xref: /openbmc/qemu/hw/arm/smmu-common.c (revision e8122a71)
1 /*
2  * Copyright (C) 2014-2016 Broadcom Corporation
3  * Copyright (c) 2017 Red Hat, Inc.
4  * Written by Prem Mallappa, Eric Auger
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * Author: Prem Mallappa <pmallapp@broadcom.com>
16  *
17  */
18 
19 #include "qemu/osdep.h"
20 #include "trace.h"
21 #include "exec/target_page.h"
22 #include "hw/core/cpu.h"
23 #include "hw/qdev-properties.h"
24 #include "qapi/error.h"
25 #include "qemu/jhash.h"
26 #include "qemu/module.h"
27 
28 #include "qemu/error-report.h"
29 #include "hw/arm/smmu-common.h"
30 #include "smmu-internal.h"
31 
32 /* IOTLB Management */
33 
34 static guint smmu_iotlb_key_hash(gconstpointer v)
35 {
36     SMMUIOTLBKey *key = (SMMUIOTLBKey *)v;
37     uint32_t a, b, c;
38 
39     /* Jenkins hash */
40     a = b = c = JHASH_INITVAL + sizeof(*key);
41     a += key->asid + key->vmid + key->level + key->tg;
42     b += extract64(key->iova, 0, 32);
43     c += extract64(key->iova, 32, 32);
44 
45     __jhash_mix(a, b, c);
46     __jhash_final(a, b, c);
47 
48     return c;
49 }
50 
51 static gboolean smmu_iotlb_key_equal(gconstpointer v1, gconstpointer v2)
52 {
53     SMMUIOTLBKey *k1 = (SMMUIOTLBKey *)v1, *k2 = (SMMUIOTLBKey *)v2;
54 
55     return (k1->asid == k2->asid) && (k1->iova == k2->iova) &&
56            (k1->level == k2->level) && (k1->tg == k2->tg) &&
57            (k1->vmid == k2->vmid);
58 }
59 
60 SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
61                                 uint8_t tg, uint8_t level)
62 {
63     SMMUIOTLBKey key = {.asid = asid, .vmid = vmid, .iova = iova,
64                         .tg = tg, .level = level};
65 
66     return key;
67 }
68 
69 static SMMUTLBEntry *smmu_iotlb_lookup_all_levels(SMMUState *bs,
70                                                   SMMUTransCfg *cfg,
71                                                   SMMUTransTableInfo *tt,
72                                                   hwaddr iova)
73 {
74     uint8_t tg = (tt->granule_sz - 10) / 2;
75     uint8_t inputsize = 64 - tt->tsz;
76     uint8_t stride = tt->granule_sz - 3;
77     uint8_t level = 4 - (inputsize - 4) / stride;
78     SMMUTLBEntry *entry = NULL;
79 
80     while (level <= 3) {
81         uint64_t subpage_size = 1ULL << level_shift(level, tt->granule_sz);
82         uint64_t mask = subpage_size - 1;
83         SMMUIOTLBKey key;
84 
85         key = smmu_get_iotlb_key(cfg->asid, cfg->s2cfg.vmid,
86                                  iova & ~mask, tg, level);
87         entry = g_hash_table_lookup(bs->iotlb, &key);
88         if (entry) {
89             break;
90         }
91         level++;
92     }
93     return entry;
94 }
95 
96 /**
97  * smmu_iotlb_lookup - Look up for a TLB entry.
98  * @bs: SMMU state which includes the TLB instance
99  * @cfg: Configuration of the translation
100  * @tt: Translation table info (granule and tsz)
101  * @iova: IOVA address to lookup
102  *
103  * returns a valid entry on success, otherwise NULL.
104  * In case of nested translation, tt can be updated to include
105  * the granule of the found entry as it might different from
106  * the IOVA granule.
107  */
108 SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
109                                 SMMUTransTableInfo *tt, hwaddr iova)
110 {
111     SMMUTLBEntry *entry = NULL;
112 
113     entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
114     /*
115      * For nested translation also try the s2 granule, as the TLB will insert
116      * it if the size of s2 tlb entry was smaller.
