Skip to content

7 Faults, errors and Event queue

Chapter 7 Faults, errors and Event queue There are three ways that unexpected or erroneous events can be reported to software: 1. Commands given to the SMMU might be in some way incorrect and the Command queue has a mechanism to report such problems. 2. A set of configuration errors and faults are recorded in the Event queue. These include events that arise from incoming device traffic, such as a configuration error (discovered when configuration is fetched on receipt of device traffic) or a page fault arising from the device traffic address. 3. A global register-based SMMU_GERROR mechanism reports events arising from a failure to record into the Event or PRI queues and other catastrophic events that cannot be written to memory. This might happen when the Event queue base pointer incorrectly indicates non-existent memory, or queue overflow. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 937

Chapter 7. Faults, errors and Event queue 7.1. Command queue errors 7.1 Command queue errors The Command queue entry formats are described in Chapter 4 Commands, which defines what is considered to be a valid command. Commands are consumed in-order and when a command error or command fetch abort is detected: • Command consumption stops. • Older commands (prior to the erroneous command in the queue) have been consumed. Note: By definition, earlier commands must have been consumed for a later invalid command to be indicated using CMDQ_CONS. Note: See also section 4.8 Command Consumption summary. • SMMU_()CMDQ_CONS.RD remains pointing to the erroneous command in the Command queue. The CONS index is not permitted to increment in the case where a command fetch experiences an external abort, meaning that external aborts on command read are synchronous. • The SMMU()CMDQ_CONS.ERR field is updated to provide an error code. • The global Command queue Error is triggered: SMMU()GERROR.CMDQ_ERR is activated (indicating that SMMU()CMDQ_CONS.ERR has been updated). Commands are not consumed from the affected queue while this error is active, see 7.5 Global error recording and SMMU_GERROR. • Commands newer than the erroneous command have no effect, and if they have been fetched they are discarded. Note: A GPC fault on a Command queue is reported here as an external abort. See 3.25.5 SMMU behavior if a GPC fault is active for details on how other aspects of the GPC fault are reported. Arm recommends that software rectifies the cause of the command error, then restarts command processing by acknowledging the CMDQ_ERR by writing an appropriate value to SMMU()GERRORN. Software is not required to write SMMU()CMDQ_PROD to re-trigger command processing. While the error is active, additional commands might be submitted and CMDQ_PROD might be moved backwards as far as the CMDQ_CONS position so that previously-submitted but non-consumed commands are removed from the queue. This is the only condition in which it is permissible to change CMDQ_PROD in a manner that is not an increment/wrap while the queue is enabled, see section 3.21.2 Queues. Commands at or after the CMDQ_CONS.RD position are fetched or re-fetched after command processing is restarted by acknowledging CMDQ_ERR. Note: A Command queue error is completely recoverable and, when the erroneous command is fixed or replaced with a valid command, consumption can be restarted. Older commands are unaffected by a later Command queue error. It is acceptable for software to change the contents of the erroneous command and newer commands while the error is active, as such commands are re-fetched when command processing is restarted. The SMMU()CMDQ_CONS.ERR field is updated with the error reason code after detecting a command error. The error reason code is made visible to software before the SMMU makes the global error visible. Note: It is not possible for software to observe that an error has occurred through GERROR without being able to observe the error code. Note: If software polls SMMU()CMDQ_CONS waiting for prior commands to complete, Arm recommends that GERROR.CMDQ_ERR is also be checked to avoid an infinite loop in the event of a command error. A Command queue error can be raised for the following reasons: SMMU(*_)CMDQ_CONS.ERR value Error name Cause 0x00 CERROR_NONE No error. This value is defined for completeness only, and is not provided by the SMMU in any error case. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 938

Chapter 7. Faults, errors and Event queue 7.1. Command queue errors SMMU_(*_)CMDQ_CONS.ERR value Error name Cause 0x01 CERROR_ILL Command illegal and cannot be correctly consumed because of an: • Unknown command opcode, including architecture-defined commands irrelevant to an implementation without certain feature or Security state. For example, stage 1 invalidation commands on an SMMU without stage 1, Secure invalidation commands from the Non-secure command queue. • Command valid but Reserved field or invalid value used. 0x02 CERROR_ABT Abort on command fetch: an external abort was returned for a read of the command queue, if an interconnect can detect and report such an event. 0x03 CERROR_ATC_INV_SYNC A CMD_SYNC failed to successfully complete one or more previous CMD_ATC_INV commands. This is the result of an ATS Invalidation Completion timeout. See section 3.9.1.4 ATS Invalidation timeout. 7.1.1 Direct-mode Enhanced Command Queue error summary The table below is a summary of various scenarios resulting in a hypervisor-serviced error and whether this is additionally reported as an event on the Event queue: Scenario Hypervisor-serviced error code Event record For more details, see: Configuration errors in STE HERROR_IPA C_BAD_STE C_BAD_STREAMID 3.5.7.7.3 Hypervisor-serviced errors Error or external abort during STE fetch HERROR_IPA F_STE_FETCH 3.5.7.7.3 Hypervisor-serviced errors External abort during translation table fetch HERROR_IPA F_WALK_EABT 3.5.7.7.3 Hypervisor-serviced errors TLB conflict during address translation HERROR_IPA F_TLB_CONFLICT 3.5.7.7.3 Hypervisor-serviced errors Configuration cache conflict during STE lookup HERROR_IPA F_CFG_CONFLICT 3.5.7.7.3 Hypervisor-serviced errors Faults during address translation HERROR_IPA F_TRANSLATION F_PERMISSION F_ADDR_SIZE F_ACCESS 3.5.7.7.3 Hypervisor-serviced errors Abort of MSI following CMD_SYNC HERROR_MSI_ABT No event 3.5.7.7.4 DCMDQ MSIs GPC fault during DCMDQ-related transaction Error code depends on access type No event 3.25.7 DCMDQ-related GPC faults Errors during SID translation HERROR_SID_CONFIG No event 3.5.9.4 vSID Errors and external aborts ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 939

Chapter 7. Faults, errors and Event queue 7.1. Command queue errors Scenario Hypervisor-serviced error code Event record For more details, see: External abort during CIT/VSTT lookup HERROR_SID_EABT No event 3.5.9.4 vSID Errors and external aborts ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 940

