1 /* 2 * PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU. 3 * 4 * Copyright (c) 2003-2007 Jocelyn Mayer 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #include "qemu/osdep.h" 21 #include "qemu/units.h" 22 #include "cpu.h" 23 #include "sysemu/kvm.h" 24 #include "kvm_ppc.h" 25 #include "mmu-hash64.h" 26 #include "mmu-hash32.h" 27 #include "exec/exec-all.h" 28 #include "exec/page-protection.h" 29 #include "exec/log.h" 30 #include "helper_regs.h" 31 #include "qemu/error-report.h" 32 #include "qemu/qemu-print.h" 33 #include "internal.h" 34 #include "mmu-book3s-v3.h" 35 #include "mmu-radix64.h" 36 37 /* #define DUMP_PAGE_TABLES */ 38 39 void ppc_store_sdr1(CPUPPCState *env, target_ulong value) 40 { 41 PowerPCCPU *cpu = env_archcpu(env); 42 qemu_log_mask(CPU_LOG_MMU, "%s: " TARGET_FMT_lx "\n", __func__, value); 43 assert(!cpu->env.has_hv_mode || !cpu->vhyp); 44 #if defined(TARGET_PPC64) 45 if (mmu_is_64bit(env->mmu_model)) { 46 target_ulong sdr_mask = SDR_64_HTABORG | SDR_64_HTABSIZE; 47 target_ulong htabsize = value & SDR_64_HTABSIZE; 48 49 if (value & ~sdr_mask) { 50 qemu_log_mask(LOG_GUEST_ERROR, "Invalid bits 0x"TARGET_FMT_lx 51 " set in SDR1", value & ~sdr_mask); 52 value &= sdr_mask; 53 } 54 if (htabsize > 28) { 55 qemu_log_mask(LOG_GUEST_ERROR, "Invalid HTABSIZE 0x" TARGET_FMT_lx 56 " stored in SDR1", htabsize); 57 return; 58 } 59 } 60 #endif /* defined(TARGET_PPC64) */ 61 /* FIXME: Should check for valid HTABMASK values in 32-bit case */ 62 env->spr[SPR_SDR1] = value; 63 } 64 65 /*****************************************************************************/ 66 /* PowerPC MMU emulation */ 67 68 static int pp_check(int key, int pp, int nx) 69 { 70 int access; 71 72 /* Compute access rights */ 73 access = 0; 74 if (key == 0) { 75 switch (pp) { 76 case 0x0: 77 case 0x1: 78 case 0x2: 79 access |= PAGE_WRITE; 80 /* fall through */ 81 case 0x3: 82 access |= PAGE_READ; 83 break; 84 } 85 } else { 86 switch (pp) { 87 case 0x0: 88 access = 0; 89 break; 90 case 0x1: 91 case 0x3: 92 access = PAGE_READ; 93 break; 94 case 0x2: 95 access = PAGE_READ | PAGE_WRITE; 96 break; 97 } 98 } 99 if (nx == 0) { 100 access |= PAGE_EXEC; 101 } 102 103 return access; 104 } 105 106 static int check_prot(int prot, MMUAccessType access_type) 107 { 108 return prot & prot_for_access_type(access_type) ? 0 : -2; 109 } 110 111 int ppc6xx_tlb_getnum(CPUPPCState *env, target_ulong eaddr, 112 int way, int is_code) 113 { 114 int nr; 115 116 /* Select TLB num in a way from address */ 117 nr = (eaddr >> TARGET_PAGE_BITS) & (env->tlb_per_way - 1); 118 /* Select TLB way */ 119 nr += env->tlb_per_way * way; 120 /* 6xx have separate TLBs for instructions and data */ 121 if (is_code && env->id_tlbs == 1) { 122 nr += env->nb_tlb; 123 } 124 125 return nr; 126 } 127 128 static int ppc6xx_tlb_pte_check(mmu_ctx_t *ctx, target_ulong pte0, 129 target_ulong pte1, int h, 130 MMUAccessType access_type) 131 { 132 target_ulong ptem, mmask; 133 int access, ret, pteh, ptev, pp; 134 