117      */
118     if (!entry && (cfg->stage == SMMU_NESTED) &&
119         (cfg->s2cfg.granule_sz != tt->granule_sz)) {
120         tt->granule_sz = cfg->s2cfg.granule_sz;
121         entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
122     }
123 
124     if (entry) {
125         cfg->iotlb_hits++;
126         trace_smmu_iotlb_lookup_hit(cfg->asid, cfg->s2cfg.vmid, iova,
127                                     cfg->iotlb_hits, cfg->iotlb_misses,
128                                     100 * cfg->iotlb_hits /
129                                     (cfg->iotlb_hits + cfg->iotlb_misses));
130     } else {
131         cfg->iotlb_misses++;
132         trace_smmu_iotlb_lookup_miss(cfg->asid, cfg->s2cfg.vmid, iova,
133                                      cfg->iotlb_hits, cfg->iotlb_misses,
134                                      100 * cfg->iotlb_hits /
135                                      (cfg->iotlb_hits + cfg->iotlb_misses));
136     }
137     return entry;
138 }
139 
140 void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *new)
141 {
142     SMMUIOTLBKey *key = g_new0(SMMUIOTLBKey, 1);
143     uint8_t tg = (new->granule - 10) / 2;
144 
145     if (g_hash_table_size(bs->iotlb) >= SMMU_IOTLB_MAX_SIZE) {
146         smmu_iotlb_inv_all(bs);
147     }
148 
149     *key = smmu_get_iotlb_key(cfg->asid, cfg->s2cfg.vmid, new->entry.iova,
150                               tg, new->level);
151     trace_smmu_iotlb_insert(cfg->asid, cfg->s2cfg.vmid, new->entry.iova,
152                             tg, new->level);
153     g_hash_table_insert(bs->iotlb, key, new);
154 }
155 
156 void smmu_iotlb_inv_all(SMMUState *s)
157 {
158     trace_smmu_iotlb_inv_all();
159     g_hash_table_remove_all(s->iotlb);
160 }
161 
162 static gboolean smmu_hash_remove_by_asid_vmid(gpointer key, gpointer value,
163                                               gpointer user_data)
164 {
165     SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
166     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
167 
168     return (SMMU_IOTLB_ASID(*iotlb_key) == info->asid) &&
169            (SMMU_IOTLB_VMID(*iotlb_key) == info->vmid);
170 }
171 
172 static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
173                                          gpointer user_data)
174 {
175     int vmid = *(int *)user_data;
176     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
177 
178     return SMMU_IOTLB_VMID(*iotlb_key) == vmid;
179 }
180 
181 static gboolean smmu_hash_remove_by_vmid_s1(gpointer key, gpointer value,
182                                             gpointer user_data)
183 {
184     int vmid = *(int *)user_data;
185     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
186 
187     return (SMMU_IOTLB_VMID(*iotlb_key) == vmid) &&
188            (SMMU_IOTLB_ASID(*iotlb_key) >= 0);
189 }
190 
191 static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value,
192                                               gpointer user_data)
193 {
194     SMMUTLBEntry *iter = (SMMUTLBEntry *)value;
195     IOMMUTLBEntry *entry = &iter->entry;
196     SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
197     SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key;
198 
199     if (info->asid >= 0 && info->asid != SMMU_IOTLB_ASID(iotlb_key)) {
200         return false;
201     }
202     if (info->vmid >= 0 && info->vmid != SMMU_IOTLB_VMID(iotlb_key)) {
203         return false;
204     }
205     return ((info->iova & ~entry->addr_mask) == entry->iova) ||
206            ((entry->iova & ~info->mask) == info->iova);
207 }
208 
209 static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value,
210                                              gpointer user_data)
211 {
212     SMMUTLBEntry *iter = (SMMUTLBEntry *)value;
213     IOMMUTLBEntry *entry = &iter->entry;
214     SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
215     SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key;
216 
217     if (SMMU_IOTLB_ASID(iotlb_key) >= 0) {
218         /* This is a stage-1 address. */
219         return false;
220     }
221     if (info->vmid != SMMU_IOTLB_VMID(iotlb_key)) {
222         return false;
223     }
224     return ((info->iova & ~entry->addr_mask) == entry->iova) ||
225            ((entry->iova & ~info->mask) == info->iova);
226 }
227 
228 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
229                          uint8_t tg, uint64_t num_pages, uint8_t ttl)
230 {
231     /* if tg is not set we use 4KB range invalidation */
232     uint8_t granule = tg ? tg * 2 + 10 : 12;
233 
234     if (ttl && (num_pages == 1) && (asid >= 0)) {
235         SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, iova, tg, ttl);
236 
237         if (g_hash_table_remove(s->iotlb, &key)) {
238             return;
239         }
240         /*
241          * if the entry is not found, let's see if it does not
242          * belong to a larger IOTLB entry
243          */
244     }
245 
246     SMMUIOTLBPageInvInfo info = {
247         .asid = asid, .iova = iova,
248         .vmid = vmid,
249         .mask = (num_pages * 1 << granule) - 1};
250 
251     g_hash_table_foreach_remove(s->iotlb,
252                                 smmu_hash_remove_by_asid_vmid_iova,
253                                 &info);
254 }
255 
256 /*
257  * Similar to smmu_iotlb_inv_iova(), but for Stage-2, ASID is always -1,
258  * in Stage-1 invalidation ASID = -1, means don't care.
