{"id":2225831,"url":"http://patchwork.ozlabs.org/api/patches/2225831/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260421162912.3295598-5-jim.shu@sifive.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260421162912.3295598-5-jim.shu@sifive.com>","list_archive_url":null,"date":"2026-04-21T16:29:11","name":"[v2,4/5] accel/tcg: Add IOMMU lazy translation function","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"fef0c9308bfc9801f136974a53149b9235df6e77","submitter":{"id":83153,"url":"http://patchwork.ozlabs.org/api/people/83153/?format=json","name":"Jim Shu","email":"jim.shu@sifive.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260421162912.3295598-5-jim.shu@sifive.com/mbox/","series":[{"id":500851,"url":"http://patchwork.ozlabs.org/api/series/500851/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500851","date":"2026-04-21T16:29:09","name":"Defer the IOMMU translation and support access_type","version":2,"mbox":"http://patchwork.ozlabs.org/series/500851/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225831/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225831/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=sifive.com header.i=@sifive.com header.a=rsa-sha256\n header.s=google header.b=C+LELdZC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0SYb23m8z1yGt\n\tfor ; Wed, 22 Apr 2026 02:32:03 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wFDzE-0000NM-Jn; Tue, 21 Apr 2026 12:30:08 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wFDz4-00005S-4B\n for qemu-devel@nongnu.org; Tue, 21 Apr 2026 12:30:02 -0400","from mail-pj1-x1030.google.com ([2607:f8b0:4864:20::1030])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from )\n id 1wFDyz-0005kC-Nh\n for qemu-devel@nongnu.org; Tue, 21 Apr 2026 12:29:56 -0400","by mail-pj1-x1030.google.com with SMTP id\n 98e67ed59e1d1-35fb7c1a455so1795896a91.3\n for ; Tue, 21 Apr 2026 09:29:50 -0700 (PDT)","from hsinchu26.internal.sifive.com ([210.176.154.34])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-36140ff2e1esm13529470a91.8.2026.04.21.09.29.42\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 21 Apr 2026 09:29:47 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=sifive.com; s=google; t=1776788989; x=1777393789; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=APky2fuLBKI2WECyMzceROTH37228n1Vh/hCfj/U6G4=;\n b=C+LELdZC8QEdqIZKXRfz1JIFDFuG0IqsPl9lyu6cF84qkQeEnpanuLWFZF9gnAj9+G\n quRFGfCKrQg7FM3Nua1hR2A3659WbH+mYtOkhrScuKPVmjyM5u9+wAiqVb+96BQfBieN\n dOedK5UnDUpa3kJ+OXR5IVGLeCCYKrV+cv8AB36clNohIfG/YO/RCIpBC0AoXWjUsDxx\n qIQRqaYeBWRH1Xm4Ia5IAxJfw7D0r9U+vSXvCqfMjVtAGeRVILR+HQLN6E8Kez35FFMx\n EQ8capYjVi+j1NETDMcHZ5KLFzp4zEqab0iIM3uv1jYC6Y9SPekuZowXlYPBkiBVhTBV\n Bt6Q==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776788989; x=1777393789;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=APky2fuLBKI2WECyMzceROTH37228n1Vh/hCfj/U6G4=;\n b=hyHCQnTgrbOTh/p+CEbAL0lW5RJ19YTQZ+V/UThQiG2+WyFF1ZNcGFLkAgkpQGnw5b\n ixKiYGcdXDRfZP0hZfCSGBBJPLNzaFxxzzaVpHJ0TnZ5gqdEMwWSWKh1iOKYj67asEfE\n zDpJyHDGLkZC+f0A9uLj4qbtQGGIZ/kXzp7qWoLBVCCraEertaBmUX+RkLhYJm7orHmX\n