Chapter 7. Faults, errors and Event queue 7.2. Event queue recorded faults and events 7.2 Event queue recorded faults and events Three categories of events might be recorded into the Event queue: • Configuration errors. • Faults from the translation process. • Miscellaneous. Configuration errors result from improper register, STE or CD contents and are associated with the translation of an incoming transaction. An improper configuration in memory is not reported until the data structures are used in response to a transaction. A fault from translation is reported only when a transaction attempts a translation. Any incoming transaction might cause at most one event report which might be a configuration error or, if configuration is all valid, one of several kinds of translation fault (which might be applicable to stage 1 or stage 2). An SMMU implementation might prefetch configuration and TLB entries in an IMPLEMENTATION SPECIFIC manner. A prefetched erroneous configuration does not record a configuration error (even if prefetched in response to an explicit CMD_PREFETCH_ command). A translation fault or configuration error is recorded only on receipt of a transaction. Miscellaneous events are recorded asynchronously to incoming data transactions, for example E_PAGE_REQUEST. 7.2.1 Recording of events and conditions for writing to the Event queue Events are delivered into an Event queue if the queue is “writable”. The Event queue is writable when all of the following are true: • The queue is enabled, through SMMU_(_)CR0.EVENTQEN for the Security state of the queue. • The queue is not full (see section 7.4 Event queue overflow regarding overflow). • No unacknowledged GERROR.EVENTQ_ABT_ERR condition exists for the queue. When the queue is not writable, events not associated with stalled faults are silently discarded. In addition, a queue overflow condition is triggered when events are discarded because the queue is unwritable because it is full, see section 7.4 Event queue overflow. Events caused by stalled transactions are not discarded. A stalled faulting transaction that has not recorded an event because the queue is unwritable has one of the following behaviors: • If the stalled transaction is affected by a configuration or translation invalidation and CMD_SYNC, the transaction must be retried after the queue becomes writable again (non-full, enabled and without a queue abort condition). This either results in the transaction succeeding (because of a new configuration or translation) in which case no event is recorded for the transaction, or the generation of a new fault (reflecting new configuration or translation) which attempts to record an event into the queue, see section 4.7.3 CMD_SYNC(ComplSignal, MSIAddress, MSIData, MSIWriteAttributes). – A transaction that was not affected by an invalidation or CMD_SYNC is permitted but not required to be retried in the same way as a transaction that is affected. The transaction might be retried at the point that the queue becomes writable. • Alternatively, the transaction retries while the queue is unwritable: – If the retry translates successfully, the original event is permitted, but not required, to be recorded. – A fault that is encountered during a retry replaces any previous faults for the transaction. If the new fault causes the transaction to stall again, the new stall event is recorded in the Event queue when the queue becomes writable again. If the new fault causes the transaction to be terminated while the queue is still unwritable, the recording of the terminate event is lost. • If the transaction is not retried, the original fault event record is recorded into the queue when it becomes writable. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 941

Chapter 7. Faults, errors and Event queue 7.2. Event queue recorded faults and events Refer also to the event delivery effects of CMD_STALL_TERM ( 4.7.2 CMD_STALL_TERM(StreamID, SSec)), CMD_SYNC ( 4.7.3 CMD_SYNC(ComplSignal, MSIAddress, MSIData, MSIWriteAttributes)) and SMMUEN ( 6.3.9.6 SMMUEN). An external abort on write of the Event queue might cause written event data to be lost, including stall event records. See section 7.2.2 Event queue access external abort. An event is permitted, but not required, to be recorded for a stalled faulting transaction when: • The stalled transaction has early-retried and translated successfully before the SMMU has attempted to write out its event record, see section 3.12.2.2 Early retry of Stalled transactions. Note: As the transaction has completed, there is no benefit in recording the original stall to software because software intervention is not required to progress the transaction. Events arising from terminated faulting transactions commit to being recorded into the Event queue if it is writable. When EVENTQEN is transitioned to 0, committed events are written out and guaranteed to be visible by the time the update completes and all uncommitted events from terminated faulting transactions are discarded. If accesses to the Event queue aborted (see section 7.2.2 Event queue access external abort below), the condition is made visible in GERROR by the time the EVENTQEN update completes. See sections 6.3.9.4 EVENTQEN and 6.3.9.6 SMMUEN. Note: There is no dependency required between EVENTQEN and visibility of any GERROR MSI that might arise from completion of outstanding queue writes that abort. Some events are permitted to be recorded when SMMU_()CR0.SMMUEN == 0 where explicitly stated in the event descriptions in this section. The remainder of events are related to the translation process and are not generated when translation is disabled with SMMUEN == 0. Note: This means that SMMUEN == 0 does not imply EVENTQEN == 0. 7.2.2 Event queue access external abort An external abort detected while accessing the Event queue, for example when writing a record, activates the SMMU()GERROR.EVENTQ_ABT_ERR Global Error. It is IMPLEMENTATION DEFINED as to whether the interconnect to the memory system can report transaction aborts. If EVENTQ_ABT_ERR is triggered, one or more events might have been lost, including stall fault event records. An implementation is permitted to read any address within the bounds of the Event queue when the queue is enabled. In addition to writes of new records to the queue, such reads might also lead to an external abort. The SMMU only writes to the Event queue when the queue is both enabled and writable, see section 7.2.1 Recording of events and conditions for writing to the Event queue. It is IMPLEMENTATION DEFINED whether an external abort on write is synchronous or asynchronous: • If a queue write abort is synchronous, queue entry validity semantics are maintained so that all entries up to the SMMU()EVENTQ_PROD index are valid successfully-written event records. All outstanding queue writes are completed before the error is flagged in SMMU(_)GERROR.EVENTQ_ABT_ERR. Where multiple outstanding record writes are performed simultaneously, records written at and beyond the queue location of the aborting record location are not visible to software even if they are written successfully, and are lost. The PROD index is not incremented for entries that caused a synchronous abort. In the scenario where a write of an event to an empty Event queue causes a synchronous abort, the PROD index is not incremented, the queue remains empty and the queue non-empty IRQ therefore is not triggered. – Note: Software can consume and process all valid entries in the Event queue. • If a queue write abort is asynchronous, queue validity semantics are broken. The PROD index is permitted to be incremented for entries that caused an asynchronous abort. Software must assume all Event queue entries are invalid at the point of receiving the Global Error, and Arm strongly recommends that the queue is made empty either by re-initialization or by the consumption or discarding of all (invalid) entries. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 942

Chapter 7. Faults, errors and Event queue 7.2. Event queue recorded faults and events – Note: An IRQ might be observed for the activation of the SMMU_()GERROR.EVENTQ_ABT_ERR condition in any order relative to an IRQ relating to the Event queue going non-empty as a result of the SMMU incrementing the PROD index for a queue entry that experiences an asynchronous external abort. If the stalling fault model is implemented and enabled, software must terminate all stalling transactions that could be present in the SMMU by using CMD_STALL_TERM or a transition of SMMU(_)CR0.SMMUEN through 0. See section 8.2 Miscellaneous for similar PRI queue write abort behavior. 7.2.3 Secure and Non-secure Event queues If Secure state is implemented, the Secure Event queue receives events relating to transactions from Secure streams. The Non-secure Event queue receives events relating to transactions from Non-secure streams. The Event queues for different Security states are independent. Note: For example, this means that both: • Non-secure faults or errors do not cause Secure event records. • Secure faults or errors do not cause Non-secure event records. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 943

