1 /* 2 * Copyright (C) 2014-2016 Broadcom Corporation 3 * Copyright (c) 2017 Red Hat, Inc. 4 * Written by Prem Mallappa, Eric Auger 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 2 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License along 16 * with this program; if not, see <http://www.gnu.org/licenses/>. 17 */ 18 19 #include "qemu/osdep.h" 20 #include "qemu/bitops.h" 21 #include "hw/irq.h" 22 #include "hw/sysbus.h" 23 #include "migration/vmstate.h" 24 #include "hw/qdev-properties.h" 25 #include "hw/qdev-core.h" 26 #include "hw/pci/pci.h" 27 #include "cpu.h" 28 #include "trace.h" 29 #include "qemu/log.h" 30 #include "qemu/error-report.h" 31 #include "qapi/error.h" 32 33 #include "hw/arm/smmuv3.h" 34 #include "smmuv3-internal.h" 35 #include "smmu-internal.h" 36 37 #define PTW_RECORD_FAULT(ptw_info, cfg) (((ptw_info).stage == SMMU_STAGE_1 && \ 38 (cfg)->record_faults) || \ 39 ((ptw_info).stage == SMMU_STAGE_2 && \ 40 (cfg)->s2cfg.record_faults)) 41 42 /** 43 * smmuv3_trigger_irq - pulse @irq if enabled and update 44 * GERROR register in case of GERROR interrupt 45 * 46 * @irq: irq type 47 * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR) 48 */ 49 static void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, 50 uint32_t gerror_mask) 51 { 52 53 bool pulse = false; 54 55 switch (irq) { 56 case SMMU_IRQ_EVTQ: 57 pulse = smmuv3_eventq_irq_enabled(s); 58 break; 59 case SMMU_IRQ_PRIQ: 60 qemu_log_mask(LOG_UNIMP, "PRI not yet supported\n"); 61 break; 62 case SMMU_IRQ_CMD_SYNC: 63 pulse = true; 64 break; 65 case SMMU_IRQ_GERROR: 66 { 67 uint32_t pending = s->gerror ^ s->gerrorn; 68 uint32_t new_gerrors = ~pending & gerror_mask; 69 70 if (!new_gerrors) { 71 /* only toggle non pending errors */ 72 return; 73 } 74 s->gerror ^= new_gerrors; 75 trace_smmuv3_write_gerror(new_gerrors, s->gerror); 76 77 pulse = smmuv3_gerror_irq_enabled(s); 78 break; 79 } 80 } 81 if (pulse) { 82 trace_smmuv3_trigger_irq(irq); 83 qemu_irq_pulse(s->irq[irq]); 84 } 85 } 86 87 static void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn) 88 { 89 uint32_t pending = s->gerror ^ s->gerrorn; 90 uint32_t toggled = s->gerrorn ^ new_gerrorn; 91 92 if (toggled & ~pending) { 93 qemu_log_mask(LOG_GUEST_ERROR, 94 "guest toggles non pending errors = 0x%x\n", 95 toggled & ~pending); 96 } 97 98 /* 99 * We do not raise any error in case guest toggles bits corresponding 100 * to not active IRQs (CONSTRAINED UNPREDICTABLE) 101 */ 102 s->gerrorn = new_gerrorn; 103 104 trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn); 105 } 106 107 static inline MemTxResult queue_read(SMMUQueue *q, Cmd *cmd) 108 { 109 dma_addr_t addr = Q_CONS_ENTRY(q); 110 MemTxResult ret; 111 int i; 112 113 ret = dma_memory_read(&address_space_memory, addr, cmd, sizeof(Cmd), 114 MEMTXATTRS_UNSPECIFIED); 115 if (ret != MEMTX_OK) { 116 return ret; 117 } 118 for (i = 0; i < ARRAY_SIZE(cmd->word); i++) { 119 le32_to_cpus(&cmd->word[i]); 120 } 121 return ret; 122 } 123 124 static MemTxResult queue_write(SMMUQueue *q, Evt *evt_in) 125 { 126 dma_addr_t addr = Q_PROD_ENTRY(q); 127 MemTxResult ret; 128 Evt evt = *evt_in; 129 int i; 130 131 for (i = 0; i < ARRAY_SIZE(evt.word); i++) { 132 cpu_to_le32s(&evt.word[i]); 133 } 134 ret = dma_memory_write(&address_space_memory, addr, &evt, sizeof(Evt), 135 MEMTXATTRS_UNSPECIFIED); 136 if (ret != MEMTX_OK) { 137 return ret; 138 } 139 140 queue_prod_incr(q); 141 return MEMTX_OK; 142 } 143 144 static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt) 145 { 146 SMMUQueue *q = &s->eventq; 147 MemTxResult r; 148 149 if (!smmuv3_eventq_enabled(s)) { 150 return MEMTX_ERROR; 151 } 152 153 if (smmuv3_q_full(q)) { 154 return MEMTX_ERROR; 155 } 156 157 r = queue_write(q, evt); 158 if (r != MEMTX_OK) { 159 return r; 160 } 161 162 if (!smmuv3_q_empty(q)) { 163 smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0); 164 } 165 return MEMTX_OK; 166 } 167 168 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info) 169 { 170 Evt evt = {}; 171 MemTxResult r; 172 173 if (!smmuv3_eventq_enabled(s)) { 174 return; 175 } 176 177 EVT_SET_TYPE(&evt, info->type); 178 EVT_SET_SID(&evt, info->sid); 179 180 switch (info->type) { 181 case SMMU_EVT_NONE: 182 return; 183 case SMMU_EVT_F_UUT: 184 EVT_SET_SSID(&evt, info->u.f_uut.ssid); 185 EVT_SET_SSV(&evt, info->u.f_uut.ssv); 186 EVT_SET_ADDR(&evt, info->u.f_uut.addr); 187 EVT_SET_RNW(&evt, info->u.f_uut.rnw); 188 EVT_SET_PNU(&evt, info->u.f_uut.pnu); 189 EVT_SET_IND(&evt, info->u.f_uut.ind); 190 break; 191 case SMMU_EVT_C_BAD_STREAMID: 192 EVT_SET_SSID(&evt, info->u.c_bad_streamid.ssid); 193 EVT_SET_SSV(&evt, info->u.c_bad_streamid.ssv); 194 break; 195 case SMMU_EVT_F_STE_FETCH: 196 EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid); 197 EVT_SET_SSV(&evt, info->u.f_ste_fetch.ssv); 198 EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr); 199 break; 200 case SMMU_EVT_C_BAD_STE: 201 EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid); 202 EVT_SET_SSV(&evt, info->u.c_bad_ste.ssv); 203 break; 204 case SMMU_EVT_F_STREAM_DISABLED: 205 break; 206 case SMMU_EVT_F_TRANS_FORBIDDEN: 207 EVT_SET_ADDR(&evt, info->u.f_transl_forbidden.addr); 208 EVT_SET_RNW(&evt, info->u.f_transl_forbidden.rnw); 209 break; 210 case SMMU_EVT_C_BAD_SUBSTREAMID: 211 EVT_SET_SSID(&evt, info->u.c_bad_substream.ssid); 212 break; 213 case SMMU_EVT_F_CD_FETCH: 214 EVT_SET_SSID(&evt, info->u.f_cd_fetch.ssid); 215 EVT_SET_SSV(&evt, info->u.f_cd_fetch.ssv); 216 EVT_SET_ADDR(&evt, info->u.f_cd_fetch.addr); 217 break; 218 case SMMU_EVT_C_BAD_CD: 219 EVT_SET_SSID(&evt, info->u.c_bad_cd.ssid); 220 EVT_SET_SSV(&evt, info->u.c_bad_cd.ssv); 221 break; 222 case SMMU_EVT_F_WALK_EABT: 223 case SMMU_EVT_F_TRANSLATION: 224 case SMMU_EVT_F_ADDR_SIZE: 225 case SMMU_EVT_F_ACCESS: 226 case SMMU_EVT_F_PERMISSION: 227 EVT_SET_STALL(&evt, info->u.f_walk_eabt.stall); 228 EVT_SET_STAG(&evt, info->u.f_walk_eabt.stag); 229 EVT_SET_SSID(&evt, info->u.f_walk_eabt.ssid); 230 EVT_SET_SSV(&evt, info->u.f_walk_eabt.ssv); 231 EVT_SET_S2(&evt, info->u.f_walk_eabt.s2); 232 EVT_SET_ADDR(&evt, info->u.f_walk_eabt.addr); 233 EVT_SET_RNW(&evt, info->u.f_walk_eabt.rnw); 234 EVT_SET_PNU(&evt, info->u.f_walk_eabt.pnu); 235 EVT_SET_IND(&evt, info->u.f_walk_eabt.ind); 236 EVT_SET_CLASS(&evt, info->u.f_walk_eabt.class); 237 EVT_SET_ADDR2(&evt, info->u.f_walk_eabt.addr2); 238 break; 239 case SMMU_EVT_F_CFG_CONFLICT: 240 EVT_SET_SSID(&evt, info->u.f_cfg_conflict.ssid); 241 EVT_SET_SSV(&evt, info->u.f_cfg_conflict.ssv); 242 break; 243 /* rest is not implemented */ 244 case SMMU_EVT_F_BAD_ATS_TREQ: 245 case SMMU_EVT_F_TLB_CONFLICT: 246 case SMMU_EVT_E_PAGE_REQ: 247 default: 248 g_assert_not_reached(); 249 } 250 251 trace_smmuv3_record_event(smmu_event_string(info->type), info->sid); 252 r = smmuv3_write_eventq(s, &evt); 253 if (r != MEMTX_OK) { 254 smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_EVENTQ_ABT_ERR_MASK); 255 } 256 info->recorded = true; 257 } 258 259 static void smmuv3_init_regs(SMMUv3State *s) 260 { 261 /* Based on sys property, the stages supported in smmu will be advertised.