group must have been obtained with a vfio device */
339             stw_p(&resgrp->hdr.rsp, CLP_RC_QUERYPCIFG_PFGID);
340             goto out;
341         }
342         resgrp->fr = group->zpci_group.fr;
343         stq_p(&resgrp->dasm, group->zpci_group.dasm);
344         stq_p(&resgrp->msia, group->zpci_group.msia);
345         stw_p(&resgrp->mui, group->zpci_group.mui);
346         stw_p(&resgrp->i, group->zpci_group.i);
347         stw_p(&resgrp->maxstbl, group->zpci_group.maxstbl);
348         resgrp->version = group->zpci_group.version;
349         resgrp->dtsm = group->zpci_group.dtsm;
350         stw_p(&resgrp->hdr.rsp, CLP_RC_OK);
351         break;
352     }
353     default:
354         DPRINTF("unknown clp command\n");
355         stw_p(&resh->rsp, CLP_RC_CMD);
356         break;
357     }
358 
359 out:
360     if (s390_cpu_virt_mem_write(cpu, env->regs[r2], r2, buffer,
361                                 req_len + res_len)) {
362         s390_cpu_virt_mem_handle_exc(cpu, ra);
363         return 0;
364     }
365     setcc(cpu, cc);
366     return 0;
367 }
368 
369 /**
370  * Swap data contained in s390x big endian registers to little endian
371  * PCI bars.
372  *
373  * @ptr: a pointer to a uint64_t data field
374  * @len: the length of the valid data, must be 1,2,4 or 8
375  */
376 static int zpci_endian_swap(uint64_t *ptr, uint8_t len)
377 {
378     uint64_t data = *ptr;
379 
380     switch (len) {
381     case 1:
382         break;
383     case 2:
384         data = bswap16(data);
385         break;
386     case 4:
387         data = bswap32(data);
388         break;
389     case 8:
390         data = bswap64(data);
391         break;
392     default:
393         return -EINVAL;
394     }
395     *ptr = data;
396     return 0;
397 }
398 
399 static MemoryRegion *s390_get_subregion(MemoryRegion *mr, uint64_t offset,
400                                         uint8_t len)
401 {
402     MemoryRegion *subregion;
403     uint64_t subregion_size;
404 
405     QTAILQ_FOREACH(subregion, &mr->subregions, subregions_link) {
406         subregion_size = int128_get64(subregion->size);
407         if ((offset >= subregion->addr) &&
408             (offset + len) <= (subregion->addr + subregion_size)) {
409             mr = subregion;
410             break;
411         }
412     }
413     return mr;
414 }
415 
416 static MemTxResult zpci_read_bar(S390PCIBusDevice *pbdev, uint8_t pcias,
417                                  uint64_t offset, uint64_t *data, uint8_t len)
418 {
419     MemoryRegion *mr;
420 
421     mr = pbdev->pdev->io_regions[pcias].memory;
422     mr = s390_get_subregion(mr, offset, len);
423     offset -= mr->addr;
424     return memory_region_dispatch_read(mr, offset, data,
425                                        size_memop(len) | MO_BE,
426                                        MEMTXATTRS_UNSPECIFIED);
427 }
428 
429 int pcilg_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
430 {
431     CPUS390XState *env = &cpu->env;
432     S390PCIBusDevice *pbdev;
433     uint64_t offset;
434     uint64_t data;
435     MemTxResult result;
436     uint8_t len;
437     uint32_t fh;
438     uint8_t pcias;
439 
440     if (env->psw.mask & PSW_MASK_PSTATE) {
441         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
442         return 0;
443     }
444 
445     if (r2 & 0x1) {
446         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
447         return 0;
448     }
449 
450     fh = env->regs[r2] >> 32;
451     pcias = (env->regs[r2] >> 16) & 0xf;
452     len = env->regs[r2] & 0xf;
453     offset = env->regs[r2 + 1];
454 
455     if (!(fh & FH_MASK_ENABLE)) {
456         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
457         return 0;
458     }
459 
460     pbdev = s390_pci_find_dev_by_fh(s390_get_phb(), fh);
461     if (!pbdev) {
462         DPRINTF("pcilg no pci dev\n");
463         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
464         return 0;
465     }
466 
467     switch (pbdev->state) {
468     case ZPCI_FS_PERMANENT_ERROR:
469     case ZPCI_FS_ERROR:
470         setcc(cpu, ZPCI_PCI_LS_ERR);
471         s390_set_status_code(env, r2, ZPCI_PCI_ST_BLOCKED);
472         return 0;
473     default:
474         break;
475     }
476 
477     switch (pcias) {
478     case ZPCI_IO_BAR_MIN...ZPCI_IO_BAR_MAX:
479         if (!len || (len > (8 - (offset & 0x7)))) {
480             s390_program_interrupt(env, PGM_OPERAND, ra);
481             return 0;
482         }
483         result = zpci_read_bar(pbdev, pcias, offset, &data, len);
484         if (result != MEMTX_OK) {
485             s390_program_interrupt(env, PGM_OPERAND, ra);
486             return 0;
487         }
488         break;
489     case ZPCI_CONFIG_BAR:
490         if (!len || (len > (4 - (offset & 0x3))) || len == 3) {