259  */
260 void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
261                         uint64_t num_pages, uint8_t ttl)
262 {
263     uint8_t granule = tg ? tg * 2 + 10 : 12;
264     int asid = -1;
265 
266    if (ttl && (num_pages == 1)) {
267         SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, ipa, tg, ttl);
268 
269         if (g_hash_table_remove(s->iotlb, &key)) {
270             return;
271         }
272     }
273 
274     SMMUIOTLBPageInvInfo info = {
275         .iova = ipa,
276         .vmid = vmid,
277         .mask = (num_pages << granule) - 1};
278 
279     g_hash_table_foreach_remove(s->iotlb,
280                                 smmu_hash_remove_by_vmid_ipa,
281                                 &info);
282 }
283 
284 void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid)
285 {
286     SMMUIOTLBPageInvInfo info = {
287         .asid = asid,
288         .vmid = vmid,
289     };
290 
291     trace_smmu_iotlb_inv_asid_vmid(asid, vmid);
292     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid_vmid, &info);
293 }
294 
295 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
296 {
297     trace_smmu_iotlb_inv_vmid(vmid);
298     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid);
299 }
300 
301 inline void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid)
302 {
303     trace_smmu_iotlb_inv_vmid_s1(vmid);
304     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid_s1, &vmid);
305 }
306 
307 /* VMSAv8-64 Translation */
308 
309 /**
310  * get_pte - Get the content of a page table entry located at
311  * @base_addr[@index]
312  */
313 static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
314                    SMMUPTWEventInfo *info)
315 {
316     int ret;
317     dma_addr_t addr = baseaddr + index * sizeof(*pte);
318 
319     /* TODO: guarantee 64-bit single-copy atomicity */
320     ret = ldq_le_dma(&address_space_memory, addr, pte, MEMTXATTRS_UNSPECIFIED);
321 
322     if (ret != MEMTX_OK) {
323         info->type = SMMU_PTW_ERR_WALK_EABT;
324         info->addr = addr;
325         return -EINVAL;
326     }
327     trace_smmu_get_pte(baseaddr, index, addr, *pte);
328     return 0;
329 }
330 
331 /* VMSAv8-64 Translation Table Format Descriptor Decoding */
332 
333 /**
334  * get_page_pte_address - returns the L3 descriptor output address,
335  * ie. the page frame
336  * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format
337  */
338 static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz)
339 {
340     return PTE_ADDRESS(pte, granule_sz);
341 }
342 
343 /**
344  * get_table_pte_address - return table descriptor output address,
345  * ie. address of next level table
346  * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
347  */
348 static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
349 {
350     return PTE_ADDRESS(pte, granule_sz);
351 }
352 
353 /**
354  * get_block_pte_address - return block descriptor output address and block size
355  * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
356  */
357 static inline hwaddr get_block_pte_address(uint64_t pte, int level,
358                                            int granule_sz, uint64_t *bsz)
359 {
360     int n = level_shift(level, granule_sz);
361 
362     *bsz = 1ULL << n;
363     return PTE_ADDRESS(pte, n);
364 }
365 
366 SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
367 {
368     bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi);
369     uint8_t tbi_byte = tbi * 8;
370 
371     if (cfg->tt[0].tsz &&
372         !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) {
373         /* there is a ttbr0 region and we are in it (high bits all zero) */
374         return &cfg->tt[0];
375     } else if (cfg->tt[1].tsz &&
376         sextract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte) == -1) {
377         /* there is a ttbr1 region and we are in it (high bits all one) */
378         return &cfg->tt[1];
379     } else if (!cfg->tt[0].tsz) {
380         /* ttbr0 region is "everything not in the ttbr1 region" */
381         return &cfg->tt[0];
382     } else if (!cfg->tt[1].tsz) {
383         /* ttbr1 region is "everything not in the ttbr0 region" */
384         return &cfg->tt[1];
385     }
386     /* in the gap between the two regions, this is a Translation fault */
387     return NULL;
388 }
389 
390 /* Translate stage-1 table address using stage-2 page table. */
391 static inline int translate_table_addr_ipa(SMMUState *bs,
392                                            dma_addr_t *table_addr,
393                                            SMMUTransCfg *cfg,
394                                            SMMUPTWEventInfo *info)
395 {
396     dma_addr_t addr = *table_addr;
397     SMMUTLBEntry *cached_entry;
398     int asid;
399 
400     /*
401      * The translation table walks performed from TTB0 or TTB1 are always
402      * performed in IPA space if stage 2 translations are enabled.