135 ret = -1; 136 /* Check validity and table match */ 137 ptev = pte_is_valid(pte0); 138 pteh = (pte0 >> 6) & 1; 139 if (ptev && h == pteh) { 140 /* Check vsid & api */ 141 ptem = pte0 & PTE_PTEM_MASK; 142 mmask = PTE_CHECK_MASK; 143 pp = pte1 & 0x00000003; 144 if (ptem == ctx->ptem) { 145 if (ctx->raddr != (hwaddr)-1ULL) { 146 /* all matches should have equal RPN, WIMG & PP */ 147 if ((ctx->raddr & mmask) != (pte1 & mmask)) { 148 qemu_log_mask(CPU_LOG_MMU, "Bad RPN/WIMG/PP\n"); 149 return -3; 150 } 151 } 152 /* Compute access rights */ 153 access = pp_check(ctx->key, pp, ctx->nx); 154 /* Keep the matching PTE information */ 155 ctx->raddr = pte1; 156 ctx->prot = access; 157 ret = check_prot(ctx->prot, access_type); 158 if (ret == 0) { 159 /* Access granted */ 160 qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n"); 161 } else { 162 /* Access right violation */ 163 qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n"); 164 } 165 } 166 } 167 168 return ret; 169 } 170 171 static int pte_update_flags(mmu_ctx_t *ctx, target_ulong *pte1p, 172 int ret, MMUAccessType access_type) 173 { 174 int store = 0; 175 176 /* Update page flags */ 177 if (!(*pte1p & 0x00000100)) { 178 /* Update accessed flag */ 179 *pte1p |= 0x00000100; 180 store = 1; 181 } 182 if (!(*pte1p & 0x00000080)) { 183 if (access_type == MMU_DATA_STORE && ret == 0) { 184 /* Update changed flag */ 185 *pte1p |= 0x00000080; 186 store = 1; 187 } else { 188 /* Force page fault for first write access */ 189 ctx->prot &= ~PAGE_WRITE; 190 } 191 } 192 193 return store; 194 } 195 196 /* Software driven TLB helpers */ 197 198 static int ppc6xx_tlb_check(CPUPPCState *env, mmu_ctx_t *ctx, 199 target_ulong eaddr, MMUAccessType access_type) 200 { 201 ppc6xx_tlb_t *tlb; 202 int nr, best, way; 203 int ret; 204 205 best = -1; 206 ret = -1; /* No TLB found */ 207 for (way = 0; way < env->nb_ways; way++) { 208 nr = ppc6xx_tlb_getnum(env, eaddr, way, access_type == MMU_INST_FETCH); 209 tlb = &env->tlb.tlb6[nr]; 210 /* This test "emulates" the PTE index match for hardware TLBs */ 211 if ((eaddr & TARGET_PAGE_MASK) != tlb->EPN) { 212 qemu_log_mask(CPU_LOG_MMU, "TLB %d/%d %s [" TARGET_FMT_lx 213 " " TARGET_FMT_lx "] <> " TARGET_FMT_lx "\n", 214 nr, env->nb_tlb, 215 pte_is_valid(tlb->pte0) ? "valid" : "inval", 216 tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE, eaddr); 217 continue; 218 } 219 qemu_log_mask(CPU_LOG_MMU, "TLB %d/%d %s " TARGET_FMT_lx " <> " 220 TARGET_FMT_lx " " TARGET_FMT_lx " %c %c\n", 221 nr, env->nb_tlb, 222 pte_is_valid(tlb->pte0) ? "valid" : "inval", 223 tlb->EPN, eaddr, tlb->pte1, 224 access_type == MMU_DATA_STORE ? 'S' : 'L', 225 access_type == MMU_INST_FETCH ? 'I' : 'D'); 226 switch (ppc6xx_tlb_pte_check(ctx, tlb->pte0, tlb->pte1, 227 0, access_type)) { 228 case -2: 229 /* Access violation */ 230 ret = -2; 231 best = nr; 232 break; 233 case -1: /* No match */ 234 case -3: /* TLB inconsistency */ 235 default: 236 break; 237 case 0: 238 /* access granted */ 239 /* 240 * XXX: we should go on looping to check all TLBs 241 * consistency but we can speed-up the whole thing as 242 * the result would be undefined if TLBs are not 243 * consistent. 