target-arm queue: mostly smallish stuff. I expect to send

out another pullreq at the end of this week, but since this

is up to 32 patches already I'd rather send it out now

than accumulate a monster sized patchset.

The following changes since commit 0ab4c574a55448a37b9f616259b82950742c9427:

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20180626-pull-request' into staging (2018-06-26 16:44:57 +0100)

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180626

for you to fetch changes up to 9b945a9ee36a34eaeca412ef9ef35fbfe33c2c85:

aspeed/timer: use the APB frequency from the SCU (2018-06-26 17:50:42 +0100)

* aspeed: set APB clocks correctly (fixes slowdown on palmetto)

* smmuv3: cache config data and TLB entries

* v7m/v8m: support read/write from MPU regions smaller than 1K

* various: clean up logging/debug messages

* xilinx_spips: Make dma transactions as per dma_burst_size

Cédric Le Goater (6):

aspeed/smc: fix dummy cycles count when in dual IO mode

aspeed/smc: fix HW strapping

aspeed/smc: rename aspeed_smc_flash_send_addr() to aspeed_smc_flash_setup()

aspeed/scu: introduce clock frequencies

aspeed: initialize the SCU controller first

aspeed/timer: use the APB frequency from the SCU

Eric Auger (3):

hw/arm/smmuv3: Cache/invalidate config data

hw/arm/smmuv3: IOTLB emulation

hw/arm/smmuv3: Add notifications on invalidation

Jia He (1):

hw/arm/smmuv3: Fix translate error handling

Joel Stanley (1):

MAINTAINERS: Add ASPEED BMCs

Peter Maydell (3):

tcg: Support MMU protection regions smaller than TARGET_PAGE_SIZE

target/arm: Set page (region) size in get_phys_addr_pmsav7()

target/arm: Handle small regions in get_phys_addr_pmsav8()

Philippe Mathieu-Daudé (17):

MAINTAINERS: Adopt the Gumstix computers-on-module machines

hw/input/pckbd: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/input/tsc2005: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/dma/omap_dma: Use qemu_log_mask(UNIMP) instead of printf

hw/dma/omap_dma: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/ssi/omap_spi: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/sd/omap_mmc: Use qemu_log_mask(UNIMP) instead of printf

hw/i2c/omap_i2c: Use qemu_log_mask(UNIMP) instead of fprintf

hw/arm/omap1: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/arm/omap: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

hw/arm/stellaris: Use qemu_log_mask(UNIMP) instead of fprintf

hw/net/stellaris_enet: Fix a typo

hw/net/stellaris_enet: Use qemu_log_mask(GUEST_ERROR) instead of hw_error

hw/net/smc91c111: Use qemu_log_mask(GUEST_ERROR) instead of hw_error

hw/net/smc91c111: Use qemu_log_mask(UNIMP) instead of fprintf

hw/arm/stellaris: Fix gptm_write() error message

hw/arm/stellaris: Use HWADDR_PRIx to display register address

From: Jia He <hejianet@gmail.com>

In case the STE's config is "Bypass" we currently don't set the

IOMMUTLBEntry perm flags and the access does not succeed. Also

if the config is 0b0xx (Aborted/Reserved), decode_ste and

smmuv3_decode_config currently returns -EINVAL and we don't enter

the expected code path: we record an event whereas we should not.

This patch fixes those bugs and simplifies the error handling.

decode_ste and smmuv3_decode_config now return 0 if aborted or

bypassed config was found. Only bad config info produces negative

error values. In smmuv3_translate we more clearly differentiate

errors, bypass/smmu disabled, aborted and success cases. Also

trace points are differentiated.

