pkg/xen-tools: refactor iGPU QEMU patch for q35 passthrough

Rework vfio_probe_igd_bar4_quirk() for correct iGPU passthrough on q35:
- Move Intel VGA check to function top; exit early if not iGPU
- Accept any gen >= 0 (Sandy Bridge through future devices); the old
  gen != 6 && gen != 8 check incorrectly blocked gen 9-12 devices
- Read GMCH and emulate it unconditionally before the BDF/LPC checks,
  so UPT-mode guests on q35 also see a clean value
- Write etc/igd-bdsm-size to fw_cfg before the BDF/LPC checks so OVMF's
  IgdAssignmentDxe can allocate guest stolen memory on q35 (the "Sorry
  Q35" path never reaches the old write location in legacy mode)
- Emulate BDSM (PCI config 0x5C) to 0 before the BDF/LPC checks so
  IgdAssignmentDxe's idempotency guard (skip if BDSM != 0) is not
  falsely triggered by the host physical address
- Remove duplicate fw_cfg, GMCH, and BDSM writes from the legacy path
  to prevent a QEMU crash from a duplicate fw_cfg key on i440fx

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Co-Authored-By: sesantos <sergioliveirasantos@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

pkg/xen-tools/patches-4.19.0/x86_64/08-Revert__Revert__vfio_pci-quirks_c__Disable_stolen_memory_for_igd_VFIO__.patch

@@ -1,23 +1,26 @@
-From 9eb4883e57224db64588d724d5764cdccb164c7d Mon Sep 17 00:00:00 2001
-From: Petr Fedchenkov <giggsoff@gmail.com>
-Date: Mon, 11 Oct 2021 17:30:15 +0300
-Subject: [PATCH] Revert "Revert "vfio/pci-quirks.c: Disable stolen memory for
- igd VFIO"" and adopts it to the new qemu with moved vfio_probe_igd_bar4_quirk
- into igd.c.
+From 22e1ac33571bbb70740bb181e4729018b6402442 Mon Sep 17 00:00:00 2001
+From: Mikhail Malyshev <mike.malyshev@gmail.com>
+Date: Fri, 27 Mar 2026 23:26:25 +0000
+Subject: [PATCH 1/2] vfio/igd: q35 iGPU passthrough support
+ (GMCH/BDSM/bdsm-size)
 
-This reverts commit 93587e3af3a259deac89c12863d93653d69d22b8.
 ---
- tools/qemu-xen/hw/vfio/igd.c | 64 ++++++++++++++++++++++++++++++---------------------
- 1 file changed, 38 insertions(+), 26 deletions(-)
+ hw/vfio/igd.c | 133 ++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 91 insertions(+), 42 deletions(-)
 
