The location of the RNMI/E trap vectors in the Smrnmi extension is
implementation-defined, so platforms with vendor-specific NMI vector
mechanisms must install the firmware's NMI entry points themselves.
Add an smrnmi_handlers_init() callback to sbi_platform_operations that
receives the firmware entry points and lets platform code install them
at the hardware-specific vector locations. Two pointers are passed:
- _trap_rnmi_handler: the dedicated RNMI entry point that saves
context using the Smrnmi MN* CSRs and returns via mnret.
- _trap_handler: the regular M-mode trap entry since RNME is taken
as a regular M-mode trap with NMIE=0.
When Smrnmi is present, install the platform's NMI vectors via the new
callback, initialize MNSCRATCH with the per-hart scratch pointer, and
set MNSTATUS.NMIE.
Smrnmi-enabled platforms must register smrnmi_handlers_init; if the
extension is detected but no callback is registered, sbi_panic() is
called since enabling NMIs without handlers in place would route
subsequent traps into nowhere.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/88b1470e1e3348d454b4b995a11a85c01914f7af.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Current placement of entropy initialization via Zkr extension requires a
trap-based mechanism to handle absent Zkr extension case. In presence of
Smrnmi extension no trap-based mechanisms should be used before Smrnmi is
detected and enabled otherwise trap will jump to undefined location.
Move stack guard initialization into init_coldboot function body after
device tree has been parsed so we know if Zkr extension is implemented by
the platform which helps to avoid trap-based discovery.
init_coldboot() is a safe place to initialize entropy because it doesn't
return so no check of __stack_chk_guard against value on entry
will be done.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/acd52b0f3468758bc5f09e6a45662341b31d4d87.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Implement basic Resumable NMI (RNMI) handler support for the RISC-V
Smrnmi extension.
The new _trap_rnmi_handler assembly entry point saves context using the
Smrnmi MN* CSRs (MNSCRATCH, MNEPC, MNSTATUS, MNCAUSE) and returns via
mnret. It dispatches to sbi_trap_rnmi_handler(), which optionally calls
a platform-specific ops->rnmi_handler callback for actual NMI
processing. If no platform handler is registered or it fails, the
event is reported as an unhandled NMI.
The RNMI handler reuses the generic trap context structure but stores MN*
CSR values (MNEPC, MNSTATUS, MNCAUSE) into the corresponding generic
fields (mepc, mstatus, cause) for compatibility with existing trap
infrastructure.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/050ae6d2762ba8d5b9dfb3cc1960a23aa3d6c549.1778176768.git.evvoevod@tenstorrent.com
Signed-off-by: Anup Patel <anup@brainfault.org>
The original sbi_strchr implementation did not conform to the C standard
behavior. According to the C standard and POSIX specification, strchr(s, 0)
should return a pointer to the null terminator at the end of string s.
The previous implementation used a while loop that would terminate when
either reaching the end of string or finding the character, but it would
return NULL when searching for the null terminator instead of returning
a pointer to the null terminator itself.
The fixed implementation uses a do-while loop that ensures even when
searching for the null terminator, the function correctly returns a
pointer to the null terminator position rather than NULL.
This fix ensures sbi_strchr behavior aligns with standard library
function semantics, making it more predictable and safe for users
expecting standard C library behavior.
Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260306094425.1918-3-cp0613@linux.alibaba.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Set a default MMIO region with a single SmePMP entry, which allows us
to save entries for M-mode only devices. The default entry has M-/S-mode
shared permission, so system-level resource protection, such as RISC-V
World extension and WorldGuard checker, will be introduced to protect
M-mode only region access from lower privilege modes.
Reviewed-by: Greentime Hu <greentime.hu@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Link: https://lore.kernel.org/r/20260224031733.3817148-3-peter.lin@sifive.com
Signed-off-by: Anup Patel <anup@brainfault.org>
It is possible to have platform where an irqchip device targets
a subset of harts and there are multiple irqchip devices to cover
all harts.
To support this scenario:
1) Add target_harts hartmask to struct sbi_irqchip_device which
represents the set of harts targetted by the irqchip device
2) Call warm_init() and process_hwirqs() callbacks of an irqchip
device on a hart only if irqchip device targets that particular
hart
Signed-off-by: Anup Patel <anup.patel@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260213055342.3124872-6-anup.patel@oss.qualcomm.com
Signed-off-by: Anup Patel <anup@brainfault.org>
UBSan detected undefined behavior in sbi_hart.c and sbi_fwft.c (in
the case of sbi_fwft.c, the bug comes from a macro call defined at
sbi_ecall_interface.h) caused by shifting a signed integer into the
sign bit (1 << 31)
This can be fixed by using the 1UL literal, ensuring defined arithmetic.
Please let me know if there’s any other most suitable solution for
this bug.
Signed-off-by: Marcos Oduardo <marcos.oduardo@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223001202.284612-1-marcos.oduardo@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
In sbi_domain.h, when checking if a memory region is a subset of
another, an undefined behavior arithmetic operation was caught
when sanitizing with UBSan (shift exponent __riscv_xlen).
This patch adds a check to handle the case where the region order
is __riscv_xlen, avoiding the illegal shift and ensuring the operation
remains defined.
Please let me know if there’s any other most suitable solution for
this bug.
Signed-off-by: Marcos Oduardo <marcos.oduardo@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260222235219.276432-1-marcos.oduardo@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
SBI code arranges domain PMP regions in a way that last entry is
all-inclusive "0..~0 RWX" and the rest of entries are not programmed.