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3 Event records Event records are 32 bytes in size, and are defined later in this section. All Event records are little-endian. Event records are recorded into the Event queue appropriate to the Security status of the StreamID causing the event, unless otherwise specified. Common fields provided in events are: • StreamID: The StreamID of the requester that issued the incoming transaction that led to the event • RnW: The Read/Write nature of the incoming transaction that led to the event – 0: Write – 1: Read Note: The value of this field depends on what triggered the Event. For CMOs see 16.7.2 Non-data transfer transactions, for ATS TR see 3.9.1 ATS Interface and for transactions see 13.1.1 Attribute definitions. • PnU: Privileged/Unprivileged (post-STE override) – 0: Unprivileged – 1: Privileged • InD: Instruction/Data (post-STE override) – 0: Data – 1: Instruction • InputAddr: The 64-bit address input to the SMMU for the transaction that led to the event. The address includes any sign-extension that might occur before the SMMU input, as described in section 3.4.1 Input address size and Virtual Address size. TBI does not affect the InputAddr field, which includes bits [63:56] in the same form as they were supplied to the SMMU. – Note: This field might be interpreted as a VA, an IPA or a PA depending on the scenario and the event number. For example, if F_TRANSLATION is generated for a stage 1 fault, then InputAddr is a VA. • SSV: The SubstreamID validity flag – 0: No SubstreamID was provided with the transaction and the SubstreamID field is UNKNOWN. – 1: A SubstreamID was provided and the SubstreamID field is valid. • SubstreamID: The SubstreamID provided with the transaction that led to the event – Note: Only valid if SSV == 1. • S2: Stage of fault – 0: Stage 1 fault occurred – 1: Stage 2 fault occurred • CLASS: The class of the operation that caused the fault – 0b00: CD, CD fetch. – 0b01: TTD, Stage 1 translation table fetch. – 0b10: IN, Input address caused fault. – 0b11: Reserved. • NSIPA: Non-secure IPA – In events that record an IPA InputAddr relating to a Secure stream, an NSIPA bit is required to differentiate whether the fault occurred as part of accessing the Secure or Non-secure IPA space. – This bit is zero unless the event is recorded on the Secure event queue and S2 == 1, in which case this bit equals the NS bit that was output from stage 1 for the faulting access. – Note: This evaluation is made from STE.NSCFG if stage 1 translation was bypassed, or uses the target IPA space from the stage 1 translation. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 944

Chapter 7. Faults, errors and Event queue 7.3. Event records – Note: In the case of a stage 2 fault on a Secure stream, this bit indicates whether a translation attempt was made through STE.S2TTB or STE.S_S2TTB. • GPCF: Granule Protection Check Fault – 0: External abort did not arise from a GPC fault. – 1: The Event record arose from a GPC fault. See also 3.25.3 SMMU-originated accesses. Note: Arm recommends that software treats receipt of any event that is not architected here as a non-fatal occurrence. The F_STE_FETCH, F_CD_FETCH, F_VMS_FETCH and F_WALK_EABT events contain fields that report a fetch address, which is the address of a specific structure or descriptor that an aborting transaction was originally initiated to access. This STE, CD, VMS or TTD address is as was calculated by a Stream table, CD table or VMS access or translation table walk. Portions of event records that are not explicitly defined in this section are RES0. 7.3.1 Event record merging Events originating from a stream are permitted to be merged when the stream has not been configured to explicitly inhibit merging with STE.MEV == 0. A merged event record is a single record written to the Event queue representing more than one occurrence of an event. Two or more events are permitted but not required to be merged by an implementation when: • The events are identical, or differ only as explicitly stated in event record definitions, and • If the event type has a Stall field, Stall == 0. Events with a Stall parameter are never merged if Stall == 1. • The events are not separated by a significant amount of time. – Note: The merging feature is intended to rate-limit events occurring at an unusually high frequency. Arm strongly recommends that an implementation writes separate records for events that do not occur in quick succession. For the purposes of merging events, events are considered identical if all defined fields are the same except where explicitly indicated by an event definition. The STE.MEV flag controls whether events resulting from a particular stream are merged. When STE.MEV == 0, events (other than listed below) are not merged; this can be useful for debug visibility where one transaction can be matched to one fault event. As STE.MEV is contained in an STE, it can only control the merging of events that are generated after a valid STE is located. The following events might occur before an STE is located, so might always be merged: • F_UUT. • C_BAD_STREAMID. • F_STE_FETCH. • C_BAD_STE. Hardware implementations are required to respect STE.MEV == 0, so that (other than the four events listed in this section) no events are merged. Arm recommends that software expects that event records might be merged even if STE.MEV == 0. Note: In particular, software running in a virtual machine might set STE.MEV == 0 but a hypervisor might deem merging to remain valuable and cause it to remain enabled. Note: An event that is recorded when STE.MEV == 1 and where Stall == 0 can therefore be interpreted as representing one or more transactions that faulted for the same reason. Note: Converting an event to F_PROTECTED occurs after event merging. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 945

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.2 F_UUT RES0 255 224 RES0 223 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 RES0 127 100 RnW 99 InD 98 PnU 97 96 RES0 RES0 95 80 Reason (IMPLEMENTATION DEFINED) 79 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x01 7 0 Event number Reason 0x01 Unsupported Upstream Transaction. This event is caused for IMPLEMENTATION DEFINED reasons, depending on the bus system, a client device might express an unsupported or illegal transaction type. See section 16.7.1 Reporting of Unsupported Client Transactions. An IMPLEMENTATION DEFINED cause is provided in Reason. The InD/PnU attributes provided in this event are the incoming attributes, not the post-STE override versions. This event is permitted to be recorded when SMMUEN == 0. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 946

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.3 C_BAD_STREAMID RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x02 7 0 Event number Reason 0x02 Transaction StreamID out of range. Recorded when SMMU_()CR2.RECINVSID == 1 and any of the following conditions arises: 1. Incoming StreamID >= 2(SMMU()STRTAB_BASE_CFG.LOG2SIZE) 2. When SMMU()STRTAB_BASE_CFG.FMT == 2-level, given StreamID reaches a level 1 descriptor where: a) L1STD.Span == 0 b) L1STD.Span > SMMU(_)STRTAB_BASE_CFG.SPLIT + 1 c) The given StreamID[SPLIT - 1:0] >= 2L1STD.Span-1. For out-of-range Secure StreamIDs, this event is recorded on the Secure Event queue and for Non-secure StreamIDs, the Non-secure Event queue. Each Security state might have a different number of StreamIDs (controlled by SMMU_STRTAB_BASE_CFG and SMMU_S_STRTAB_BASE_CFG. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 947

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.4 F_STE_FETCH RES0 255 248 FetchAddr[55:3] 247 224 FetchAddr[55:3] 223 195 RES0 194 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 81 80 Reason (IMPLEMENTATION DEFINED) 79 64 GPCF StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x03 7 0 Event number Reason 0x03 Fetch of STE caused external abort (access aborted by system/interconnect/Completer, or consumed external error where RAS features available), or the address was out of range as described in 3.4.3 Address sizes of SMMU-originated accesses. FetchAddr is the Physical Address used for the fetch. In SMMUv3.0, bits [47:OAS] are UNKNOWN. In SMMUv3.1, bits [51:OAS] are UNKNOWN. An IMPLEMENTATION DEFINED cause is provided in Reason. Note: This event might be injected into a guest VM, as though from a virtual SMMU, when a hypervisor detects invalid guest configuration that would cause a guest STE fetch from an illegal IPA. Arm recommends that an implementation with RAS features differentiates a failure that arose because of the consumption of an error from a failure caused by the use of an illegal address. FetchAddr bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 948

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.5 C_BAD_STE RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x04 7 0 Event number Reason 0x04 Used STE invalid (V == 0, Reserved field, incorrect configuration). See section 5.2.2 Validity of STE for invalid STE configurations. 7.3.6 F_BAD_ATS_TREQ RES0 255 224 RES0 223 192 InputAddr[63:12] 191 160 InputAddr[63:12] 159 140 RES0 139 128 RES0 127 96 R 95 W 94 X 93 P 92 RES0 91 68 Span 67 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x05 7 0 ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 949