403      */
404     asid = cfg->asid;
405     cfg->stage = SMMU_STAGE_2;
406     cfg->asid = -1;
407     cached_entry = smmu_translate(bs, cfg, addr, IOMMU_RO, info);
408     cfg->asid = asid;
409     cfg->stage = SMMU_NESTED;
410 
411     if (cached_entry) {
412         *table_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr);
413         return 0;
414     }
415 
416     info->stage = SMMU_STAGE_2;
417     info->addr = addr;
418     info->is_ipa_descriptor = true;
419     return -EINVAL;
420 }
421 
422 /**
423  * smmu_ptw_64_s1 - VMSAv8-64 Walk of the page tables for a given IOVA
424  * @bs: smmu state which includes TLB instance
425  * @cfg: translation config
426  * @iova: iova to translate
427  * @perm: access type
428  * @tlbe: SMMUTLBEntry (out)
429  * @info: handle to an error info
430  *
431  * Return 0 on success, < 0 on error. In case of error, @info is filled
432  * and tlbe->perm is set to IOMMU_NONE.
433  * Upon success, @tlbe is filled with translated_addr and entry
434  * permission rights.
435  */
436 static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg,
437                           dma_addr_t iova, IOMMUAccessFlags perm,
438                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
439 {
440     dma_addr_t baseaddr, indexmask;
441     SMMUStage stage = cfg->stage;
442     SMMUTransTableInfo *tt = select_tt(cfg, iova);
443     uint8_t level, granule_sz, inputsize, stride;
444 
445     if (!tt || tt->disabled) {
446         info->type = SMMU_PTW_ERR_TRANSLATION;
447         goto error;
448     }
449 
450     granule_sz = tt->granule_sz;
451     stride = VMSA_STRIDE(granule_sz);
452     inputsize = 64 - tt->tsz;
453     level = 4 - (inputsize - 4) / stride;
454     indexmask = VMSA_IDXMSK(inputsize, stride, level);
455 
456     baseaddr = extract64(tt->ttb, 0, cfg->oas);
457     baseaddr &= ~indexmask;
458 
459     while (level < VMSA_LEVELS) {
460         uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
461         uint64_t mask = subpage_size - 1;
462         uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);
463         uint64_t pte, gpa;
464         dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
465         uint8_t ap;
466 
467         if (get_pte(baseaddr, offset, &pte, info)) {
468                 goto error;
469         }
470         trace_smmu_ptw_level(stage, level, iova, subpage_size,
471                              baseaddr, offset, pte);
472 
473         if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
474             trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
475                                        pte_addr, offset, pte);
476             break;
477         }
478 
479         if (is_table_pte(pte, level)) {
480             ap = PTE_APTABLE(pte);
481 
482             if (is_permission_fault(ap, perm) && !tt->had) {
483                 info->type = SMMU_PTW_ERR_PERMISSION;
484                 goto error;
485             }
486             baseaddr = get_table_pte_address(pte, granule_sz);
487             if (cfg->stage == SMMU_NESTED) {
488                 if (translate_table_addr_ipa(bs, &baseaddr, cfg, info)) {
489                     goto error;
490                 }
491             }
492             level++;
493             continue;
494         } else if (is_page_pte(pte, level)) {
495             gpa = get_page_pte_address(pte, granule_sz);
496             trace_smmu_ptw_page_pte(stage, level, iova,
497                                     baseaddr, pte_addr, pte, gpa);
498         } else {
499             uint64_t block_size;
500 
501             gpa = get_block_pte_address(pte, level, granule_sz,
502                                         &block_size);
503             trace_smmu_ptw_block_pte(stage, level, baseaddr,
504                                      pte_addr, pte, iova, gpa,
505                                      block_size >> 20);
506         }
507 
508         /*
509          * QEMU does not currently implement HTTU, so if AFFD and PTE.AF
510          * are 0 we take an Access flag fault. (5.4. Context Descriptor)
511          * An Access flag fault takes priority over a Permission fault.
