On Thu, 29 Jan 2026 at 16:09, Peter Maydell <[email protected]> wrote:
>
> From: Nicolin Chen <[email protected]>
>
> A device placed behind a vSMMU instance must have corresponding vSTEs
> (bypass, abort, or translate) installed. The bypass and abort proxy nested
> HWPTs are pre-allocated.
>
> For translat HWPT, a vDEVICE object is allocated and associated with the
> vIOMMU for each guest device. This allows the host kernel to establish a
> virtual SID to physical SID mapping, which is required for handling
> invalidations and event reporting.
>
> An translate HWPT is allocated based on the guest STE configuration and
> attached to the device when the guest issues SMMU_CMD_CFGI_STE or
> SMMU_CMD_CFGI_STE_RANGE, provided the STE enables S1 translation.
>
> If the guest STE is invalid or S1 translation is disabled, the device is
> attached to one of the pre-allocated ABORT or BYPASS HWPTs instead.
>
> While at it, export smmu_find_ste() for use here.
Hi; Coverity points out what looks like a missing
deallocation on an error-exit path in this function (CID 1644832):
> +bool smmuv3_accel_install_ste(SMMUv3State *s, SMMUDevice *sdev, int sid,
> + Error **errp)
> +{
[...]
> + /*
> + * Install the STE based on SMMU enabled/config:
> + * - attach a pre-allocated HWPT for abort/bypass
> + * - or a new HWPT for translate STE
> + *
> + * Note: The vdev remains associated with accel_dev even if HWPT
> + * attach/alloc fails, since the Guest–Host SID mapping stays
> + * valid as long as the device is behind the accelerated SMMUv3.
> + */
> + if (!smmu_enabled(s)) {
> + hwpt_id = smmuv3_accel_gbpa_hwpt(s, accel);
> + } else {
> + config = STE_CONFIG(&ste);
> +
> + if (!STE_VALID(&ste) || STE_CFG_ABORT(config)) {
> + hwpt_id = accel->abort_hwpt_id;
> + } else if (STE_CFG_BYPASS(config)) {
> + hwpt_id = accel->bypass_hwpt_id;
> + } else if (STE_CFG_S1_TRANSLATE(config)) {
> + s1_hwpt = smmuv3_accel_dev_alloc_translate(accel_dev, &ste,
> errp);
In this function we allocate memory and return it, assigning
it to s1_hwpt...
> + if (!s1_hwpt) {
> + return false;
> + }
> + hwpt_id = s1_hwpt->hwpt_id;
> + }
> + }
> +
> + if (!hwpt_id) {
> + error_setg(errp, "Invalid STE config for sid 0x%x",
> + smmu_get_sid(&accel_dev->sdev));
> + return false;
...but in this error-exit code path we don't free it.
> + }
> +
> + if (!host_iommu_device_iommufd_attach_hwpt(idev, hwpt_id, errp)) {
> + if (s1_hwpt) {
> + iommufd_backend_free_id(idev->iommufd, s1_hwpt->hwpt_id);
> + g_free(s1_hwpt);
> + }
Compare the error-handling here which does tidy up s1_hwpt.
> + return false;
> + }
thanks
-- PMM