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0x05 Address Translation Request disallowed for a StreamID and a PCIe ATS Translation Request received. R/W/X/PRIV are the Read/Write/Execute/Privilege permissions requested in the ATS Translation Request, before STE.{INSTCFG/PRIVCFG} overrides are applied: • Write == !NW. • For PCIe ATS, R (Read) is always 1 in a request. Span equals the number of STUs requested. Reported in response to an ATS Translation Request in any of the following conditions: • SMMU_CR0.SMMUEN == 0 • STE.V == 1 and effective STE.EATS == 0b00 – Note: See STE.EATS for details. The effective value of EATS is treated as 0b00 in some situations including if STE.Config == 0b100, or STE is Secure. • If it is possible for an implementation to observe a Secure ATS Translation Request, this event is recorded. Note: This event is intended to provide visibility of situations where an ATS Translation Request is prohibited, but an ordinary transaction to the same address from the same StreamID or SubstreamID might complete successfully (where a failure of a TR might otherwise be difficult to debug by issuing an ordinary transaction). Translation Requests do not cause other events (such as C_BAD_STE) to be recorded. A UR response is made for an ATS Translation Request that causes this event. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.7 F_STREAM_DISABLED RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 RES0 31 8 0x06 7 0 ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 950

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0x06 The STE of a transaction marks non-substream transactions disabled (when STE.Config == 0b1x1 and STE.S1CDMax > 0 and STE.S1DSS == 0b00) and the transaction was presented without a SubstreamID. Or, a transaction was presented with SubstreamID 0 when STE.Config == 0b1x1 and STE.S1CDMax > 0 and STE.S1DSS == 0b10 (CD 0 is Reserved for non-substream traffic). Note: This also applies to ATS Translated transactions in implementations with SMMU_IDR3.PASIDTT == 1 when SMMU_CR2.REC_CFG_ATS == 1. If STE.V == 1 and STE.Config == 0b000, incoming traffic is terminated without recording an event. 7.3.8 F_TRANSL_FORBIDDEN RES0 255 224 RES0 223 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 RES0 127 100 RnW 99 RES0 98 96 RES0 95 64 StreamID 63 32 RES0 31 8 0x07 7 0 Event number Reason 0x07 An incoming PCIe transaction is marked Translated but SMMU bypass is disallowed for this StreamID. This event is permitted to be recorded when SMMUEN == 0. Reported in response to an ATS Translated transaction in any of the following conditions: • SMMU_CR0.ATSCHK == 1, STE is valid and either: – STE disallows ATS in STE.EATS. – STE selects stage 1 bypass & stage 2 bypass (STE.Config == 0b100). • StreamID is Secure, according to SEC_SID. • SMMUEN == 0. • SMMU_(R_)IDR3.DPT == 1 and either: ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 951

Chapter 7. Faults, errors and Event queue 7.3. Event records – The DPT lookup process succeeds, but does not grant access for the transaction being checked. This is referred to as a Device Access fault. – The DPT lookup process fails. This fault is also reported in SMMU_(R_)DPT_CFG_FAR. Note: This event is intended to provide visibility of situations where an ATS Translated transaction is prohibited, but an ordinary (Untranslated) transaction from the same StreamID or SubstreamID might complete successfully, that is where behavior differs from an ordinary transaction because of the Translated nature of the transaction. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.9 C_BAD_SUBSTREAMID RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 SubstreamID 31 12 RES0 11 8 0x08 7 0 Event number Reason 0x08 Incoming SubstreamID present and one of the following is true: • Stage 1 translation disabled (STE.Config == 0b1x0). • Substreams disabled (STE.S1CDMax == 0). This also applies to ATS Translated transactions if SMMU_IDR3.PASIDTT == 1 and SMMU_CR2.REC_CFG_ATS == 1. • SubstreamID >= 2STE.S1CDMax. • A two-level CD fetch encounters an L1CD structure with V == 0, or an L1CD structure that contains an L2Ptr that is out of range (see 3.4.3 Address sizes of SMMU-originated accesses). • SMMU_IDR1.SSIDSIZE == 0. • When SMMU_IDR3.PASIDTT == 1 and SMMU_CR2.REC_CFG_ATS == 1, an ATS Translated transaction is presented to the SMMU with SSV = 1, and either the SubstreamID associated with the transaction exceeds the value permitted by the corresponding STE.S1CDMax configuration or stage 1 translation is disabled. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 952

Chapter 7. Faults, errors and Event queue 7.3. Event records When caused by supply of a SubstreamID without stage 1 translation (STE.Config == 0b1x0), this behavior arises independent of whether stage 2 translation is enabled. When this event is generated because of an L1CD.L2Ptr that is out of range, the SubstreamID field indicates the index of the CD that was intended to be fetched when the erroneous L1CD.L2Ptr was used. In the case that an incoming transaction without a SubstreamID caused (through use of STE.S1DSS == 0b10) an erroneous L1CD.L2Ptr to be encountered during fetch of the CD at index 0, the SubstreamID is recorded as 0. Otherwise, the SubstreamID that was input with the transaction is recorded. Note: In this event, SubstreamID is always valid (there is no SSV qualifier). 7.3.10 F_CD_FETCH RES0 255 248 FetchAddr[55:3] 247 224 FetchAddr[55:3] 223 195 RES0 194 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 81 80 Reason (IMPLEMENTATION DEFINED) 79 64 GPCF StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x09 7 0 Event number Reason 0x09 Fetch of CD caused external abort (access aborted by system/interconnect/Completer, or consumed external error where RAS features available), or in SMMUv3.0 the address was out of range as described in section 3.4.3 Address sizes of SMMU-originated accesses. FetchAddr is the Physical Address used for the fetch. In SMMUv3.0, bits [47:OAS] are UNKNOWN. An IMPLEMENTATION DEFINED cause is provided in Reason. Note: This event might be injected into a guest VM, as though from a virtual SMMU, when a hypervisor receives a stage 2 Translation-related fault indicating CD fetch as a cause (with CLASS == CD). Note: F_CD_FETCH does not include an NS bit for FetchAddr. The effective value of NS for FetchAddr can be determined as follows: • For the Non-secure event queue, Non-secure PA space. • For the Secure event queue when stage 2 translation is disabled, Secure PA space. • For the Secure event queue when stage 2 translation is enabled, the target PA space is determined by the value of STE.S2SA for the stream. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 953

Chapter 7. Faults, errors and Event queue 7.3. Event records FetchAddr bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. 7.3.11 C_BAD_CD RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x0a 7 0 Event number Reason 0x0A Fetched CD invalid (V == 0, or V == 1 but ILLEGAL configuration). See section 5.4.2 Validity of CD for invalid CD configurations. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 954

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.12 F_WALK_EABT RES0 255 248 FetchAddr[55:3] 247 224 FetchAddr[55:3] 223 195 RES0 194 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 RES0 127 106 CLASS 105 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 NSIPA RES0 RES0 95 81 80 Reason (IMPLEMENTATION DEFINED) 79 64 GPCF StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x0b 7 0 ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 955