244 */ 245 ret = 0; 246 best = nr; 247 goto done; 248 } 249 } 250 if (best != -1) { 251 done: 252 qemu_log_mask(CPU_LOG_MMU, "found TLB at addr " HWADDR_FMT_plx 253 " prot=%01x ret=%d\n", 254 ctx->raddr & TARGET_PAGE_MASK, ctx->prot, ret); 255 /* Update page flags */ 256 pte_update_flags(ctx, &env->tlb.tlb6[best].pte1, ret, access_type); 257 } 258 #if defined(DUMP_PAGE_TABLES) 259 if (qemu_loglevel_mask(CPU_LOG_MMU)) { 260 CPUState *cs = env_cpu(env); 261 hwaddr base = ppc_hash32_hpt_base(env_archcpu(env)); 262 hwaddr len = ppc_hash32_hpt_mask(env_archcpu(env)) + 0x80; 263 uint32_t a0, a1, a2, a3; 264 265 qemu_log("Page table: " HWADDR_FMT_plx " len " HWADDR_FMT_plx "\n", 266 base, len); 267 for (hwaddr curaddr = base; curaddr < base + len; curaddr += 16) { 268 a0 = ldl_phys(cs->as, curaddr); 269 a1 = ldl_phys(cs->as, curaddr + 4); 270 a2 = ldl_phys(cs->as, curaddr + 8); 271 a3 = ldl_phys(cs->as, curaddr + 12); 272 if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) { 273 qemu_log(HWADDR_FMT_plx ": %08x %08x %08x %08x\n", 274 curaddr, a0, a1, a2, a3); 275 } 276 } 277 } 278 #endif 279 return ret; 280 } 281 282 /* Perform BAT hit & translation */ 283 static inline void bat_size_prot(CPUPPCState *env, target_ulong *blp, 284 int *validp, int *protp, target_ulong *BATu, 285 target_ulong *BATl) 286 { 287 target_ulong bl; 288 int pp, valid, prot; 289 290 bl = (*BATu & 0x00001FFC) << 15; 291 valid = 0; 292 prot = 0; 293 if ((!FIELD_EX64(env->msr, MSR, PR) && (*BATu & 0x00000002)) || 294 (FIELD_EX64(env->msr, MSR, PR) && (*BATu & 0x00000001))) { 295 valid = 1; 296 pp = *BATl & 0x00000003; 297 if (pp != 0) { 298 prot = PAGE_READ | PAGE_EXEC; 299 if (pp == 0x2) { 300 prot |= PAGE_WRITE; 301 } 302 } 303 } 304 *blp = bl; 305 *validp = valid; 306 *protp = prot; 307 } 308 309 static int get_bat_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx, 310 target_ulong virtual, MMUAccessType access_type) 311 { 312 target_ulong *BATlt, *BATut, *BATu, *BATl; 313 target_ulong BEPIl, BEPIu, bl; 314 int i, valid, prot; 315 int ret = -1; 316 bool ifetch = access_type == MMU_INST_FETCH; 317 318 qemu_log_mask(CPU_LOG_MMU, "%s: %cBAT v " TARGET_FMT_lx "\n", __func__, 319 ifetch ? 'I' : 'D', virtual); 320 if (ifetch) { 321 BATlt = env->IBAT[1]; 322 BATut = env->IBAT[0]; 323 } else { 324 BATlt = env->DBAT[1]; 325 BATut = env->DBAT[0]; 326 } 327 for (i = 0; i < env->nb_BATs; i++) { 328 BATu = &BATut[i]; 329 BATl = &BATlt[i]; 330 BEPIu = *BATu & 0xF0000000; 331 BEPIl = *BATu & 0x0FFE0000; 332 bat_size_prot(env, &bl, &valid, &prot, BATu, BATl); 333 qemu_log_mask(CPU_LOG_MMU, "%s: %cBAT%d v " TARGET_FMT_lx " BATu " 334 TARGET_FMT_lx " BATl " TARGET_FMT_lx "\n", __func__, 335 ifetch ? 