1 /* 2 * Copyright (C) 2014-2016 Broadcom Corporation 3 * Copyright (c) 2017 Red Hat, Inc. 4 * Written by Prem Mallappa, Eric Auger 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 2 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * Author: Prem Mallappa <pmallapp@broadcom.com> 16 * 17 */ 18 19 #include "qemu/osdep.h" 20 #include "trace.h" 21 #include "exec/target_page.h" 22 #include "hw/core/cpu.h" 23 #include "hw/qdev-properties.h" 24 #include "qapi/error.h" 25 #include "qemu/jhash.h" 26 #include "qemu/module.h" 27 28 #include "qemu/error-report.h" 29 #include "hw/arm/smmu-common.h" 30 #include "smmu-internal.h" 31 32 /* IOTLB Management */ 33 34 static guint smmu_iotlb_key_hash(gconstpointer v) 35 { 36 SMMUIOTLBKey *key = (SMMUIOTLBKey *)v; 37 uint32_t a, b, c; 38 39 /* Jenkins hash */ 40 a = b = c = JHASH_INITVAL + sizeof(*key); 41 a += key->asid + key->vmid + key->level + key->tg; 42 b += extract64(key->iova, 0, 32); 43 c += extract64(key->iova, 32, 32); 44 45 __jhash_mix(a, b, c); 46 __jhash_final(a, b, c); 47 48 return c; 49 } 50 51 static gboolean smmu_iotlb_key_equal(gconstpointer v1, gconstpointer v2) 52 { 53 SMMUIOTLBKey *k1 = (SMMUIOTLBKey *)v1, *k2 = (SMMUIOTLBKey *)v2; 54 55 return (k1->asid == k2->asid) && (k1->iova == k2->iova) && 56 (k1->level == k2->level) && (k1->tg == k2->tg) && 57 (k1->vmid == k2->vmid); 58 } 59 60 SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova, 61 uint8_t tg, uint8_t level) 62 { 63 SMMUIOTLBKey key = {.asid = asid, .vmid = vmid, .iova = iova, 64 .tg = tg, .level = level}; 65 66 return key; 67 } 68 69 static SMMUTLBEntry *smmu_iotlb_lookup_all_levels(SMMUState *bs, 70 SMMUTransCfg *cfg, 71 SMMUTransTableInfo *tt, 72 hwaddr iova) 73 { 74 uint8_t tg = (tt->granule_sz - 10) / 2; 75 uint8_t inputsize = 64 - tt->tsz; 76 uint8_t stride = tt->granule_sz - 3; 77 uint8_t level = 4 - (inputsize - 4) / stride; 78 SMMUTLBEntry *entry = NULL; 79 80 while (level <= 3) { 81 uint64_t subpage_size = 1ULL << level_shift(level, tt->granule_sz); 82 uint64_t mask = subpage_size - 1; 83 SMMUIOTLBKey key; 84 85 key = smmu_get_iotlb_key(cfg->asid, cfg->s2cfg.vmid, 86 iova & ~mask, tg, level); 87 entry = g_hash_table_lookup(bs->iotlb, &key); 88 if (entry) { 89 break; 90 } 91 level++; 92 } 93 return entry; 94 } 95 96 /** 97 * smmu_iotlb_lookup - Look up for a TLB entry. 98 * @bs: SMMU state which includes the TLB instance 99 * @cfg: Configuration of the translation 100 * @tt: Translation table info (granule and tsz) 101 * @iova: IOVA address to lookup 102 * 103 * returns a valid entry on success, otherwise NULL. 104 * In case of nested translation, tt can be updated to include 105 * the granule of the found entry as it might different from 106 * the IOVA granule. 107 */ 108 SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg, 109 SMMUTransTableInfo *tt, hwaddr iova) 110 { 111 SMMUTLBEntry *entry = NULL; 112 113 entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova); 114 /* 115 * For nested translation also try the s2 granule, as the TLB will insert 116 * it if the size of s2 tlb entry was smaller. 