*/ 262 if (s->stage && !strcmp("2", s->stage)) { 263 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1); 264 } else if (s->stage && !strcmp("nested", s->stage)) { 265 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); 266 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1); 267 } else { 268 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); 269 } 270 271 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTF, 2); /* AArch64 PTW only */ 272 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, COHACC, 1); /* IO coherent */ 273 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, ASID16, 1); /* 16-bit ASID */ 274 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, VMID16, 1); /* 16-bit VMID */ 275 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTENDIAN, 2); /* little endian */ 276 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STALL_MODEL, 1); /* No stall */ 277 /* terminated transaction will always be aborted/error returned */ 278 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TERM_MODEL, 1); 279 /* 2-level stream table supported */ 280 s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STLEVEL, 1); 281 282 s->idr[1] = FIELD_DP32(s->idr[1], IDR1, SIDSIZE, SMMU_IDR1_SIDSIZE); 283 s->idr[1] = FIELD_DP32(s->idr[1], IDR1, EVENTQS, SMMU_EVENTQS); 284 s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS, SMMU_CMDQS); 285 286 s->idr[3] = FIELD_DP32(s->idr[3], IDR3, HAD, 1); 287 if (FIELD_EX32(s->idr[0], IDR0, S2P)) { 288 /* XNX is a stage-2-specific feature */ 289 s->idr[3] = FIELD_DP32(s->idr[3], IDR3, XNX, 1); 290 } 291 s->idr[3] = FIELD_DP32(s->idr[3], IDR3, RIL, 1); 292 s->idr[3] = FIELD_DP32(s->idr[3], IDR3, BBML, 2); 293 294 s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 bits */ 295 /* 4K, 16K and 64K granule support */ 296 s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1); 297 s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN16K, 1); 298 s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1); 299 300 s->cmdq.base = deposit64(s->cmdq.base, 0, 5, SMMU_CMDQS); 301 s->cmdq.prod = 0; 302 s->cmdq.cons = 0; 303 s->cmdq.entry_size = sizeof(struct Cmd); 304 s->eventq.base = deposit64(s->eventq.base, 0, 5, SMMU_EVENTQS); 305 s->eventq.prod = 0; 306 s->eventq.cons = 0; 307 s->eventq.entry_size = sizeof(struct Evt); 308 309 s->features = 0; 310 s->sid_split = 0; 311 s->aidr = 0x1; 312 s->cr[0] = 0; 313 s->cr0ack = 0; 314 s->irq_ctrl = 0; 315 s->gerror = 0; 316 s->gerrorn = 0; 317 s->statusr = 0; 318 s->gbpa = SMMU_GBPA_RESET_VAL; 319 } 320 321 static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf, 322 SMMUEventInfo *event) 323 { 324 int ret, i; 325 326 trace_smmuv3_get_ste(addr); 327 /* TODO: guarantee 64-bit single-copy atomicity */ 328 ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), 329 MEMTXATTRS_UNSPECIFIED); 330 if (ret != MEMTX_OK) { 331 qemu_log_mask(LOG_GUEST_ERROR, 332 "Cannot fetch pte at address=0x%"PRIx64"\n", addr); 333 event->type = SMMU_EVT_F_STE_FETCH; 334 event->u.f_ste_fetch.addr = addr; 335 return -EINVAL; 336 } 337 for (i = 0; i < ARRAY_SIZE(buf->word); i++) { 338 le32_to_cpus(&buf->word[i]); 339 } 340 return 0; 341 342 } 343 344 static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr, 345 SMMUTransCfg *cfg, 346 SMMUEventInfo *event, 347 IOMMUAccessFlags flag, 348 SMMUTLBEntry **out_entry, 349 SMMUTranslationClass class); 350 /* @ssid > 0 not supported yet */ 351 static int smmu_get_cd(SMMUv3State *s, STE *ste, SMMUTransCfg *cfg, 352 uint32_t ssid, CD *buf, SMMUEventInfo *event) 353 { 354 dma_addr_t addr = STE_CTXPTR(ste); 355 int ret, i; 356 SMMUTranslationStatus status; 357 SMMUTLBEntry *entry; 358 359 trace_smmuv3_get_cd(addr); 360 361 if (cfg->stage == SMMU_NESTED) { 362 status = smmuv3_do_translate(s, addr, cfg, event, 363 IOMMU_RO, &entry, SMMU_CLASS_CD); 364 365 /* Same PTW faults are reported but with CLASS = CD. */ 366 if (status != SMMU_TRANS_SUCCESS) { 367 return -EINVAL; 368 } 369 370 addr = CACHED_ENTRY_TO_ADDR(entry, addr); 371 } 372 373 /* TODO: guarantee 64-bit single-copy atomicity */ 374 ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), 375 MEMTXATTRS_UNSPECIFIED); 376 if (ret != MEMTX_OK) { 377 qemu_log_mask(LOG_GUEST_ERROR, 378 "Cannot fetch pte at address=0x%"PRIx64"\n", addr); 379 event->type = SMMU_EVT_F_CD_FETCH; 380 event->u.f_cd_fetch.addr = addr; 381 return -EINVAL; 382 } 383 for (i = 0; i < ARRAY_SIZE(buf->word); i++) { 384 le32_to_cpus(&buf->word[i]); 385 } 386 return 0; 387 } 388 389 /* 390 * Max valid value is 39 when SMMU_IDR3.STT == 0. 391 * In architectures after SMMUv3.0: 392 * - If STE.S2TG selects a 4KB or 16KB granule, the minimum valid value for this 393 * field is MAX(16, 64-IAS) 394 * - If STE.S2TG selects a 64KB granule, the minimum valid value for this field 395 * is (64-IAS). 396 * As we only support AA64, IAS = OAS. 397 */ 398 static bool s2t0sz_valid(SMMUTransCfg *cfg) 399 { 400 if (cfg->s2cfg.tsz > 39) { 401 return false; 402 } 403 404 if (cfg->s2cfg.granule_sz == 16) { 405 return (cfg->s2cfg.tsz >= 64 - cfg->s2cfg.eff_ps); 406 } 407 408 return (cfg->s2cfg.tsz >= MAX(64 - cfg->s2cfg.eff_ps, 16)); 409 } 410 411 /* 412 * Return true if s2 page table config is valid. 413 * This checks with the configured start level, ias_bits and granularity we can 414 * have a valid page table as described in ARM ARM D8.2 Translation process. 415 * The idea here is to see for the highest possible number of IPA bits, how 416 * many concatenated tables we would need, if it is more than 16, then this is 417 * not possible. 418 */ 419 static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran) 420 { 421 int level = get_start_level(sl0, gran); 422 uint64_t ipa_bits = 64 - t0sz; 423 uint64_t max_ipa = (1ULL << ipa_bits) - 1; 424 int nr_concat = pgd_concat_idx(level, gran, max_ipa) + 1; 425 426 return nr_concat <= VMSA_MAX_S2_CONCAT; 427 } 428 429 static int decode_ste_s2_cfg(SMMUv3State *s, SMMUTransCfg *cfg, 430 STE *ste) 431 { 432 uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS); 433 434 if (STE_S2AA64(ste) == 0x0) { 435 qemu_log_mask(LOG_UNIMP, 436 "SMMUv3 AArch32 tables not supported\n"); 437 g_assert_not_reached(); 438 } 439 440 switch (STE_S2TG(ste)) { 441 case 0x0: /* 4KB */ 442 cfg->s2cfg.granule_sz = 12; 443 break; 444 case 0x1: /* 64KB */ 445 cfg->s2cfg.granule_sz = 16; 446 break; 447 case 0x2: /* 16KB */ 448 cfg->s2cfg.granule_sz = 14; 449 break; 450 default: 451 qemu_log_mask(LOG_GUEST_ERROR, 452 "SMMUv3 bad STE S2TG: %x\n", STE_S2TG(ste)); 453 goto bad_ste; 454 } 455 456 cfg->s2cfg.vttb = STE_S2TTB(ste); 457 458 cfg->s2cfg.sl0 = STE_S2SL0(ste); 459 /* FEAT_TTST not supported. */ 460 if (cfg->s2cfg.sl0 == 0x3) { 461 qemu_log_mask(LOG_UNIMP, "SMMUv3 S2SL0 = 0x3 has no meaning!\n"); 462 goto bad_ste; 463 } 464 465 /* For AA64, The effective S2PS size is capped to the OAS. */ 466 cfg->s2cfg.eff_ps = oas2bits(MIN(STE_S2PS(ste), oas)); 467 /* 468 * For SMMUv3.1 and later, when OAS == IAS == 52, the stage 2 input 469 * range is further limited to 48 bits unless STE.S2TG indicates a 470 * 64KB granule. 471 */ 472 if (cfg->s2cfg.granule_sz != 16) { 473 cfg->s2cfg.eff_ps = MIN(cfg->s2cfg.eff_ps, 48); 474 } 475 /* 476 * It is ILLEGAL for the address in S2TTB to be outside the range 477 * described by the effective S2PS value. 478 */ 479 if (cfg->s2cfg.vttb & ~(MAKE_64BIT_MASK(0, cfg->s2cfg.eff_ps))) { 480 qemu_log_mask(LOG_GUEST_ERROR, 481 "SMMUv3 S2TTB too large 0x%" PRIx64 482 ", effective PS %d bits\n", 483 cfg->s2cfg.vttb, cfg->s2cfg.eff_ps); 484 goto bad_ste; 485 } 486 487 cfg->s2cfg.tsz = STE_S2T0SZ(ste); 488 489 if (!s2t0sz_valid(cfg)) { 490 qemu_log_mask(LOG_GUEST_ERROR, "SMMUv3 bad STE S2T0SZ = %d\n", 491 cfg->s2cfg.tsz); 492 goto bad_ste; 493 } 494 495 if (!s2_pgtable_config_valid(cfg->s2cfg.sl0, cfg->s2cfg.tsz, 496 cfg->s2cfg.granule_sz)) { 497 qemu_log_mask(LOG_GUEST_ERROR, 498 "SMMUv3 STE stage 2 config not valid!