491             s390_program_interrupt(env, PGM_OPERAND, ra);
492             return 0;
493         }
494         data =  pci_host_config_read_common(
495                    pbdev->pdev, offset, pci_config_size(pbdev->pdev), len);
496 
497         if (zpci_endian_swap(&data, len)) {
498             s390_program_interrupt(env, PGM_OPERAND, ra);
499             return 0;
500         }
501         break;
502     default:
503         DPRINTF("pcilg invalid space\n");
504         setcc(cpu, ZPCI_PCI_LS_ERR);
505         s390_set_status_code(env, r2, ZPCI_PCI_ST_INVAL_AS);
506         return 0;
507     }
508 
509     pbdev->fmb.counter[ZPCI_FMB_CNT_LD]++;
510 
511     env->regs[r1] = data;
512     setcc(cpu, ZPCI_PCI_LS_OK);
513     return 0;
514 }
515 
516 static MemTxResult zpci_write_bar(S390PCIBusDevice *pbdev, uint8_t pcias,
517                                   uint64_t offset, uint64_t data, uint8_t len)
518 {
519     MemoryRegion *mr;
520 
521     mr = pbdev->pdev->io_regions[pcias].memory;
522     mr = s390_get_subregion(mr, offset, len);
523     offset -= mr->addr;
524     return memory_region_dispatch_write(mr, offset, data,
525                                         size_memop(len) | MO_BE,
526                                         MEMTXATTRS_UNSPECIFIED);
527 }
528 
529 int pcistg_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
530 {
531     CPUS390XState *env = &cpu->env;
532     uint64_t offset, data;
533     S390PCIBusDevice *pbdev;
534     MemTxResult result;
535     uint8_t len;
536     uint32_t fh;
537     uint8_t pcias;
538 
539     if (env->psw.mask & PSW_MASK_PSTATE) {
540         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
541         return 0;
542     }
543 
544     if (r2 & 0x1) {
545         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
546         return 0;
547     }
548 
549     fh = env->regs[r2] >> 32;
550     pcias = (env->regs[r2] >> 16) & 0xf;
551     len = env->regs[r2] & 0xf;
552     offset = env->regs[r2 + 1];
553     data = env->regs[r1];
554 
555     if (!(fh & FH_MASK_ENABLE)) {
556         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
557         return 0;
558     }
559 
560     pbdev = s390_pci_find_dev_by_fh(s390_get_phb(), fh);
561     if (!pbdev) {
562         DPRINTF("pcistg no pci dev\n");
563         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
564         return 0;
565     }
566 
567     switch (pbdev->state) {
568     /* ZPCI_FS_RESERVED, ZPCI_FS_STANDBY and ZPCI_FS_DISABLED
569      * are already covered by the FH_MASK_ENABLE check above
570      */
571     case ZPCI_FS_PERMANENT_ERROR:
572     case ZPCI_FS_ERROR:
573         setcc(cpu, ZPCI_PCI_LS_ERR);
574         s390_set_status_code(env, r2, ZPCI_PCI_ST_BLOCKED);
575         return 0;
576     default:
577         break;
578     }
579 
580     switch (pcias) {
581         /* A ZPCI PCI card may use any BAR from BAR 0 to BAR 5 */
582     case ZPCI_IO_BAR_MIN...ZPCI_IO_BAR_MAX:
583         /* Check length:
584          * A length of 0 is invalid and length should not cross a double word
585          */
586         if (!len || (len > (8 - (offset & 0x7)))) {
587             s390_program_interrupt(env, PGM_OPERAND, ra);
588             return 0;
589         }
590 
591         result = zpci_write_bar(pbdev, pcias, offset, data, len);
592         if (result != MEMTX_OK) {
593             s390_program_interrupt(env, PGM_OPERAND, ra);
594             return 0;
595         }
596         break;
597     case ZPCI_CONFIG_BAR:
598         /* ZPCI uses the pseudo BAR number 15 as configuration space */
599         /* possible access lengths are 1,2,4 and must not cross a word */
600         if (!len || (len > (4 - (offset & 0x3))) || len == 3) {
601             s390_program_interrupt(env, PGM_OPERAND, ra);
602             return 0;
603         }
604         /* len = 1,2,4 so we do not need to test */
605         zpci_endian_swap(&data, len);
606         pci_host_config_write_common(pbdev->pdev, offset,
607                                      pci_config_size(pbdev->pdev),
608                                      data, len);
609         break;
610     default:
611         DPRINTF("pcistg invalid space\n");
612         setcc(cpu, ZPCI_PCI_LS_ERR);
613         s390_set_status_code(env, r2, ZPCI_PCI_ST_INVAL_AS);
614         return 0;
615     }
616 
617     pbdev->fmb.counter[ZPCI_FMB_CNT_ST]++;
618 
619     setcc(cpu, ZPCI_PCI_LS_OK);
620     return 0;
621 }
622 
623 static uint32_t s390_pci_update_iotlb(S390PCIIOMMU *iommu,
624                                       S390IOTLBEntry *entry)
625 {
626     S390IOTLBEntry *cache = g_hash_table_lookup(iommu->iotlb, &entry->iova);
627     IOMMUTLBEvent event = {
628         .type = entry->perm ? IOMMU_NOTIFIER_MAP : IOMMU_NOTIFIER_UNMAP,