 diff --git a/tools/qemu-xen/hw/vfio/igd.c b/tools/qemu-xen/hw/vfio/igd.c
-index 64e332746b..573cd53803 100644
+index d320d032a7..cb37f8ce08 100644
 --- a/tools/qemu-xen/hw/vfio/igd.c
 +++ b/tools/qemu-xen/hw/vfio/igd.c
-@@ -377,14 +377,45 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -375,19 +375,98 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+     VFIOIGDQuirk *igd;
+     PCIDevice *lpc_bridge;
+     int i, ret, ggms_mb, gms_mb = 0, gen;
+-    uint64_t *bdsm_size;
+     uint32_t gmch;
      uint16_t cmd_orig, cmd;
      Error *err = NULL;
-
+ 
 +    /* This must be an Intel VGA device. */
 +    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
 +        !vfio_is_vga(vdev) || nr != 4 ) {
@@ -29,16 +32,16 @@ index 64e332746b..573cd53803 100644
 -     * consider enabling legacy mode.  The vBIOS has dependencies on the
 -     * PCI bus address.
 +     * IGD is not a standard, they like to change their specs often.  We
-+     * only attempt to support back to SandBridge and we hope that newer
-+     * devices maintain compatibility with generation 8.
++     * support Sandy Bridge (gen 6) through Raptor Lake (gen 12) and assume
++     * future devices maintain compatibility with the gen 8 GMCH layout.
       */
 -    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
 -        !vfio_is_vga(vdev) || nr != 4 ||
 -        &vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
 +    gen = igd_gen(vdev);
-+    if (gen != 6 && gen != 8) {
-+        error_report("IGD device %s is unsupported by IGD quirks, "
-+                     "try SandyBridge or newer", vdev->vbasedev.name);
++    if (gen < 0) {
++        error_report("IGD device %s has unknown generation, skipping IGD quirks",
++                     vdev->vbasedev.name);
 +        return;
 +    }
 +
@@ -51,6 +54,40 @@ index 64e332746b..573cd53803 100644
 +     * this below.
 +     */
 +    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
++
++    /*
++     * Write the GMS-based stolen memory size to fw_cfg so that OVMF's
++     * IgdAssignmentDxe can allocate guest stolen memory and set BDSM
++     * (PCI config 0x5C).  We do this before the BDF and LPC bridge checks
++     * so the entry is available on q35 where the legacy-mode path never
++     * runs ("Sorry Q35").
++     *
++     * GMS codes 1-16 map to 32-512 MB (code * 32 MB).
++     */
++    {
++        uint32_t gms = (gmch >> (gen < 8 ? 3 : 8)) & (gen < 8 ? 0x1f : 0xff);
++        uint64_t bdsm_bytes = (uint64_t)gms * 32 * MiB;
++        error_report("IGD bdsm-size: device %04x gen=%d gmch=0x%08x "
++                     "gms=%u bdsm_bytes=%" PRIu64,
++                     vdev->device_id, gen, gmch, gms, bdsm_bytes);
++        if (gms) {
++            FWCfgState *fw_cfg = fw_cfg_find();
++            if (fw_cfg) {
++                uint64_t *bdsm_size = g_malloc(sizeof(*bdsm_size));
++                *bdsm_size = cpu_to_le64(bdsm_bytes);
++                fw_cfg_add_file(fw_cfg, "etc/igd-bdsm-size",
++                                bdsm_size, sizeof(*bdsm_size));
++                error_report("IGD bdsm-size: wrote etc/igd-bdsm-size = %"
++                             PRIu64 " bytes to fw_cfg", bdsm_bytes);
++            } else {
++                error_report("IGD bdsm-size: fw_cfg not found, skipping");
++            }
++        } else {
++            error_report("IGD bdsm-size: gms=0, no stolen memory "
++                         "reported by host GMCH");
++        }
++    }
++
 +    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
 +
 +    /* GMCH is read-only, emulated */
@@ -59,17 +96,32 @@ index 64e332746b..573cd53803 100644
 +    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
 +
 +    /*
++     * BDSM is read-write, emulated.  Initialize to 0 here (before the BDF
++     * and LPC bridge checks) so that:
++     *   1. On q35 ("Sorry Q35"), where the legacy path never runs, OVMF's
++     *      IgdAssignmentDxe sees BDSM=0 and proceeds to allocate guest
++     *      stolen memory, writing the guest PA back here.
++     *   2. The guest driver reads the guest PA written by OVMF, not the
++     *      host PA (which would cause DMA into the wrong guest memory).
++     *   3. IgdAssignmentDxe's idempotency check ("if BDSM != 0, skip")
++     *      is not falsely triggered by the host's physical address.
++     */
++    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
++    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
++    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
++
++    /*
 +     * This must be at address 00:02.0 for us to even onsider enabling
 +     * legacy mode.  The vBIOS has dependencies on the PCI bus address.
 +     */
 +    if (&vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
                                         0, PCI_DEVFN(0x2, 0))) {
          return;
      }
-@@ -403,18 +434,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -406,18 +485,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