Fixes: 9bde7f0674fe ("hw/arm/smmuv3: Implement translate callback")

Reported-by: jia.he@hxt-semitech.com

Signed-off-by: jia.he@hxt-semitech.com

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Message-id: 1529653501-15358-2-git-send-email-eric.auger@redhat.com

hw/arm/smmuv3-internal.h | 12 ++++-

hw/arm/smmuv3.c | 96 +++++++++++++++++++++++++++-------------

hw/arm/trace-events | 7 +--

3 files changed, 80 insertions(+), 35 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h

--- a/hw/arm/smmuv3-internal.h

+++ b/hw/arm/smmuv3-internal.h

@@ -XXX,XX +XXX,XX @@

#include "hw/arm/smmu-common.h"

+typedef enum SMMUTranslationStatus {

+ SMMU_TRANS_DISABLE,

+ SMMU_TRANS_ABORT,

+ SMMU_TRANS_BYPASS,

+ SMMU_TRANS_ERROR,

+ SMMU_TRANS_SUCCESS,

+} SMMUTranslationStatus;

/* MMIO Registers */

REG32(IDR0, 0x0)

@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */

/* Events */

typedef enum SMMUEventType {

- SMMU_EVT_OK = 0x00,

+ SMMU_EVT_NONE = 0x00,

SMMU_EVT_F_UUT ,

SMMU_EVT_C_BAD_STREAMID ,

SMMU_EVT_F_STE_FETCH ,

@@ -XXX,XX +XXX,XX @@ typedef enum SMMUEventType {

} SMMUEventType;

static const char *event_stringify[] = {

- [SMMU_EVT_OK] = "SMMU_EVT_OK",

+ [SMMU_EVT_NONE] = "no recorded event",

[SMMU_EVT_F_UUT] = "SMMU_EVT_F_UUT",

[SMMU_EVT_C_BAD_STREAMID] = "SMMU_EVT_C_BAD_STREAMID",

[SMMU_EVT_F_STE_FETCH] = "SMMU_EVT_F_STE_FETCH",

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

@@ -XXX,XX +XXX,XX @@

#include "hw/qdev-core.h"

#include "hw/pci/pci.h"

#include "exec/address-spaces.h"

+#include "cpu.h"

#include "trace.h"

#include "qemu/log.h"

#include "qemu/error-report.h"

@@ -XXX,XX +XXX,XX @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)

EVT_SET_SID(&evt, info->sid);

switch (info->type) {

- case SMMU_EVT_OK:

+ case SMMU_EVT_NONE:

return;

case SMMU_EVT_F_UUT:

EVT_SET_SSID(&evt, info->u.f_uut.ssid);

@@ -XXX,XX +XXX,XX @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,

return 0;

-/* Returns <0 if the caller has no need to continue the translation */

+/* Returns < 0 in case of invalid STE, 0 otherwise */

static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,

STE *ste, SMMUEventInfo *event)

uint32_t config;

- int ret = -EINVAL;

if (!STE_VALID(ste)) {

goto bad_ste;

@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,

config = STE_CONFIG(ste);

if (STE_CFG_ABORT(config)) {

- cfg->aborted = true; /* abort but don't record any event */

- return ret;

+ cfg->aborted = true;

+ return 0;

if (STE_CFG_BYPASS(config)) {

cfg->bypassed = true;

- return ret;

+ return 0;

}

if (STE_CFG_S2_ENABLED(config)) {

@@ -XXX,XX +XXX,XX @@ bad_cd:

* the different configuration decoding steps

* @event: must be zero'ed by the caller

*

- * return < 0 if the translation needs to be aborted (@event is filled

+ * return < 0 in case of config decoding error (@event is filled

* accordingly). Return 0 otherwise.