512          */
513         if (!PTE_AF(pte) && !cfg->affd) {
514             info->type = SMMU_PTW_ERR_ACCESS;
515             goto error;
516         }
517 
518         ap = PTE_AP(pte);
519         if (is_permission_fault(ap, perm)) {
520             info->type = SMMU_PTW_ERR_PERMISSION;
521             goto error;
522         }
523 
524         /*
525          * The address output from the translation causes a stage 1 Address
526          * Size fault if it exceeds the range of the effective IPA size for
527          * the given CD.
528          */
529         if (gpa >= (1ULL << cfg->oas)) {
530             info->type = SMMU_PTW_ERR_ADDR_SIZE;
531             goto error;
532         }
533 
534         tlbe->entry.translated_addr = gpa;
535         tlbe->entry.iova = iova & ~mask;
536         tlbe->entry.addr_mask = mask;
537         tlbe->parent_perm = PTE_AP_TO_PERM(ap);
538         tlbe->entry.perm = tlbe->parent_perm;
539         tlbe->level = level;
540         tlbe->granule = granule_sz;
541         return 0;
542     }
543     info->type = SMMU_PTW_ERR_TRANSLATION;
544 
545 error:
546     info->stage = SMMU_STAGE_1;
547     tlbe->entry.perm = IOMMU_NONE;
548     return -EINVAL;
549 }
550 
551 /**
552  * smmu_ptw_64_s2 - VMSAv8-64 Walk of the page tables for a given ipa
553  * for stage-2.
554  * @cfg: translation config
555  * @ipa: ipa to translate
556  * @perm: access type
557  * @tlbe: SMMUTLBEntry (out)
558  * @info: handle to an error info
559  *
560  * Return 0 on success, < 0 on error. In case of error, @info is filled
561  * and tlbe->perm is set to IOMMU_NONE.
562  * Upon success, @tlbe is filled with translated_addr and entry
563  * permission rights.
564  */
565 static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
566                           dma_addr_t ipa, IOMMUAccessFlags perm,
567                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
568 {
569     const SMMUStage stage = SMMU_STAGE_2;
570     int granule_sz = cfg->s2cfg.granule_sz;
571     /* ARM DDI0487I.a: Table D8-7. */
572     int inputsize = 64 - cfg->s2cfg.tsz;
573     int level = get_start_level(cfg->s2cfg.sl0, granule_sz);
574     int stride = VMSA_STRIDE(granule_sz);
575     int idx = pgd_concat_idx(level, granule_sz, ipa);
576     /*
577      * Get the ttb from concatenated structure.
578      * The offset is the idx * size of each ttb(number of ptes * (sizeof(pte))
579      */
580     uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, cfg->s2cfg.eff_ps) +
581                                   (1 << stride) * idx * sizeof(uint64_t);
582     dma_addr_t indexmask = VMSA_IDXMSK(inputsize, stride, level);
583 
584     baseaddr &= ~indexmask;
585 
586     /*
587      * On input, a stage 2 Translation fault occurs if the IPA is outside the
588      * range configured by the relevant S2T0SZ field of the STE.