629         .entry = {
630             .target_as = &address_space_memory,
631             .iova = entry->iova,
632             .translated_addr = entry->translated_addr,
633             .perm = entry->perm,
634             .addr_mask = ~TARGET_PAGE_MASK,
635         },
636     };
637 
638     if (event.type == IOMMU_NOTIFIER_UNMAP) {
639         if (!cache) {
640             goto out;
641         }
642         g_hash_table_remove(iommu->iotlb, &entry->iova);
643         inc_dma_avail(iommu);
644         /* Don't notify the iommu yet, maybe we can bundle contiguous unmaps */
645         goto out;
646     } else {
647         if (cache) {
648             if (cache->perm == entry->perm &&
649                 cache->translated_addr == entry->translated_addr) {
650                 goto out;
651             }
652 
653             event.type = IOMMU_NOTIFIER_UNMAP;
654             event.entry.perm = IOMMU_NONE;
655             memory_region_notify_iommu(&iommu->iommu_mr, 0, event);
656             event.type = IOMMU_NOTIFIER_MAP;
657             event.entry.perm = entry->perm;
658         }
659 
660         cache = g_new(S390IOTLBEntry, 1);
661         cache->iova = entry->iova;
662         cache->translated_addr = entry->translated_addr;
663         cache->len = TARGET_PAGE_SIZE;
664         cache->perm = entry->perm;
665         g_hash_table_replace(iommu->iotlb, &cache->iova, cache);
666         dec_dma_avail(iommu);
667     }
668 
669     /*
670      * All associated iotlb entries have already been cleared, trigger the
671      * unmaps.
672      */
673     memory_region_notify_iommu(&iommu->iommu_mr, 0, event);
674 
675 out:
676     return iommu->dma_limit ? iommu->dma_limit->avail : 1;
677 }
678 
679 static void s390_pci_batch_unmap(S390PCIIOMMU *iommu, uint64_t iova,
680                                  uint64_t len)
681 {
682     uint64_t remain = len, start = iova, end = start + len - 1, mask, size;
683     IOMMUTLBEvent event = {
684         .type = IOMMU_NOTIFIER_UNMAP,
685         .entry = {
686             .target_as = &address_space_memory,
687             .translated_addr = 0,
688             .perm = IOMMU_NONE,
689         },
690     };
691 
692     while (remain >= TARGET_PAGE_SIZE) {
693         mask = dma_aligned_pow2_mask(start, end, 64);
694         size = mask + 1;
695         event.entry.iova = start;
696         event.entry.addr_mask = mask;
697         memory_region_notify_iommu(&iommu->iommu_mr, 0, event);
698         start += size;
699         remain -= size;
700     }
701 }
702 
703 int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
704 {
705     CPUS390XState *env = &cpu->env;
706     uint64_t iova, coalesce = 0;
707     uint32_t fh;
708     uint16_t error = 0;
709     S390PCIBusDevice *pbdev;
710     S390PCIIOMMU *iommu;
711     S390IOTLBEntry entry;
712     hwaddr start, end, sstart;
713     uint32_t dma_avail;
714     bool again;
715 
716     if (env->psw.mask & PSW_MASK_PSTATE) {
717         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
718         return 0;
719     }
720 
721     if (r2 & 0x1) {
722         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
723         return 0;
724     }
725 
726     fh = env->regs[r1] >> 32;
727     sstart = start = env->regs[r2];
728     end = start + env->regs[r2 + 1];
729 
730     pbdev = s390_pci_find_dev_by_fh(s390_get_phb(), fh);
731     if (!pbdev) {
732         DPRINTF("rpcit no pci dev\n");
733         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
734         return 0;
735     }
736 
737     switch (pbdev->state) {
738     case ZPCI_FS_RESERVED:
739     case ZPCI_FS_STANDBY:
740     case ZPCI_FS_DISABLED:
741     case ZPCI_FS_PERMANENT_ERROR:
742         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
743         return 0;
744     case ZPCI_FS_ERROR:
745         setcc(cpu, ZPCI_PCI_LS_ERR);
746         s390_set_status_code(env, r1, ZPCI_MOD_ST_ERROR_RECOVER);
747         return 0;
748     default:
749         break;
750     }
751 
752     iommu = pbdev->iommu;
753     if (iommu->dma_limit) {
754         dma_avail = iommu->dma_limit->avail;
755     } else {
756         dma_avail = 1;
757     }
758     if (!iommu->g_iota) {
759         error = ERR_EVENT_INVALAS;
760         goto err;
761     }
762 
763     if (end < iommu->pba || start > iommu->pal) {
764         error = ERR_EVENT_OORANGE;
765         goto err;
766     }
767 
768  retry:
769     start = sstart;
770     again = false;
771     while (start < end) {
772         error = s390_guest_io_table_walk(iommu->g_iota, start, &entry);
773         if (error) {
774             break;
775         }
776 
777         /*
778          * If this is an unmap of a PTE, let's try to coalesce multiple unmaps
779          * into as few notifier events as possible.
