From: Nicolin Chen <nicolinc@nvidia.com>
When the guest enables the Event Queue and a vIOMMU is present, allocate a
vEVENTQ object so that host-side events related to the vIOMMU can be
received and propagated back to the guest.
For cold-plugged devices using SMMUv3 acceleration, the vIOMMU is created
before the guest boots. In this case, the vEVENTQ is allocated when the
guest writes to SMMU_CR0 and sets EVENTQEN = 1.
If no cold-plugged device exists at boot (i.e. no vIOMMU initially), the
vEVENTQ is allocated when a vIOMMU is created, i.e. during the first
device hot-plug.
Event read and propagation will be added in a later patch.
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Tested-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Shameer Kolothum <skolothumtho@nvidia.com>
---
hw/arm/smmuv3-accel.c | 61 +++++++++++++++++++++++++++++++++++++++++--
hw/arm/smmuv3-accel.h | 6 +++++
hw/arm/smmuv3.c | 4 +++
3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/hw/arm/smmuv3-accel.c b/hw/arm/smmuv3-accel.c
index c19c526fca..d92fcb1a89 100644
--- a/hw/arm/smmuv3-accel.c
+++ b/hw/arm/smmuv3-accel.c
@@ -390,6 +390,19 @@ bool smmuv3_accel_issue_inv_cmd(SMMUv3State *bs, void *cmd, SMMUDevice *sdev,
sizeof(Cmd), &entry_num, cmd, errp);
}
+static void smmuv3_accel_free_veventq(SMMUv3AccelState *accel)
+{
+ IOMMUFDVeventq *veventq = accel->veventq;
+
+ if (!veventq) {
+ return;
+ }
+ close(veventq->veventq_fd);
+ iommufd_backend_free_id(accel->viommu->iommufd, veventq->veventq_id);
+ g_free(veventq);
+ accel->veventq = NULL;
+}
+
static void smmuv3_accel_free_viommu(SMMUv3AccelState *accel)
{
IOMMUFDViommu *viommu = accel->viommu;
@@ -397,6 +410,7 @@ static void smmuv3_accel_free_viommu(SMMUv3AccelState *accel)
if (!viommu) {
return;
}
+ smmuv3_accel_free_veventq(accel);
iommufd_backend_free_id(viommu->iommufd, accel->bypass_hwpt_id);
iommufd_backend_free_id(viommu->iommufd, accel->abort_hwpt_id);
iommufd_backend_free_id(viommu->iommufd, accel->viommu->viommu_id);
@@ -404,6 +418,41 @@ static void smmuv3_accel_free_viommu(SMMUv3AccelState *accel)
accel->viommu = NULL;
}
+bool smmuv3_accel_alloc_veventq(SMMUv3State *s, Error **errp)
+{
+ SMMUv3AccelState *accel = s->s_accel;
+ IOMMUFDVeventq *veventq;
+ uint32_t veventq_id;
+ uint32_t veventq_fd;
+
+ if (!accel || !accel->viommu) {
+ return true;
+ }
+
+ if (accel->veventq) {
+ return true;
+ }
+
+ if (!smmuv3_eventq_enabled(s)) {
+ return true;
+ }
+
+ if (!iommufd_backend_alloc_veventq(accel->viommu->iommufd,
+ accel->viommu->viommu_id,
+ IOMMU_VEVENTQ_TYPE_ARM_SMMUV3,
+ 1 << s->eventq.log2size, &veventq_id,
+ &veventq_fd, errp)) {
+ return false;
+ }
+
+ veventq = g_new(IOMMUFDVeventq, 1);
+ veventq->veventq_id = veventq_id;
+ veventq->veventq_fd = veventq_fd;
+ veventq->viommu = accel->viommu;
+ accel->veventq = veventq;
+ return true;
+}
+
static bool
smmuv3_accel_alloc_viommu(SMMUv3State *s, HostIOMMUDeviceIOMMUFD *idev,
Error **errp)