589      */
590     if (ipa >= (1ULL << inputsize)) {
591         info->type = SMMU_PTW_ERR_TRANSLATION;
592         goto error_ipa;
593     }
594 
595     while (level < VMSA_LEVELS) {
596         uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
597         uint64_t mask = subpage_size - 1;
598         uint32_t offset = iova_level_offset(ipa, inputsize, level, granule_sz);
599         uint64_t pte, gpa;
600         dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
601         uint8_t s2ap;
602 
603         if (get_pte(baseaddr, offset, &pte, info)) {
604                 goto error;
605         }
606         trace_smmu_ptw_level(stage, level, ipa, subpage_size,
607                              baseaddr, offset, pte);
608         if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
609             trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
610                                        pte_addr, offset, pte);
611             break;
612         }
613 
614         if (is_table_pte(pte, level)) {
615             baseaddr = get_table_pte_address(pte, granule_sz);
616             level++;
617             continue;
618         } else if (is_page_pte(pte, level)) {
619             gpa = get_page_pte_address(pte, granule_sz);
620             trace_smmu_ptw_page_pte(stage, level, ipa,
621                                     baseaddr, pte_addr, pte, gpa);
622         } else {
623             uint64_t block_size;
624 
625             gpa = get_block_pte_address(pte, level, granule_sz,
626                                         &block_size);
627             trace_smmu_ptw_block_pte(stage, level, baseaddr,
628                                      pte_addr, pte, ipa, gpa,
629                                      block_size >> 20);
630         }
631 
632         /*
633          * If S2AFFD and PTE.AF are 0 => fault. (5.2. Stream Table Entry)
634          * An Access fault takes priority over a Permission fault.
635          */
636         if (!PTE_AF(pte) && !cfg->s2cfg.affd) {
637             info->type = SMMU_PTW_ERR_ACCESS;
638             goto error_ipa;
639         }
640 
641         s2ap = PTE_AP(pte);
642         if (is_permission_fault_s2(s2ap, perm)) {
643             info->type = SMMU_PTW_ERR_PERMISSION;
644             goto error_ipa;
645         }
646 
647         /*
648          * The address output from the translation causes a stage 2 Address
649          * Size fault if it exceeds the effective PA output range.
650          */
651         if (gpa >= (1ULL << cfg->s2cfg.eff_ps)) {
652             info->type = SMMU_PTW_ERR_ADDR_SIZE;
653             goto error_ipa;
654         }
655 
656         tlbe->entry.translated_addr = gpa;
657         tlbe->entry.iova = ipa & ~mask;
658         tlbe->entry.addr_mask = mask;
659         tlbe->parent_perm = s2ap;
660         tlbe->entry.perm = tlbe->parent_perm;
661         tlbe->level = level;
662         tlbe->granule = granule_sz;
663         return 0;
664     }
665     info->type = SMMU_PTW_ERR_TRANSLATION;
666 
667 error_ipa:
668     info->addr = ipa;
669 error:
670     info->stage = SMMU_STAGE_2;
671     tlbe->entry.perm = IOMMU_NONE;
672     return -EINVAL;
673 }
674 
675 /*
676  * combine S1 and S2 TLB entries into a single entry.
677  * As a result the S1 entry is overriden with combined data.
678  */
679 static void combine_tlb(SMMUTLBEntry *tlbe, SMMUTLBEntry *tlbe_s2,
680                         dma_addr_t iova, SMMUTransCfg *cfg)
681 {
682     if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) {
683         tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask;
684         tlbe->granule = tlbe_s2->granule;
685         tlbe->level = tlbe_s2->level;
686     }
687 
688     tlbe->entry.translated_addr = CACHED_ENTRY_TO_ADDR(tlbe_s2,
689                                     tlbe->entry.translated_addr);
690 
691     tlbe->entry.iova = iova & ~tlbe->entry.addr_mask;
692     /* parent_perm has s2 perm while perm keeps s1 perm. */
693     tlbe->parent_perm = tlbe_s2->entry.perm;
694     return;
695 }
696 
697 /**
698  * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
699  *
700  * @bs: smmu state which includes TLB instance
701  * @cfg: translation configuration
702  * @iova: iova to translate
703  * @perm: tentative access type
704  * @tlbe: returned entry
705  * @info: ptw event handle
706  *
707  * return 0 on success
708  */
709 int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova,
710              IOMMUAccessFlags perm, SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
711 {
712     int ret;
713     SMMUTLBEntry tlbe_s2;
714     dma_addr_t ipa;
715 
716     if (cfg->stage == SMMU_STAGE_1) {
717         return smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
718     } else if (cfg->stage == SMMU_STAGE_2) {
719         /*
720          * If bypassing stage 1(or unimplemented), the input address is passed
721          * directly to stage 2 as IPA. If the input address of a transaction
722          * exceeds the size of the IAS, a stage 1 Address Size fault occurs.