'I' : 'D', i, virtual, *BATu, *BATl); 336 if ((virtual & 0xF0000000) == BEPIu && 337 ((virtual & 0x0FFE0000) & ~bl) == BEPIl) { 338 /* BAT matches */ 339 if (valid != 0) { 340 /* Get physical address */ 341 ctx->raddr = (*BATl & 0xF0000000) | 342 ((virtual & 0x0FFE0000 & bl) | (*BATl & 0x0FFE0000)) | 343 (virtual & 0x0001F000); 344 /* Compute access rights */ 345 ctx->prot = prot; 346 ret = check_prot(ctx->prot, access_type); 347 if (ret == 0) { 348 qemu_log_mask(CPU_LOG_MMU, "BAT %d match: r " HWADDR_FMT_plx 349 " prot=%c%c\n", i, ctx->raddr, 350 ctx->prot & PAGE_READ ? 'R' : '-', 351 ctx->prot & PAGE_WRITE ? 'W' : '-'); 352 } 353 break; 354 } 355 } 356 } 357 if (ret < 0) { 358 if (qemu_log_enabled()) { 359 qemu_log_mask(CPU_LOG_MMU, "no BAT match for " 360 TARGET_FMT_lx ":\n", virtual); 361 for (i = 0; i < 4; i++) { 362 BATu = &BATut[i]; 363 BATl = &BATlt[i]; 364 BEPIu = *BATu & 0xF0000000; 365 BEPIl = *BATu & 0x0FFE0000; 366 bl = (*BATu & 0x00001FFC) << 15; 367 qemu_log_mask(CPU_LOG_MMU, "%s: %cBAT%d v " TARGET_FMT_lx 368 " BATu " TARGET_FMT_lx " BATl " TARGET_FMT_lx 369 "\n\t" TARGET_FMT_lx " " TARGET_FMT_lx " " 370 TARGET_FMT_lx "\n", __func__, ifetch ? 'I' : 'D', 371 i, virtual, *BATu, *BATl, BEPIu, BEPIl, bl); 372 } 373 } 374 } 375 /* No hit */ 376 return ret; 377 } 378 379 static int mmu6xx_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx, 380 target_ulong eaddr, 381 MMUAccessType access_type, int type) 382 { 383 PowerPCCPU *cpu = env_archcpu(env); 384 hwaddr hash; 385 target_ulong vsid, sr, pgidx; 386 int ds, target_page_bits; 387 bool pr; 388 389 /* First try to find a BAT entry if there are any */ 390 if (env->nb_BATs && get_bat_6xx_tlb(env, ctx, eaddr, access_type) == 0) { 391 return 0; 392 } 393 394 /* Perform segment based translation when no BATs matched */ 395 pr = FIELD_EX64(env->msr, MSR, PR); 396 ctx->eaddr = eaddr; 397 398 sr = env->sr[eaddr >> 28]; 399 ctx->key = (((sr & 0x20000000) && pr) || 400 ((sr & 0x40000000) && !pr)) ? 1 : 0; 401 ds = sr & 0x80000000 ? 1 : 0; 402 ctx->nx = sr & 0x10000000 ? 1 : 0; 403 vsid = sr & 0x00FFFFFF; 404 target_page_bits = TARGET_PAGE_BITS; 405 qemu_log_mask(CPU_LOG_MMU, 406 "Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx 407 " nip=" TARGET_FMT_lx " lr=" TARGET_FMT_lx 408 " ir=%d dr=%d pr=%d %d t=%d\n", 409 eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, 410 (int)FIELD_EX64(env->msr, MSR, IR), 411 (int)FIELD_EX64(env->msr, MSR, DR), pr ? 1 : 0, 412 access_type == MMU_DATA_STORE, type); 413 pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits; 414 hash = vsid ^ pgidx; 415 ctx->ptem = (vsid << 7) | (pgidx >> 10); 416 417 qemu_log_mask(CPU_LOG_MMU, "pte segment: key=%d ds %d nx %d vsid " 418 TARGET_FMT_lx "\n", ctx->key, ds, ctx->nx, vsid); 419 if (!ds) { 420 /* Check if instruction fetch is allowed, if needed */ 421 if (type == ACCESS_CODE && ctx->nx) { 422 qemu_log_mask(CPU_LOG_MMU, "No access allowed\n"); 423 return -3; 424 } 425 /* Page address translation */ 426 qemu_log_mask(CPU_LOG_MMU, "htab_base " HWADDR_FMT_plx " htab_mask " 427 HWADDR_FMT_plx " hash " HWADDR_FMT_plx "\n", 428 ppc_hash32_hpt_base(cpu), ppc_hash32_hpt_mask(cpu), hash); 429 ctx->hash[0] = hash; 430 ctx->hash[1] = ~hash; 431 432 /* Initialize real address with an invalid value */ 433 ctx->raddr = (hwaddr)-1ULL; 434 /* Software TLB search */ 435 return ppc6xx_tlb_check(env, ctx, eaddr, access_type); 436 } 437 438 /* Direct-store segment : absolutely *BUGGY* for now */ 439 qemu_log_mask(CPU_LOG_MMU, "direct store...