vAvnC+/iQ9m8IJyUOYx+AxFYJkBaVI+jxtUobUiIcxxc09Id7FH6puNsFUFDWg/S1oT9\n leo/lj4g4pztmrYXkmumZSn2wSBlvKQBdxw2ekhTOd7P4gdlw2o0+ZSerLNmJ7P3qIsw\n Yw2g==","X-Gm-Message-State":"AOJu0YzLKGO1Mvk4Unm8VOMKF1jdQXohVofaPEH9pUF7HstQD2BxuQ2r\n 0HO1Uq0WczwG48gouESId3M6nZf7gThORxSe8iVsmN2QNASDb3pqE2jLpwNj4pnrAD7tkjroxnk\n RLgbmRplLvgQw/WtYCVlI76Kech1C2NaywuY+MD32m75Yk71VMuwn1wVWv8zsUpdySK6I5y9sYr\n aDk8ibtyXnD969wKTuAbh2LiiKvcyvpyVqJVWc2kWR","X-Gm-Gg":"AeBDiesGjVGQxYfkUQ7s5lOxTu56qZ0T932fkU+KypIqDCZ0Rn+AeTuoa5umVME0wyA\n BO81otsccqGO+ZQ3tD1YF80d10aipfNXXDluxBmnjaLx+qV2VbSuQkSwf6MsEhXjCgGTfqh18pP\n 89R4Nh6hLQk4NUDPt90a1K2qXwwFOZvPzaAVH5uMpRjyduK3TYGmyDepObaYrjDG/7WxdYHxRD6\n zAQk89ctnqYOSiyu85KLEXrYZpXv5oiw6QiN6OMzMEvNJZdIG0h9Uwn00jN4Az0nX3dYiqUBeXe\n /zOpJiQecz4JEbfkFq9kQE6220+20IjQ5J8rxsOm3EoQN58A1Mdz4HuePqUHIOs/HOA5yl84vDR\n LHoP49cAX0VIkW5QAMXmzbeM5qeSno4dufBCT0OCoNCdDcfNjf1GIcQBM1U0U3GB1LD4CUmROc/\n ea7VXkoTmQgwjUQwfVV9qJ46v6jJaj5lSyip+EYyDQnF+ld9T+bDSCJlZbpLwh09DhZg==","X-Received":"by 2002:a17:90b:2891:b0:359:fd9a:c50c with SMTP id\n 98e67ed59e1d1-361404ae963mr17422285a91.22.1776788988528;\n Tue, 21 Apr 2026 09:29:48 -0700 (PDT)","From":"Jim Shu ","To":"qemu-devel@nongnu.org,\n\tqemu-riscv@nongnu.org","Cc":"Richard Henderson ,\n Paolo Bonzini ,\n =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= ,\n Marcel Apfelbaum ,\n Yanan Wang , Zhao Liu ,\n Peter Xu , Michael Rolnik ,\n Helge Deller , Song Gao ,\n Laurent Vivier ,\n \"Edgar E. Iglesias\" ,\n Aurelien Jarno , Jiaxun Yang ,\n Aleksandar Rikalo , Stafford Horne ,\n Nicholas Piggin , Chinmay Rath ,\n Glenn Miles , Palmer Dabbelt ,\n Alistair Francis , Weiwei Li ,\n Daniel Henrique Barboza ,\n Liu Zhiwei ,\n Chao Liu ,\n Yoshinori Sato ,\n Ilya Leoshkevich , David Hildenbrand ,\n Cornelia Huck , Eric Farman ,\n Matthew Rosato ,\n Mark Cave-Ayland ,\n Artyom Tarasenko ,\n Bastian Koppelmann ,\n Max Filippov ,\n qemu-ppc@nongnu.org (open list:PowerPC TCG CPUs),\n qemu-s390x@nongnu.org (open list:S390 TCG CPUs), Jim Shu ","Subject":"[PATCH v2 4/5] accel/tcg: Add IOMMU lazy translation function","Date":"Wed, 22 Apr 2026 00:29:11 +0800","Message-ID":"<20260421162912.3295598-5-jim.shu@sifive.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260421162912.3295598-1-jim.shu@sifive.com>","References":"<20260421162912.3295598-1-jim.shu@sifive.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::1030;\n envelope-from=jim.shu@sifive.com; helo=mail-pj1-x1030.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"The lazy translation will translate IOMMU regions of the specific\naccess_type and store the result into the CPUTLBEntryFull.\n\nFor CPUTLBEntry, lazy translation may update 'addend' and 'addr_idx'\narray. We restrict IOMMU region to have a single non-zero 'addend'\nacross all permissions. Also, lazy translation only updates the\n'addr_idx' for the permissions specified in @prot.