@@ -429,6 +478,7 @@ smmuv3_accel_alloc_viommu(SMMUv3State *s, HostIOMMUDeviceIOMMUFD *idev,
viommu->viommu_id = viommu_id;
viommu->s2_hwpt_id = s2_hwpt_id;
viommu->iommufd = idev->iommufd;
+ accel->viommu = viommu;
/*
* Pre-allocate HWPTs for S1 bypass and abort cases. These will be attached
@@ -448,14 +498,20 @@ smmuv3_accel_alloc_viommu(SMMUv3State *s, HostIOMMUDeviceIOMMUFD *idev,
goto free_abort_hwpt;
}
+ /* Allocate a vEVENTQ if guest has enabled event queue */
+ if (!smmuv3_accel_alloc_veventq(s, errp)) {
+ goto free_bypass_hwpt;
+ }
+
/* Attach a HWPT based on SMMUv3 GBPA.ABORT value */
hwpt_id = smmuv3_accel_gbpa_hwpt(s, accel);
if (!host_iommu_device_iommufd_attach_hwpt(idev, hwpt_id, errp)) {
- goto free_bypass_hwpt;
+ goto free_veventq;
}
- accel->viommu = viommu;
return true;
+free_veventq:
+ smmuv3_accel_free_veventq(accel);
free_bypass_hwpt:
iommufd_backend_free_id(idev->iommufd, accel->bypass_hwpt_id);
free_abort_hwpt:
@@ -463,6 +519,7 @@ free_abort_hwpt:
free_viommu:
iommufd_backend_free_id(idev->iommufd, viommu->viommu_id);
g_free(viommu);
+ accel->viommu = NULL;
return false;
}
diff --git a/hw/arm/smmuv3-accel.h b/hw/arm/smmuv3-accel.h
index a8a64802ec..dba6c71de5 100644
--- a/hw/arm/smmuv3-accel.h
+++ b/hw/arm/smmuv3-accel.h
@@ -22,6 +22,7 @@
*/
typedef struct SMMUv3AccelState {
IOMMUFDViommu *viommu;
+ IOMMUFDVeventq *veventq;
uint32_t bypass_hwpt_id;
uint32_t abort_hwpt_id;
QLIST_HEAD(, SMMUv3AccelDevice) device_list;
@@ -50,6 +51,7 @@ bool smmuv3_accel_attach_gbpa_hwpt(SMMUv3State *s, Error **errp);
bool smmuv3_accel_issue_inv_cmd(SMMUv3State *s, void *cmd, SMMUDevice *sdev,
Error **errp);
void smmuv3_accel_idr_override(SMMUv3State *s);
+bool smmuv3_accel_alloc_veventq(SMMUv3State *s, Error **errp);
void smmuv3_accel_reset(SMMUv3State *s);
#else
static inline void smmuv3_accel_init(SMMUv3State *s)
@@ -80,6 +82,10 @@ smmuv3_accel_issue_inv_cmd(SMMUv3State *s, void *cmd, SMMUDevice *sdev,
static inline void smmuv3_accel_idr_override(SMMUv3State *s)
{
}
+static inline bool smmuv3_accel_alloc_veventq(SMMUv3State *s, Error **errp)
+{
+ return true;
+}
static inline void smmuv3_accel_reset(SMMUv3State *s)
{
}
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index c08d58c579..210ac038fe 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -1605,6 +1605,10 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
s->cr0ack = data & ~SMMU_CR0_RESERVED;
/* in case the command queue has been enabled */
smmuv3_cmdq_consume(s, &local_err);
+ /* Allocate vEVENTQ if EventQ is enabled and a vIOMMU is available */
+ if (local_err == NULL) {
+ smmuv3_accel_alloc_veventq(s, &local_err);
+ }
break;
case A_CR1:
s->cr[1] = data;
--
2.43.0On Wed, Feb 11, 2026 at 08:34:13AM +0000, Shameer Kolothum wrote:
> For cold-plugged devices using SMMUv3 acceleration, the vIOMMU is created
> before the guest boots. In this case, the vEVENTQ is allocated when the
> guest writes to SMMU_CR0 and sets EVENTQEN = 1.
[...]
