Hi Shameer,
On 4/15/26 12:55 PM, Shameer Kolothum wrote:
> From: Nicolin Chen <[email protected]>
>
> CMDQV HW reads guest queue memory in its host physical address setup via
> IOMMUFD. This requires the guest queue memory is not only contiguous in
> guest PA space but also in host PA space. With Tegra241 CMDQV enabled, we
> must only advertise a CMDQS that the host can safely back with physically
s/a CMDQS/ a command queue size (CMDQS)
> contiguous memory. Allowing a queue larger than the host page size could
a queue size
> cause the hardware to DMA across page boundaries, leading to faults.
>
> Walk the RAMBlock list to find the smallest memory-backend page size, then
> limit IDR1.CMDQS so the guest cannot configure a command queue that exceeds
what is the minimal CMDQS required?
> that contiguous backing. Fall back to the real host page size if no
> memory-backend RAM blocks are found.
>
> Signed-off-by: Nicolin Chen <[email protected]>
> Signed-off-by: Shameer Kolothum <[email protected]>
> ---
> hw/arm/tegra241-cmdqv.c | 41 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 41 insertions(+)
>
> diff --git a/hw/arm/tegra241-cmdqv.c b/hw/arm/tegra241-cmdqv.c
> index af68add2f0..2870886783 100644
> --- a/hw/arm/tegra241-cmdqv.c
> +++ b/hw/arm/tegra241-cmdqv.c
> @@ -14,6 +14,9 @@
> #include "hw/arm/smmuv3.h"
> #include "hw/core/irq.h"
> #include "smmuv3-accel.h"
> +#include "smmuv3-internal.h"
> +#include "system/ramblock.h"
> +#include "system/ramlist.h"
> #include "tegra241-cmdqv.h"
> #include "trace.h"
>
> @@ -646,9 +649,38 @@ free_viommu:
> return false;
> }
>
> +static size_t tegra241_cmdqv_min_ram_pagesize(void)
shouldn't we put that rather in system/physmem.c
there we also have qemu_ram_pagesize_largest() for instance
> +{
> + RAMBlock *rb;
> + size_t pg, min_pg = SIZE_MAX;
> +
> + RAMBLOCK_FOREACH(rb) {
> + MemoryRegion *mr = rb->mr;
> +
> + /* Only consider real RAM regions */
> + if (!mr || !memory_region_is_ram(mr)) {
> + continue;
> + }
> +
> + /* Skip RAM regions that are not backed by a memory-backend */
> + if (!object_dynamic_cast(mr->owner, TYPE_MEMORY_BACKEND)) {
> + continue;
> + }
> +
> + pg = qemu_ram_pagesize(rb);
> + if (pg && pg < min_pg) {
> + min_pg = pg;
> + }
> + }
> +
> + return (min_pg == SIZE_MAX) ? qemu_real_host_page_size() : min_pg;
> +}
> +
> static void tegra241_cmdqv_init_regs(SMMUv3State *s, Tegra241CMDQV *cmdqv)
> {
> int i;
> + size_t pgsize;
> + uint32_t val;
>
> cmdqv->config = V_CONFIG_RESET;
> cmdqv->param = FIELD_DP32(0, PARAM, CMDQV_VER, CMDQV_VER);
> @@ -681,6 +713,15 @@ static void tegra241_cmdqv_init_regs(SMMUv3State *s,
> Tegra241CMDQV *cmdqv)
> cmdqv->vcmdq_base[i] = 0;
> cmdqv->vcmdq_cons_indx_base[i] = 0;
> }
> +
> + /*
> + * CMDQ must not cross a physical RAM backend page. Adjust CMDQS so the
> + * queue fits entirely within the smallest backend page size, ensuring
> + * the command queue is physically contiguous in host memory.
> + */
> + pgsize = tegra241_cmdqv_min_ram_pagesize();
> + val = FIELD_EX32(s->idr[1], IDR1, CMDQS);
> + s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS, MIN(ctz64(pgsize) - 4,
> val));
> }
>
> static void tegra241_cmdqv_reset(SMMUv3State *s)
Eric