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0x0B An external abort occurred fetching (or updating) a translation table descriptor (access aborted by system/interconnect/Completer, or consumed external error where RAS features available). The InD/PnU attributes are the post-STE override values. RnW pertains to the input transaction (InputAddr), not the access causing the abort. InD == 0 when RnW == 0 (see section 13.1.2 Attribute support). A stage 1-only table walk that encounters EABT on physical access to a descriptor is reported as S2 == 0 (stage 1), CLASS == TT. The SMMU input transaction address (InputAddr) and descriptor fetch PA (FetchAddr) are provided. Note: This behavior of CLASS == TT when S2 == 0 differs from other F_TRANSLATION, F_ADDR_SIZE, F_ACCESS, F_PERMISSION events relating to a stage 1 fault. A stage 2 table walk can encounter EABT accessing the physical address of a stage 2 descriptor, because of a: • Translation of an IPA for CD fetch – S2 == 1 (stage 2), CLASS == CD – The SMMU input address (InputAddr) and S2 descriptor fetch PA (FetchAddr) are provided • Translation of an IPA for Stage 1 descriptor fetch – S2 == 1 (stage 2), CLASS == TT – The SMMU input address (InputAddr) and S2 descriptor fetch PA (FetchAddr) are provided • Translation of an IPA after successful stage 1 translation (or, in stage 2-only configuration, an input IPA) – S2 == 1 (stage 2), CLASS == IN (Input to stage) – The SMMU input address (InputAddr) and S2 descriptor fetch PA (FetchAddr) are provided. In a nested configuration, a stage 1 walk can encounter EABT accessing the physical address of a stage 1 descriptors having successfully translated the IPA of the descriptor to a PA through stage 2: • S2 == 0 (stage 1), CLASS == TT • This is equivalent to the stage 1-only case. • The SMMU input address (InputAddr) and S1 descriptor fetch PA (FetchAddr) are provided. An IMPLEMENTATION DEFINED cause is provided in Reason. Note: This event occurs because of an incorrect configuration or, for systems supporting RAS features, consumption of an external error. A stage 1-only translation failing to walk a translation table might result from use of an incorrect or out of range PA in the table. When virtualization is in use, stage 2 translations would normally be fetched correctly. In addition, Arm recommends that hypervisor software does not allow a stage 1 walk to fetch a descriptor from an IPA that successfully translates to PA that causes an abort on access. When a VMSAv8-32 LPAE translation table descriptor fetch leads to an F_WALK_EABT on a system that has OAS < 40, a 40-bit descriptor address was truncated to the OAS to make the fetch. In this case, bits FetchAddr[47:OAS] are UNKNOWN. Note: To create the illusion of a guest VM having a stage 1-only virtual SMMU, this event can be injected into the guest if a stage 2 Translation, Access flag, Permission or Address Size fault occurs because of an access made by a stage 1 translation table walk (CLASS == TT). InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. FetchAddr bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 956

Chapter 7. Faults, errors and Event queue 7.3. Event records If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.13 F_TRANSLATION RES0 255 248 IPA[55:12] 247 224 IPA[55:12] 223 204 RES0 203 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 IMPL_DEF 127 112 RES0 111 106 CLASS 105 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 NSIPA RES0 95 RES0 94 80 STAG 79 64 Stall StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x10 7 0 Event number Reason 0x10 Translation fault: The address provided to a stage of translation failed the range check defined by TxSZ/SLx, the address was within a disabled TTBx, or a valid translation table descriptor was not found for the address. The RnW, InD and PnU fields provide the access attributes of the input transaction. The InD/PnU attributes are the post-STE override values. InD == 0 when RnW == 0. If fault occurs at stage 1, S2 == 0 and: • CLASS == IN, IPA is UNKNOWN. If fault occurs at stage 2, S2 == 1 and: • If fetching a CD, CLASS == CD, IPA is CD address • If walking stage 1 translation table, CLASS == TT, IPA is the stage 1 translation table descriptor address • If translating an IPA for a transaction (whether by input to stage 2-only configuration, or after successful stage 1 translation), CLASS == IN, and IPA is provided. If Stall == 1, not merged. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. IPA bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. If SMMU_R_IDR3.MEC == 1 then F_TRANSLATION can be generated as a result of the AMEC bit in some situations. See Chapter 18 Support for Memory Encryption Contexts. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 957

Chapter 7. Faults, errors and Event queue 7.3. Event records If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.14 F_ADDR_SIZE RES0 255 248 IPA[55:12] 247 224 IPA[55:12] 223 204 RES0 203 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 IMPL_DEF 127 112 RES0 111 106 CLASS 105 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 NSIPA RES0 95 RES0 94 80 STAG 79 64 Stall StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x11 7 0 Event number Reason 0x11 Address Size fault: Output address of a translation stage caused Address Size fault. When the stage performs translation, this fault occurs when an intermediate or leaf translation table descriptor outputs an address outside of the effective xPS associated with the translation table (see CD.IPS and STE.S2PS). This does not include a TTB address out of range before the TTW begins as, in this condition, the CD or STE is invalid which results in C_BAD_CD or C_BAD_STE. When stage 1 bypasses translation, this fault occurs when the output address (identical to the input address) is outside the address range implemented, see section 3.4 Address sizes. Refer to F_TRANSLATION for the definition of the CLASS, IPA and S2 fields. The RnW, InD and PnU fields provide the access attributes of the input transaction. The InD/PnU attributes are the post-STE override values. InD == 0 when RnW == 0. If caused by stage 1 translation bypass (because of stage 1 being disabled, unimplemented, or bypassed when STE.S1DSS == 0b01), CLASS == IN and S2 == 0 (stage 2 bypass does not cause this fault). If Stall == 1, not merged. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. IPA bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 958

Chapter 7. Faults, errors and Event queue 7.3. Event records event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.15 F_ACCESS RES0 255 248 IPA[55:12] 247 224 IPA[55:12] 223 204 RES0 203 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 IMPL_DEF 127 112 RES0 111 106 CLASS 105 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 NSIPA RES0 95 RES0 94 80 STAG 79 64 Stall StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x12 7 0 Event number Reason 0x12 Access flag fault due to AF == 0 in a Page or Block descriptor. If HTTU is supported and enabled, a descriptor with AF == 0 is modified such that AF == 1 and this fault is not recorded. Refer to F_TRANSLATION for the definition of the CLASS, IPA and S2 fields. The RnW, InD and PnU fields provide the access attributes of the input transaction. The InD/PnU attributes are the post-STE override values. InD == 0 when RnW == 0. If Stall == 1, not merged. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. IPA bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 959

Chapter 7. Faults, errors and Event queue 7.3. Event records 7.3.16 F_PERMISSION RES0 255 248 IPA[55:12] 247 224 IPA[55:12] 223 204 RES0 203 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 IMPL_DEF 127 112 111 XT 110 109 108 107 106 CLASS 105 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 RES0 Overlay TTRnW NSIPA DirtyBit AssuredOnly RES0 95 RES0 94 80 STAG 79 64 Stall StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x13 7 0 Event number Reason 0x13 Permission fault occurred on page access. S2 indicates the stage at which fault occurred. The RnW, InD and PnU fields provide the access attributes of the input transaction. The InD/PnU attributes are the post-STE override values. InD == 0 when RnW == 0. Refer to F_TRANSLATION for the definition of the CLASS, IPA and S2 fields. The TTRnW field is valid when CLASS == TT, that is, a stage 1 translation table walk causes a Permission fault at stage 2. TTRnW is UNKNOWN when CLASS is not TT. TTRnW indicates the read/write property that actually caused the fault as follows: 0 Translation table descriptor Write caused S2 Permission fault. 1 Translation table descriptor Read caused S2 Permission fault. Note: For example, an input read might end up causing a translation table walk write permissions fault at stage 2, when HTTU updates a stage 1 Access flag. Note: When CLASS == TT, the IPA field indicates the stage 1 translation table entry address. Note: Software is expected to use the CLASS field in order to determine the access properties causing the Permission fault. When CLASS == IN, RnW/InD/PnU were inappropriate for the access at the faulting stage. When CLASS == TT, the access is implicitly Data (regardless of the input property) and the faulting R/W property is given by TTRnW. When CLASS == CD, the access is implicitly Data and a read. If Stall == 1, not merged. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. In SMMUv3.0, IPA bits [51:48] are RES0. In an SMMU with RME DA, a translation results in F_PERMISSION in the following scenarios: ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 960