This causes a problem for the eyeq7h.
CPU can issue speculative prefetches to non-existent addresses. If this
access goes to the system NOC, it is mis-interpreted as an access
violation and error is reported, forcing system reset.
To prevent such a speculative transaction to leave a CPU cluster,
block it using PMP, by restricting memory region to physically present
memory. To achieve this, on early init:
- update flags for the last all-inclusive "0..~0 RWX" entry to be
inaccessible MMIO. MMIO serves to set up PMA attributes to uncached
non-prefetchable, preventing transactions to reach system NOC
- add an all-permissive entry matching DRAM.
Resulting memory regions:
Domain0 Region00 : 0x0000000800100000-0x000000080013ffff M: (F,R,X) S/U: ()
Domain0 Region01 : 0x0000000800100000-0x00000008001fffff M: (F,R,W) S/U: ()
Domain0 Region02 : 0x0000000048700000-0x000000004870ffff M: (I,R,W) S/U: ()
Domain0 Region03 : 0x0000000067480000-0x000000006748ffff M: (I,R,W) S/U: ()
Domain0 Region04 : 0x0000000067500000-0x000000006750ffff M: (I,R,W) S/U: ()
Domain0 Region05 : 0x0000000048740000-0x000000004875ffff M: (I,R,W) S/U: ()
Domain0 Region06 : 0x00000000674c0000-0x00000000674dffff M: (I,R,W) S/U: ()
Domain0 Region07 : 0x0000000067540000-0x000000006755ffff M: (I,R,W) S/U: ()
Domain0 Region08 : 0x0000000000000000-0x000000007fffffff M: (I,R,W) S/U: (R,W)
Domain0 Region09 : 0x0000000800000000-0x00000008ffffffff M: () S/U: (R,W,X)
Domain0 Region10 : 0x0000001000000000-0x0000001fffffffff M: (I) S/U: (R,W)
Domain0 Region11 : 0x0000000000000000-0xffffffffffffffff M: (I) S/U: ()
Here Region09 covers DRAM, region 11 set to non-accessible
uncached no-prefetch for the entire address range
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223-for-upstream-eyeq7h-v3-21-621d004d1a21@mobileye.com
Signed-off-by: Anup Patel <anup@brainfault.org>
CPU clusters 1 and 2 cannot access NCORE registers through AUX ports.
AUX ports of clusters 1 and 2 are connected to NCORE through east port.
East port has no access to NCORE registers address space.
Re-route NCORE registers range to MEM port by re-configuring MMIO
regions in the GCR. REsulting map is as below. Mind a gap between
regions [1] and [2]; this gap covering NCORE registers now routed
to the default MEM port
Cluster 0: 4 MMIO regions
[0] : 0x0000000000000000-0x000000001fff0000 AUX0 UC|UCA
[1] : 0x0000000020000000-0x00000000677f0000 AUX0 ANY
[2] : 0x0000000080000000-0x0000001fffff0000 AUX0 UC|UCA
[3] : --disabled--
Cluster 1: 4 MMIO regions
[0] : 0x0000000000000000-0x000000001fff0000 AUX0 UC|UCA
[1] : 0x0000000020000000-0x00000000677f0000 AUX0 ANY
[2] : 0x0000000080000000-0x0000001fffff0000 AUX0 UC|UCA
[3] : --disabled--
Cluster 2: 4 MMIO regions
[0] : 0x0000000000000000-0x000000001fff0000 AUX0 UC|UCA
[1] : 0x0000000020000000-0x00000000677f0000 AUX0 ANY
[2] : 0x0000000080000000-0x0000001fffff0000 AUX0 UC|UCA
[3] : --disabled--
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223-for-upstream-eyeq7h-v3-19-621d004d1a21@mobileye.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Modify the coherence manager register accessors to use the global variable
p8700_cm_info instead of the statically declared GLOBAL_CM_BASE array.
Also use p8700_cm_info to get the number of coherence managers and their
base addresses in mips_p8700_early_init() and mips_p8700_nascent_init().
Clean up the hard-coded values in mips/board.h, access to the coherence
manager is now fully based on information provided by platform compatible
from the device tree.
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223-for-upstream-eyeq7h-v3-9-621d004d1a21@mobileye.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Introduce a structure p8700_cm_info holding the number of coherence
managers and their base addresses found in a particular SoC.
Declare a global pointer to the structure that is set in
mips_p8700_platform_init(), based on the match data of the platform
compatible.
For the match data of the MIPS P8700, a single coherence manager with
a base address of 0x16100000 is declared, identical to what is found
in mips/board.h.
For now, access to the coherence manager register is still based on
the hard-coded values defined in mips/board.h.
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223-for-upstream-eyeq7h-v3-8-621d004d1a21@mobileye.com
Signed-off-by: Anup Patel <anup@brainfault.org>
In the multi-cluster system each cluster has its own CM (Coherency Manager).
Every CM has its "global" memory address where it is accessible from
any bus master.
Initially, all CMs accessible from the local cluster using same "local"
address. Transactions by local address are not routed through system bus
and thus are faster.
Remap CM in every cluster to the local address matching its global address.
Then, every CM is always accessed using same address, but when transaction
initiated from the local cluster it is routed internally.
This removes need for 2 PMP regions covering local address access.
CM accessor functions simplified because there's no need to detect whether
transaction is local or global
Access timer always in cluster 0
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260223-for-upstream-eyeq7h-v3-7-621d004d1a21@mobileye.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Anup Patel