\n"); 499 goto bad_ste; 500 } 501 502 /* Only LE supported(IDR0.TTENDIAN). */ 503 if (STE_S2ENDI(ste)) { 504 qemu_log_mask(LOG_GUEST_ERROR, 505 "SMMUv3 STE_S2ENDI only supports LE!\n"); 506 goto bad_ste; 507 } 508 509 cfg->s2cfg.affd = STE_S2AFFD(ste); 510 511 cfg->s2cfg.record_faults = STE_S2R(ste); 512 /* As stall is not supported. */ 513 if (STE_S2S(ste)) { 514 qemu_log_mask(LOG_UNIMP, "SMMUv3 Stall not implemented!\n"); 515 goto bad_ste; 516 } 517 518 return 0; 519 520 bad_ste: 521 return -EINVAL; 522 } 523 524 static void decode_ste_config(SMMUTransCfg *cfg, uint32_t config) 525 { 526 527 if (STE_CFG_ABORT(config)) { 528 cfg->aborted = true; 529 return; 530 } 531 if (STE_CFG_BYPASS(config)) { 532 cfg->bypassed = true; 533 return; 534 } 535 536 if (STE_CFG_S1_ENABLED(config)) { 537 cfg->stage = SMMU_STAGE_1; 538 } 539 540 if (STE_CFG_S2_ENABLED(config)) { 541 cfg->stage |= SMMU_STAGE_2; 542 } 543 } 544 545 /* Returns < 0 in case of invalid STE, 0 otherwise */ 546 static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg, 547 STE *ste, SMMUEventInfo *event) 548 { 549 uint32_t config; 550 uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS); 551 int ret; 552 553 if (!STE_VALID(ste)) { 554 if (!event->inval_ste_allowed) { 555 qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n"); 556 } 557 goto bad_ste; 558 } 559 560 config = STE_CONFIG(ste); 561 562 decode_ste_config(cfg, config); 563 564 if (cfg->aborted || cfg->bypassed) { 565 return 0; 566 } 567 568 /* 569 * If a stage is enabled in SW while not advertised, throw bad ste 570 * according to user manual(IHI0070E) "5.2 Stream Table Entry". 571 */ 572 if (!STAGE1_SUPPORTED(s) && STE_CFG_S1_ENABLED(config)) { 573 qemu_log_mask(LOG_GUEST_ERROR, "SMMUv3 S1 used but not supported.\n"); 574 goto bad_ste; 575 } 576 if (!STAGE2_SUPPORTED(s) && STE_CFG_S2_ENABLED(config)) { 577 qemu_log_mask(LOG_GUEST_ERROR, "SMMUv3 S2 used but not supported.\n"); 578 goto bad_ste; 579 } 580 581 if (STAGE2_SUPPORTED(s)) { 582 /* VMID is considered even if s2 is disabled. */ 583 cfg->s2cfg.vmid = STE_S2VMID(ste); 584 } else { 585 /* Default to -1 */ 586 cfg->s2cfg.vmid = -1; 587 } 588 589 if (STE_CFG_S2_ENABLED(config)) { 590 /* 591 * Stage-1 OAS defaults to OAS even if not enabled as it would be used 592 * in input address check for stage-2. 593 */ 594 cfg->oas = oas2bits(oas); 595 ret = decode_ste_s2_cfg(s, cfg, ste); 596 if (ret) { 597 goto bad_ste; 598 } 599 } 600 601 if (STE_S1CDMAX(ste) != 0) { 602 qemu_log_mask(LOG_UNIMP, 603 "SMMUv3 does not support multiple context descriptors yet\n"); 604 goto bad_ste; 605 } 606 607 if (STE_S1STALLD(ste)) { 608 qemu_log_mask(LOG_UNIMP, 609 "SMMUv3 S1 stalling fault model not allowed yet\n"); 610 goto bad_ste; 611 } 612 return 0; 613 614 bad_ste: 615 event->type = SMMU_EVT_C_BAD_STE; 616 return -EINVAL; 617 } 618 619 /** 620 * smmu_find_ste - Return the stream table entry associated 621 * to the sid 622 * 623 * @s: smmuv3 handle 624 * @sid: stream ID 625 * @ste: returned stream table entry 626 * @event: handle to an event info 627 * 628 * Supports linear and 2-level stream table 629 * Return 0 on success, -EINVAL otherwise 630 */ 631 static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, 632 SMMUEventInfo *event) 633 { 634 dma_addr_t addr, strtab_base; 635 uint32_t log2size; 636 int strtab_size_shift; 637 int ret; 638 639 trace_smmuv3_find_ste(sid, s->features, s->sid_split); 640 log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE); 641 /* 642 * Check SID range against both guest-configured and implementation limits 643 */ 644 if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) { 645 event->type = SMMU_EVT_C_BAD_STREAMID; 646 return -EINVAL; 647 } 648 if (s->features & SMMU_FEATURE_2LVL_STE) { 649 int l1_ste_offset, l2_ste_offset, max_l2_ste, span, i; 650 dma_addr_t l1ptr, l2ptr; 651 STEDesc l1std; 652 653 /* 654 * Align strtab base address to table size. For this purpose, assume it 655 * is not bounded by SMMU_IDR1_SIDSIZE. 656 */ 657 strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3); 658 strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK & 659 ~MAKE_64BIT_MASK(0, strtab_size_shift); 660 l1_ste_offset = sid >> s->sid_split; 661 l2_ste_offset = sid & ((1 << s->sid_split) - 1); 662 l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); 663 /* TODO: guarantee 64-bit single-copy atomicity */ 664 ret = dma_memory_read(&address_space_memory, l1ptr, &l1std, 665 sizeof(l1std), MEMTXATTRS_UNSPECIFIED); 666 if (ret != MEMTX_OK) { 667 qemu_log_mask(LOG_GUEST_ERROR, 668 "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr); 669 event->type = SMMU_EVT_F_STE_FETCH; 670 event->u.f_ste_fetch.addr = l1ptr; 671 return -EINVAL; 672 } 673 for (i = 0; i < ARRAY_SIZE(l1std.word); i++) { 674 le32_to_cpus(&l1std.word[i]); 675 } 676 677 span = L1STD_SPAN(&l1std); 678 679 if (!span) { 680 /* l2ptr is not valid */ 681 if (!event->inval_ste_allowed) { 682 qemu_log_mask(LOG_GUEST_ERROR, 683 "invalid sid=%d (L1STD span=0)\n", sid); 684 } 685 event->type = SMMU_EVT_C_BAD_STREAMID; 686 return -EINVAL; 687 } 688 max_l2_ste = (1 << span) - 1; 689 l2ptr = l1std_l2ptr(&l1std); 690 trace_smmuv3_find_ste_2lvl(s->strtab_base, l1ptr, l1_ste_offset, 691 l2ptr, l2_ste_offset, max_l2_ste); 692 if (l2_ste_offset > max_l2_ste) { 693 qemu_log_mask(LOG_GUEST_ERROR, 694 "l2_ste_offset=%d > max_l2_ste=%d\n", 695 l2_ste_offset, max_l2_ste); 696 event->type = SMMU_EVT_C_BAD_STE; 697 return -EINVAL; 698 } 699 addr = l2ptr + l2_ste_offset * sizeof(*ste); 700 } else { 701 strtab_size_shift = log2size + 5; 702 strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK & 703 ~MAKE_64BIT_MASK(0, strtab_size_shift); 704 addr = strtab_base + sid * sizeof(*ste); 705 } 706 707 if (smmu_get_ste(s, addr, ste, event)) { 708 return -EINVAL; 709 } 710 711 return 0; 712 } 713 714 static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg, 715 CD *cd, SMMUEventInfo *event) 716 { 717 int ret = -EINVAL; 718 int i; 719 SMMUTranslationStatus status; 720 SMMUTLBEntry *entry; 721 uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS); 722 723 if (!CD_VALID(cd) || !CD_AARCH64(cd)) { 724 goto bad_cd; 725 } 726 if (!CD_A(cd)) { 727 goto bad_cd; /* SMMU_IDR0.TERM_MODEL == 1 */ 728 } 729 if (CD_S(cd)) { 730 goto bad_cd; /* !STE_SECURE && SMMU_IDR0.STALL_MODEL == 1 */ 731 } 732 if (CD_HA(cd) || CD_HD(cd)) { 733 goto bad_cd; /* HTTU = 0 */ 734 } 735 736 /* we support only those at the moment */ 737 cfg->aa64 = true; 738 739 cfg->oas = oas2bits(CD_IPS(cd)); 740 cfg->oas = MIN(oas2bits(oas), cfg->oas); 741 cfg->tbi = CD_TBI(cd); 742 cfg->asid = CD_ASID(cd); 743 cfg->affd = CD_AFFD(cd); 744 745 trace_smmuv3_decode_cd(cfg->oas); 746 747 /* decode data dependent on TT */ 748 for (i = 0; i <= 1; i++) { 749 int tg, tsz; 750 SMMUTransTableInfo *tt = &cfg->tt[i]; 751 752 cfg->tt[i].disabled = CD_EPD(cd, i); 753 if (cfg->tt[i].disabled) { 754 continue; 755 } 756 757 tsz = CD_TSZ(cd, i); 758 if (tsz < 16 || tsz > 39) { 759 goto bad_cd; 760 } 761 762 tg = CD_TG(cd, i); 763 tt->granule_sz = tg2granule(tg, i); 764 if ((tt->granule_sz != 12 && tt->granule_sz != 14 && 765 tt->granule_sz != 16) || CD_ENDI(cd)) { 766 goto bad_cd; 767 } 768 769 /* 770 * An address greater than 48 bits in size can only be output from a 771 * TTD when, in SMMUv3.1 and later, the effective