> @@ -1605,6 +1605,10 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
> s->cr0ack = data & ~SMMU_CR0_RESERVED;
> /* in case the command queue has been enabled */
> smmuv3_cmdq_consume(s, &local_err);
> + /* Allocate vEVENTQ if EventQ is enabled and a vIOMMU is available */
Nit: though it is just following smmuv3_cmdq_consume(), it'd be
likely clearer to verify the EVENTQEN in the callers.
> + if (local_err == NULL) {
Does eventq need to rely on !local_err from cmdq?
> + smmuv3_accel_alloc_veventq(s, &local_err);
> + }
Should probably validate s->accel before calling it?
Nicolin
On 2/11/26 7:07 PM, Nicolin Chen wrote:
> On Wed, Feb 11, 2026 at 08:34:13AM +0000, Shameer Kolothum wrote:
>> For cold-plugged devices using SMMUv3 acceleration, the vIOMMU is created
>> before the guest boots. In this case, the vEVENTQ is allocated when the
>> guest writes to SMMU_CR0 and sets EVENTQEN = 1.
> [...]
>> @@ -1605,6 +1605,10 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
>> s->cr0ack = data & ~SMMU_CR0_RESERVED;
>> /* in case the command queue has been enabled */
>> smmuv3_cmdq_consume(s, &local_err);
>> + /* Allocate vEVENTQ if EventQ is enabled and a vIOMMU is available */
> Nit: though it is just following smmuv3_cmdq_consume(), it'd be
> likely clearer to verify the EVENTQEN in the callers.
>
>> + if (local_err == NULL) {
> Does eventq need to rely on !local_err from cmdq?
if local_err is NULL we can safely use it, no? Or maybe I miss your
point. maybe test !local_err directly?
>
>> + smmuv3_accel_alloc_veventq(s, &local_err);
>> + }
> Should probably validate s->accel before calling it?
it is done in smmuv3_accel_alloc_veventq now
>
> Nicolin
>
On Wed, Feb 11, 2026 at 07:14:40PM +0100, Eric Auger wrote:
> On 2/11/26 7:07 PM, Nicolin Chen wrote:
> > On Wed, Feb 11, 2026 at 08:34:13AM +0000, Shameer Kolothum wrote:
> >> For cold-plugged devices using SMMUv3 acceleration, the vIOMMU is created
> >> before the guest boots. In this case, the vEVENTQ is allocated when the
> >> guest writes to SMMU_CR0 and sets EVENTQEN = 1.
> > [...]
> >> @@ -1605,6 +1605,10 @@ static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
> >> s->cr0ack = data & ~SMMU_CR0_RESERVED;
> >> /* in case the command queue has been enabled */
> >> smmuv3_cmdq_consume(s, &local_err);
> >> + /* Allocate vEVENTQ if EventQ is enabled and a vIOMMU is available */
> > Nit: though it is just following smmuv3_cmdq_consume(), it'd be
> > likely clearer to verify the EVENTQEN in the callers.
> >
> >> + if (local_err == NULL) {
> > Does eventq need to rely on !local_err from cmdq?
> if local_err is NULL we can safely use it, no? Or maybe I miss your
> point. maybe test !local_err directly?
Point is: if local_err isn't NULL, why can't we allocate vEVENTQ?
E.g. if IOMMU_HWPT_INVALIDATE fails, yes there is something wrong
with the CMDQ, yet it shouldn't block vEVENTQ allocation?
> >> + smmuv3_accel_alloc_veventq(s, &local_err);
> >> + }
> > Should probably validate s->accel before calling it?
> it is done in smmuv3_accel_alloc_veventq now
Oh, I just realized I was looking at the v4 branch..