117 */ 118 if (!entry && (cfg->stage == SMMU_NESTED) && 119 (cfg->s2cfg.granule_sz != tt->granule_sz)) { 120 tt->granule_sz = cfg->s2cfg.granule_sz; 121 entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova); 122 } 123 124 if (entry) { 125 cfg->iotlb_hits++; 126 trace_smmu_iotlb_lookup_hit(cfg->asid, cfg->s2cfg.vmid, iova, 127 cfg->iotlb_hits, cfg->iotlb_misses, 128 100 * cfg->iotlb_hits / 129 (cfg->iotlb_hits + cfg->iotlb_misses)); 130 } else { 131 cfg->iotlb_misses++; 132 trace_smmu_iotlb_lookup_miss(cfg->asid, cfg->s2cfg.vmid, iova, 133 cfg->iotlb_hits, cfg->iotlb_misses, 134 100 * cfg->iotlb_hits / 135 (cfg->iotlb_hits + cfg->iotlb_misses)); 136 } 137 return entry; 138 } 139 140 void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *new) 141 { 142 SMMUIOTLBKey *key = g_new0(SMMUIOTLBKey, 1); 143 uint8_t tg = (new->granule - 10) / 2; 144 145 if (g_hash_table_size(bs->iotlb) >= SMMU_IOTLB_MAX_SIZE) { 146 smmu_iotlb_inv_all(bs); 147 } 148 149 *key = smmu_get_iotlb_key(cfg->asid, cfg->s2cfg.vmid, new->entry.iova, 150 tg, new->level); 151 trace_smmu_iotlb_insert(cfg->asid, cfg->s2cfg.vmid, new->entry.iova, 152 tg, new->level); 153 g_hash_table_insert(bs->iotlb, key, new); 154 } 155 156 void smmu_iotlb_inv_all(SMMUState *s) 157 { 158 trace_smmu_iotlb_inv_all(); 159 g_hash_table_remove_all(s->iotlb); 160 } 161 162 static gboolean smmu_hash_remove_by_asid_vmid(gpointer key, gpointer value, 163 gpointer user_data) 164 { 165 SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data; 166 SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key; 167 168 return (SMMU_IOTLB_ASID(*iotlb_key) == info->asid) && 169 (SMMU_IOTLB_VMID(*iotlb_key) == info->vmid); 170 } 171 172 static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value, 173 gpointer user_data) 174 { 175 int vmid = *(int *)user_data; 176 SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key; 177 178 return SMMU_IOTLB_VMID(*iotlb_key) == vmid; 179 } 180 181 static gboolean smmu_hash_remove_by_vmid_s1(gpointer key, gpointer value, 182 gpointer user_data) 183 { 184 int vmid = *(int *)user_data; 185 SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key; 186 187 return (SMMU_IOTLB_VMID(*iotlb_key) == vmid) && 188 (SMMU_IOTLB_ASID(*iotlb_key) >= 0); 189 } 190 191 static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value, 192 gpointer user_data) 193 { 194 SMMUTLBEntry *iter = (SMMUTLBEntry *)value; 195 IOMMUTLBEntry *entry = &iter->entry; 196 SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data; 197 SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key; 198 199 if (info->asid >= 0 && info->asid != SMMU_IOTLB_ASID(iotlb_key)) { 200 return false; 201 } 202 if (info->vmid >= 0 && info->vmid != SMMU_IOTLB_VMID(iotlb_key)) { 203 return false; 204 } 205 return ((info->iova & ~entry->addr_mask) == entry->iova) || 206 ((entry->iova & ~info->mask) == info->iova); 207 } 208 209 static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value, 210 gpointer user_data) 211 { 212 SMMUTLBEntry *iter = (SMMUTLBEntry *)value; 213 IOMMUTLBEntry *entry = &iter->entry; 214 SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data; 215 SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key; 216 217 if (SMMU_IOTLB_ASID(iotlb_key) >= 0) { 218 /* This is a stage-1 address. */ 219 return false; 220 } 221 if (info->vmid != SMMU_IOTLB_VMID(iotlb_key)) { 222 return false; 223 } 224 return ((info->iova & ~entry->addr_mask) == entry->iova) || 225 ((entry->iova & ~info->mask) == info->iova); 226 } 227 228 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova, 229 uint8_t tg, uint64_t num_pages, uint8_t ttl) 230 { 231 /* if tg is not set we use 4KB range invalidation */ 232 uint8_t granule = tg ? tg * 2 + 10 : 12; 233 234 if (ttl && (num_pages == 1) && (asid >= 0)) { 235 SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, iova, tg, ttl); 236 237 if (g_hash_table_remove(s->iotlb, &key)) { 238 return; 239 } 240 /* 241 * if the entry is not found, let's see if it does not 242 * belong to a larger IOTLB entry 243 */ 244 } 245 246 SMMUIOTLBPageInvInfo info = { 247 .asid = asid, .iova = iova, 248 .vmid = vmid, 249 .mask = (num_pages * 1 << granule) - 1}; 250 251 g_hash_table_foreach_remove(s->iotlb, 252 smmu_hash_remove_by_asid_vmid_iova, 253 &info); 254 } 255 256 /* 257 * Similar to smmu_iotlb_inv_iova(), but for Stage-2, ASID is always -1, 258 * in Stage-1 invalidation ASID = -1, means don't care. 259 */ 260 void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg, 261 uint64_t num_pages, uint8_t ttl) 262 { 263 uint8_t granule = tg ? tg * 2 + 10 : 12; 264 int asid = -1; 265 266 if (ttl && (num_pages == 1)) { 267 SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, ipa, tg, ttl); 268 269 if (g_hash_table_remove(s->iotlb, &key)) { 270 return; 271 } 272 } 273 274 SMMUIOTLBPageInvInfo info = { 275 .iova = ipa, 276 .vmid = vmid, 277 .mask = (num_pages << granule) - 1}; 278 279 g_hash_table_foreach_remove(s->iotlb, 280 smmu_hash_remove_by_vmid_ipa, 281 &info); 282 } 283 284 void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid) 285 { 286 SMMUIOTLBPageInvInfo info = { 287 .asid = asid, 288 .vmid = vmid, 289 }; 290 291 trace_smmu_iotlb_inv_asid_vmid(asid, vmid); 292 g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid_vmid, &info); 293 } 294 295 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid) 296 { 297 trace_smmu_iotlb_inv_vmid(vmid); 298 g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid); 299 } 300 301 inline void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid) 302 { 303 trace_smmu_iotlb_inv_vmid_s1(vmid); 304 g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid_s1, &vmid); 305 } 306 307 /* VMSAv8-64 Translation */ 308 309 /** 310 * get_pte - Get the content of a page table entry located at 311 * @base_addr[@index] 312 */ 313 static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte, 314 SMMUPTWEventInfo *info) 315 { 316 int ret; 317 dma_addr_t addr = baseaddr + index * sizeof(*pte); 318 319 /* TODO: guarantee 64-bit single-copy atomicity */ 320 ret = ldq_le_dma(&address_space_memory, addr, pte, MEMTXATTRS_UNSPECIFIED); 321 322 if (ret != MEMTX_OK) { 323 info->type = SMMU_PTW_ERR_WALK_EABT; 324 info->addr = addr; 325 return -EINVAL; 326 } 327 trace_smmu_get_pte(baseaddr, index, addr, *pte); 328 return 0; 329 } 330 331 /* VMSAv8-64 Translation Table Format Descriptor Decoding */ 332 333 /** 334 * get_page_pte_address - returns the L3 descriptor output address, 335 * ie. the page frame 336 * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format 337 */ 338 static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz) 339 { 340 return PTE_ADDRESS(pte, granule_sz); 341 } 342 343 /** 344 * get_table_pte_address - return table descriptor output address, 345 * ie. address of next level table 346 * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats 347 */ 348 static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz) 349 { 350 return PTE_ADDRESS(pte, granule_sz); 351 } 352 353 /** 354 * get_block_pte_address - return block descriptor output address and block size 355 * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats 356 */ 357 static inline hwaddr get_block_pte_address(uint64_t pte, int level, 358 int granule_sz, uint64_t *bsz) 359 { 360 int n = level_shift(level, granule_sz); 361 362 *bsz = 1ULL << n; 363 return PTE_ADDRESS(pte, n); 364 } 365 366 SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova) 367 { 368 bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi); 369 uint8_t tbi_byte = tbi * 8; 370 371 if (cfg->tt[0].tsz && 372 !