IPS is 52 and a 64KB 772 * granule is in use for that translation table 773 */ 774 if (tt->granule_sz != 16) { 775 cfg->oas = MIN(cfg->oas, 48); 776 } 777 tt->tsz = tsz; 778 tt->ttb = CD_TTB(cd, i); 779 780 if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) { 781 goto bad_cd; 782 } 783 784 /* Translate the TTBx, from IPA to PA if nesting is enabled. */ 785 if (cfg->stage == SMMU_NESTED) { 786 status = smmuv3_do_translate(s, tt->ttb, cfg, event, IOMMU_RO, 787 &entry, SMMU_CLASS_TT); 788 /* 789 * Same PTW faults are reported but with CLASS = TT. 790 * If TTBx is larger than the effective stage 1 output addres 791 * size, it reports C_BAD_CD, which is handled by the above case. 792 */ 793 if (status != SMMU_TRANS_SUCCESS) { 794 return -EINVAL; 795 } 796 tt->ttb = CACHED_ENTRY_TO_ADDR(entry, tt->ttb); 797 } 798 799 tt->had = CD_HAD(cd, i); 800 trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz, tt->had); 801 } 802 803 cfg->record_faults = CD_R(cd); 804 805 return 0; 806 807 bad_cd: 808 event->type = SMMU_EVT_C_BAD_CD; 809 return ret; 810 } 811 812 /** 813 * smmuv3_decode_config - Prepare the translation configuration 814 * for the @mr iommu region 815 * @mr: iommu memory region the translation config must be prepared for 816 * @cfg: output translation configuration which is populated through 817 * the different configuration decoding steps 818 * @event: must be zero'ed by the caller 819 * 820 * return < 0 in case of config decoding error (@event is filled 821 * accordingly). Return 0 otherwise. 822 */ 823 static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg, 824 SMMUEventInfo *event) 825 { 826 SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu); 827 uint32_t sid = smmu_get_sid(sdev); 828 SMMUv3State *s = sdev->smmu; 829 int ret; 830 STE ste; 831 CD cd; 832 833 /* ASID defaults to -1 (if s1 is not supported). */ 834 cfg->asid = -1; 835 836 ret = smmu_find_ste(s, sid, &ste, event); 837 if (ret) { 838 return ret; 839 } 840 841 ret = decode_ste(s, cfg, &ste, event); 842 if (ret) { 843 return ret; 844 } 845 846 if (cfg->aborted || cfg->bypassed || (cfg->stage == SMMU_STAGE_2)) { 847 return 0; 848 } 849 850 ret = smmu_get_cd(s, &ste, cfg, 0 /* ssid */, &cd, event); 851 if (ret) { 852 return ret; 853 } 854 855 return decode_cd(s, cfg, &cd, event); 856 } 857 858 /** 859 * smmuv3_get_config - Look up for a cached copy of configuration data for 860 * @sdev and on cache miss performs a configuration structure decoding from 861 * guest RAM. 862 * 863 * @sdev: SMMUDevice handle 864 * @event: output event info 865 * 866 * The configuration cache contains data resulting from both STE and CD 867 * decoding under the form of an SMMUTransCfg struct. The hash table is indexed 868 * by the SMMUDevice handle. 869 */ 870 static SMMUTransCfg *smmuv3_get_config(SMMUDevice *sdev, SMMUEventInfo *event) 871 { 872 SMMUv3State *s = sdev->smmu; 873 SMMUState *bc = &s->smmu_state; 874 SMMUTransCfg *cfg; 875 876 cfg = g_hash_table_lookup(bc->configs, sdev); 877 if (cfg) { 878 sdev->cfg_cache_hits++; 879 trace_smmuv3_config_cache_hit(smmu_get_sid(sdev), 880 sdev->cfg_cache_hits, sdev->cfg_cache_misses, 881 100 * sdev->cfg_cache_hits / 882 (sdev->cfg_cache_hits + sdev->cfg_cache_misses)); 883 } else { 884 sdev->cfg_cache_misses++; 885 trace_smmuv3_config_cache_miss(smmu_get_sid(sdev), 886 sdev->cfg_cache_hits, sdev->cfg_cache_misses, 887 100 * sdev->cfg_cache_hits / 888 (sdev->cfg_cache_hits + sdev->cfg_cache_misses)); 889 cfg = g_new0(SMMUTransCfg, 1); 890 891 if (!smmuv3_decode_config(&sdev->iommu, cfg, event)) { 892 g_hash_table_insert(bc->configs, sdev, cfg); 893 } else { 894 g_free(cfg); 895 cfg = NULL; 896 } 897 } 898 return cfg; 899 } 900 901 static void smmuv3_flush_config(SMMUDevice *sdev) 902 { 903 SMMUv3State *s = sdev->smmu; 904 SMMUState *bc = &s->smmu_state; 905 906 trace_smmu_config_cache_inv(smmu_get_sid(sdev)); 907 g_hash_table_remove(bc->configs, sdev); 908 } 909 910 /* Do translation with TLB lookup. */ 911 static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr, 912 SMMUTransCfg *cfg, 913 SMMUEventInfo *event, 914 IOMMUAccessFlags flag, 915 SMMUTLBEntry **out_entry, 916 SMMUTranslationClass class) 917 { 918 SMMUPTWEventInfo ptw_info = {}; 919 SMMUState *bs = ARM_SMMU(s); 920 SMMUTLBEntry *cached_entry = NULL; 921 int asid, stage; 922 bool desc_s2_translation = class != SMMU_CLASS_IN; 923 924 /* 925 * The function uses the argument class to identify which stage is used: 926 * - CLASS = IN: Means an input translation, determine the stage from STE. 927 * - CLASS = CD: Means the addr is an IPA of the CD, and it would be 928 * translated using the stage-2. 929 * - CLASS = TT: Means the addr is an IPA of the stage-1 translation table 930 * and it would be translated using the stage-2. 931 * For the last 2 cases instead of having intrusive changes in the common 932 * logic, we modify the cfg to be a stage-2 translation only in case of 933 * nested, and then restore it after. 934 */ 935 if (desc_s2_translation) { 936 asid = cfg->asid; 937 stage = cfg->stage; 938 cfg->asid = -1; 939 cfg->stage = SMMU_STAGE_2; 940 } 941 942 cached_entry = smmu_translate(bs, cfg, addr, flag, &ptw_info); 943 944 if (desc_s2_translation) { 945 cfg->asid = asid; 946 cfg->stage = stage; 947 } 948 949 if (!cached_entry) { 950 /* All faults from PTW has S2 field. */ 951 event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2); 952 /* 953 * Fault class is set as follows based on "class" input to 954 * the function and to "ptw_info" from "smmu_translate()" 955 * For stage-1: 956 * - EABT => CLASS_TT (hardcoded) 957 * - other events => CLASS_IN (input to function) 958 * For stage-2 => CLASS_IN (input to function) 959 * For nested, for all events: 960 * - CD fetch => CLASS_CD (input to function) 961 * - walking stage 1 translation table => CLASS_TT (from 962 * is_ipa_descriptor or input in case of TTBx) 963 * - s2 translation => CLASS_IN (input to function) 964 */ 965 class = ptw_info.is_ipa_descriptor ? SMMU_CLASS_TT : class; 966 switch (ptw_info.type) { 967 case SMMU_PTW_ERR_WALK_EABT: 968 event->type = SMMU_EVT_F_WALK_EABT; 969 event->u.f_walk_eabt.rnw = flag & 0x1; 970 event->u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ? 971 class : SMMU_CLASS_TT; 972 event->u.f_walk_eabt.addr2 = ptw_info.addr; 973 break; 974 case SMMU_PTW_ERR_TRANSLATION: 975 if (PTW_RECORD_FAULT(ptw_info, cfg)) { 976 event->type = SMMU_EVT_F_TRANSLATION; 977 event->u.f_translation.addr2 = ptw_info.addr; 978 event->u.f_translation.class = class; 979 event->u.f_translation.rnw = flag & 0x1; 980 } 981 break; 982 case SMMU_PTW_ERR_ADDR_SIZE: 983 if (PTW_RECORD_FAULT(ptw_info, cfg)) { 984 event->type = SMMU_EVT_F_ADDR_SIZE; 985 event->u.f_addr_size.addr2 = ptw_info.addr; 986 event->u.f_addr_size.class = class; 987 event->u.f_addr_size.rnw = flag & 0x1; 988 } 989 break; 990 case SMMU_PTW_ERR_ACCESS: 991 if (PTW_RECORD_FAULT(ptw_info, cfg)) { 992 event->type = SMMU_EVT_F_ACCESS; 993 event->u.f_access.addr2 = ptw_info.addr; 994 event->u.f_access.class = class; 995 event->u.f_access.rnw = flag & 0x1; 996 } 997 break; 998 case SMMU_PTW_ERR_PERMISSION: 999 if (PTW_RECORD_FAULT(ptw_info, cfg)) { 1000 event->type = SMMU_EVT_F_PERMISSION; 1001 event->u.f_permission.addr2 = ptw_info.addr; 1002 event->u.f_permission.class = class; 1003 event->u.f_permission.rnw = flag & 0x1; 1004 } 1005 break; 1006 default: 1007 g_assert_not_reached(); 1008 } 1009 return SMMU_TRANS_ERROR; 1010 } 1011 *out_entry = cached_entry; 1012 return SMMU_TRANS_SUCCESS; 1013 } 1014 1015 /* 1016 * Sets the InputAddr for an SMMU_TRANS_ERROR, as it can't be 1017 * set from all contexts, as smmuv3_get_config() can return 1018 * translation faults in case of nested translation (for CD 1019 * and TTBx). But in that case the iova is not known. 