*/

static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,

@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,

SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);

uint32_t sid = smmu_get_sid(sdev);

SMMUv3State *s = sdev->smmu;

- int ret = -EINVAL;

+ int ret;

STE ste;

CD cd;

- if (smmu_find_ste(s, sid, &ste, event)) {

+ ret = smmu_find_ste(s, sid, &ste, event);

+ if (ret) {

return ret;

}

- if (decode_ste(s, cfg, &ste, event)) {

+ ret = decode_ste(s, cfg, &ste, event);

+ if (ret) {

return ret;

}

- if (smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event)) {

+ if (cfg->aborted || cfg->bypassed) {

+ return 0;

+ }

+

+ ret = smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event);

+ if (ret) {

return ret;

}

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);

SMMUv3State *s = sdev->smmu;

uint32_t sid = smmu_get_sid(sdev);

- SMMUEventInfo event = {.type = SMMU_EVT_OK, .sid = sid};

+ SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};

SMMUPTWEventInfo ptw_info = {};

+ SMMUTranslationStatus status;

SMMUTransCfg cfg = {};

IOMMUTLBEntry entry = {

.target_as = &address_space_memory,

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

.addr_mask = ~(hwaddr)0,

.perm = IOMMU_NONE,

};

- int ret = 0;

if (!smmu_enabled(s)) {

- goto out;

+ status = SMMU_TRANS_DISABLE;

+ goto epilogue;

}

- ret = smmuv3_decode_config(mr, &cfg, &event);

- if (ret) {

- goto out;

+ if (smmuv3_decode_config(mr, &cfg, &event)) {

+ status = SMMU_TRANS_ERROR;

+ goto epilogue;

}

if (cfg.aborted) {

- goto out;

+ status = SMMU_TRANS_ABORT;

+ goto epilogue;

}

- ret = smmu_ptw(&cfg, addr, flag, &entry, &ptw_info);

- if (ret) {

+ if (cfg.bypassed) {

+ status = SMMU_TRANS_BYPASS;

+ goto epilogue;

+ }

+

+ if (smmu_ptw(&cfg, addr, flag, &entry, &ptw_info)) {

switch (ptw_info.type) {

case SMMU_PTW_ERR_WALK_EABT:

event.type = SMMU_EVT_F_WALK_EABT;

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

default:

g_assert_not_reached();

}

+ status = SMMU_TRANS_ERROR;

+ } else {

+ status = SMMU_TRANS_SUCCESS;

}

-out:

- if (ret) {

- qemu_log_mask(LOG_GUEST_ERROR,

- "%s translation failed for iova=0x%"PRIx64"(%d)\n",

- mr->parent_obj.name, addr, ret);

- entry.perm = IOMMU_NONE;

- smmuv3_record_event(s, &event);

- } else if (!cfg.aborted) {

+

+epilogue:

+ switch (status) {

+ case SMMU_TRANS_SUCCESS:

entry.perm = flag;

- trace_smmuv3_translate(mr->parent_obj.name, sid, addr,

- entry.translated_addr, entry.perm);

+ trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr,

+ entry.translated_addr, entry.perm);

+ break;

+ case SMMU_TRANS_DISABLE:

+ entry.perm = flag;

+ entry.addr_mask = ~TARGET_PAGE_MASK;

+ trace_smmuv3_translate_disable(mr->parent_obj.name, sid, addr,

+ entry.perm);

+ break;

+ case SMMU_TRANS_BYPASS:

+ entry.perm = flag;

+ entry.addr_mask = ~TARGET_PAGE_MASK;

+ trace_smmuv3_translate_bypass(mr->parent_obj.name, sid, addr,

+ entry.perm);

+ break;

+ case SMMU_TRANS_ABORT:

+ /* no event is recorded on abort */

+ trace_smmuv3_translate_abort(mr->parent_obj.name, sid, addr,

+ entry.perm);

+ break;

+ case SMMU_TRANS_ERROR:

+ qemu_log_mask(LOG_GUEST_ERROR,

+ "%s translation failed for iova=0x%"PRIx64"(%s)\n",

+ mr->parent_obj.name, addr, smmu_event_string(event.type));

+ smmuv3_record_event(s, &event);

+ break;

}

return entry;

diff --git a/hw/arm/trace-events b/hw/arm/trace-events

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/trace-events

+++ b/hw/arm/trace-events

@@ -XXX,XX +XXX,XX @@ smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"

smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"

smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%"PRIx64" l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"

smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64

-smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass iova:0x%"PRIx64" is_write=%d"