\n\nSigned-off-by: Jim Shu \n---\n accel/tcg/cputlb.c | 168 ++++++++++++++++++++++++++++++++++++++++++\n include/hw/core/cpu.h | 15 ++++\n 2 files changed, 183 insertions(+)","diff":"diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c\nindex f0c049e1551..5735f632896 100644\n--- a/accel/tcg/cputlb.c\n+++ b/accel/tcg/cputlb.c\n@@ -1272,6 +1272,174 @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,\n mmu_idx, retaddr);\n }\n \n+/*\n+ * Perform lazy IOMMU translation for a CPUTLBEntry/CPUTLBEntryFull.\n+ * This is called when CPU utilize the TLB entry in the slow path.\n+ * Updates both entry and full entry to IOMMU translated data for the\n+ * specific access type.\n+ */\n+static void\n+tlb_translate_iommu(CPUState *cpu, int mmu_idx,\n+ vaddr addr, MMUAccessType access_type,\n+ CPUTLBEntryFull *full)\n+{\n+ CPUTLB *tlb = &cpu->neg.tlb;\n+ MemoryRegionSection *section;\n+ unsigned int read_flags, write_flags;\n+ uintptr_t addend;\n+ CPUTLBEntry *te;\n+ hwaddr iotlb, xlat, sz, paddr_page;\n+ vaddr addr_page;\n+ int asidx, wp_flags, prot;\n+ bool is_ram, is_romd;\n+\n+ if (!full->is_iommu || (full->iommu_last_at == access_type)) {\n+ return;\n+ }\n+\n+ assert_cpu_is_self(cpu);\n+\n+ if (full->lg_page_size <= TARGET_PAGE_BITS) {\n+ sz = TARGET_PAGE_SIZE;\n+ } else {\n+ sz = (hwaddr)1 << full->lg_page_size;\n+ tlb_add_large_page(cpu, mmu_idx, addr, sz);\n+ }\n+ addr_page = addr & TARGET_PAGE_MASK;\n+ paddr_page = full->phys_addr & TARGET_PAGE_MASK;\n+\n+ prot = full->prot;\n+ asidx = cpu_asidx_from_attrs(cpu, full->attrs);\n+\n+ section = address_space_translate_for_iotlb_late(cpu, asidx, paddr_page,\n+ &xlat, &sz, full->attrs,\n+ &prot, access_type);\n+\n+ assert(sz >= TARGET_PAGE_SIZE);\n+\n+ tlb_debug(\"vaddr=%016\" VADDR_PRIx \" paddr=0x\" HWADDR_FMT_plx\n+ \" prot=%x idx=%d\\n\",\n+ addr, full->phys_addr, prot, mmu_idx);\n+\n+ is_ram = memory_region_is_ram(section->mr);\n+ is_romd = memory_region_is_romd(section->mr);\n+\n+ read_flags = full->tlb_fill_flags;\n+ if (full->lg_page_size < TARGET_PAGE_BITS) {\n+ /* Repeat the MMU check and TLB fill on every access. */\n+ read_flags |= TLB_INVALID_MASK;\n+ }\n+\n+ if (is_ram || is_romd) {\n+ /* RAM and ROMD both have associated host memory. */\n+ addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;\n+ } else {\n+ /* I/O and IOMMU does not; force the host address to NULL. */\n+ addend = 0;\n+ }\n+\n+ write_flags = read_flags;\n+\n+ if (is_ram) {\n+ iotlb = memory_region_get_ram_addr(section->mr) + xlat;\n+ assert(!(iotlb & ~TARGET_PAGE_MASK));\n+ /*\n+ * Computing is_clean is expensive; avoid all that unless\n+ * the page is actually writable.\n+ */\n+ if (prot & PAGE_WRITE) {\n+ if (section->readonly) {\n+ write_flags |= TLB_DISCARD_WRITE;\n+ } else if (physical_memory_is_clean(iotlb)) {\n+ write_flags |= TLB_NOTDIRTY;\n+ }\n+ }\n+ } else {\n+ /* I/O or ROMD */\n+ iotlb = xlat;\n+ /*\n+ * Writes to romd devices must go through MMIO to enable write.\n+ * Reads to romd devices go through the ram_ptr found above,\n+ * but of course reads to I/O must go through MMIO.