Chapter 7. Faults, errors and Event queue 7.3. Event records • If the stage 2 translation for the fetch of a Realm L1CD or CD results in a Non-secure address, that results in F_PERMISSION at stage 2. • Consistent with FEAT_RME [2], if the stage 2 translation for a stage 1 translation table walk resolves to a Non-secure address, that results in F_PERMISSION at stage 2. • Consistent with FEAT_RME [2], any Realm instruction fetch that resolves to an Non-secure address results in F_PERMISSION at the stage that configured the Non-secure output address. If SMMU_IDR3.S2PO is 1, then the Overlay bit is set to 1 for stage 2 Permission faults generated as a result of the stage 2 Overlay permission preventing the access. Otherwise, Overlay is reported as 0. If SMMU_IDR3.S2PI is 1, then the AssuredOnly bit is set to 1 for stage 2 Permission faults generated only because of the AssuredOnly check. Otherwise, AssuredOnly is 0. If SMMU_R_IDR3.XT is 1, then the XT bit is set to 1 for Permission faults generated as a result of the XT checks, as specified in the table in 3.9.4.3 XT bit on Untranslated transactions, Translation requests and Translated transactions. Otherwise, XT is reported as 0. If either SMMU_IDR3.S2PI or SMMU_IDR3.S1PI is 1, then the DirtyBit is set to 1 for Permission faults generated from a stage of translation using the Indirect Permission Scheme that has hardware updates of dirty state disabled, and if hardware update of dirty state were enabled the access that caused the fault would have caused an update to the dirty state. Otherwise, DirtyBit is 0. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.17 F_TLB_CONFLICT RES0 255 248 IPA[55:12] 247 224 IPA[55:12] 223 204 RES0 203 192 InputAddr[63:0] 191 160 InputAddr[63:0] 159 128 RES0 127 104 S2 103 102 RES0 101 100 RnW 99 InD 98 PnU 97 96 NSIPA RES0 Reason (IMPLEMENTATION DEFINED) 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x20 7 0 ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 961

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0x20 A TLB conflict occurred because of the transaction. The nature of this is IMPLEMENTATION DEFINED, defined by the TLB geometry of the implementation. The input address might not be the address that causes the issue, for example an IPA to PA TLB entry might experience the problem, so both addresses are provided. The RnW, InD and PnU fields provide the access attributes of the input transaction. The InD/PnU attributes are the post-STE override values. InD == 0 when RnW == 0. An IMPLEMENTATION DEFINED conflict reason is provided in Reason. This information might be specific to the TLB geometry of the implementation. IPA is valid when S2 == 1, otherwise it is UNKNOWN. InputAddr[11:0] are IGNORED for the purposes of determining identical events for merging. IPA bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event, and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.18 F_CFG_CONFLICT RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 Reason (IMPLEMENTATION DEFINED) 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x21 7 0 ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 962

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0x21 A configuration cache conflict occurred due to the transaction. The nature of this is IMPLEMENTATION DEFINED, defined by the configuration cache geometry of the implementation. The STE.CONT property of an STE cache entry causes an overlap of another STE that is not identical , as described in STE.CONT, and this has caused a multiple-match on lookup. An IMPLEMENTATION DEFINED conflict reason is provided in Reason. This information might be specific to the configuration cache geometry of the implementation. It is not possible to cause this error by any CD misconfiguration. Note: A guest VM cannot arrange configuration that would affect any other streams. 7.3.19 E_PAGE_REQUEST RES0 255 224 RES0 223 192 InputAddr[63:12] 191 160 InputAddr[63:12] 159 140 RES0 139 128 RES0 127 116 Span 115 108 RES0 107 104 pR 103 pW 102 pX 101 100 uR 99 uW 98 uX 97 96 RES0 RES0 RES0 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x24 7 0 Event number Reason 0x24 Speculative page request hint from a client device to system software, hinting that the given address span will be accessed by a device in the near future. The access is expected to require the read/write/execute properties provided for user/kernel privilege levels. No response or action is required, but system software might use this hint to begin a (potentially long-running) page-in of the given address, to decrease the chance of a subsequent access from the device experiencing a page miss. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 963

Chapter 7. Faults, errors and Event queue 7.3. Event records Flag fields Access anticipated pR Privileged Read pW Privileged Write pX Privileged Execute uR Unprivileged Read uW Unprivileged Write uX Unprivileged Execute Span is encoded as a positive integer where the size of the intended access span in bytes is (Span*4096). If SMMU_ROOT_IDR0.GDI is 1, and a transaction has PM = 1, this event is converted to an F_PROTECTED event before being written to the event queue. The SMMU behavior remains unchanged with respect to the original event, except for the conversion to the F_PROTECTED event record and compliance with the Protected Mode restrictions. See 3.25.10.1.1 Protected Mode. 7.3.20 F_VMS_FETCH RES0 255 248 FetchAddr[55:3] 247 224 FetchAddr[55:3] 223 195 RES0 194 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 81 80 Reason (IMPLEMENTATION DEFINED) 79 64 GPCF StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x25 7 0 Event number Reason 0x25 Fetch of VMS caused external abort (access aborted by system/interconnect/Completer, or consumed external error where RAS features available). FetchAddr is the Physical Address used for the fetch. In SMMUv3.0, bits [47:OAS] are UNKNOWN. In SMMUv3.1 and later, bits [51:OAS] are UNKNOWN. An IMPLEMENTATION DEFINED cause is provided in Reason. The F_VMS_FETCH event has a lower priority than the C_BAD_STE event. The priority with respect to ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 964

Chapter 7. Faults, errors and Event queue 7.3. Event records subsequent possible events is IMPLEMENTATION DEFINED. See sections 7.3.23 Event queue record priorities and 9.1.5 *ATOS_PAR.FAULTCODE encodings. Note: If a F_VMS_FETCH event is reported, a C_BAD_STE has not been reported because a valid STE is required to fetch the VMS. The point at which the VMS is fetched relative to the remainder of the configuration structure walk and translation process is not specified. FetchAddr bits [55:OAS] are RES0 if OAS is smaller than 56, where OAS is the system physical address size reported by SMMU_IDR5.OAS. 7.3.21 F_PROTECTED RES0 255 224 RES0 223 192 RES0 191 160 RES0 159 128 RES0 127 96 RES0 95 64 StreamID 63 32 SubstreamID 31 12 SSV 11 RES0 10 8 0x26 7 0 Event number Reason 0x26 A transaction with PM = 1 generated one of the following events: • F_UTT. • F_BAD_ATS_TREQ. • F_TRANSL_FORBIDDEN. • F_WALK_EABT. • F_TRANSLATION. • F_ADDR_SIZE. • F_ACCESS. • F_PERMISSION. • F_TLB_CONFLICT. • E_PAGE_REQUEST. The SMMU behavior is unchanged with respect to the original event, other than converting it to the F_PROTECTED event record and conforming to the behaviors specificed in section 3.25.10.1.1 Protected Mode. 7.3.22 IMPDEF_EVENTn ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 965