1020 */ 1021 static void smmuv3_fixup_event(SMMUEventInfo *event, hwaddr iova) 1022 { 1023 switch (event->type) { 1024 case SMMU_EVT_F_WALK_EABT: 1025 case SMMU_EVT_F_TRANSLATION: 1026 case SMMU_EVT_F_ADDR_SIZE: 1027 case SMMU_EVT_F_ACCESS: 1028 case SMMU_EVT_F_PERMISSION: 1029 event->u.f_walk_eabt.addr = iova; 1030 break; 1031 default: 1032 break; 1033 } 1034 } 1035 1036 /* Entry point to SMMU, does everything. */ 1037 static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr, 1038 IOMMUAccessFlags flag, int iommu_idx) 1039 { 1040 SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu); 1041 SMMUv3State *s = sdev->smmu; 1042 uint32_t sid = smmu_get_sid(sdev); 1043 SMMUEventInfo event = {.type = SMMU_EVT_NONE, 1044 .sid = sid, 1045 .inval_ste_allowed = false}; 1046 SMMUTranslationStatus status; 1047 SMMUTransCfg *cfg = NULL; 1048 IOMMUTLBEntry entry = { 1049 .target_as = &address_space_memory, 1050 .iova = addr, 1051 .translated_addr = addr, 1052 .addr_mask = ~(hwaddr)0, 1053 .perm = IOMMU_NONE, 1054 }; 1055 SMMUTLBEntry *cached_entry = NULL; 1056 1057 qemu_mutex_lock(&s->mutex); 1058 1059 if (!smmu_enabled(s)) { 1060 if (FIELD_EX32(s->gbpa, GBPA, ABORT)) { 1061 status = SMMU_TRANS_ABORT; 1062 } else { 1063 status = SMMU_TRANS_DISABLE; 1064 } 1065 goto epilogue; 1066 } 1067 1068 cfg = smmuv3_get_config(sdev, &event); 1069 if (!cfg) { 1070 status = SMMU_TRANS_ERROR; 1071 goto epilogue; 1072 } 1073 1074 if (cfg->aborted) { 1075 status = SMMU_TRANS_ABORT; 1076 goto epilogue; 1077 } 1078 1079 if (cfg->bypassed) { 1080 status = SMMU_TRANS_BYPASS; 1081 goto epilogue; 1082 } 1083 1084 status = smmuv3_do_translate(s, addr, cfg, &event, flag, 1085 &cached_entry, SMMU_CLASS_IN); 1086 1087 epilogue: 1088 qemu_mutex_unlock(&s->mutex); 1089 switch (status) { 1090 case SMMU_TRANS_SUCCESS: 1091 entry.perm = cached_entry->entry.perm; 1092 entry.translated_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr); 1093 entry.addr_mask = cached_entry->entry.addr_mask; 1094 trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr, 1095 entry.translated_addr, entry.perm, 1096 cfg->stage); 1097 break; 1098 case SMMU_TRANS_DISABLE: 1099 entry.perm = flag; 1100 entry.addr_mask = ~TARGET_PAGE_MASK; 1101 trace_smmuv3_translate_disable(mr->parent_obj.name, sid, addr, 1102 entry.perm); 1103 break; 1104 case SMMU_TRANS_BYPASS: 1105 entry.perm = flag; 1106 entry.addr_mask = ~TARGET_PAGE_MASK; 1107 trace_smmuv3_translate_bypass(mr->parent_obj.name, sid, addr, 1108 entry.perm); 1109 break; 1110 case SMMU_TRANS_ABORT: 1111 /* no event is recorded on abort */ 1112 trace_smmuv3_translate_abort(mr->parent_obj.name, sid, addr, 1113 entry.perm); 1114 break; 1115 case SMMU_TRANS_ERROR: 1116 smmuv3_fixup_event(&event, addr); 1117 qemu_log_mask(LOG_GUEST_ERROR, 1118 "%s translation failed for iova=0x%"PRIx64" (%s)\n", 1119 mr->parent_obj.name, addr, smmu_event_string(event.type)); 1120 smmuv3_record_event(s, &event); 1121 break; 1122 } 1123 1124 return entry; 1125 } 1126 1127 /** 1128 * smmuv3_notify_iova - call the notifier @n for a given 1129 * @asid and @iova tuple. 1130 * 1131 * @mr: IOMMU mr region handle 1132 * @n: notifier to be called 1133 * @asid: address space ID or negative value if we don't care 1134 * @vmid: virtual machine ID or negative value if we don't care 1135 * @iova: iova 1136 * @tg: translation granule (if communicated through range invalidation) 1137 * @num_pages: number of @granule sized pages (if tg != 0), otherwise 1 1138 * @stage: Which stage(1 or 2) is used 1139 */ 1140 static void smmuv3_notify_iova(IOMMUMemoryRegion *mr, 1141 IOMMUNotifier *n, 1142 int asid, int vmid, 1143 dma_addr_t iova, uint8_t tg, 1144 uint64_t num_pages, int stage) 1145 { 1146 SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu); 1147 SMMUEventInfo eventinfo = {.inval_ste_allowed = true}; 1148 SMMUTransCfg *cfg = smmuv3_get_config(sdev, &eventinfo); 1149 IOMMUTLBEvent event; 1150 uint8_t granule; 1151 1152 if (!cfg) { 1153 return; 1154 } 1155 1156 /* 1157 * stage is passed from TLB invalidation commands which can be either 1158 * stage-1 or stage-2. 1159 * However, IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2 1160 * SMMU instances we consider the input address as the IOVA, but when 1161 * nesting is used, we can't mix stage-1 and stage-2 addresses, so for 1162 * nesting only stage-1 is considered the IOVA and would be notified. 1163 */ 1164 if ((stage == SMMU_STAGE_2) && (cfg->stage == SMMU_NESTED)) 1165 return; 1166 1167 if (!tg) { 1168 SMMUTransTableInfo *tt; 1169 1170 if (asid >= 0 && cfg->asid != asid) { 1171 return; 1172 } 1173 1174 if (vmid >= 0 && cfg->s2cfg.vmid != vmid) { 1175 return; 1176 } 1177 1178 if (stage == SMMU_STAGE_1) { 1179 tt = select_tt(cfg, iova); 1180 if (!tt) { 1181 return; 1182 } 1183 granule = tt->granule_sz; 1184 } else { 1185 granule = cfg->s2cfg.granule_sz; 1186 } 1187 1188 } else { 1189 granule = tg * 2 + 10; 1190 } 1191 1192 event.type = IOMMU_NOTIFIER_UNMAP; 1193 event.entry.target_as = &address_space_memory; 1194 event.entry.iova = iova; 1195 event.entry.addr_mask = num_pages * (1 << granule) - 1; 1196 event.entry.perm = IOMMU_NONE; 1197 1198 memory_region_notify_iommu_one(n, &event); 1199 } 1200 1201 /* invalidate an asid/vmid/iova range tuple in all mr's */ 1202 static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid, 1203 dma_addr_t iova, uint8_t tg, 1204 uint64_t num_pages, int stage) 1205 { 1206 SMMUDevice *sdev; 1207 1208 QLIST_FOREACH(sdev, &s->devices_with_notifiers, next) { 1209 IOMMUMemoryRegion *mr = &sdev->iommu; 1210 IOMMUNotifier *n; 1211 1212 trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, vmid, 1213 iova, tg, num_pages, stage); 1214 1215 IOMMU_NOTIFIER_FOREACH(n, mr) { 1216 smmuv3_notify_iova(mr, n, asid, vmid, iova, tg, num_pages, stage); 1217 } 1218 } 1219 } 1220 1221 static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage) 1222 { 1223 dma_addr_t end, addr = CMD_ADDR(cmd); 1224 uint8_t type = CMD_TYPE(cmd); 1225 int vmid = -1; 1226 uint8_t scale = CMD_SCALE(cmd); 1227 uint8_t num = CMD_NUM(cmd); 1228 uint8_t ttl = CMD_TTL(cmd); 1229 bool leaf = CMD_LEAF(cmd); 1230 uint8_t tg = CMD_TG(cmd); 1231 uint64_t num_pages; 1232 uint8_t granule; 1233 int asid = -1; 1234 SMMUv3State *smmuv3 = ARM_SMMUV3(s); 1235 1236 /* Only consider VMID if stage-2 is supported. */ 1237 if (STAGE2_SUPPORTED(smmuv3)) { 1238 vmid = CMD_VMID(cmd); 1239 } 1240 1241 if (type == SMMU_CMD_TLBI_NH_VA) { 1242 asid = CMD_ASID(cmd); 1243 } 1244 1245 if (!tg) { 1246 trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf, stage); 1247 smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1, stage); 1248 if (stage == SMMU_STAGE_1) { 1249 smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl); 1250 } else { 1251 smmu_iotlb_inv_ipa(s, vmid, addr, tg, 1, ttl); 1252 } 1253 return; 1254 } 1255 1256 /* RIL in use */ 1257 1258 num_pages = (num + 1) * BIT_ULL(scale); 1259 granule = tg * 2 + 10; 1260 1261 /* Split invalidations into ^2 range invalidations */ 1262 end = addr + (num_pages << granule) - 1; 1263 1264 while (addr != end + 1) { 1265 uint64_t mask = dma_aligned_pow2_mask(addr, end, 64); 1266 1267 num_pages = (mask + 1) >> granule; 1268 trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages, 1269 ttl, leaf, stage); 1270 smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages, stage); 1271 if (stage == SMMU_STAGE_1) { 1272 smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl); 1273 } else { 1274 smmu_iotlb_inv_ipa(s, vmid, addr, tg, num_pages, ttl); 1275 } 1276 addr += mask + 1; 1277 } 1278 } 1279 1280 static int smmuv3_cmdq_consume(SMMUv3State *s) 1281 { 1282 SMMUState *bs = ARM_SMMU(s); 1283 SMMUCmdError cmd_error = SMMU_CERROR_NONE; 1284 SMMUQueue *q = &s->cmdq; 1285 SMMUCommandType type = 0; 1286 1287 if (!smmuv3_cmdq_enabled(s)) { 1288 return 0; 1289 } 1290 /* 1291 * some commands depend on register values, typically CR0. In case those 1292 * register values change while handling the command, spec says it 1293 * is UNPREDICTABLE whether the command is interpreted under the new 1294 * or old value. 