Message ID | 20211211191135.1764649-21-peter.maydell@linaro.org |
---|---|
State | Superseded |
Headers | show |
Series | arm gicv3 ITS: Various bug fixes and refactorings | expand |
On 12/11/21 11:11 AM, Peter Maydell wrote: > When an ITS detects an error in a command, it has an > implementation-defined (CONSTRAINED UNPREDICTABLE) choice of whether > to ignore the command, proceeding to the next one in the queue, or to > stall the ITS command queue, processing nothing further. The > behaviour required when the read of the command packet from memory > fails is less clearly documented, but the same set of choices as for > command errors seem reasonable. > > The intention of the QEMU implementation, as documented in the > comments, is that if we encounter a memory error reading the command > packet or one of the various data tables then we should stall, but > for command parameter errors we should ignore the queue and continue. > However, we don't actually do this. To get the desired behaviour, > the various process_* functions need to return true to cause > process_cmdq() to advance to the next command and keep processing, > and false to stall command processing. What they mostly do is return > false for any kind of error. > > To make the code clearer, replace the 'bool' return from the process_ > functions with an enum which may be either CMD_STALL or CMD_CONTINUE. > In this commit no behaviour changes; in subsequent commits we will > adjust the error-return paths for the process_ functions one by one. > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/intc/arm_gicv3_its.c | 59 ++++++++++++++++++++++++++--------------- > 1 file changed, 38 insertions(+), 21 deletions(-) Reviewed-by: Richard Henderson <richard.henderson@linaro.org> r~
On 12/11/21 20:11, Peter Maydell wrote: > When an ITS detects an error in a command, it has an > implementation-defined (CONSTRAINED UNPREDICTABLE) choice of whether > to ignore the command, proceeding to the next one in the queue, or to > stall the ITS command queue, processing nothing further. The > behaviour required when the read of the command packet from memory > fails is less clearly documented, but the same set of choices as for > command errors seem reasonable. > > The intention of the QEMU implementation, as documented in the > comments, is that if we encounter a memory error reading the command > packet or one of the various data tables then we should stall, but > for command parameter errors we should ignore the queue and continue. > However, we don't actually do this. To get the desired behaviour, > the various process_* functions need to return true to cause > process_cmdq() to advance to the next command and keep processing, > and false to stall command processing. What they mostly do is return > false for any kind of error. > > To make the code clearer, replace the 'bool' return from the process_ > functions with an enum which may be either CMD_STALL or CMD_CONTINUE. > In this commit no behaviour changes; in subsequent commits we will > adjust the error-return paths for the process_ functions one by one. > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/intc/arm_gicv3_its.c | 59 ++++++++++++++++++++++++++--------------- > 1 file changed, 38 insertions(+), 21 deletions(-) > > diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c > index f3eba92946d..59dd564d91c 100644 > --- a/hw/intc/arm_gicv3_its.c > +++ b/hw/intc/arm_gicv3_its.c > @@ -45,6 +45,23 @@ typedef struct { > uint64_t itel; > } IteEntry; > > +/* > + * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options > + * if a command parameter is not correct. These include both "stall > + * processing of the command queue" and "ignore this command, and > + * keep processing the queue". In our implementation we choose that > + * memory transaction errors reading the command packet provoke a > + * stall, but errors in parameters cause us to ignore the command > + * and continue processing. > + * The process_* functions which handle invididual ITS commands all Typo "individual". > + * return an ItsCmdResult which tells process_cmdq() whether it should > + * stall or keep going. > + */ > +typedef enum ItsCmdResult { > + CMD_STALL = 0, > + CMD_CONTINUE = 1, > +} ItsCmdResult; Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Peter Maydell <peter.maydell@linaro.org> writes: > When an ITS detects an error in a command, it has an > implementation-defined (CONSTRAINED UNPREDICTABLE) choice of whether > to ignore the command, proceeding to the next one in the queue, or to > stall the ITS command queue, processing nothing further. The > behaviour required when the read of the command packet from memory > fails is less clearly documented, but the same set of choices as for > command errors seem reasonable. > > The intention of the QEMU implementation, as documented in the > comments, is that if we encounter a memory error reading the command > packet or one of the various data tables then we should stall, but > for command parameter errors we should ignore the queue and continue. > However, we don't actually do this. To get the desired behaviour, > the various process_* functions need to return true to cause > process_cmdq() to advance to the next command and keep processing, > and false to stall command processing. What they mostly do is return > false for any kind of error. > > To make the code clearer, replace the 'bool' return from the process_ > functions with an enum which may be either CMD_STALL or CMD_CONTINUE. > In this commit no behaviour changes; in subsequent commits we will > adjust the error-return paths for the process_ functions one by one. > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c index f3eba92946d..59dd564d91c 100644 --- a/hw/intc/arm_gicv3_its.c +++ b/hw/intc/arm_gicv3_its.c @@ -45,6 +45,23 @@ typedef struct { uint64_t itel; } IteEntry; +/* + * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options + * if a command parameter is not correct. These include both "stall + * processing of the command queue" and "ignore this command, and + * keep processing the queue". In our implementation we choose that + * memory transaction errors reading the command packet provoke a + * stall, but errors in