780          */
781         if (entry.perm == IOMMU_NONE && entry.len == TARGET_PAGE_SIZE) {
782             if (coalesce == 0) {
783                 iova = entry.iova;
784             }
785             coalesce += entry.len;
786         } else if (coalesce > 0) {
787             /* Unleash the coalesced unmap before processing a new map */
788             s390_pci_batch_unmap(iommu, iova, coalesce);
789             coalesce = 0;
790         }
791 
792         start += entry.len;
793         while (entry.iova < start && entry.iova < end) {
794             if (dma_avail > 0 || entry.perm == IOMMU_NONE) {
795                 dma_avail = s390_pci_update_iotlb(iommu, &entry);
796                 entry.iova += TARGET_PAGE_SIZE;
797                 entry.translated_addr += TARGET_PAGE_SIZE;
798             } else {
799                 /*
800                  * We are unable to make a new mapping at this time, continue
801                  * on and hopefully free up more space.  Then attempt another
802                  * pass.
803                  */
804                 again = true;
805                 break;
806             }
807         }
808     }
809     if (coalesce) {
810             /* Unleash the coalesced unmap before finishing rpcit */
811             s390_pci_batch_unmap(iommu, iova, coalesce);
812             coalesce = 0;
813     }
814     if (again && dma_avail > 0)
815         goto retry;
816 err:
817     if (error) {
818         pbdev->state = ZPCI_FS_ERROR;
819         setcc(cpu, ZPCI_PCI_LS_ERR);
820         s390_set_status_code(env, r1, ZPCI_PCI_ST_FUNC_IN_ERR);
821         s390_pci_generate_error_event(error, pbdev->fh, pbdev->fid, start, 0);
822     } else {
823         pbdev->fmb.counter[ZPCI_FMB_CNT_RPCIT]++;
824         if (dma_avail > 0) {
825             setcc(cpu, ZPCI_PCI_LS_OK);
826         } else {
827             /* vfio DMA mappings are exhausted, trigger a RPCIT */
828             setcc(cpu, ZPCI_PCI_LS_ERR);
829             s390_set_status_code(env, r1, ZPCI_RPCIT_ST_INSUFF_RES);
830         }
831     }
832     return 0;
833 }
834 
835 int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
836                         uint8_t ar, uintptr_t ra)
837 {
838     CPUS390XState *env = &cpu->env;
839     S390PCIBusDevice *pbdev;
840     MemoryRegion *mr;
841     MemTxResult result;
842     uint64_t offset;
843     int i;
844     uint32_t fh;
845     uint8_t pcias;
846     uint16_t len;
847     uint8_t buffer[128];
848 
849     if (env->psw.mask & PSW_MASK_PSTATE) {
850         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
851         return 0;
852     }
853 
854     fh = env->regs[r1] >> 32;
855     pcias = (env->regs[r1] >> 16) & 0xf;
856     len = env->regs[r1] & 0x1fff;
857     offset = env->regs[r3];
858 
859     if (!(fh & FH_MASK_ENABLE)) {
860         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
861         return 0;
862     }
863 
864     pbdev = s390_pci_find_dev_by_fh(s390_get_phb(), fh);
865     if (!pbdev) {
866         DPRINTF("pcistb no pci dev fh 0x%x\n", fh);
867         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
868         return 0;
869     }
870 
871     switch (pbdev->state) {
872     case ZPCI_FS_PERMANENT_ERROR:
873     case ZPCI_FS_ERROR:
874         setcc(cpu, ZPCI_PCI_LS_ERR);
875         s390_set_status_code(env, r1, ZPCI_PCI_ST_BLOCKED);
876         return 0;
877     default:
878         break;
879     }
880 
881     if (pcias > ZPCI_IO_BAR_MAX) {
882         DPRINTF("pcistb invalid space\n");
883         setcc(cpu, ZPCI_PCI_LS_ERR);
884         s390_set_status_code(env, r1, ZPCI_PCI_ST_INVAL_AS);
885         return 0;
886     }
887 
888     /* Verify the address, offset and length */
889     /* offset must be a multiple of 8 */
890     if (offset % 8) {
891         goto specification_error;
892     }
893     /* Length must be greater than 8, a multiple of 8 */
894     /* and not greater than maxstbl */
895     if ((len <= 8) || (len % 8) ||
896         (len > pbdev->pci_group->zpci_group.maxstbl)) {
897         goto specification_error;
898     }
899     /* Do not cross a 4K-byte boundary */
900     if (((offset & 0xfff) + len) > 0x1000) {
901         goto specification_error;
902     }
903     /* Guest address must be double word aligned */
904     if (gaddr & 0x07UL) {
905         goto specification_error;
906     }
907 
908     mr = pbdev->pdev->io_regions[pcias].memory;
909     mr = s390_get_subregion(mr, offset, len);
910     offset -= mr->addr;
911 