-smmuv3_translate_in(uint16_t sid, int pci_bus_num, uint64_t strtab_base) "SID:0x%x bus:%d strtab_base:0x%"PRIx64

+smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"

+smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d STE bypass iova:0x%"PRIx64" is_write=%d"

+smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d abort on iova:0x%"PRIx64" is_write=%d"

+smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"

smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64

-smmuv3_translate(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"

smmuv3_decode_cd(uint32_t oas) "oas=%d"

smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"

2.17.1

Allow ARMv8M to handle small MPU and SAU region sizes, by making

get_phys_add_pmsav8() set the page size to the 1 if the MPU or

SAU region covers less than a TARGET_PAGE_SIZE.

We choose to use a size of 1 because it makes no difference to

the core code, and avoids having to track both the base and

limit for SAU and MPU and then convert into an artificially

restricted "page size" that the core code will then ignore.

Since the core TCG code can't handle execution from small

MPU regions, we strip the exec permission from them so that

any execution attempts will cause an MPU exception, rather

than allowing it to end up with a cpu_abort() in

get_page_addr_code().

(The previous code's intention was to make any small page be

treated as having no permissions, but unfortunately errors

in the implementation meant that it didn't behave that way.

It's possible that some binaries using small regions were

accidentally working with our old behaviour and won't now.)

We also retain an existing bug, where we ignored the possibility

that the SAU region might not cover the entire page, in the

case of executable regions. This is necessary because some

currently-working guest code images rely on being able to

execute from addresses which are covered by a page-sized

MPU region but a smaller SAU region. We can remove this

workaround if we ever support execution from small regions.

Message-id: 20180620130619.11362-4-peter.maydell@linaro.org

target/arm/helper.c | 78 ++++++++++++++++++++++++++++++++-------------

1 file changed, 55 insertions(+), 23 deletions(-)

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,

/* Security attributes for an address, as returned by v8m_security_lookup. */

typedef struct V8M_SAttributes {

+ bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */

bool ns;

bool nsc;

uint8_t sregion;

@@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address,

int r;

bool idau_exempt = false, idau_ns = true, idau_nsc = true;

int idau_region = IREGION_NOTVALID;

+ uint32_t addr_page_base = address & TARGET_PAGE_MASK;

+ uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);

if (cpu->idau) {

IDAUInterfaceClass *iic = IDAU_INTERFACE_GET_CLASS(cpu->idau);

@@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address,

uint32_t limit = env->sau.rlar[r] | 0x1f;

if (base <= address && limit >= address) {

+ if (base > addr_page_base || limit < addr_page_limit) {

+ sattrs->subpage = true;

+ }

if (sattrs->srvalid) {

/* If we hit in more than one region then we must report

* as Secure, not NS-Callable, with no valid region

@@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address,

static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

MMUAccessType access_type, ARMMMUIdx mmu_idx,

hwaddr *phys_ptr, MemTxAttrs *txattrs,

- int *prot, ARMMMUFaultInfo *fi, uint32_t *mregion)

+ int *prot, bool *is_subpage,

+ ARMMMUFaultInfo *fi, uint32_t *mregion)

/* Perform a PMSAv8 MPU lookup (without also doing the SAU check

* that a full phys-to-virt translation does).

* mregion is (if not NULL) set to the region number which matched,

* or -1 if no region number is returned (MPU off, address did not

* hit a region, address hit in multiple regions).

+ * We set is_subpage to true if the region hit doesn't cover the

+ * entire TARGET_PAGE the address is within.