Chapter 7. Faults, errors and Event queue 7.3. Event records Event number Reason 0xE0-0xEF IMPLEMENTATION DEFINED event allocation. Notes: Arm recommends that software treats receipt of these events as a non-fatal occurrence even if the exact nature of the event is not recognized. All other event numbers are Reserved. Events with a Stall parameter (F_TRANSLATION, F_ADDR_SIZE, F_ACCESS, F_PERMISSION) indicate whether a transaction is stalling as a result of the event. When a transaction causes any other event, the transaction is terminated and an abort returned to the client. If a transaction is stalled, the STAG parameter provides a token used to uniquely identify the transaction. Note: The StreamID and STAG must be provided to a subsequent CMD_RESUME. Every stall event must have either one associated CMD_RESUME or a CMD_STALL_TERM. A configuration error always terminates the instigating transaction with an abort to the device. Multiple addresses might be reported in one event record: • InputAddr is the address input with the transaction to the SMMU. • IPA is the post-stage 1 address of the transaction, valid only if the fault occurred at stage 2. • Fetch PA is the physical address accessed causing the fault to be raised. The input address is the 64-bit address presented to the SMMU, see section 3.4.1 Input address size and Virtual Address size. 7.3.23 Event queue record priorities Events arising from an ordinary incoming transaction are recorded in the following order, listed from the first that might occur when a transaction is processed to the last that might occur before the transaction is deemed successful, unless otherwise specified. This means that if any event occurs, events prior to that event in this list cannot have occurred: 1. C_BAD_STREAMID 2. F_STE_FETCH 3. C_BAD_STE 4. F_VMS_FETCH F_VMS_FETCH is only lower priority than C_BAD_STE. Its priority relative to other lower priority events in this list is IMPLEMENTATION DEFINED. 5. C_BAD_SUBSTREAMID 6. F_STREAM_DISABLED 7. Faults from translation (stage 2, for fetch of CD) 8. F_CD_FETCH 9. C_BAD_CD 10. Faults from translation (stage 1 or stage 2, for data access of a transaction) Faults from translation can occur because of a fetch of a CD or stage 1 translation requiring a stage 2 translation, or the final translation for the given transaction address. A single stage of translation table walk might experience faults in this order: 1. F_TRANSLATION (for input address outside range defined by TxSZ/SL0, or EPDx == 1) 2. For each level of translation table walked: a. F_WALK_EABT (on fetch of descriptor) b. F_TRANSLATION (from fetched descriptor) ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 966

Chapter 7. Faults, errors and Event queue 7.3. Event records c. F_ADDR_SIZE (for output of descriptor, indicating next descriptor or walk output address) 3. F_ACCESS (On the final-level descriptor) 4. F_PERMISSION (On the final-level descriptor) A nested Stage 1 + Stage 2 translation table walk might experience faults in this order: 1. F_TRANSLATION (For stage 1 input address outside range defined by stage 1 TxSZ/SL0, or EPDx == 1) 2. For each level of stage 1 translation table walked, the stage 2 translation for the descriptor of the stage 1s IPA might experience: a. F_TRANSLATION (For stage 2 input address outside range defined by stage 2 T0SZ/SL0) b. F_WALK_EABT (For stage 2 descriptor fetch) c. F_TRANSLATION (From fetched stage 2 descriptor) d. F_ADDR_SIZE (For output of stage 2 descriptor, indicating next descriptor or walk output address) e. F_ACCESS (On the final-level stage 2 descriptor) f. F_PERMISSION (On the final-level stage 2 descriptor) 3. For each level of stage 1 translation table walked, after the PA of the descriptor is determined the following might occur: a. F_WALK_EABT (For stage 1 descriptor fetch) b. F_TRANSLATION (From fetched stage 1 descriptor) c. F_ADDR_SIZE (For output of stage 1 descriptor) 4. For the final level stage 1 descriptor, the following might then occur: a. F_ACCESS b. F_PERMISSION 5. The IPA relating to the input VA has been determined and permissions have been checked, but the following might occur for each level of the stage 2 translation of that final IPA: a. F_TRANSLATION (For stage 2 input address outside range defined by stage 2 T0SZ/SL0) b. F_WALK_EABT (For stage 2 descriptor fetch) c. F_TRANSLATION (From fetched stage 2 descriptor) d. F_ADDR_SIZE (For output of stage 2 descriptor, indicating next descriptor or walk output address) e. F_ACCESS (On the final-level stage 2 descriptor) f. F_PERMISSION (On the final-level stage 2 descriptor) Note: F_TLB_CONFLICT, F_CFG_CONFLICT and F_UUT are raised with IMPLEMENTATION SPECIFIC prioritization. Note: Converting an event to F_PROTECTED occurs after priority has been resolved for the original event. For an SMMU with RME, then each of F_STE_FETCH, F_CD_FETCH, F_VMS_FETCH and F_WALK_EABT can also occur as the result of a granule protection check fault. This does not affect the error reporting priority described in this section. See also section 3.25.3 SMMU-originated accesses. The flow of events that an incoming ordinary transaction might raise can be characterized as: • An unsupported transaction fault from the client device might be raised on input. • Configuration is fetched, in the order of STE then (if relevant) CD: – If a CD is fetched, it uses stage 2 translations to do so, if stage 2 is enabled. – Stage 2 walk occurs, which might experience an external abort on fetch. – Stage 2 page fault on the CD address might occur when the walk completes. – External abort on CD fetch might occur. • When a CD is successfully fetched, start walking stage 1 TT. Stage 2 page faults (or external aborts) might arise from walking stage 1, in the same way as for the initial CD fetch ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 967

Chapter 7. Faults, errors and Event queue 7.3. Event records • When a S1 translation is determined, stage 1 might fault. • Stage 2 walk occurs for a successful output of stage 1 translation, and this might also fault. ATS Translation Requests do not lead to the same set of possible errors as, in general, ATS translation errors are reported to the requesting device using the ATS Translation Completion rather than to software through the Event queue. The only Event queue record that can be generated is F_BAD_ATS_TREQ, which can be raised at several points in the translation process. ATS Translated transactions also differ from ordinary transactions and one of the following behaviors can occur: • F_TRANSL_FORBIDDEN can be raised on input when ATS is disabled/invalid. See section 7.3.8 F_TRANSL_FORBIDDEN. • If SMMU_(R_)CR0.SMMUEN == 1, SMMU_(R_)CR0.ATSCHK == 1 and SMMU_(R_)CR2.REC_CFG_ATS == 1, then if the SMMU encounters an error when fetching a configuration structure, the appropriate event is recorded. See section 3.9.1.3 Handling of ATS Translated transactions. • An ATS Translated transaction that locates the correct configuration and then encounters stage 2 translation (through STE.EATS == 0b10 configuration) can raise stage 2 Translation-related faults. • Otherwise, any other error on receipt of an ATS Translated transaction (for example, an invalid STE) causes the transaction to be silently terminated. See Chapter 15 Translation procedure for more details on the translation procedure and possible events at each step. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 968