912     for (i = 0; i < len; i += 8) {
913         if (!memory_region_access_valid(mr, offset + i, 8, true,
914                                         MEMTXATTRS_UNSPECIFIED)) {
915             s390_program_interrupt(env, PGM_OPERAND, ra);
916             return 0;
917         }
918     }
919 
920     if (s390_cpu_virt_mem_read(cpu, gaddr, ar, buffer, len)) {
921         s390_cpu_virt_mem_handle_exc(cpu, ra);
922         return 0;
923     }
924 
925     for (i = 0; i < len / 8; i++) {
926         result = memory_region_dispatch_write(mr, offset + i * 8,
927                                               ldq_p(buffer + i * 8),
928                                               MO_64, MEMTXATTRS_UNSPECIFIED);
929         if (result != MEMTX_OK) {
930             s390_program_interrupt(env, PGM_OPERAND, ra);
931             return 0;
932         }
933     }
934 
935     pbdev->fmb.counter[ZPCI_FMB_CNT_STB]++;
936 
937     setcc(cpu, ZPCI_PCI_LS_OK);
938     return 0;
939 
940 specification_error:
941     s390_program_interrupt(env, PGM_SPECIFICATION, ra);
942     return 0;
943 }
944 
945 static int reg_irqs(CPUS390XState *env, S390PCIBusDevice *pbdev, ZpciFib fib)
946 {
947     int ret, len;
948     uint8_t isc = FIB_DATA_ISC(ldl_p(&fib.data));
949 
950     pbdev->routes.adapter.adapter_id = css_get_adapter_id(
951                                        CSS_IO_ADAPTER_PCI, isc);
952     pbdev->summary_ind = get_indicator(ldq_p(&fib.aisb), sizeof(uint64_t));
953     len = BITS_TO_LONGS(FIB_DATA_NOI(ldl_p(&fib.data))) * sizeof(unsigned long);
954     pbdev->indicator = get_indicator(ldq_p(&fib.aibv), len);
955 
956     ret = map_indicator(&pbdev->routes.adapter, pbdev->summary_ind);
957     if (ret) {
958         goto out;
959     }
960 
961     ret = map_indicator(&pbdev->routes.adapter, pbdev->indicator);
962     if (ret) {
963         goto out;
964     }
965 
966     pbdev->routes.adapter.summary_addr = ldq_p(&fib.aisb);
967     pbdev->routes.adapter.summary_offset = FIB_DATA_AISBO(ldl_p(&fib.data));
968     pbdev->routes.adapter.ind_addr = ldq_p(&fib.aibv);
969     pbdev->routes.adapter.ind_offset = FIB_DATA_AIBVO(ldl_p(&fib.data));
970     pbdev->isc = isc;
971     pbdev->noi = FIB_DATA_NOI(ldl_p(&fib.data));
972     pbdev->sum = FIB_DATA_SUM(ldl_p(&fib.data));
973 
974     DPRINTF("reg_irqs adapter id %d\n", pbdev->routes.adapter.adapter_id);
975     return 0;
976 out:
977     release_indicator(&pbdev->routes.adapter, pbdev->summary_ind);
978     release_indicator(&pbdev->routes.adapter, pbdev->indicator);
979     pbdev->summary_ind = NULL;
980     pbdev->indicator = NULL;
981     return ret;
982 }
983 
984 int pci_dereg_irqs(S390PCIBusDevice *pbdev)
985 {
986     release_indicator(&pbdev->routes.adapter, pbdev->summary_ind);
987     release_indicator(&pbdev->routes.adapter, pbdev->indicator);
988 
989     pbdev->summary_ind = NULL;
990     pbdev->indicator = NULL;
991     pbdev->routes.adapter.summary_addr = 0;
992     pbdev->routes.adapter.summary_offset = 0;
993     pbdev->routes.adapter.ind_addr = 0;
994     pbdev->routes.adapter.ind_offset = 0;
995     pbdev->isc = 0;
996     pbdev->noi = 0;
997     pbdev->sum = 0;
998 
999     DPRINTF("dereg_irqs adapter id %d\n", pbdev->routes.adapter.adapter_id);
1000     return 0;
1001 }
1002 
1003 static int reg_ioat(CPUS390XState *env, S390PCIBusDevice *pbdev, ZpciFib fib,
1004                     uintptr_t ra)
1005 {
1006     S390PCIIOMMU *iommu = pbdev->iommu;
1007     uint64_t pba = ldq_p(&fib.pba);
1008     uint64_t pal = ldq_p(&fib.pal);
1009     uint64_t g_iota = ldq_p(&fib.iota);
1010     uint8_t dt = (g_iota >> 2) & 0x7;
1011     uint8_t t = (g_iota >> 11) & 0x1;
1012 
1013     pba &= ~0xfff;
1014     pal |= 0xfff;
1015     if (pba > pal || pba < pbdev->zpci_fn.sdma || pal > pbdev->zpci_fn.edma) {
1016         s390_program_interrupt(env, PGM_OPERAND, ra);
1017         return -EINVAL;
1018     }
1019 
1020     /* currently we only support designation type 1 with translation */
1021     if (!(dt == ZPCI_IOTA_RTTO && t)) {
1022         error_report("unsupported ioat dt %d t %d", dt, t);
1023         s390_program_interrupt(env, PGM_OPERAND, ra);
1024         return -EINVAL;
1025     }
1026 
1027     iommu->pba = pba;
1028     iommu->pal = pal;
1029     iommu->g_iota = g_iota;
1030 
1031     s390_pci_iommu_enable(iommu);
1032 
1033     return 0;
1034 }
1035 
1036 void pci_dereg_ioat(S390PCIIOMMU *iommu)
1037 {
1038     s390_pci_iommu_disable(iommu);
1039     iommu->pba = 0;
1040     iommu->pal = 0;
1041     iommu->g_iota = 0;