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) { 373 /* there is a ttbr0 region and we are in it (high bits all zero) */ 374 return &cfg->tt[0]; 375 } else if (cfg->tt[1].tsz && 376 sextract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte) == -1) { 377 /* there is a ttbr1 region and we are in it (high bits all one) */ 378 return &cfg->tt[1]; 379 } else if (!cfg->tt[0].tsz) { 380 /* ttbr0 region is "everything not in the ttbr1 region" */ 381 return &cfg->tt[0]; 382 } else if (!cfg->tt[1].tsz) { 383 /* ttbr1 region is "everything not in the ttbr0 region" */ 384 return &cfg->tt[1]; 385 } 386 /* in the gap between the two regions, this is a Translation fault */ 387 return NULL; 388 } 389 390 /* Translate stage-1 table address using stage-2 page table. */ 391 static inline int translate_table_addr_ipa(SMMUState *bs, 392 dma_addr_t *table_addr, 393 SMMUTransCfg *cfg, 394 SMMUPTWEventInfo *info) 395 { 396 dma_addr_t addr = *table_addr; 397 SMMUTLBEntry *cached_entry; 398 int asid; 399 400 /* 401 * The translation table walks performed from TTB0 or TTB1 are always 402 * performed in IPA space if stage 2 translations are enabled. 403 */ 404 asid = cfg->asid; 405 cfg->stage = SMMU_STAGE_2; 406 cfg->asid = -1; 407 cached_entry = smmu_translate(bs, cfg, addr, IOMMU_RO, info); 408 cfg->asid = asid; 409 cfg->stage = SMMU_NESTED; 410 411 if (cached_entry) { 412 *table_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr); 413 return 0; 414 } 415 416 info->stage = SMMU_STAGE_2; 417 info->addr = addr; 418 info->is_ipa_descriptor = true; 419 return -EINVAL; 420 } 421 422 /** 423 * smmu_ptw_64_s1 - VMSAv8-64 Walk of the page tables for a given IOVA 424 * @bs: smmu state which includes TLB instance 425 * @cfg: translation config 426 * @iova: iova to translate 427 * @perm: access type 428 * @tlbe: SMMUTLBEntry (out) 429 * @info: handle to an error info 430 * 431 * Return 0 on success, < 0 on error. In case of error, @info is filled 432 * and tlbe->perm is set to IOMMU_NONE. 433 * Upon success, @tlbe is filled with translated_addr and entry 434 * permission rights. 435 */ 436 static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg, 437 dma_addr_t iova, IOMMUAccessFlags perm, 438 SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info) 439 { 440 dma_addr_t baseaddr, indexmask; 441 SMMUStage stage = cfg->stage; 442 SMMUTransTableInfo *tt = select_tt(cfg, iova); 443 uint8_t level, granule_sz, inputsize, stride; 444 445 if (!tt || tt->disabled) { 446 info->type = SMMU_PTW_ERR_TRANSLATION; 447 goto error; 448 } 449 450 granule_sz = tt->granule_sz; 451 stride = VMSA_STRIDE(granule_sz); 452 inputsize = 64 - tt->tsz; 453 level = 4 - (inputsize - 4) / stride; 454 indexmask = VMSA_IDXMSK(inputsize, stride, level); 455 456 baseaddr = extract64(tt->ttb, 0, cfg->oas); 457 baseaddr &= ~indexmask; 458 459 while (level < VMSA_LEVELS) { 460 uint64_t subpage_size = 1ULL << level_shift(level, granule_sz); 461 uint64_t mask = subpage_size - 1; 462 uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz); 463 uint64_t pte, gpa; 464 dma_addr_t pte_addr = baseaddr + offset * sizeof(pte); 465 uint8_t ap; 466 467 if (get_pte(baseaddr, offset, &pte, info)) { 468 goto error; 469 } 470 trace_smmu_ptw_level(stage, level, iova, subpage_size, 471 baseaddr, offset, pte); 472 473 if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) { 474 trace_smmu_ptw_invalid_pte(stage, level, baseaddr, 475 pte_addr, offset, pte); 476 break; 477 } 478 479 if (is_table_pte(pte, level)) { 480 ap = PTE_APTABLE(pte); 481 482 if (is_permission_fault(ap, perm) && !tt->had) { 483 info->type = SMMU_PTW_ERR_PERMISSION; 484 goto error; 485 } 486 baseaddr = get_table_pte_address(pte, granule_sz); 487 if (cfg->stage == SMMU_NESTED) { 488 if (translate_table_addr_ipa(bs, &baseaddr, cfg, info)) { 489 goto error; 490 } 491 } 492 level++; 493 continue; 494 } else if (is_page_pte(pte, level)) { 495 gpa = get_page_pte_address(pte, granule_sz); 496 trace_smmu_ptw_page_pte(stage, level, iova, 497 baseaddr, pte_addr, pte, gpa); 498 } else { 499 uint64_t block_size; 500 501 gpa = get_block_pte_address(pte, level, granule_sz, 502 &block_size); 503 trace_smmu_ptw_block_pte(stage, level, baseaddr, 504 pte_addr, pte, iova, gpa, 505 block_size >> 20); 506 } 507 508 /* 509 * QEMU does not currently implement HTTU, so if AFFD and PTE.AF 510 * are 0 we take an Access flag fault. (5.4. Context Descriptor) 511 * An Access flag fault takes priority over a Permission fault. 512 */ 513 if (!PTE_AF(pte) && !cfg->affd) { 514 info->type = SMMU_PTW_ERR_ACCESS; 515 goto error; 516 } 517 518 ap = PTE_AP(pte); 519 if (is_permission_fault(ap, perm)) { 520 info->type = SMMU_PTW_ERR_PERMISSION; 521 goto error; 522 } 523 524 /* 525 * The address output from the translation causes a stage 1 Address 526 * Size fault if it exceeds the range of the effective IPA size for 527 * the given CD. 528 */ 529 if (gpa >= (1ULL << cfg->oas)) { 530 info->type = SMMU_PTW_ERR_ADDR_SIZE; 531 goto error; 532 } 533 534 tlbe->entry.translated_addr = gpa; 535 tlbe->entry.iova = iova & ~mask; 536 tlbe->entry.addr_mask = mask; 537 tlbe->parent_perm = PTE_AP_TO_PERM(ap); 538 tlbe->entry.perm = tlbe->parent_perm; 539 tlbe->level = level; 540 tlbe->granule = granule_sz; 541 return 0; 542 } 543 info->type = SMMU_PTW_ERR_TRANSLATION; 544 545 error: 546 info->stage = SMMU_STAGE_1; 547 tlbe->entry.perm = IOMMU_NONE; 548 return -EINVAL; 549 } 550 551 /** 552 * smmu_ptw_64_s2 - VMSAv8-64 Walk of the page tables for a given ipa 553 * for stage-2. 554 * @cfg: translation config 555 * @ipa: ipa to translate 556 * @perm: access type 557 * @tlbe: SMMUTLBEntry (out) 558 * @info: handle to an error info 559 * 560 * Return 0 on success, < 0 on error. In case of error, @info is filled 561 * and tlbe->perm is set to IOMMU_NONE. 562 * Upon success, @tlbe is filled with translated_addr and entry 563 * permission rights. 564 */ 565 static int smmu_ptw_64_s2(SMMUTransCfg *cfg, 566 dma_addr_t ipa, IOMMUAccessFlags perm, 567 SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info) 568 { 569 const SMMUStage stage = SMMU_STAGE_2; 570 int granule_sz = cfg->s2cfg.granule_sz; 571 /* ARM DDI0487I.a: Table D8-7. */ 572 int inputsize = 64 - cfg->s2cfg.tsz; 573 int level = get_start_level(cfg->s2cfg.sl0, granule_sz); 574 int stride = VMSA_STRIDE(granule_sz); 575 int idx = pgd_concat_idx(level, granule_sz, ipa); 576 /* 577 * Get the ttb from concatenated structure. 578 * The offset is the idx * size of each ttb(number of ptes * (sizeof(pte)) 579 */ 580 uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, cfg->s2cfg.eff_ps) + 581 (1 << stride) * idx * sizeof(uint64_t); 582 dma_addr_t indexmask = VMSA_IDXMSK(inputsize, stride, level); 583 584 baseaddr &= ~indexmask; 585 586 /* 587 * On input, a stage 2 Translation fault occurs if the IPA is outside the 588 * range configured by the relevant S2T0SZ field of the STE. 589 */ 590 if (ipa >= (1ULL << inputsize)) { 591 info->type = SMMU_PTW_ERR_TRANSLATION; 592 goto error_ipa; 593 } 594 595 while (level < VMSA_LEVELS) { 596 uint64_t subpage_size = 1ULL << level_shift(level, granule_sz); 597 uint64_t mask = subpage_size - 1; 598 uint32_t offset = iova_level_offset(ipa, inputsize, level, granule_sz); 599 uint64_t pte, gpa; 600 dma_addr_t pte_addr = baseaddr + offset * sizeof(pte); 601 uint8_t s2ap; 602 603 if (get_pte(baseaddr, offset, &pte, info)) { 604 goto error; 605 } 606 trace_smmu_ptw_level(stage, level, ipa, subpage_size, 607 baseaddr, offset, pte); 608 if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) { 609 trace_smmu_ptw_invalid_pte(stage, level, baseaddr, 610 pte_addr, offset, pte); 611 break; 612 } 613 614 if (is_table_pte(pte, level)) { 615 baseaddr = get_table_pte_address(pte, granule_sz); 616 level++; 617 continue; 618 } else if (is_page_pte(pte, level)) { 619 gpa = get_page_pte_address(pte, granule_sz); 620 trace_smmu_ptw_page_pte(stage, level, ipa, 621 baseaddr, pte_addr, pte, gpa); 622 } else { 623 uint64_t block_size; 624 625 gpa = get_block_pte_address(pte, level, granule_sz, 626 &block_size); 627 trace_smmu_ptw_block_pte(stage, level, baseaddr, 628 pte_addr, pte, ipa, gpa, 629 block_size >> 20); 630 } 631 632 /* 633 * If S2AFFD and PTE.AF are 0 => fault. (5.2. Stream Table Entry) 634 * An Access fault takes priority over a Permission fault. 635 */ 636 if (!PTE_AF(pte) && !cfg->s2cfg.affd) { 637 info->type = SMMU_PTW_ERR_ACCESS; 638 goto error_ipa; 639 } 640 641 s2ap = PTE_AP(pte); 642 if (is_permission_fault_s2(s2ap, perm)) { 643 info->type = SMMU_PTW_ERR_PERMISSION; 644 goto error_ipa; 645 } 646 647 /* 648 * The address output from the translation causes a stage 2 Address 649 * Size fault if it exceeds the effective PA output range. 650 */ 651 if (gpa >= (1ULL << cfg->s2cfg.eff_ps)) { 652 info->type = SMMU_PTW_ERR_ADDR_SIZE; 653 goto error_ipa; 654 } 655 656 tlbe->entry.translated_addr = gpa; 657 tlbe->entry.iova = ipa & ~mask; 658 tlbe->entry.addr_mask = mask; 659 tlbe->parent_perm = s2ap; 660 tlbe->entry.perm = tlbe->parent_perm; 661 tlbe->level = level; 662 tlbe->granule = granule_sz; 663 return 0; 664 } 665 info->type = SMMU_PTW_ERR_TRANSLATION; 666 667 error_ipa: 668 info->addr = ipa; 669 error: 670 info->stage = SMMU_STAGE_2; 671 tlbe->entry.perm = IOMMU_NONE; 672 return -EINVAL; 673 } 674 675 /* 676 * combine S1 and S2 TLB entries into a single entry. 677 * As a result the S1 entry is overriden with combined data. 678 */ 679 static void combine_tlb(SMMUTLBEntry *tlbe, SMMUTLBEntry *tlbe_s2, 680 dma_addr_t iova, SMMUTransCfg *cfg) 681 { 682 if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) { 683 tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask; 684 tlbe->granule = tlbe_s2->granule; 685 tlbe->level = tlbe_s2->level; 686 } 687 688 tlbe->entry.translated_addr = CACHED_ENTRY_TO_ADDR(tlbe_s2, 689 tlbe->entry.translated_addr); 690 691 tlbe->entry.iova = iova & ~tlbe->entry.addr_mask; 692 /* parent_perm has s2 perm while perm keeps s1 perm. */ 693 tlbe->parent_perm = tlbe_s2->entry.perm; 694 return; 695 } 696 697 /** 698 * smmu_ptw - Walk the page tables for an IOVA, according to @cfg 699 * 700 * @bs: smmu state which includes TLB instance 701 * @cfg: translation configuration 702 * @iova: iova to translate 703 * @perm: tentative access type 704 * @tlbe: returned entry 705 * @info: ptw event handle 706 * 707 * return 0 on success 708 */ 709 int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova, 710 IOMMUAccessFlags perm, SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info) 711 { 712 int ret; 713 SMMUTLBEntry tlbe_s2; 714 dma_addr_t ipa; 715 716 if (cfg->stage == SMMU_STAGE_1) { 717 return smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info); 718 } else if (cfg->stage == SMMU_STAGE_2) { 719 /* 720 * If bypassing stage 1(or unimplemented), the input address is passed 721 * directly to stage 2 as IPA. If the input address of a transaction 722 * exceeds the size of the IAS, a stage 1 Address Size fault occurs. 