\n+ */\n+ write_flags |= TLB_MMIO;\n+ if (!is_romd) {\n+ read_flags = write_flags;\n+ }\n+ }\n+\n+ wp_flags = cpu_watchpoint_address_matches(cpu, addr_page,\n+ TARGET_PAGE_SIZE);\n+\n+ /* Update the CPUTLBEntryFull for this access type. */\n+ full->iommu_last_at = access_type;\n+ full->xlat_offset = iotlb - addr_page;\n+ full->section = section;\n+ full->phys_addr = paddr_page;\n+\n+ /* Update the CPUTLBEntry: addend and addr_idx */\n+ tlb = &cpu->neg.tlb;\n+ te = tlb_entry(cpu, mmu_idx, addr_page);\n+\n+ qemu_spin_lock(&tlb->c.lock);\n+\n+ /*\n+ * If IOMMU region is translated to the memories (has associated\n+ * host memory), it will update the 'addend' to access memories in the\n+ * fast path. Otherwise, IO region do not update the 'addend' because\n+ * it might be already used by memory region from the other permissions.\n+ * It is fine since IO region do not use addend.\n+ */\n+ if (is_ram || is_romd) {\n+ if (te->addend + addr_page) {\n+ /* addend of untranslated IOMMU region is 0 - addr_page. */\n+\n+ /*\n+ * CPUTLBEntry only has 1 addend across all permissions.\n+ * We don't support the IOMMUMemoryRegion to be translated to\n+ * 2 different host memories from the different permissions.\n+ * QEMU will trigger an assertion for such case.\n+ */\n+ g_assert(addend == te->addend + addr_page);\n+ } else {\n+ te->addend = addend - addr_page;\n+ }\n+ }\n+\n+ /*\n+ * In the IOMMU lazy translation, we only update TLB flags for the\n+ * permissions specified in @prot. For other permissions, we still\n+ * keep the original TLB flags (e.g. TLB_IOMMU if not translated).\n+ */\n+ if (prot & PAGE_EXEC) {\n+ tlb_set_compare(full, te, addr_page, read_flags,\n+ MMU_INST_FETCH, prot & PAGE_EXEC);\n+ }\n+\n+ if (wp_flags & BP_MEM_READ) {\n+ read_flags |= TLB_WATCHPOINT;\n+ }\n+ if (prot & PAGE_READ) {\n+ tlb_set_compare(full, te, addr_page, read_flags,\n+ MMU_DATA_LOAD, prot & PAGE_READ);\n+ }\n+\n+ if (prot & PAGE_WRITE_INV) {\n+ write_flags |= TLB_INVALID_MASK;\n+ }\n+ if (wp_flags & BP_MEM_WRITE) {\n+ write_flags |= TLB_WATCHPOINT;\n+ }\n+ if (prot & PAGE_WRITE) {\n+ tlb_set_compare(full, te, addr_page, write_flags,\n+ MMU_DATA_STORE, prot & PAGE_WRITE);\n+ }\n+\n+ qemu_spin_unlock(&tlb->c.lock);\n+\n+ return;\n+}\n+\n static MemoryRegionSection *\n io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full,\n vaddr addr, uintptr_t retaddr)\ndiff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h\nindex 04e1f970caf..465614c5d9a 100644\n--- a/include/hw/core/cpu.h\n+++ b/include/hw/core/cpu.h\n@@ -254,6 +254,21 @@ struct CPUTLBEntryFull {\n */\n uint8_t slow_flags[MMU_ACCESS_COUNT];\n \n+ /*\n+ * @is_iommu indicates if the MemoryRegion is an IOMMU.\n+ * When true, IOMMU translation is deferred until the entry is used.\n+ */\n+ bool is_iommu;\n+\n+ /*\n+ * @iommu_last_at contains the access_type of last IOMMU translation.\n+ * It means that this entry currently stores the translated data of\n+ * IOMMU region with this access_type.\n+ * When it is MMU_ACCESS_COUNT, the entry stores untranslated data of\n+ * IOMMU region.\n+ */\n+ MMUAccessType iommu_last_at;\n+\n /*\n * Allow target-specific additions to this structure.\n * This may be used to cache items from the guest cpu\n","prefixes":["v2","4/5"]}