*/

ARMCPU *cpu = arm_env_get_cpu(env);

bool is_user = regime_is_user(env, mmu_idx);

@@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

int n;

int matchregion = -1;

bool hit = false;

+ uint32_t addr_page_base = address & TARGET_PAGE_MASK;

+ uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);

+ *is_subpage = false;

*phys_ptr = address;

*prot = 0;

if (mregion) {

@@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

continue;

}

+ if (base > addr_page_base || limit < addr_page_limit) {

+ *is_subpage = true;

+ }

+

if (hit) {

/* Multiple regions match -- always a failure (unlike

* PMSAv7 where highest-numbered-region wins)

@@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

matchregion = n;

hit = true;

- if (base & ~TARGET_PAGE_MASK) {

- qemu_log_mask(LOG_UNIMP,

- "MPU_RBAR[%d]: No support for MPU region base"

- "address of 0x%" PRIx32 ". Minimum alignment is "

- "%d\n",

- n, base, TARGET_PAGE_BITS);

- continue;

- }

- if ((limit + 1) & ~TARGET_PAGE_MASK) {

- qemu_log_mask(LOG_UNIMP,

- "MPU_RBAR[%d]: No support for MPU region limit"

- "address of 0x%" PRIx32 ". Minimum alignment is "

- "%d\n",

- n, limit, TARGET_PAGE_BITS);

- continue;

- }

}

@@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

fi->type = ARMFault_Permission;

fi->level = 1;

+ * Core QEMU code can't handle execution from small pages yet, so

+ * don't try it. This means any attempted execution will generate

+ * an MPU exception, rather than eventually causing QEMU to exit in

+ * get_page_addr_code().

+ if (*is_subpage && (*prot & PAGE_EXEC)) {

+ qemu_log_mask(LOG_UNIMP,

+ "MPU: No support for execution from regions "

+ "smaller than 1K\n");

+ *prot &= ~PAGE_EXEC;

+ }

return !(*prot & (1 << access_type));

}

@@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,

static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,

MMUAccessType access_type, ARMMMUIdx mmu_idx,

hwaddr *phys_ptr, MemTxAttrs *txattrs,

- int *prot, ARMMMUFaultInfo *fi)

+ int *prot, target_ulong *page_size,

+ ARMMMUFaultInfo *fi)

{

uint32_t secure = regime_is_secure(env, mmu_idx);

V8M_SAttributes sattrs = {};

+ bool ret;

+ bool mpu_is_subpage;

if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

v8m_security_lookup(env, address, access_type, mmu_idx, &sattrs);

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,

} else {

fi->type = ARMFault_QEMU_SFault;

}

+ *page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;

*phys_ptr = address;

*prot = 0;

return true;

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,

* for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt().

*/

fi->type = ARMFault_QEMU_SFault;

+ *page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;

*phys_ptr = address;

*prot = 0;

return true;

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,

}

- return pmsav8_mpu_lookup(env, address, access_type, mmu_idx, phys_ptr,

- txattrs, prot, fi, NULL);

+ ret = pmsav8_mpu_lookup(env, address, access_type, mmu_idx, phys_ptr,

+ txattrs, prot, &mpu_is_subpage, fi, NULL);

+ /*

+ * TODO: this is a temporary hack to ignore the fact that the SAU region

+ * is smaller than a page if this is an executable region. We never

+ * supported small MPU regions, but we did (accidentally) allow small

+ * SAU regions, and if we now made small SAU regions not be executable

+ * then this would break previously working guest code. We can't

+ * remove this until/unless we implement support for execution from

+ * small regions.

+ */

+ if (*prot & PAGE_EXEC) {

+ sattrs.subpage = false;

+ }

+ *page_size = sattrs.subpage || mpu_is_subpage ? 1 : TARGET_PAGE_SIZE;

+ return ret;

}

static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,

@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,

if (arm_feature(env, ARM_FEATURE_V8)) {

/* PMSAv8 */

ret = get_phys_addr_pmsav8(env, address, access_type, mmu_idx,

- phys_ptr, attrs, prot, fi);

+ phys_ptr, attrs, prot, page_size, fi);

} else if (arm_feature(env, ARM_FEATURE_V7)) {

/* PMSAv7 */

ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx,

@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)

uint32_t mregion;

bool targetpriv;

bool targetsec = env->v7m.secure;

+ bool is_subpage;

/* Work out what the security state and privilege level we're

* interested in is...