1042 }
1043 
1044 void fmb_timer_free(S390PCIBusDevice *pbdev)
1045 {
1046     if (pbdev->fmb_timer) {
1047         timer_free(pbdev->fmb_timer);
1048         pbdev->fmb_timer = NULL;
1049     }
1050     pbdev->fmb_addr = 0;
1051     memset(&pbdev->fmb, 0, sizeof(ZpciFmb));
1052 }
1053 
1054 static int fmb_do_update(S390PCIBusDevice *pbdev, int offset, uint64_t val,
1055                          int len)
1056 {
1057     MemTxResult ret;
1058     uint64_t dst = pbdev->fmb_addr + offset;
1059 
1060     switch (len) {
1061     case 8:
1062         address_space_stq_be(&address_space_memory, dst, val,
1063                              MEMTXATTRS_UNSPECIFIED,
1064                              &ret);
1065         break;
1066     case 4:
1067         address_space_stl_be(&address_space_memory, dst, val,
1068                              MEMTXATTRS_UNSPECIFIED,
1069                              &ret);
1070         break;
1071     case 2:
1072         address_space_stw_be(&address_space_memory, dst, val,
1073                              MEMTXATTRS_UNSPECIFIED,
1074                              &ret);
1075         break;
1076     case 1:
1077         address_space_stb(&address_space_memory, dst, val,
1078                           MEMTXATTRS_UNSPECIFIED,
1079                           &ret);
1080         break;
1081     default:
1082         ret = MEMTX_ERROR;
1083         break;
1084     }
1085     if (ret != MEMTX_OK) {
1086         s390_pci_generate_error_event(ERR_EVENT_FMBA, pbdev->fh, pbdev->fid,
1087                                       pbdev->fmb_addr, 0);
1088         fmb_timer_free(pbdev);
1089     }
1090 
1091     return ret;
1092 }
1093 
1094 static void fmb_update(void *opaque)
1095 {
1096     S390PCIBusDevice *pbdev = opaque;
1097     int64_t t = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
1098     int i;
1099 
1100     /* Update U bit */
1101     pbdev->fmb.last_update *= 2;
1102     pbdev->fmb.last_update |= UPDATE_U_BIT;
1103     if (fmb_do_update(pbdev, offsetof(ZpciFmb, last_update),
1104                       pbdev->fmb.last_update,
1105                       sizeof(pbdev->fmb.last_update))) {
1106         return;
1107     }
1108 
1109     /* Update FMB sample count */
1110     if (fmb_do_update(pbdev, offsetof(ZpciFmb, sample),
1111                       pbdev->fmb.sample++,
1112                       sizeof(pbdev->fmb.sample))) {
1113         return;
1114     }
1115 
1116     /* Update FMB counters */
1117     for (i = 0; i < ZPCI_FMB_CNT_MAX; i++) {
1118         if (fmb_do_update(pbdev, offsetof(ZpciFmb, counter[i]),
1119                           pbdev->fmb.counter[i],
1120                           sizeof(pbdev->fmb.counter[0]))) {
1121             return;
1122         }
1123     }
1124 
1125     /* Clear U bit and update the time */
1126     pbdev->fmb.last_update = time2tod(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
1127     pbdev->fmb.last_update *= 2;
1128     if (fmb_do_update(pbdev, offsetof(ZpciFmb, last_update),
1129                       pbdev->fmb.last_update,
1130                       sizeof(pbdev->fmb.last_update))) {
1131         return;
1132     }
1133     timer_mod(pbdev->fmb_timer, t + pbdev->pci_group->zpci_group.mui);
1134 }
1135 
1136 static int mpcifc_reg_int_interp(S390PCIBusDevice *pbdev, ZpciFib *fib)
1137 {
1138     int rc;
1139 
1140     rc = s390_pci_kvm_aif_enable(pbdev, fib, pbdev->forwarding_assist);
1141     if (rc) {
1142         DPRINTF("Failed to enable interrupt forwarding\n");
1143         return rc;
1144     }
1145 
1146     return 0;
1147 }
1148 
1149 static int mpcifc_dereg_int_interp(S390PCIBusDevice *pbdev, ZpciFib *fib)
1150 {
1151     int rc;
1152 
1153     rc = s390_pci_kvm_aif_disable(pbdev);
1154     if (rc) {
1155         DPRINTF("Failed to disable interrupt forwarding\n");
1156         return rc;
1157     }
1158 
1159     return 0;
1160 }
1161 
1162 int mpcifc_service_call(S390CPU *cpu, uint8_t r1, uint64_t fiba, uint8_t ar,
1163                         uintptr_t ra)
1164 {
1165     CPUS390XState *env = &cpu->env;
1166     uint8_t oc, dmaas;
1167     uint32_t fh;
1168     ZpciFib fib;
1169     S390PCIBusDevice *pbdev;
1170     uint64_t cc = ZPCI_PCI_LS_OK;
1171 
1172     if (env->psw.mask & PSW_MASK_PSTATE) {
1173         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
1174         return 0;
1175     }
1176 
1177     oc = env->regs[r1] & 0xff;
1178     dmaas = (env->regs[r1] >> 16) & 0xff;
1179     fh = env->regs[r1] >> 32;
1180 
1181     if (fiba & 0x7) {