Thanks
Nicolin
> -----Original Message-----
> From: Nicolin Chen <nicolinc@nvidia.com>
> Sent: 11 February 2026 18:25
> To: Eric Auger <eric.auger@redhat.com>
> Cc: Shameer Kolothum Thodi <skolothumtho@nvidia.com>; qemu-
> arm@nongnu.org; qemu-devel@nongnu.org; peter.maydell@linaro.org;
> Nathan Chen <nathanc@nvidia.com>; Matt Ochs <mochs@nvidia.com>;
> Jiandi An <jan@nvidia.com>; Jason Gunthorpe <jgg@nvidia.com>;
> jonathan.cameron@huawei.com; zhangfei.gao@linaro.org;
> zhenzhong.duan@intel.com; Krishnakant Jaju <kjaju@nvidia.com>
> Subject: Re: [PATCH v5 3/5] hw/arm/smmuv3-accel: Allocate vEVENTQ for
> accelerated SMMUv3 devices
>
> On Wed, Feb 11, 2026 at 07:14:40PM +0100, Eric Auger wrote:
> > On 2/11/26 7:07 PM, Nicolin Chen wrote:
> > > On Wed, Feb 11, 2026 at 08:34:13AM +0000, Shameer Kolothum wrote:
> > >> For cold-plugged devices using SMMUv3 acceleration, the vIOMMU is
> > >> created before the guest boots. In this case, the vEVENTQ is
> > >> allocated when the guest writes to SMMU_CR0 and sets EVENTQEN = 1.
> > > [...]
> > >> @@ -1605,6 +1605,10 @@ static MemTxResult
> smmu_writel(SMMUv3State *s, hwaddr offset,
> > >> s->cr0ack = data & ~SMMU_CR0_RESERVED;
> > >> /* in case the command queue has been enabled */
> > >> smmuv3_cmdq_consume(s, &local_err);
> > >> + /* Allocate vEVENTQ if EventQ is enabled and a vIOMMU is
> > >> + available */
> > > Nit: though it is just following smmuv3_cmdq_consume(), it'd be
> > > likely clearer to verify the EVENTQEN in the callers.
> > >
> > >> + if (local_err == NULL) {
> > > Does eventq need to rely on !local_err from cmdq?
>
> > if local_err is NULL we can safely use it, no? Or maybe I miss your
> > point. maybe test !local_err directly?
>
> Point is: if local_err isn't NULL, why can't we allocate vEVENTQ?
Technically nothing prevents that I guess.
The only thing is we have to call error_report_err() if local_err != NULL
and then set local_err == NULL before calling alloc_veventq().
Thanks,
Shameer
On Wed, Feb 11, 2026 at 10:43:04AM -0800, Shameer Kolothum Thodi wrote:
> > On Wed, Feb 11, 2026 at 07:14:40PM +0100, Eric Auger wrote:
> > > On 2/11/26 7:07 PM, Nicolin Chen wrote:
> > > > On Wed, Feb 11, 2026 at 08:34:13AM +0000, Shameer Kolothum wrote:
> > > >> + if (local_err == NULL) {
> > > > Does eventq need to rely on !local_err from cmdq?
> >
> > > if local_err is NULL we can safely use it, no? Or maybe I miss your
> > > point. maybe test !local_err directly?
> >
> > Point is: if local_err isn't NULL, why can't we allocate vEVENTQ?
>
> Technically nothing prevents that I guess.
>
> The only thing is we have to call error_report_err() if local_err != NULL
> and then set local_err == NULL before calling alloc_veventq().
Or should we use:
include/qapi/error.h-402-/*
include/qapi/error.h-403- * Append a printf-style human-readable explanation to an existing error.
include/qapi/error.h-404- * If the error is later reported to a human user with
include/qapi/error.h-405- * error_report_err() or warn_report_err(), the hints will be shown,
include/qapi/error.h-406- * too. If it's reported via QMP, the hints will be ignored.
include/qapi/error.h-407- * Intended use is adding helpful hints on the human user interface,
include/qapi/error.h-408- * e.g. a list of valid values. It's not for clarifying a confusing
include/qapi/error.h-409- * error message.
include/qapi/error.h-410- * @errp may be NULL, but not &error_fatal or &error_abort.
include/qapi/error.h-411- * Trivially the case if you call it only after error_setg() or
include/qapi/error.h-412- * error_propagate().
include/qapi/error.h-413- * May be called multiple times. The resulting hint should end with a
include/qapi/error.h-414- * newline.
include/qapi/error.h-415- */
include/qapi/error.h:416:void error_append_hint(Error *const *errp, const char *fmt, ...)
include/qapi/error.h-417- G_GNUC_PRINTF(2, 3);
?
Nicolin
© 2016 - 2026 Red Hat, Inc.