@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)

if (arm_current_el(env) != 0 || alt) {

/* We can ignore the return value as prot is always set */

pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,

- &phys_addr, &attrs, &prot, &fi, &mregion);

+ &phys_addr, &attrs, &prot, &is_subpage,

+ &fi, &mregion);

if (mregion == -1) {

mrvalid = false;

mregion = 0;

2.17.1

From: Eric Auger <eric.auger@redhat.com>

Let's cache config data to avoid fetching and parsing STE/CD

structures on each translation. We invalidate them on data structure

invalidation commands.

We put in place a per-smmu mutex to protect the config cache. This

will be useful too to protect the IOTLB cache. The caches can be

accessed without BQL, ie. in IO dataplane. The same kind of mutex was

put in place in the intel viommu.

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Message-id: 1529653501-15358-3-git-send-email-eric.auger@redhat.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

include/hw/arm/smmu-common.h | 5 ++

include/hw/arm/smmuv3.h | 1 +

hw/arm/smmu-common.c | 24 ++++++-

hw/arm/smmuv3.c | 135 +++++++++++++++++++++++++++++++++--

hw/arm/trace-events | 6 ++

5 files changed, 164 insertions(+), 7 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h

--- a/include/hw/arm/smmu-common.h

+++ b/include/hw/arm/smmu-common.h

@@ -XXX,XX +XXX,XX @@ typedef struct SMMUDevice {

int devfn;

IOMMUMemoryRegion iommu;

AddressSpace as;

+ uint32_t cfg_cache_hits;

+ uint32_t cfg_cache_misses;

} SMMUDevice;

typedef struct SMMUNotifierNode {

@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,

*/

SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova);

+/* Return the iommu mr associated to @sid, or NULL if none */

+IOMMUMemoryRegion *smmu_iommu_mr(SMMUState *s, uint32_t sid);

+

#endif /* HW_ARM_SMMU_COMMON */

diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h

index XXXXXXX..XXXXXXX 100644

--- a/include/hw/arm/smmuv3.h

+++ b/include/hw/arm/smmuv3.h

@@ -XXX,XX +XXX,XX @@ typedef struct SMMUv3State {

SMMUQueue eventq, cmdq;

qemu_irq irq[4];

+ QemuMutex mutex;

} SMMUv3State;

typedef enum {

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmu-common.c

+++ b/hw/arm/smmu-common.c

@@ -XXX,XX +XXX,XX @@ static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)

return &sdev->as;

+IOMMUMemoryRegion *smmu_iommu_mr(SMMUState *s, uint32_t sid)

+ uint8_t bus_n, devfn;

+ SMMUPciBus *smmu_bus;

+ SMMUDevice *smmu;

+

+ bus_n = PCI_BUS_NUM(sid);

+ smmu_bus = smmu_find_smmu_pcibus(s, bus_n);

+ if (smmu_bus) {

+ devfn = sid & 0x7;

+ smmu = smmu_bus->pbdev[devfn];

+ if (smmu) {

+ return &smmu->iommu;

+ }

+ }

+ return NULL;

static void smmu_base_realize(DeviceState *dev, Error **errp)

SMMUState *s = ARM_SMMU(dev);

@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)

error_propagate(errp, local_err);

return;

-

+ s->configs = g_hash_table_new_full(NULL, NULL, NULL, g_free);

s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);

if (s->primary_bus) {

@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)

static void smmu_base_reset(DeviceState *dev)

{

- /* will be filled later on */

+ SMMUState *s = ARM_SMMU(dev);

+

+ g_hash_table_remove_all(s->configs);

static Property smmu_dev_properties[] = {

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,

return decode_cd(cfg, &cd, event);

+/**

+ * smmuv3_get_config - Look up for a cached copy of configuration data for

+ * @sdev and on cache miss performs a configuration structure decoding from

+ * guest RAM.