Chapter 7. Faults, errors and Event queue 7.4. Event queue overflow 7.4 Event queue overflow An SMMU output queue is full if the consumer can observe that there are no free entries for the producer to add new entries to, see section 3.5.2 Queue entry visibility semantics. The Event queue is full if it can be observed that SMMU_()EVENTQ_PROD.WR == SMMU(_)EVENTQ_CONS.RD and WRAP bits differ. Note: If the SMMU can observe that a write it made for a new queue entry is visible in memory, but PROD.WR has not yet been updated to pass the position of the new entry, the new entry is not yet visible to software in terms of the queue visibility semantics. Event queue overflow occurs when the Event queue is enabled (EVENTQEN == 1), the queue is full, and a pending event record is discarded because the queue is full. An Event queue overflow condition is entered to indicate that one or more event records have been lost: • Fault information. • Configuration errors. It is not possible for an external agent to observe an Event queue overflow condition if it could not first observe the Event queue being full. Note: An implementation must therefore prevent the overflow condition from being observable by software before an update to the PROD index is observable. A configuration error record or fault record from a terminated transaction is discarded when the SMMU attempts to insert it into a full Event queue. However, a fault record from a stalled transaction is not discarded and an event is reported for the stalled transaction when the queue is next writable. In addition, as stall fault records are not discarded, stall fault records do not cause an overflow condition. Only discarded events cause overflow. When EVENTQEN == 0, events are not delivered and non-stall event records might be discarded but do not cause an overflow condition. The Event queue overflow condition is present when: SMMU_EVENTQ_PROD.OVFLG != SMMU_EVENTQ_CONS.OVACKFLG When an overflow occurs, the SMMU toggles the SMMU_EVENTQ_PROD.OVFLG flag if the overflow condition is not already present. Note: Arm recommends that whenever software reads SMMU_EVENTQ_PROD, it checks OVFLG against its own copy. If different, the overflow condition arose. Arm recommends that software then updates its copy with the value of OVFLG, and processes the Event queue entries as quickly as possible, updating SMMU_EVENTQ_CONS in order to move on the RD pointer but also to acknowledge receipt of the overflow condition by setting OVACKFLG to the same value read from OVFLG. Note: In terms of delivering events, a queue in an unacknowledged overflow state does not behave any differently to normal queue state. If software were to consume events and free space but leave overflow unacknowledged, new events could be recorded. Because a second overflow condition cannot be indicated, a subsequent queue overflow would be invisible therefore Arm expects software to acknowledge overflow upon the first consumption of events after the condition arose. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 969

Chapter 7. Faults, errors and Event queue 7.5. Global error recording 7.5 Global error recording Global Errors pertaining to a programming interface are reported into the appropriate SMMU_()GERROR register instead of into the memory-based Event queue. SMMU()GERROR provides a one-bit flag for each of the following error conditions: Error flag Meaning CMDQ_ERR Command queue error EVENTQ_ABT_ERR Event queue access aborted Delivery into the Event queue stops when an abort is flagged, see section 7.2 Event queue recorded faults and events. PRIQ_ABT_ERR PRI queue access aborted Delivery into the PRI queue stops when an abort is flagged, see section 8.2 Miscellaneous. MSI_CMDQ_ABT_ERR CMD_SYNC MSI write aborted MSI_EVENTQ_ABT_ERR Event queue MSI write aborted MSI_PRIQ_ABT_ERR PRI queue MSI write aborted (Non-secure GERROR only) MSI_GERROR_ABT_ERR GERROR MSI write aborted SFM_ERR SMMU entered Service Failure Mode This error is common to both SMMU_GERROR and SMMU_S_GERROR, so that both Secure and Non-secure software are aware that the SMMU has entered SFM. CMDQP_ERR Command queue control page error This error signals that there was an error while fetching or processing a command related to an ECMDQ instance. The presence of the error is also indicated in SMMU()ECMDQ_CONSn.ERR and the reason for the error is available in SMMU()ECMDQ_CONSn.ERR_REASON. See section 3.5.6.3 Errors relating to an ECMDQ interface. DPT_ERR DPT Lookup fault This error indicates that one or more DPT lookup faults have occurred. The syndrome information is available in SMMU(R_)DPT_CFG_FAR. See section 3.24.4 DPT lookup errors. If this error is reported due to PM = 1, then SMMU_DPT_CFG_FAR.FADDR is set to 0. See section 3.25.10.1.1 Protected Mode. HDBSS_ERR HDBSS update error See section 3.13.9 Hardware Dirty state tracking Structure. MSI_HDBSS_ABT_ERR HDBSS table full MSI aborted See section 3.13.9 Hardware Dirty state tracking Structure. HACDBS_ERR HACDBS error See section 3.13.10 Hardware Accelerator for Cleaning Dirty State. MSI_HACDBS_ABT_ERR HACDBS processing complete MSI aborted See section 3.13.10 Hardware Accelerator for Cleaning Dirty State. DCMDQP_ERR Error on a DCMDQ control page. See section 3.5.7 Direct-mode Enhanced Command Queues. When an error condition is triggered, the error is activated by toggling the corresponding flag in GERROR. In some cases, SMMU behavior changes while the error is active: ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 970

Chapter 7. Faults, errors and Event queue 7.5. Global error recording • Commands are not consumed from the Command queue while CMDQ_ERR is active. The presence of a Global Error is acknowledged by the agent controlling the SMMU by toggling the equivalent field in the GERRORN register. An error is active when: SMMU_()GERROR[x] != SMMU()GERRORN[x] The SMMU does not toggle bit[x] if the error is already active. If one or more new errors occur while a previous error of the same type is active, the new error is not logged. Note: This handshake avoids a race condition that could otherwise lead to loss of error events. It follows that an error flag indicates that one or more of the indicated errors has occurred since the last acknowledgment. It is IMPLEMENTATION DEFINED whether the interconnect to the memory system of an implementation returns abort completions for writes, which lead to _ABT_ERR global errors. Note: A GPC fault can also result in reporting of _ABT_ERR global errors. See 3.25.5 SMMU behavior if a GPC fault is active for details on how other aspects of the GPC fault are reported. 7.5.1 GERROR interrupt notification A GERROR interrupt is triggered when the SMMU activates an error, with the exception of the following fields: • MSI_GERROR_ABT_ERR – Note: This error signifies that a prior attempt to raise a GERROR MSI had been aborted, and sending another to the same address might cause a second abort. The GERROR interrupt is triggered only when SMMU()IRQ_CTRL.GERROR_IRQEN == 1. When MSIs are used, GERROR MSI notification is configured using SMMU()GERROR_IRQ_CFG{0,1,2}. If multiple errors activate at the same time, GERROR interrupts are permitted to be coalesced. Where the architecture guarantees that a GERROR flag update is visible before the completion of an action that might have triggered an error, completion of such an action is not required to depend on the GERROR interrupt having been made visible. Note: For example, an IRQ enable update from 1 to 0 does not complete until the abort of a prior MSI is recorded as GERROR.MSI*_ABT_ERR, but the update is permitted to complete before the GERROR interrupt is triggered. ARM IHI 0070 H.a Copyright © 2016-2026 Arm Limited or its affiliates. All rights reserved. Non-confidential 971