1295 */ 1296 1297 while (!smmuv3_q_empty(q)) { 1298 uint32_t pending = s->gerror ^ s->gerrorn; 1299 Cmd cmd; 1300 1301 trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q), 1302 Q_PROD_WRAP(q), Q_CONS_WRAP(q)); 1303 1304 if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) { 1305 break; 1306 } 1307 1308 if (queue_read(q, &cmd) != MEMTX_OK) { 1309 cmd_error = SMMU_CERROR_ABT; 1310 break; 1311 } 1312 1313 type = CMD_TYPE(&cmd); 1314 1315 trace_smmuv3_cmdq_opcode(smmu_cmd_string(type)); 1316 1317 qemu_mutex_lock(&s->mutex); 1318 switch (type) { 1319 case SMMU_CMD_SYNC: 1320 if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) { 1321 smmuv3_trigger_irq(s, SMMU_IRQ_CMD_SYNC, 0); 1322 } 1323 break; 1324 case SMMU_CMD_PREFETCH_CONFIG: 1325 case SMMU_CMD_PREFETCH_ADDR: 1326 break; 1327 case SMMU_CMD_CFGI_STE: 1328 { 1329 uint32_t sid = CMD_SID(&cmd); 1330 SMMUDevice *sdev = smmu_find_sdev(bs, sid); 1331 1332 if (CMD_SSEC(&cmd)) { 1333 cmd_error = SMMU_CERROR_ILL; 1334 break; 1335 } 1336 1337 if (!sdev) { 1338 break; 1339 } 1340 1341 trace_smmuv3_cmdq_cfgi_ste(sid); 1342 smmuv3_flush_config(sdev); 1343 1344 break; 1345 } 1346 case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */ 1347 { 1348 uint32_t sid = CMD_SID(&cmd), mask; 1349 uint8_t range = CMD_STE_RANGE(&cmd); 1350 SMMUSIDRange sid_range; 1351 1352 if (CMD_SSEC(&cmd)) { 1353 cmd_error = SMMU_CERROR_ILL; 1354 break; 1355 } 1356 1357 mask = (1ULL << (range + 1)) - 1; 1358 sid_range.start = sid & ~mask; 1359 sid_range.end = sid_range.start + mask; 1360 1361 trace_smmuv3_cmdq_cfgi_ste_range(sid_range.start, sid_range.end); 1362 smmu_configs_inv_sid_range(bs, sid_range); 1363 break; 1364 } 1365 case SMMU_CMD_CFGI_CD: 1366 case SMMU_CMD_CFGI_CD_ALL: 1367 { 1368 uint32_t sid = CMD_SID(&cmd); 1369 SMMUDevice *sdev = smmu_find_sdev(bs, sid); 1370 1371 if (CMD_SSEC(&cmd)) { 1372 cmd_error = SMMU_CERROR_ILL; 1373 break; 1374 } 1375 1376 if (!sdev) { 1377 break; 1378 } 1379 1380 trace_smmuv3_cmdq_cfgi_cd(sid); 1381 smmuv3_flush_config(sdev); 1382 break; 1383 } 1384 case SMMU_CMD_TLBI_NH_ASID: 1385 { 1386 int asid = CMD_ASID(&cmd); 1387 int vmid = -1; 1388 1389 if (!STAGE1_SUPPORTED(s)) { 1390 cmd_error = SMMU_CERROR_ILL; 1391 break; 1392 } 1393 1394 /* 1395 * VMID is only matched when stage 2 is supported, otherwise set it 1396 * to -1 as the value used for stage-1 only VMIDs. 1397 */ 1398 if (STAGE2_SUPPORTED(s)) { 1399 vmid = CMD_VMID(&cmd); 1400 } 1401 1402 trace_smmuv3_cmdq_tlbi_nh_asid(asid); 1403 smmu_inv_notifiers_all(&s->smmu_state); 1404 smmu_iotlb_inv_asid_vmid(bs, asid, vmid); 1405 break; 1406 } 1407 case SMMU_CMD_TLBI_NH_ALL: 1408 { 1409 int vmid = -1; 1410 1411 if (!STAGE1_SUPPORTED(s)) { 1412 cmd_error = SMMU_CERROR_ILL; 1413 break; 1414 } 1415 1416 /* 1417 * If stage-2 is supported, invalidate for this VMID only, otherwise 1418 * invalidate the whole thing. 1419 */ 1420 if (STAGE2_SUPPORTED(s)) { 1421 vmid = CMD_VMID(&cmd); 1422 trace_smmuv3_cmdq_tlbi_nh(vmid); 1423 smmu_iotlb_inv_vmid_s1(bs, vmid); 1424 break; 1425 } 1426 QEMU_FALLTHROUGH; 1427 } 1428 case SMMU_CMD_TLBI_NSNH_ALL: 1429 trace_smmuv3_cmdq_tlbi_nsnh(); 1430 smmu_inv_notifiers_all(&s->smmu_state); 1431 smmu_iotlb_inv_all(bs); 1432 break; 1433 case SMMU_CMD_TLBI_NH_VAA: 1434 case SMMU_CMD_TLBI_NH_VA: 1435 if (!STAGE1_SUPPORTED(s)) { 1436 cmd_error = SMMU_CERROR_ILL; 1437 break; 1438 } 1439 smmuv3_range_inval(bs, &cmd, SMMU_STAGE_1); 1440 break; 1441 case SMMU_CMD_TLBI_S12_VMALL: 1442 { 1443 int vmid = CMD_VMID(&cmd); 1444 1445 if (!STAGE2_SUPPORTED(s)) { 1446 cmd_error = SMMU_CERROR_ILL; 1447 break; 1448 } 1449 1450 trace_smmuv3_cmdq_tlbi_s12_vmid(vmid); 1451 smmu_inv_notifiers_all(&s->smmu_state); 1452 smmu_iotlb_inv_vmid(bs, vmid); 1453 break; 1454 } 1455 case SMMU_CMD_TLBI_S2_IPA: 1456 if (!STAGE2_SUPPORTED(s)) { 1457 cmd_error = SMMU_CERROR_ILL; 1458 break; 1459 } 1460 /* 1461 * As currently only either s1 or s2 are supported 1462 * we can reuse same function for s2. 1463 */ 1464 smmuv3_range_inval(bs, &cmd, SMMU_STAGE_2); 1465 break; 1466 case SMMU_CMD_TLBI_EL3_ALL: 1467 case SMMU_CMD_TLBI_EL3_VA: 1468 case SMMU_CMD_TLBI_EL2_ALL: 1469 case SMMU_CMD_TLBI_EL2_ASID: 1470 case SMMU_CMD_TLBI_EL2_VA: 1471 case SMMU_CMD_TLBI_EL2_VAA: 1472 case SMMU_CMD_ATC_INV: 1473 case SMMU_CMD_PRI_RESP: 1474 case SMMU_CMD_RESUME: 1475 case SMMU_CMD_STALL_TERM: 1476 trace_smmuv3_unhandled_cmd(type); 1477 break; 1478 default: 1479 cmd_error = SMMU_CERROR_ILL; 1480 break; 1481 } 1482 qemu_mutex_unlock(&s->mutex); 1483 if (cmd_error) { 1484 if (cmd_error == SMMU_CERROR_ILL) { 1485 qemu_log_mask(LOG_GUEST_ERROR, 1486 "Illegal command type: %d\n", CMD_TYPE(&cmd)); 1487 } 1488 break; 1489 } 1490 /* 1491 * We only increment the cons index after the completion of 1492 * the command. We do that because the SYNC returns immediately 1493 * and does not check the completion of previous commands 1494 */ 1495 queue_cons_incr(q); 1496 } 1497 1498 if (cmd_error) { 1499 trace_smmuv3_cmdq_consume_error(smmu_cmd_string(type), cmd_error); 1500 smmu_write_cmdq_err(s, cmd_error); 1501 smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_CMDQ_ERR_MASK); 1502 } 1503 1504 trace_smmuv3_cmdq_consume_out(Q_PROD(q), Q_CONS(q), 1505 Q_PROD_WRAP(q), Q_CONS_WRAP(q)); 1506 1507 return 0; 1508 } 1509 1510 static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset, 1511 uint64_t data, MemTxAttrs attrs) 1512 { 1513 switch (offset) { 1514 case A_GERROR_IRQ_CFG0: 1515 s->gerror_irq_cfg0 = data; 1516 return MEMTX_OK; 1517 case A_STRTAB_BASE: 1518 s->strtab_base = data; 1519 return MEMTX_OK; 1520 case A_CMDQ_BASE: 1521 s->cmdq.base = data; 1522 s->cmdq.log2size = extract64(s->cmdq.base, 0, 5); 1523 if (s->cmdq.log2size > SMMU_CMDQS) { 1524 s->cmdq.log2size = SMMU_CMDQS; 1525 } 1526 return MEMTX_OK; 1527 case A_EVENTQ_BASE: 1528 s->eventq.base = data; 1529 s->eventq.log2size = extract64(s->eventq.base, 0, 5); 1530 if (s->eventq.log2size > SMMU_EVENTQS) { 1531 s->eventq.log2size = SMMU_EVENTQS; 1532 } 1533 return MEMTX_OK; 1534 case A_EVENTQ_IRQ_CFG0: 1535 s->eventq_irq_cfg0 = data; 1536 return MEMTX_OK; 1537 default: 1538 qemu_log_mask(LOG_UNIMP, 1539 "%s Unexpected 64-bit access to 0x%"PRIx64" (WI)\n", 1540 __func__, offset); 1541 return MEMTX_OK; 1542 } 1543 } 1544 1545 static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset, 1546 uint64_t data, MemTxAttrs attrs) 1547 { 1548 switch (offset) { 1549 case A_CR0: 1550 