+ *

+ * @sdev: SMMUDevice handle

+ * @event: output event info

+ *

+ * The configuration cache contains data resulting from both STE and CD

+ * decoding under the form of an SMMUTransCfg struct. The hash table is indexed

+ * by the SMMUDevice handle.

+ */

+static SMMUTransCfg *smmuv3_get_config(SMMUDevice *sdev, SMMUEventInfo *event)

+ SMMUv3State *s = sdev->smmu;

+ SMMUState *bc = &s->smmu_state;

+ SMMUTransCfg *cfg;

+

+ cfg = g_hash_table_lookup(bc->configs, sdev);

+ if (cfg) {

+ sdev->cfg_cache_hits++;

+ trace_smmuv3_config_cache_hit(smmu_get_sid(sdev),

+ sdev->cfg_cache_hits, sdev->cfg_cache_misses,

+ 100 * sdev->cfg_cache_hits /

+ (sdev->cfg_cache_hits + sdev->cfg_cache_misses));

+ } else {

+ sdev->cfg_cache_misses++;

+ trace_smmuv3_config_cache_miss(smmu_get_sid(sdev),

+ sdev->cfg_cache_hits, sdev->cfg_cache_misses,

+ 100 * sdev->cfg_cache_hits /

+ (sdev->cfg_cache_hits + sdev->cfg_cache_misses));

+ cfg = g_new0(SMMUTransCfg, 1);

+

+ if (!smmuv3_decode_config(&sdev->iommu, cfg, event)) {

+ g_hash_table_insert(bc->configs, sdev, cfg);

+ } else {

+ g_free(cfg);

+ cfg = NULL;

+ }

+ return cfg;

+static void smmuv3_flush_config(SMMUDevice *sdev)

+ SMMUv3State *s = sdev->smmu;

+ SMMUState *bc = &s->smmu_state;

+

+ trace_smmuv3_config_cache_inv(smmu_get_sid(sdev));

+ g_hash_table_remove(bc->configs, sdev);

static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

IOMMUAccessFlags flag, int iommu_idx)

{

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};

SMMUPTWEventInfo ptw_info = {};

SMMUTranslationStatus status;

- SMMUTransCfg cfg = {};

+ SMMUTransCfg *cfg = NULL;

IOMMUTLBEntry entry = {

.target_as = &address_space_memory,

.iova = addr,

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

.perm = IOMMU_NONE,

};

+ qemu_mutex_lock(&s->mutex);

+

if (!smmu_enabled(s)) {

status = SMMU_TRANS_DISABLE;

goto epilogue;

- if (smmuv3_decode_config(mr, &cfg, &event)) {

+ cfg = smmuv3_get_config(sdev, &event);

+ if (!cfg) {

status = SMMU_TRANS_ERROR;

goto epilogue;

}

- if (cfg.aborted) {

+ if (cfg->aborted) {

status = SMMU_TRANS_ABORT;

goto epilogue;

}

- if (cfg.bypassed) {

+ if (cfg->bypassed) {

status = SMMU_TRANS_BYPASS;

goto epilogue;

}

- if (smmu_ptw(&cfg, addr, flag, &entry, &ptw_info)) {

+ if (smmu_ptw(cfg, addr, flag, &entry, &ptw_info)) {

switch (ptw_info.type) {

case SMMU_PTW_ERR_WALK_EABT:

event.type = SMMU_EVT_F_WALK_EABT;

@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,

}

epilogue:

+ qemu_mutex_unlock(&s->mutex);

switch (status) {

case SMMU_TRANS_SUCCESS:

entry.perm = flag;

@@ -XXX,XX +XXX,XX @@ epilogue:

static int smmuv3_cmdq_consume(SMMUv3State *s)

{

+ SMMUState *bs = ARM_SMMU(s);

SMMUCmdError cmd_error = SMMU_CERROR_NONE;

SMMUQueue *q = &s->cmdq;