          return;
      }
-
+ 
 -    /*
 -     * IGD is not a standard, they like to change their specs often.  We
 -     * only attempt to support back to SandBridge and we hope that newer
@@ -85,21 +137,21 @@ index 64e332746b..573cd53803 100644
      /*
       * Most of what we're doing here is to enable the ROM to run, so if
       * there's no ROM, there's no point in setting up this quirk.
-@@ -470,8 +489,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
-         goto out;
+@@ -473,8 +540,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+         return;
      }
-
+ 
 -    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
 -
      /*
       * If IGD VGA Disable is clear (expected) and VGA is not already enabled,
       * try to enable it.  Probably shouldn't be using legacy mode without VGA,
-@@ -540,12 +557,12 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -542,12 +607,12 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
       * when IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
       * so let's not waste VM memory for it.
       */
 -    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
-
+ 
      if (vdev->igd_gms) {
          if (vdev->igd_gms <= 0x10) {
              gms_mb = vdev->igd_gms * 32;
@@ -108,17 +160,77 @@ index 64e332746b..573cd53803 100644
          } else {
              error_report("Unsupported IGD GMS value 0x%x", vdev->igd_gms);
              vdev->igd_gms = 0;
-@@ -565,11 +582,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
-     fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
-                     bdsm_size, sizeof(*bdsm_size));
-
+@@ -555,27 +620,11 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+     }
+ 
+     /*
+-     * Request reserved memory for stolen memory via fw_cfg.  VM firmware
+-     * must allocate a 1MB aligned reserved memory region below 4GB with
+-     * the requested size (in bytes) for use by the Intel PCI class VGA
+-     * device at VM address 00:02.0.  The base address of this reserved
+-     * memory region must be written to the device BDSM register at PCI
+-     * config offset 0x5C.
++     * etc/igd-bdsm-size is written before the BDF check (above) so that it
++     * is available on q35 machines where the legacy path never runs.
++     * Do not write it again here to avoid a duplicate fw_cfg key.
++     * BDSM emulation is also set up before the BDF check.
+      */
+-    bdsm_size = g_malloc(sizeof(*bdsm_size));
+-    *bdsm_size = cpu_to_le64((ggms_mb + gms_mb) * MiB);
+-    fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
+-                    bdsm_size, sizeof(*bdsm_size));
+-
 -    /* GMCH is read-only, emulated */
 -    pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
 -    pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
 -    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
 -
-     /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
-     pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
-     pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
---
-2.30.2
+-    /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
+-    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
+-    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
+-    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
+ 
+     /*
+      * This IOBAR gives us access to GTTADR, which allows us to write to
+-- 
+2.43.0
+
+
+From 77fe327406163bd4acfb1fccb1fc37d17b458ef3 Mon Sep 17 00:00:00 2001
+From: Mikhail Malyshev <mike.malyshev@gmail.com>
+Date: Sat, 28 Mar 2026 00:25:44 +0000
+Subject: [PATCH 2/2] vfio/igd: fix GMS stolen memory size for gen9+ 0xf0-0xff
+ codes
+
+---
+ hw/vfio/igd.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/vfio/igd.c b/tools/qemu-xen/hw/vfio/igd.c
+index cb37f8ce08..921cddfa16 100644
+--- a/tools/qemu-xen/hw/vfio/igd.c
++++ b/tools/qemu-xen/hw/vfio/igd.c
+@@ -414,11 +414,18 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+      * so the entry is available on q35 where the legacy-mode path never
+      * runs ("Sorry Q35").
+      *
+-     * GMS codes 1-16 map to 32-512 MB (code * 32 MB).
++     * GMS encoding (gen >= 9): codes 0x01-0xef map to N*32 MB; codes
++     * 0xf0-0xff map to (N-0xf0+1)*4 MB (4 MB granularity, Atom SKUs).
++     * For gen < 9 the field is at most 5 bits so only 0x01-0x10 are valid.
+      */
+     {
+         uint32_t gms = (gmch >> (gen < 8 ? 3 : 8)) & (gen < 8 ? 0x1f : 0xff);
+-        uint64_t bdsm_bytes = (uint64_t)gms * 32 * MiB;
++        uint64_t bdsm_bytes;
++        if (gen < 9 || gms < 0xf0) {
++            bdsm_bytes = (uint64_t)gms * 32 * MiB;
++        } else {
++            bdsm_bytes = (uint64_t)(gms - 0xf0 + 1) * 4 * MiB;
++        }
+         error_report("IGD bdsm-size: device %04x gen=%d gmch=0x%08x "
+                      "gms=%u bdsm_bytes=%" PRIu64,
+                      vdev->device_id, gen, gmch, gms, bdsm_bytes);
+-- 
+2.43.0
+