s->cr[0] = data; 1551 s->cr0ack = data & ~SMMU_CR0_RESERVED; 1552 /* in case the command queue has been enabled */ 1553 smmuv3_cmdq_consume(s); 1554 return MEMTX_OK; 1555 case A_CR1: 1556 s->cr[1] = data; 1557 return MEMTX_OK; 1558 case A_CR2: 1559 s->cr[2] = data; 1560 return MEMTX_OK; 1561 case A_IRQ_CTRL: 1562 s->irq_ctrl = data; 1563 return MEMTX_OK; 1564 case A_GERRORN: 1565 smmuv3_write_gerrorn(s, data); 1566 /* 1567 * By acknowledging the CMDQ_ERR, SW may notify cmds can 1568 * be processed again 1569 */ 1570 smmuv3_cmdq_consume(s); 1571 return MEMTX_OK; 1572 case A_GERROR_IRQ_CFG0: /* 64b */ 1573 s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 0, 32, data); 1574 return MEMTX_OK; 1575 case A_GERROR_IRQ_CFG0 + 4: 1576 s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 32, 32, data); 1577 return MEMTX_OK; 1578 case A_GERROR_IRQ_CFG1: 1579 s->gerror_irq_cfg1 = data; 1580 return MEMTX_OK; 1581 case A_GERROR_IRQ_CFG2: 1582 s->gerror_irq_cfg2 = data; 1583 return MEMTX_OK; 1584 case A_GBPA: 1585 /* 1586 * If UPDATE is not set, the write is ignored. This is the only 1587 * permitted behavior in SMMUv3.2 and later. 1588 */ 1589 if (data & R_GBPA_UPDATE_MASK) { 1590 /* Ignore update bit as write is synchronous. */ 1591 s->gbpa = data & ~R_GBPA_UPDATE_MASK; 1592 } 1593 return MEMTX_OK; 1594 case A_STRTAB_BASE: /* 64b */ 1595 s->strtab_base = deposit64(s->strtab_base, 0, 32, data); 1596 return MEMTX_OK; 1597 case A_STRTAB_BASE + 4: 1598 s->strtab_base = deposit64(s->strtab_base, 32, 32, data); 1599 return MEMTX_OK; 1600 case A_STRTAB_BASE_CFG: 1601 s->strtab_base_cfg = data; 1602 if (FIELD_EX32(data, STRTAB_BASE_CFG, FMT) == 1) { 1603 s->sid_split = FIELD_EX32(data, STRTAB_BASE_CFG, SPLIT); 1604 s->features |= SMMU_FEATURE_2LVL_STE; 1605 } 1606 return MEMTX_OK; 1607 case A_CMDQ_BASE: /* 64b */ 1608 s->cmdq.base = deposit64(s->cmdq.base, 0, 32, data); 1609 s->cmdq.log2size = extract64(s->cmdq.base, 0, 5); 1610 if (s->cmdq.log2size > SMMU_CMDQS) { 1611 s->cmdq.log2size = SMMU_CMDQS; 1612 } 1613 return MEMTX_OK; 1614 case A_CMDQ_BASE + 4: /* 64b */ 1615 s->cmdq.base = deposit64(s->cmdq.base, 32, 32, data); 1616 return MEMTX_OK; 1617 case A_CMDQ_PROD: 1618 s->cmdq.prod = data; 1619 smmuv3_cmdq_consume(s); 1620 return MEMTX_OK; 1621 case A_CMDQ_CONS: 1622 s->cmdq.cons = data; 1623 return MEMTX_OK; 1624 case A_EVENTQ_BASE: /* 64b */ 1625 s->eventq.base = deposit64(s->eventq.base, 0, 32, data); 1626 s->eventq.log2size = extract64(s->eventq.base, 0, 5); 1627 if (s->eventq.log2size > SMMU_EVENTQS) { 1628 s->eventq.log2size = SMMU_EVENTQS; 1629 } 1630 return MEMTX_OK; 1631 case A_EVENTQ_BASE + 4: 1632 s->eventq.base = deposit64(s->eventq.base, 32, 32, data); 1633 return MEMTX_OK; 1634 case A_EVENTQ_PROD: 1635 s->eventq.prod = data; 1636 return MEMTX_OK; 1637 case A_EVENTQ_CONS: 1638 s->eventq.cons = data; 1639 return MEMTX_OK; 1640 case A_EVENTQ_IRQ_CFG0: /* 64b */ 1641 s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 0, 32, data); 1642 return MEMTX_OK; 1643 case A_EVENTQ_IRQ_CFG0 + 4: 1644 s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 32, 32, data); 1645 return MEMTX_OK; 1646 case A_EVENTQ_IRQ_CFG1: 1647 s->eventq_irq_cfg1 = data; 1648 return MEMTX_OK; 1649 case A_EVENTQ_IRQ_CFG2: 1650 s->eventq_irq_cfg2 = data; 1651 return MEMTX_OK; 1652 default: 1653 qemu_log_mask(LOG_UNIMP, 1654 "%s Unexpected 32-bit access to 0x%"PRIx64" (WI)\n", 1655 __func__, offset); 1656 return MEMTX_OK; 1657 } 1658 } 1659 1660 static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data, 1661 unsigned size, MemTxAttrs attrs) 1662 { 1663 SMMUState *sys = opaque; 1664 SMMUv3State *s = ARM_SMMUV3(sys); 1665 MemTxResult r; 1666 1667 /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */ 1668 offset &= ~0x10000; 1669 1670 switch (size) { 1671 case 8: 1672 r = smmu_writell(s, offset, data, attrs); 1673 break; 1674 case 4: 1675 r = smmu_writel(s, offset, data, attrs); 1676 break; 1677 default: 1678 r = MEMTX_ERROR; 1679 break; 1680 } 1681 1682 trace_smmuv3_write_mmio(offset, data, size, r); 1683 return r; 1684 } 1685 1686 static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset, 1687 uint64_t *data, MemTxAttrs attrs) 1688 { 1689 switch (offset) { 1690 case A_GERROR_IRQ_CFG0: 1691 *data = s->gerror_irq_cfg0; 1692 return MEMTX_OK; 1693 case A_STRTAB_BASE: 1694 *data = s->strtab_base; 1695 return MEMTX_OK; 1696 case A_CMDQ_BASE: 1697 *data = s->cmdq.base; 1698 return MEMTX_OK; 1699 case A_EVENTQ_BASE: 1700 *data = s->eventq.base; 1701 return MEMTX_OK; 1702 default: 1703 *data = 0; 1704 qemu_log_mask(LOG_UNIMP, 1705 "%s Unexpected 64-bit access to 0x%"PRIx64" (RAZ)\n", 1706 __func__, offset); 1707 return MEMTX_OK; 1708 } 1709 } 1710 1711 static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset, 1712 uint64_t *data, MemTxAttrs attrs) 1713 { 1714 switch (offset) { 1715 case A_IDREGS ... A_IDREGS + 0x2f: 1716 *data = smmuv3_idreg(offset - A_IDREGS); 1717 return MEMTX_OK; 1718 case A_IDR0 ... A_IDR5: 1719 *data = s->idr[(offset - A_IDR0) / 4]; 1720 return MEMTX_OK; 1721 case A_IIDR: 1722 *data = s->iidr; 1723 return MEMTX_OK; 1724 case A_AIDR: 1725 *data = s->aidr; 1726 return MEMTX_OK; 1727 case A_CR0: 1728 *data = s->cr[0]; 1729 return MEMTX_OK; 1730 case A_CR0ACK: 1731 *data = s->cr0ack; 1732 return MEMTX_OK; 1733 case A_CR1: 1734 *data = s->cr[1]; 1735 return MEMTX_OK; 1736 case A_CR2: 1737 *data = s->cr[2]; 1738 return MEMTX_OK; 1739 case A_STATUSR: 1740 *data = s->statusr; 1741 return MEMTX_OK; 1742 case A_GBPA: 1743 *data = s->gbpa; 1744 return MEMTX_OK; 1745 case A_IRQ_CTRL: 1746 case A_IRQ_CTRL_ACK: 1747 *data = s->irq_ctrl; 1748 return MEMTX_OK; 1749 case A_GERROR: 1750 *data = s->gerror; 1751 return MEMTX_OK; 1752 case A_GERRORN: 1753 *data = s->gerrorn; 1754 return MEMTX_OK; 1755 case A_GERROR_IRQ_CFG0: /* 64b */ 1756 *data = extract64(s->gerror_irq_cfg0, 0, 32); 1757 return MEMTX_OK; 1758 case A_GERROR_IRQ_CFG0 + 4: 1759 *data = extract64(s->gerror_irq_cfg0, 32, 32); 1760 return MEMTX_OK; 1761 case A_GERROR_IRQ_CFG1: 1762 *data = s->gerror_irq_cfg1; 1763 return MEMTX_OK; 1764 case A_GERROR_IRQ_CFG2: 1765 *data = s->gerror_irq_cfg2; 1766 return MEMTX_OK; 1767 case A_STRTAB_BASE: /* 64b */ 1768 *data = extract64(s->strtab_base, 0, 32); 1769 return MEMTX_OK; 1770 case A_STRTAB_BASE + 4: /* 64b */ 1771 *data = extract64(s->strtab_base, 32, 32); 1772 return MEMTX_OK; 1773 case A_STRTAB_BASE_CFG: 1774 *data = s->strtab_base_cfg; 1775 return MEMTX_OK; 1776 case A_CMDQ_BASE: /* 64b */ 1777 *data = extract64(s->cmdq.base, 0, 32); 1778 return MEMTX_OK; 1779 case A_CMDQ_BASE + 4: 1780 *data = extract64(s->cmdq.base, 32, 32); 1781 return MEMTX_OK; 1782 case A_CMDQ_PROD: 1783 *data = s->cmdq.prod; 1784 return MEMTX_OK; 1785 case A_CMDQ_CONS: 1786 *data = s->cmdq.cons; 1787 return MEMTX_OK; 1788 case A_EVENTQ_BASE: /* 64b */ 1789 *data = extract64(s->eventq.base, 0, 32); 1790 return MEMTX_OK; 1791 case A_EVENTQ_BASE + 4: /* 64b */ 1792 *data = extract64(s->eventq.base, 32, 32); 1793 return MEMTX_OK; 1794 case A_EVENTQ_PROD: 1795 *data = s->eventq.prod; 1796 return MEMTX_OK; 1797 case A_EVENTQ_CONS: 1798 *data = s->eventq.cons; 1799 return MEMTX_OK; 1800 default: 1801 *data = 0; 1802 qemu_log_mask(LOG_UNIMP, 1803 "%s unhandled 32-bit access at 0x%"PRIx64" (RAZ)\n", 1804 __func__, offset); 1805 return MEMTX_OK; 1806 } 1807 } 1808 1809 static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data, 1810 unsigned