1182         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
1183         return 0;
1184     }
1185 
1186     pbdev = s390_pci_find_dev_by_fh(s390_get_phb(), fh);
1187     if (!pbdev) {
1188         DPRINTF("mpcifc no pci dev fh 0x%x\n", fh);
1189         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
1190         return 0;
1191     }
1192 
1193     switch (pbdev->state) {
1194     case ZPCI_FS_RESERVED:
1195     case ZPCI_FS_STANDBY:
1196     case ZPCI_FS_DISABLED:
1197     case ZPCI_FS_PERMANENT_ERROR:
1198         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
1199         return 0;
1200     default:
1201         break;
1202     }
1203 
1204     if (s390_cpu_virt_mem_read(cpu, fiba, ar, (uint8_t *)&fib, sizeof(fib))) {
1205         s390_cpu_virt_mem_handle_exc(cpu, ra);
1206         return 0;
1207     }
1208 
1209     if (fib.fmt != 0) {
1210         s390_program_interrupt(env, PGM_OPERAND, ra);
1211         return 0;
1212     }
1213 
1214     switch (oc) {
1215     case ZPCI_MOD_FC_REG_INT:
1216         if (pbdev->interp) {
1217             if (mpcifc_reg_int_interp(pbdev, &fib)) {
1218                 cc = ZPCI_PCI_LS_ERR;
1219                 s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1220             }
1221         } else if (pbdev->summary_ind) {
1222             cc = ZPCI_PCI_LS_ERR;
1223             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1224         } else if (reg_irqs(env, pbdev, fib)) {
1225             cc = ZPCI_PCI_LS_ERR;
1226             s390_set_status_code(env, r1, ZPCI_MOD_ST_RES_NOT_AVAIL);
1227         }
1228         break;
1229     case ZPCI_MOD_FC_DEREG_INT:
1230         if (pbdev->interp) {
1231             if (mpcifc_dereg_int_interp(pbdev, &fib)) {
1232                 cc = ZPCI_PCI_LS_ERR;
1233                 s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1234             }
1235         } else if (!pbdev->summary_ind) {
1236             cc = ZPCI_PCI_LS_ERR;
1237             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1238         } else {
1239             pci_dereg_irqs(pbdev);
1240         }
1241         break;
1242     case ZPCI_MOD_FC_REG_IOAT:
1243         if (dmaas != 0) {
1244             cc = ZPCI_PCI_LS_ERR;
1245             s390_set_status_code(env, r1, ZPCI_MOD_ST_DMAAS_INVAL);
1246         } else if (pbdev->iommu->enabled) {
1247             cc = ZPCI_PCI_LS_ERR;
1248             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1249         } else if (reg_ioat(env, pbdev, fib, ra)) {
1250             cc = ZPCI_PCI_LS_ERR;
1251             s390_set_status_code(env, r1, ZPCI_MOD_ST_INSUF_RES);
1252         }
1253         break;
1254     case ZPCI_MOD_FC_DEREG_IOAT:
1255         if (dmaas != 0) {
1256             cc = ZPCI_PCI_LS_ERR;
1257             s390_set_status_code(env, r1, ZPCI_MOD_ST_DMAAS_INVAL);
1258         } else if (!pbdev->iommu->enabled) {
1259             cc = ZPCI_PCI_LS_ERR;
1260             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1261         } else {
1262             pci_dereg_ioat(pbdev->iommu);
1263         }
1264         break;
1265     case ZPCI_MOD_FC_REREG_IOAT:
1266         if (dmaas != 0) {
1267             cc = ZPCI_PCI_LS_ERR;
1268             s390_set_status_code(env, r1, ZPCI_MOD_ST_DMAAS_INVAL);
1269         } else if (!pbdev->iommu->enabled) {
1270             cc = ZPCI_PCI_LS_ERR;
1271             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1272         } else {
1273             pci_dereg_ioat(pbdev->iommu);
1274             if (reg_ioat(env, pbdev, fib, ra)) {
1275                 cc = ZPCI_PCI_LS_ERR;
1276                 s390_set_status_code(env, r1, ZPCI_MOD_ST_INSUF_RES);
1277             }
1278         }
1279         break;
1280     case ZPCI_MOD_FC_RESET_ERROR:
1281         switch (pbdev->state) {
1282         case ZPCI_FS_BLOCKED:
1283         case ZPCI_FS_ERROR:
1284             pbdev->state = ZPCI_FS_ENABLED;
1285             break;
1286         default:
1287             cc = ZPCI_PCI_LS_ERR;
1288             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1289         }
1290         break;
1291     case ZPCI_MOD_FC_RESET_BLOCK:
1292         switch (pbdev->state) {
1293         case ZPCI_FS_ERROR:
1294             pbdev->state = ZPCI_FS_BLOCKED;
1295             break;
1296         default:
1297             cc = ZPCI_PCI_LS_ERR;
1298             s390_set_status_code(env, r1, ZPCI_MOD_ST_SEQUENCE);
1299         }
1300         break;
1301     case ZPCI_MOD_FC_SET_MEASURE: {