723 * For AA64, IAS = OAS according to (IHI 0070.E.a) "3.4 Address sizes" 724 */ 725 if (iova >= (1ULL << cfg->oas)) { 726 info->type = SMMU_PTW_ERR_ADDR_SIZE; 727 info->stage = SMMU_STAGE_1; 728 tlbe->entry.perm = IOMMU_NONE; 729 return -EINVAL; 730 } 731 732 return smmu_ptw_64_s2(cfg, iova, perm, tlbe, info); 733 } 734 735 /* SMMU_NESTED. */ 736 ret = smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info); 737 if (ret) { 738 return ret; 739 } 740 741 ipa = CACHED_ENTRY_TO_ADDR(tlbe, iova); 742 ret = smmu_ptw_64_s2(cfg, ipa, perm, &tlbe_s2, info); 743 if (ret) { 744 return ret; 745 } 746 747 combine_tlb(tlbe, &tlbe_s2, iova, cfg); 748 return 0; 749 } 750 751 SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr, 752 IOMMUAccessFlags flag, SMMUPTWEventInfo *info) 753 { 754 SMMUTLBEntry *cached_entry = NULL; 755 SMMUTransTableInfo *tt; 756 int status; 757 758 /* 759 * Combined attributes used for TLB lookup, holds the attributes for 760 * the input stage. 761 */ 762 SMMUTransTableInfo tt_combined; 763 764 if (cfg->stage == SMMU_STAGE_2) { 765 /* Stage2. */ 766 tt_combined.granule_sz = cfg->s2cfg.granule_sz; 767 tt_combined.tsz = cfg->s2cfg.tsz; 768 } else { 769 /* Select stage1 translation table. */ 770 tt = select_tt(cfg, addr); 771 if (!tt) { 772 info->type = SMMU_PTW_ERR_TRANSLATION; 773 info->stage = SMMU_STAGE_1; 774 return NULL; 775 } 776 tt_combined.granule_sz = tt->granule_sz; 777 tt_combined.tsz = tt->tsz; 778 } 779 780 cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr); 781 if (cached_entry) { 782 if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & 783 cached_entry->parent_perm & IOMMU_WO)) { 784 info->type = SMMU_PTW_ERR_PERMISSION; 785 info->stage = !(cached_entry->entry.perm & IOMMU_WO) ? 786 SMMU_STAGE_1 : 787 SMMU_STAGE_2; 788 return NULL; 789 } 790 return cached_entry; 791 } 792 793 cached_entry = g_new0(SMMUTLBEntry, 1); 794 status = smmu_ptw(bs, cfg, addr, flag, cached_entry, info); 795 if (status) { 796 g_free(cached_entry); 797 return NULL; 798 } 799 smmu_iotlb_insert(bs, cfg, cached_entry); 800 return cached_entry; 801 } 802 803 /** 804 * The bus number is used for lookup when SID based invalidation occurs. 805 * In that case we lazily populate the SMMUPciBus array from the bus hash 806 * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus 807 * numbers may not be always initialized yet. 808 */ 809 SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num) 810 { 811 SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num]; 812 GHashTableIter iter; 813 814 if (smmu_pci_bus) { 815 return smmu_pci_bus; 816 } 817 818 g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr); 819 while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) { 820 if (pci_bus_num(smmu_pci_bus->bus) == bus_num) { 821 s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus; 822 return smmu_pci_bus; 823 } 824 } 825 826 return NULL; 827 } 828 829 static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn) 830 { 831 SMMUState *s = opaque; 832 SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus); 833 SMMUDevice *sdev; 834 static unsigned int index; 835 836 if (!sbus) { 837 sbus = g_malloc0(sizeof(SMMUPciBus) + 838 sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX); 839 sbus->bus = bus; 840 g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus); 841 } 842 843 sdev = sbus->pbdev[devfn]; 844 if (!sdev) { 845 char *name = g_strdup_printf("%s-%d-%d", s->mrtypename, devfn, index++); 846 847 sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1); 848 849 sdev->smmu = s; 850 sdev->bus = bus; 851 sdev->devfn = devfn; 852 853 memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu), 854 s->mrtypename, 855 OBJECT(s), name, UINT64_MAX); 856 address_space_init(&sdev->as, 857 MEMORY_REGION(&sdev->iommu), name); 858 trace_smmu_add_mr(name); 859 g_free(name); 860 } 861 862 return &sdev->as; 863 } 864 865 static const PCIIOMMUOps smmu_ops = { 866 .get_address_space = smmu_find_add_as, 867 }; 868 869 SMMUDevice *smmu_find_sdev(SMMUState *s, uint32_t sid) 870 { 871 uint8_t bus_n, devfn; 872 SMMUPciBus *smmu_bus; 873 874 bus_n = PCI_BUS_NUM(sid); 875 smmu_bus = smmu_find_smmu_pcibus(s, bus_n); 876 if (smmu_bus) { 877 devfn = SMMU_PCI_DEVFN(sid); 878 return smmu_bus->pbdev[devfn]; 879 } 880 return NULL; 881 } 882 883 /* Unmap all notifiers attached to @mr */ 884 static void smmu_inv_notifiers_mr(IOMMUMemoryRegion *mr) 885 { 886 IOMMUNotifier *n; 887 888 trace_smmu_inv_notifiers_mr(mr->parent_obj.name); 889 IOMMU_NOTIFIER_FOREACH(n, mr) { 890 memory_region_unmap_iommu_notifier_range(n); 891 } 892 } 893 894 /* Unmap all notifiers of all mr's */ 895 void smmu_inv_notifiers_all(SMMUState *s) 896 { 897 SMMUDevice *sdev; 898 899 QLIST_FOREACH(sdev, &s->devices_with_notifiers, next) { 900 smmu_inv_notifiers_mr(&sdev->iommu); 901 } 902 } 903 904 static void smmu_base_realize(DeviceState *dev, Error **errp) 905 { 906 SMMUState *s = ARM_SMMU(dev); 907 SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev); 908 Error *local_err = NULL; 909 910 sbc->parent_realize(dev, &local_err); 911 if (local_err) { 912 error_propagate(errp, local_err); 913 return; 914 } 915 s->configs = g_hash_table_new_full(NULL, NULL, NULL, g_free); 916 s->iotlb = g_hash_table_new_full(smmu_iotlb_key_hash, smmu_iotlb_key_equal, 917 g_free, g_free); 918 s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL); 919 920 if (s->primary_bus) { 921 pci_setup_iommu(s->primary_bus, &smmu_ops, s); 922 } else { 923 error_setg(errp, "SMMU is not attached to any PCI bus!"); 924 } 925 } 926 927 static void smmu_base_reset_hold(Object *obj, ResetType type) 928 { 929 SMMUState *s = ARM_SMMU(obj); 930 931 memset(s->smmu_pcibus_by_bus_num, 0, sizeof(s->smmu_pcibus_by_bus_num)); 932 933 g_hash_table_remove_all(s->configs); 934 g_hash_table_remove_all(s->iotlb); 935 } 936 937 static Property smmu_dev_properties[] = { 938 DEFINE_PROP_UINT8("bus_num", SMMUState, bus_num, 0), 939 DEFINE_PROP_LINK("primary-bus", SMMUState, primary_bus, 940 TYPE_PCI_BUS, PCIBus *), 941 DEFINE_PROP_END_OF_LIST(), 942 }; 943 944 static void smmu_base_class_init(ObjectClass *klass, void *data) 945 { 946 DeviceClass *dc = DEVICE_CLASS(klass); 947 ResettableClass *rc = RESETTABLE_CLASS(klass); 948 SMMUBaseClass *sbc = ARM_SMMU_CLASS(klass); 949 950 device_class_set_props(dc, smmu_dev_properties); 951 device_class_set_parent_realize(dc, smmu_base_realize, 952 &sbc->parent_realize); 953 rc->phases.hold = smmu_base_reset_hold; 954 } 955 956 static const TypeInfo smmu_base_info = { 957 .name = TYPE_ARM_SMMU, 958 .parent = TYPE_SYS_BUS_DEVICE, 959 .instance_size = sizeof(SMMUState), 960 .class_data = NULL, 961 .class_size = sizeof(SMMUBaseClass), 962 .class_init = smmu_base_class_init, 963 .abstract = true, 964 }; 965 966 static void smmu_base_register_types(void) 967 { 968 type_register_static(&smmu_base_info); 969 } 970 971 type_init(smmu_base_register_types) 972 973