723          * For AA64, IAS = OAS according to (IHI 0070.E.a) "3.4 Address sizes"
724          */
725         if (iova >= (1ULL << cfg->oas)) {
726             info->type = SMMU_PTW_ERR_ADDR_SIZE;
727             info->stage = SMMU_STAGE_1;
728             tlbe->entry.perm = IOMMU_NONE;
729             return -EINVAL;
730         }
731 
732         return smmu_ptw_64_s2(cfg, iova, perm, tlbe, info);
733     }
734 
735     /* SMMU_NESTED. */
736     ret = smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
737     if (ret) {
738         return ret;
739     }
740 
741     ipa = CACHED_ENTRY_TO_ADDR(tlbe, iova);
742     ret = smmu_ptw_64_s2(cfg, ipa, perm, &tlbe_s2, info);
743     if (ret) {
744         return ret;
745     }
746 
747     combine_tlb(tlbe, &tlbe_s2, iova, cfg);
748     return 0;
749 }
750 
751 SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
752                              IOMMUAccessFlags flag, SMMUPTWEventInfo *info)
753 {
754     SMMUTLBEntry *cached_entry = NULL;
755     SMMUTransTableInfo *tt;
756     int status;
757 
758     /*
759      * Combined attributes used for TLB lookup, holds the attributes for
760      * the input stage.
761      */
762     SMMUTransTableInfo tt_combined;
763 
764     if (cfg->stage == SMMU_STAGE_2) {
765         /* Stage2. */
766         tt_combined.granule_sz = cfg->s2cfg.granule_sz;
767         tt_combined.tsz = cfg->s2cfg.tsz;
768     } else {
769         /* Select stage1 translation table. */
770         tt = select_tt(cfg, addr);
771         if (!tt) {
772             info->type = SMMU_PTW_ERR_TRANSLATION;
773             info->stage = SMMU_STAGE_1;
774             return NULL;
775         }
776         tt_combined.granule_sz = tt->granule_sz;
777         tt_combined.tsz = tt->tsz;
778     }
779 
780     cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr);
781     if (cached_entry) {
782         if ((flag & IOMMU_WO) && !(cached_entry->entry.perm &
783             cached_entry->parent_perm & IOMMU_WO)) {
784             info->type = SMMU_PTW_ERR_PERMISSION;
785             info->stage = !(cached_entry->entry.perm & IOMMU_WO) ?
786                           SMMU_STAGE_1 :
787                           SMMU_STAGE_2;
788             return NULL;
789         }
790         return cached_entry;
791     }
792 
793     cached_entry = g_new0(SMMUTLBEntry, 1);
794     status = smmu_ptw(bs, cfg, addr, flag, cached_entry, info);
795     if (status) {
796             g_free(cached_entry);
797             return NULL;
798     }
799     smmu_iotlb_insert(bs, cfg, cached_entry);
800     return cached_entry;
801 }
802 
803 /**
804  * The bus number is used for lookup when SID based invalidation occurs.
805  * In that case we lazily populate the SMMUPciBus array from the bus hash
806  * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus
807  * numbers may not be always initialized yet.