1302         uint64_t fmb_addr = ldq_p(&fib.fmb_addr);
1303 
1304         if (fmb_addr & FMBK_MASK) {
1305             cc = ZPCI_PCI_LS_ERR;
1306             s390_pci_generate_error_event(ERR_EVENT_FMBPRO, pbdev->fh,
1307                                           pbdev->fid, fmb_addr, 0);
1308             fmb_timer_free(pbdev);
1309             break;
1310         }
1311 
1312         if (!fmb_addr) {
1313             /* Stop updating FMB. */
1314             fmb_timer_free(pbdev);
1315             break;
1316         }
1317 
1318         if (!pbdev->fmb_timer) {
1319             pbdev->fmb_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL,
1320                                             fmb_update, pbdev);
1321         } else if (timer_pending(pbdev->fmb_timer)) {
1322             /* Remove pending timer to update FMB address. */
1323             timer_del(pbdev->fmb_timer);
1324         }
1325         pbdev->fmb_addr = fmb_addr;
1326         timer_mod(pbdev->fmb_timer,
1327                   qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +
1328                                     pbdev->pci_group->zpci_group.mui);
1329         break;
1330     }
1331     default:
1332         s390_program_interrupt(&cpu->env, PGM_OPERAND, ra);
1333         cc = ZPCI_PCI_LS_ERR;
1334     }
1335 
1336     setcc(cpu, cc);
1337     return 0;
1338 }
1339 
1340 int stpcifc_service_call(S390CPU *cpu, uint8_t r1, uint64_t fiba, uint8_t ar,
1341                          uintptr_t ra)
1342 {
1343     CPUS390XState *env = &cpu->env;
1344     uint8_t dmaas;
1345     uint32_t fh;
1346     ZpciFib fib;
1347     S390PCIBusDevice *pbdev;
1348     uint32_t data;
1349     uint64_t cc = ZPCI_PCI_LS_OK;
1350 
1351     if (env->psw.mask & PSW_MASK_PSTATE) {
1352         s390_program_interrupt(env, PGM_PRIVILEGED, ra);
1353         return 0;
1354     }
1355 
1356     fh = env->regs[r1] >> 32;
1357     dmaas = (env->regs[r1] >> 16) & 0xff;
1358 
1359     if (dmaas) {
1360         setcc(cpu, ZPCI_PCI_LS_ERR);
1361         s390_set_status_code(env, r1, ZPCI_STPCIFC_ST_INVAL_DMAAS);
1362         return 0;
1363     }
1364 
1365     if (fiba & 0x7) {
1366         s390_program_interrupt(env, PGM_SPECIFICATION, ra);
1367         return 0;
1368     }
1369 
1370     pbdev = s390_pci_find_dev_by_idx(s390_get_phb(), fh & FH_MASK_INDEX);
1371     if (!pbdev) {
1372         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
1373         return 0;
1374     }
1375 
1376     memset(&fib, 0, sizeof(fib));
1377 
1378     switch (pbdev->state) {
1379     case ZPCI_FS_RESERVED:
1380     case ZPCI_FS_STANDBY:
1381         setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
1382         return 0;
1383     case ZPCI_FS_DISABLED:
1384         if (fh & FH_MASK_ENABLE) {
1385             setcc(cpu, ZPCI_PCI_LS_INVAL_HANDLE);
1386             return 0;
1387         }
1388         goto out;
1389     /* BLOCKED bit is set to one coincident with the setting of ERROR bit.
1390      * FH Enabled bit is set to one in states of ENABLED, BLOCKED or ERROR. */
1391     case ZPCI_FS_ERROR:
1392         fib.fc |= 0x20;
1393         /* fallthrough */
1394     case ZPCI_FS_BLOCKED:
1395         fib.fc |= 0x40;
1396         /* fallthrough */
1397     case ZPCI_FS_ENABLED:
1398         fib.fc |= 0x80;
1399         if (pbdev->iommu->enabled) {
1400             fib.fc |= 0x10;
1401         }
1402         if (!(fh & FH_MASK_ENABLE)) {
1403             env->regs[r1] |= 1ULL << 63;
1404         }
1405         break;
1406     case ZPCI_FS_PERMANENT_ERROR:
1407         setcc(cpu, ZPCI_PCI_LS_ERR);
1408         s390_set_status_code(env, r1, ZPCI_STPCIFC_ST_PERM_ERROR);
1409         return 0;
1410     }
1411 
1412     stq_p(&fib.pba, pbdev->iommu->pba);
1413     stq_p(&fib.pal, pbdev->iommu->pal);
1414     stq_p(&fib.iota, pbdev->iommu->g_iota);
1415     stq_p(&fib.aibv, pbdev->routes.adapter.ind_addr);
1416     stq_p(&fib.aisb, pbdev->routes.adapter.summary_addr);
1417     stq_p(&fib.fmb_addr, pbdev->fmb_addr);
1418 
1419     data = ((uint32_t)pbdev->isc << 28) | ((uint32_t)pbdev->noi << 16) |
1420            ((uint32_t)pbdev->routes.adapter.ind_offset << 8) |
1421            ((uint32_t)pbdev->sum << 7) | pbdev->routes.adapter.summary_offset;
1422     stl_p(&fib.data, data);
1423 
1424 out:
1425     if (s390_cpu_virt_mem_write(cpu, fiba, ar, (uint8_t *)&fib, sizeof(fib))) {
1426         s390_cpu_virt_mem_handle_exc(cpu, ra);
1427         return 0;
1428     }
1429 
1430     setcc(cpu, cc);
1431     return 0;
1432 }
1433