size, MemTxAttrs attrs) 1811 { 1812 SMMUState *sys = opaque; 1813 SMMUv3State *s = ARM_SMMUV3(sys); 1814 MemTxResult r; 1815 1816 /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */ 1817 offset &= ~0x10000; 1818 1819 switch (size) { 1820 case 8: 1821 r = smmu_readll(s, offset, data, attrs); 1822 break; 1823 case 4: 1824 r = smmu_readl(s, offset, data, attrs); 1825 break; 1826 default: 1827 r = MEMTX_ERROR; 1828 break; 1829 } 1830 1831 trace_smmuv3_read_mmio(offset, *data, size, r); 1832 return r; 1833 } 1834 1835 static const MemoryRegionOps smmu_mem_ops = { 1836 .read_with_attrs = smmu_read_mmio, 1837 .write_with_attrs = smmu_write_mmio, 1838 .endianness = DEVICE_LITTLE_ENDIAN, 1839 .valid = { 1840 .min_access_size = 4, 1841 .max_access_size = 8, 1842 }, 1843 .impl = { 1844 .min_access_size = 4, 1845 .max_access_size = 8, 1846 }, 1847 }; 1848 1849 static void smmu_init_irq(SMMUv3State *s, SysBusDevice *dev) 1850 { 1851 int i; 1852 1853 for (i = 0; i < ARRAY_SIZE(s->irq); i++) { 1854 sysbus_init_irq(dev, &s->irq[i]); 1855 } 1856 } 1857 1858 /* 1859 * Make sure the IOMMU is reset in 'exit' phase after 1860 * all outstanding DMA requests have been quiesced during 1861 * the 'enter' or 'hold' reset phases 1862 */ 1863 static void smmu_reset_exit(Object *obj, ResetType type) 1864 { 1865 SMMUv3State *s = ARM_SMMUV3(obj); 1866 SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s); 1867 1868 trace_smmu_reset_exit(); 1869 if (c->parent_phases.exit) { 1870 c->parent_phases.exit(obj, type); 1871 } 1872 1873 smmuv3_init_regs(s); 1874 } 1875 1876 static void smmu_realize(DeviceState *d, Error **errp) 1877 { 1878 SMMUState *sys = ARM_SMMU(d); 1879 SMMUv3State *s = ARM_SMMUV3(sys); 1880 SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s); 1881 SysBusDevice *dev = SYS_BUS_DEVICE(d); 1882 Error *local_err = NULL; 1883 1884 c->parent_realize(d, &local_err); 1885 if (local_err) { 1886 error_propagate(errp, local_err); 1887 return; 1888 } 1889 1890 qemu_mutex_init(&s->mutex); 1891 1892 memory_region_init_io(&sys->iomem, OBJECT(s), 1893 &smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000); 1894 1895 sys->mrtypename = TYPE_SMMUV3_IOMMU_MEMORY_REGION; 1896 1897 sysbus_init_mmio(dev, &sys->iomem); 1898 1899 smmu_init_irq(s, dev); 1900 } 1901 1902 static const VMStateDescription vmstate_smmuv3_queue = { 1903 .name = "smmuv3_queue", 1904 .version_id = 1, 1905 .minimum_version_id = 1, 1906 .fields = (const VMStateField[]) { 1907 VMSTATE_UINT64(base, SMMUQueue), 1908 VMSTATE_UINT32(prod, SMMUQueue), 1909 VMSTATE_UINT32(cons, SMMUQueue), 1910 VMSTATE_UINT8(log2size, SMMUQueue), 1911 VMSTATE_END_OF_LIST(), 1912 }, 1913 }; 1914 1915 static bool smmuv3_gbpa_needed(void *opaque) 1916 { 1917 SMMUv3State *s = opaque; 1918 1919 /* Only migrate GBPA if it has different reset value. */ 1920 return s->gbpa != SMMU_GBPA_RESET_VAL; 1921 } 1922 1923 static const VMStateDescription vmstate_gbpa = { 1924 .name = "smmuv3/gbpa", 1925 .version_id = 1, 1926 .minimum_version_id = 1, 1927 .needed = smmuv3_gbpa_needed, 1928 .fields = (const VMStateField[]) { 1929 VMSTATE_UINT32(gbpa, SMMUv3State), 1930 VMSTATE_END_OF_LIST() 1931 } 1932 }; 1933 1934 static const VMStateDescription vmstate_smmuv3 = { 1935 .name = "smmuv3", 1936 .version_id = 1, 1937 .minimum_version_id = 1, 1938 .priority = MIG_PRI_IOMMU, 1939 .fields = (const VMStateField[]) { 1940 VMSTATE_UINT32(features, SMMUv3State), 1941 VMSTATE_UINT8(sid_size, SMMUv3State), 1942 VMSTATE_UINT8(sid_split, SMMUv3State), 1943 1944 VMSTATE_UINT32_ARRAY(cr, SMMUv3State, 3), 1945 VMSTATE_UINT32(cr0ack, SMMUv3State), 1946 VMSTATE_UINT32(statusr, SMMUv3State), 1947 VMSTATE_UINT32(irq_ctrl, SMMUv3State), 1948 VMSTATE_UINT32(gerror, SMMUv3State), 1949 VMSTATE_UINT32(gerrorn, SMMUv3State), 1950 VMSTATE_UINT64(gerror_irq_cfg0, SMMUv3State), 1951 VMSTATE_UINT32(gerror_irq_cfg1, SMMUv3State), 1952 VMSTATE_UINT32(gerror_irq_cfg2, SMMUv3State), 1953 VMSTATE_UINT64(strtab_base, SMMUv3State), 1954 VMSTATE_UINT32(strtab_base_cfg, SMMUv3State), 1955 VMSTATE_UINT64(eventq_irq_cfg0, SMMUv3State), 1956 VMSTATE_UINT32(eventq_irq_cfg1, SMMUv3State), 1957 VMSTATE_UINT32(eventq_irq_cfg2, SMMUv3State), 1958 1959 VMSTATE_STRUCT(cmdq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue), 1960 VMSTATE_STRUCT(eventq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue), 1961 1962 VMSTATE_END_OF_LIST(), 1963 }, 1964 .subsections = (const VMStateDescription * const []) { 1965 &vmstate_gbpa, 1966 NULL 1967 } 1968 }; 1969 1970 static const Property smmuv3_properties[] = { 1971 /* 1972 * Stages of translation advertised. 1973 * "1": Stage 1 1974 * "2": Stage 2 1975 * "nested": Both stage 1 and stage 2 1976 * Defaults to stage 1 1977 */ 1978 DEFINE_PROP_STRING("stage", SMMUv3State, stage), 1979 }; 1980 1981 static void smmuv3_instance_init(Object *obj) 1982 { 1983 /* Nothing much to do here as of now */ 1984 } 1985 1986 static void smmuv3_class_init(ObjectClass *klass, void *data) 1987 { 1988 DeviceClass *dc = DEVICE_CLASS(klass); 1989 ResettableClass *rc = RESETTABLE_CLASS(klass); 1990 SMMUv3Class *c = ARM_SMMUV3_CLASS(klass); 1991 1992 dc->vmsd = &vmstate_smmuv3; 1993 resettable_class_set_parent_phases(rc, NULL, NULL, smmu_reset_exit, 1994 &c->parent_phases); 1995 device_class_set_parent_realize(dc, smmu_realize, 1996 &c->parent_realize); 1997 device_class_set_props(dc, smmuv3_properties); 1998 } 1999 2000 static int smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu, 2001 IOMMUNotifierFlag old, 2002 IOMMUNotifierFlag new, 2003 Error **errp) 2004 { 2005 SMMUDevice *sdev = container_of(iommu, SMMUDevice, iommu); 2006 SMMUv3State *s3 = sdev->smmu; 2007 SMMUState *s = &(s3->smmu_state); 2008 2009 if (new & IOMMU_NOTIFIER_DEVIOTLB_UNMAP) { 2010 error_setg(errp, "SMMUv3 does not support dev-iotlb yet"); 2011 return -EINVAL; 2012 } 2013 2014 if (new & IOMMU_NOTIFIER_MAP) { 2015 error_setg(errp, 2016 "device %02x.%02x.%x requires iommu MAP notifier which is " 2017 "not currently supported", pci_bus_num(sdev->bus), 2018 PCI_SLOT(sdev->devfn), PCI_FUNC(sdev->devfn)); 2019 return -EINVAL; 2020 } 2021 2022 if (old == IOMMU_NOTIFIER_NONE) { 2023 trace_smmuv3_notify_flag_add(iommu->parent_obj.name); 2024 QLIST_INSERT_HEAD(&s->devices_with_notifiers, sdev, next); 2025 } else if (new == IOMMU_NOTIFIER_NONE) { 2026 trace_smmuv3_notify_flag_del(iommu->parent_obj.name); 2027 QLIST_REMOVE(sdev, next); 2028 } 2029 return 0; 2030 } 2031 2032 static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass, 2033 void *data) 2034 { 2035 IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass); 2036 2037 imrc->translate = smmuv3_translate; 2038 imrc->notify_flag_changed = smmuv3_notify_flag_changed; 2039 } 2040 2041 static const TypeInfo smmuv3_type_info = { 2042 .name = TYPE_ARM_SMMUV3, 2043 .parent = TYPE_ARM_SMMU, 2044 .instance_size = sizeof(SMMUv3State), 2045 .instance_init = smmuv3_instance_init, 2046 .class_size = sizeof(SMMUv3Class), 2047 .class_init = smmuv3_class_init, 2048 }; 2049 2050 static const TypeInfo smmuv3_iommu_memory_region_info = { 2051 .parent = TYPE_IOMMU_MEMORY_REGION, 2052 .name = TYPE_SMMUV3_IOMMU_MEMORY_REGION, 2053 .class_init = smmuv3_iommu_memory_region_class_init, 2054 }; 2055 2056 static void smmuv3_register_types(void) 2057 { 2058 type_register_static(&smmuv3_type_info); 2059 type_register_static(&smmuv3_iommu_memory_region_info); 2060 } 2061 2062 type_init(smmuv3_register_types) 2063 2064