808  */
809 SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num)
810 {
811     SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num];
812     GHashTableIter iter;
813 
814     if (smmu_pci_bus) {
815         return smmu_pci_bus;
816     }
817 
818     g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr);
819     while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) {
820         if (pci_bus_num(smmu_pci_bus->bus) == bus_num) {
821             s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus;
822             return smmu_pci_bus;
823         }
824     }
825 
826     return NULL;
827 }
828 
829 static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)
830 {
831     SMMUState *s = opaque;
832     SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus);
833     SMMUDevice *sdev;
834     static unsigned int index;
835 
836     if (!sbus) {
837         sbus = g_malloc0(sizeof(SMMUPciBus) +
838                          sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX);
839         sbus->bus = bus;
840         g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus);
841     }
842 
843     sdev = sbus->pbdev[devfn];
844     if (!sdev) {
845         char *name = g_strdup_printf("%s-%d-%d", s->mrtypename, devfn, index++);
846 
847         sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1);
848 
849         sdev->smmu = s;
850         sdev->bus = bus;
851         sdev->devfn = devfn;
852 
853         memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu),
854                                  s->mrtypename,
855                                  OBJECT(s), name, UINT64_MAX);
856         address_space_init(&sdev->as,
857                            MEMORY_REGION(&sdev->iommu), name);
858         trace_smmu_add_mr(name);
859         g_free(name);
860     }
861 
862     return &sdev->as;
863 }
864 
865 static const PCIIOMMUOps smmu_ops = {
866     .get_address_space = smmu_find_add_as,
867 };
868 
869 SMMUDevice *smmu_find_sdev(SMMUState *s, uint32_t sid)
870 {
871     uint8_t bus_n, devfn;
872     SMMUPciBus *smmu_bus;
873 
874     bus_n = PCI_BUS_NUM(sid);
875     smmu_bus = smmu_find_smmu_pcibus(s, bus_n);
876     if (smmu_bus) {
877         devfn = SMMU_PCI_DEVFN(sid);
878         return smmu_bus->pbdev[devfn];
879     }
880     return NULL;
881 }
882 
883 /* Unmap all notifiers attached to @mr */
884 static void smmu_inv_notifiers_mr(IOMMUMemoryRegion *mr)
885 {
886     IOMMUNotifier *n;
887 
888     trace_smmu_inv_notifiers_mr(mr->parent_obj.name);
889     IOMMU_NOTIFIER_FOREACH(n, mr) {
890         memory_region_unmap_iommu_notifier_range(n);
891     }
892 }
893 
894 /* Unmap all notifiers of all mr's */
895 void smmu_inv_notifiers_all(SMMUState *s)
896 {
897     SMMUDevice *sdev;
898 
899     QLIST_FOREACH(sdev, &s->devices_with_notifiers, next) {
900         smmu_inv_notifiers_mr(&sdev->iommu);
901     }
902 }
903 
904 static void smmu_base_realize(DeviceState *dev, Error **errp)
905 {
906     SMMUState *s = ARM_SMMU(dev);
907     SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
908     Error *local_err = NULL;
909 
910     sbc->parent_realize(dev, &local_err);
911     if (local_err) {
912         error_propagate(errp, local_err);
913         return;
914     }
915     s->configs = g_hash_table_new_full(NULL, NULL, NULL, g_free);
916     s->iotlb = g_hash_table_new_full(smmu_iotlb_key_hash, smmu_iotlb_key_equal,
917                                      g_free, g_free);
918     s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
919 
920     if (s->primary_bus) {
921         pci_setup_iommu(s->primary_bus, &smmu_ops, s);
922     } else {
923         error_setg(errp, "SMMU is not attached to any PCI bus!");
924     }
925 }
926 
927 static void smmu_base_reset_hold(Object *obj, ResetType type)
928 {
929     SMMUState *s = ARM_SMMU(obj);
930 
931     memset(s->smmu_pcibus_by_bus_num, 0, sizeof(s->smmu_pcibus_by_bus_num));
932 
933     g_hash_table_remove_all(s->configs);
934     g_hash_table_remove_all(s->iotlb);
935 }
936 
937 static Property smmu_dev_properties[] = {
938     DEFINE_PROP_UINT8("bus_num", SMMUState, bus_num, 0),
939     DEFINE_PROP_LINK("primary-bus", SMMUState, primary_bus,
940                      TYPE_PCI_BUS, PCIBus *),
941     DEFINE_PROP_END_OF_LIST(),
942 };
943 
944 static void smmu_base_class_init(ObjectClass *klass, void *data)
945 {
946     DeviceClass *dc = DEVICE_CLASS(klass);
947     ResettableClass *rc = RESETTABLE_CLASS(klass);
948     SMMUBaseClass *sbc = ARM_SMMU_CLASS(klass);
949 
950     device_class_set_props(dc, smmu_dev_properties);
951     device_class_set_parent_realize(dc, smmu_base_realize,
952                                     &sbc->parent_realize);
953     rc->phases.hold = smmu_base_reset_hold;
954 }
955 
956 static const TypeInfo smmu_base_info = {
957     .name          = TYPE_ARM_SMMU,
958     .parent        = TYPE_SYS_BUS_DEVICE,
959     .instance_size = sizeof(SMMUState),
960     .class_data    = NULL,
961     .class_size    = sizeof(SMMUBaseClass),
962     .class_init    = smmu_base_class_init,
963     .abstract      = true,
964 };
965 
966 static void smmu_base_register_types(void)
967 {
968     type_register_static(&smmu_base_info);
969 }
970 
971 type_init(smmu_base_register_types)
972 
973