SMMUCommandType type = 0;

@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)

trace_smmuv3_cmdq_opcode(smmu_cmd_string(type));

+ qemu_mutex_lock(&s->mutex);

switch (type) {

case SMMU_CMD_SYNC:

if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) {

@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)

break;

case SMMU_CMD_PREFETCH_CONFIG:

case SMMU_CMD_PREFETCH_ADDR:

+ break;

case SMMU_CMD_CFGI_STE:

+ {

+ uint32_t sid = CMD_SID(&cmd);

+ IOMMUMemoryRegion *mr = smmu_iommu_mr(bs, sid);

+ SMMUDevice *sdev;

+

+ if (CMD_SSEC(&cmd)) {

+ cmd_error = SMMU_CERROR_ILL;

+ break;

+ }

+

+ if (!mr) {

+ break;

+ }

+

+ trace_smmuv3_cmdq_cfgi_ste(sid);

+ sdev = container_of(mr, SMMUDevice, iommu);

+ smmuv3_flush_config(sdev);

+

+ break;

+ }

case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */

+ {

+ uint32_t start = CMD_SID(&cmd), end, i;

+ uint8_t range = CMD_STE_RANGE(&cmd);

+

+ if (CMD_SSEC(&cmd)) {

+ cmd_error = SMMU_CERROR_ILL;

+ break;

+ }

+

+ end = start + (1 << (range + 1)) - 1;

+ trace_smmuv3_cmdq_cfgi_ste_range(start, end);

+

+ for (i = start; i <= end; i++) {

+ IOMMUMemoryRegion *mr = smmu_iommu_mr(bs, i);

+ SMMUDevice *sdev;

+

+ if (!mr) {

+ continue;

+ }

+ sdev = container_of(mr, SMMUDevice, iommu);

+ smmuv3_flush_config(sdev);

+ }

+ break;

+ }

case SMMU_CMD_CFGI_CD:

case SMMU_CMD_CFGI_CD_ALL:

+ {

+ uint32_t sid = CMD_SID(&cmd);

+ IOMMUMemoryRegion *mr = smmu_iommu_mr(bs, sid);

+ SMMUDevice *sdev;

+

+ if (CMD_SSEC(&cmd)) {

+ cmd_error = SMMU_CERROR_ILL;

+ break;

+ }

+

+ if (!mr) {

+ break;

+ }

+

+ trace_smmuv3_cmdq_cfgi_cd(sid);

+ sdev = container_of(mr, SMMUDevice, iommu);

+ smmuv3_flush_config(sdev);

+ break;

+ }

case SMMU_CMD_TLBI_NH_ALL:

case SMMU_CMD_TLBI_NH_ASID:

case SMMU_CMD_TLBI_NH_VA:

@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)

"Illegal command type: %d\n", CMD_TYPE(&cmd));

break;

}

+ qemu_mutex_unlock(&s->mutex);

if (cmd_error) {

break;

}

@@ -XXX,XX +XXX,XX @@ static void smmu_realize(DeviceState *d, Error **errp)

return;

}

+ qemu_mutex_init(&s->mutex);

+

memory_region_init_io(&sys->iomem, OBJECT(s),

&smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000);

diff --git a/hw/arm/trace-events b/hw/arm/trace-events

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/trace-events

+++ b/hw/arm/trace-events

@@ -XXX,XX +XXX,XX @@ smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t tr

smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64

smmuv3_decode_cd(uint32_t oas) "oas=%d"

smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"

+smmuv3_cmdq_cfgi_ste(int streamid) "streamid =%d"

+smmuv3_cmdq_cfgi_ste_range(int start, int end) "start=0x%d - end=0x%d"

+smmuv3_cmdq_cfgi_cd(uint32_t sid) "streamid = %d"

+smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid %d (hits=%d, misses=%d, hit rate=%d)"

+smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid %d (hits=%d, misses=%d, hit rate=%d)"

+smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid %d"

2.17.1