parameters cause us to ignore the command + * and continue processing. + * The process_* functions which handle invididual ITS commands all + * return an ItsCmdResult which tells process_cmdq() whether it should + * stall or keep going. + */ +typedef enum ItsCmdResult { + CMD_STALL = 0, + CMD_CONTINUE = 1, +} ItsCmdResult; + static uint64_t baser_base_addr(uint64_t value, uint32_t page_sz) { uint64_t result = 0; @@ -217,8 +234,8 @@ static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res) * 3. handling of ITS CLEAR command * 4. handling of ITS DISCARD command */ -static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset, - ItsCmdType cmd) +static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value, + uint32_t offset, ItsCmdType cmd) { AddressSpace *as = &s->gicv3->dma_as; uint32_t devid, eventid; @@ -231,7 +248,7 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset, bool ite_valid = false; uint64_t cte = 0; bool cte_valid = false; - bool result = false; + ItsCmdResult result = CMD_STALL; uint64_t rdbase; if (cmd == NONE) { @@ -323,15 +340,15 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset, if (cmd == DISCARD) { IteEntry ite = {}; /* remove mapping from interrupt translation table */ - result = update_ite(s, eventid, dte, ite); + result = update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL; } } return result; } -static bool process_mapti(GICv3ITSState *s, uint64_t value, uint32_t offset, - bool ignore_pInt) +static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value, + uint32_t offset, bool ignore_pInt) { AddressSpace *as = &s->gicv3->dma_as; uint32_t devid, eventid; @@ -341,7 +358,7 @@ static bool process_mapti(GICv3ITSState *s, uint64_t value, uint32_t offset, MemTxResult res = MEMTX_OK; uint16_t icid = 0; uint64_t dte = 0; - bool result = false; + ItsCmdResult result = CMD_STALL; devid = ((value & DEVID_MASK) >> DEVID_SHIFT); offset += NUM_BYTES_IN_DW; @@ -402,7 +419,7 @@ static bool process_mapti(GICv3ITSState *s, uint64_t value, uint32_t offset, ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS); ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid); - result = update_ite(s, eventid, dte, ite); + result = update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL; } return result; @@ -470,14 +487,14 @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid, } } -static bool process_mapc(GICv3ITSState *s, uint32_t offset) +static ItsCmdResult process_mapc(GICv3ITSState *s, uint32_t offset) { AddressSpace *as = &s->gicv3->dma_as; uint16_t icid; uint64_t rdbase; bool valid; MemTxResult res = MEMTX_OK; - bool result = false; + ItsCmdResult result = CMD_STALL; uint64_t value; offset += NUM_BYTES_IN_DW; @@ -507,7 +524,7 @@ static bool process_mapc(GICv3ITSState *s, uint32_t offset) * command in the queue */ } else { - result = update_cte(s, icid, valid, rdbase); + result = update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL; } return result; @@ -576,7 +593,8 @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid, } } -static bool process_mapd(GICv3ITSState *s, uint64_t value, uint32_t offset) +static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value, + uint32_t offset) { AddressSpace *as = &s->gicv3->dma_as; uint32_t devid; @@ -584,7 +602,7 @@ static bool process_mapd(GICv3ITSState *s, uint64_t value, uint32_t offset) uint64_t itt_addr; bool valid; MemTxResult res = MEMTX_OK; - bool result = false; + ItsCmdResult result = CMD_STALL; devid = ((value & DEVID_MASK) >> DEVID_SHIFT); @@ -621,7 +639,7 @@ static bool process_mapd(GICv3ITSState *s, uint64_t value, uint32_t offset) * command in the queue */ } else { - result = update_dte(s, devid, valid, size, itt_addr); + result = update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL; } return result; @@ -639,7 +657,6 @@ static void process_cmdq(GICv3ITSState *s) uint64_t data; AddressSpace *as = &s->gicv3->dma_as; MemTxResult res = MEMTX_OK; - bool result = true; uint8_t cmd; int i; @@ -666,6 +683,8 @@ static void process_cmdq(GICv3ITSState *s) } while (wr_offset != rd_offset) { + ItsCmdResult result = CMD_CONTINUE; + cq_offset = (rd_offset * GITS_CMDQ_ENTRY_SIZE); data = address_space_ldq_le(as, s->cq.base_addr + cq_offset, MEMTXATTRS_UNSPECIFIED, &res); @@ -724,18 +743,16 @@ static void process_cmdq(GICv3ITSState *s) default: break; } - if (result) { + if (result == CMD_CONTINUE) { rd_offset++; rd_offset %= s->cq.num_entries; s->creadr = FIELD_DP64(s->creadr, GITS_CREADR, OFFSET, rd_offset); } else { - /* - * in this implementation, in case of dma read/write error - * we stall the command processing - */ + /* CMD_STALL */ s->creadr = FIELD_DP64(s->creadr, GITS_CREADR, STALLED, 1); qemu_log_mask(LOG_GUEST_ERROR, - "%s: %x cmd processing failed\n", __func__, cmd); + "%s: 0x%x cmd processing failed, stalling\n", + __func__, cmd); break; } }
When an ITS detects an error in a command, it has an implementation-defined (CONSTRAINED UNPREDICTABLE) choice of whether to ignore the command, proceeding to the next one in the queue, or to stall the ITS command queue, processing nothing further. The behaviour required when the read of the command packet from memory fails is less clearly documented, but the same set of choices as for command errors seem reasonable. The intention of the QEMU implementation, as documented in the comments, is that if we encounter a memory error reading the command packet or one of the various data tables then we should stall, but for command parameter errors we should ignore the queue and continue. However, we don't actually do this. To get the desired behaviour, the various process_* functions need to return true to cause process_cmdq() to advance to the next command and keep processing, and false to stall command processing. What they mostly do is return false for any kind of error. To make the code clearer, replace the 'bool' return from the process_ functions with an enum which may be either CMD_STALL or CMD_CONTINUE. In this commit no behaviour changes; in subsequent commits we will adjust the error-return paths for the process_ functions one by one. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/intc/arm_gicv3_its.c | 59 ++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 21 deletions(-)