\n"); 440 switch (type) { 441 case ACCESS_INT: 442 /* Integer load/store : only access allowed */ 443 break; 444 case ACCESS_CODE: 445 /* No code fetch is allowed in direct-store areas */ 446 return -4; 447 case ACCESS_FLOAT: 448 /* Floating point load/store */ 449 return -4; 450 case ACCESS_RES: 451 /* lwarx, ldarx or srwcx. */ 452 return -4; 453 case ACCESS_CACHE: 454 /* 455 * dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi 456 * 457 * Should make the instruction do no-op. As it already do 458 * no-op, it's quite easy :-) 459 */ 460 ctx->raddr = eaddr; 461 return 0; 462 case ACCESS_EXT: 463 /* eciwx or ecowx */ 464 return -4; 465 default: 466 qemu_log_mask(CPU_LOG_MMU, "ERROR: instruction should not need address" 467 " translation\n"); 468 return -4; 469 } 470 if ((access_type == MMU_DATA_STORE || ctx->key != 1) && 471 (access_type == MMU_DATA_LOAD || ctx->key != 0)) { 472 ctx->raddr = eaddr; 473 return 2; 474 } 475 return -2; 476 } 477 478 /* Generic TLB check function for embedded PowerPC implementations */ 479 static bool ppcemb_tlb_check(CPUPPCState *env, ppcemb_tlb_t *tlb, 480 hwaddr *raddrp, 481 target_ulong address, uint32_t pid, int i) 482 { 483 target_ulong mask; 484 485 /* Check valid flag */ 486 if (!(tlb->prot & PAGE_VALID)) { 487 return false; 488 } 489 mask = ~(tlb->size - 1); 490 qemu_log_mask(CPU_LOG_MMU, "%s: TLB %d address " TARGET_FMT_lx 491 " PID %u <=> " TARGET_FMT_lx " " TARGET_FMT_lx " %u %x\n", 492 __func__, i, address, pid, tlb->EPN, 493 mask, (uint32_t)tlb->PID, tlb->prot); 494 /* Check PID */ 495 if (tlb->PID != 0 && tlb->PID != pid) { 496 return false; 497 } 498 /* Check effective address */ 499 if ((address & mask) != tlb->EPN) { 500 return false; 501 } 502 *raddrp = (tlb->RPN & mask) | (address & ~mask); 503 return true; 504 } 505 506 /* Generic TLB search function for PowerPC embedded implementations */ 507 int ppcemb_tlb_search(CPUPPCState *env, target_ulong address, uint32_t pid) 508 { 509 ppcemb_tlb_t *tlb; 510 hwaddr raddr; 511 int i; 512 513 for (i = 0; i < env->nb_tlb; i++) { 514 tlb = &env->tlb.tlbe[i]; 515 if (ppcemb_tlb_check(env, tlb, &raddr, address, pid, i)) { 516 return i; 517 } 518 } 519 return -1; 520 } 521 522 static int mmu40x_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx, 523 target_ulong address, 524 MMUAccessType access_type) 525 { 526 ppcemb_tlb_t *tlb; 527 hwaddr raddr; 528 int i, ret, zsel, zpr, pr; 529 530 ret = -1; 531 raddr = (hwaddr)-1ULL; 532 pr = FIELD_EX64(env->msr, MSR, PR); 533 for (i = 0; i < env->nb_tlb; i++) { 534 tlb = &env->tlb.tlbe[i]; 535 if (!ppcemb_tlb_check(env, tlb, &raddr, address, 536 env->spr[SPR_40x_PID], i)) { 537 continue; 538 } 539 zsel = (tlb->attr >> 4) & 0xF; 540 zpr = (env->spr[SPR_40x_ZPR] >> (30 - (2 * zsel))) & 0x3; 541 qemu_log_mask(CPU_LOG_MMU, 542 "%s: TLB %d zsel %d zpr %d ty %d attr %08x\n", 543 __func__, i, zsel, zpr, access_type, tlb->attr); 544 /* Check execute enable bit */ 545 switch (zpr) { 546 case 0x2: 547 if (pr != 0) { 548 goto check_perms; 549 } 550 /* fall through */ 551 case 0x3: 552 /* All accesses granted */ 553 ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; 554 ret = 0; 555 break; 556 case 0x0: 557 if (pr != 0) { 558 /* Raise Zone protection fault. */ 559 env->spr[SPR_40x_ESR] = 1 << 22; 560 ctx->prot = 0; 561 ret = -2; 562 break; 563 } 564 /* fall through */ 565 case 0x1: 566 check_perms: 567 /* Check from TLB entry */ 568 ctx->prot = tlb->prot; 569 ret = check_prot(ctx->prot, access_type); 570 if (ret == -2) { 571 env->spr[SPR_40x_ESR] = 0; 572 } 573 break; 574 } 575 if (ret >= 0) { 576 ctx->raddr = raddr; 577 qemu_log_mask(CPU_LOG_MMU, "%s: access granted " TARGET_FMT_lx 578 " => " HWADDR_FMT_plx 579 " %d %d\n", __func__, address, ctx->raddr, ctx->prot, 580 ret); 581 return 0; 582 } 583 } 584 qemu_log_mask(CPU_LOG_MMU, "%s: access refused " TARGET_FMT_lx 585 " => " HWADDR_FMT_plx " %d %d\n", 586 __func__, address, raddr, ctx->prot, ret); 587 588 return ret; 589 } 590 591 static bool mmubooke_check_pid(CPUPPCState *env, ppcemb_tlb_t *tlb, 592 hwaddr *raddr, target_ulong addr, int i) 593 { 594 if (ppcemb_tlb_check(env, tlb, raddr, addr, env->spr[SPR_BOOKE_PID], i)) { 595 if (!env->nb_pids) { 596 /* Extend the physical address to 36 bits */ 597 *raddr |= (uint64_t)(tlb->RPN & 0xF) << 32; 598 } 599 return true; 600 } else if (!env->nb_pids) { 601 return false; 602 } 603 if (env->spr[SPR_BOOKE_PID1] && 604 ppcemb_tlb_check(env, tlb, raddr, addr, env->spr[SPR_BOOKE_PID1], i)) { 605 return true; 606 } 607 if (env->spr[SPR_BOOKE_PID2] && 608 ppcemb_tlb_check(env, tlb, raddr, addr, env->spr[SPR_BOOKE_PID2], i)) { 609 return true; 610 } 611 return false; 612 } 613 614 static int mmubooke_check_tlb(CPUPPCState *env, ppcemb_tlb_t *tlb, 615 hwaddr *raddr, int *prot, target_ulong address, 616 MMUAccessType access_type, int i) 617 { 618 if (!mmubooke_check_pid(env, tlb, raddr, address, i)) { 619 qemu_log_mask(CPU_LOG_MMU, "%s: TLB entry not found\n", __func__); 620 return -1; 621 } 622 623 /* Check the address space */ 624 if ((access_type == MMU_INST_FETCH ? 625 FIELD_EX64(env->msr, MSR, IR) : 626 FIELD_EX64(env->msr, MSR, DR)) != (tlb->attr & 1)) { 627 qemu_log_mask(CPU_LOG_MMU, "%s: AS doesn't match\n", __func__); 628 return -1; 629 } 630 631 if (FIELD_EX64(env->msr, MSR, PR)) { 632 *prot = tlb->prot & 0xF; 633 } else { 634 *prot = (tlb->prot >> 4) & 0xF; 635 } 636 if (*prot & prot_for_access_type(access_type)) { 637 qemu_log_mask(CPU_LOG_MMU, "%s: good TLB!\n", __func__); 638 return 0; 639 } 640 641 qemu_log_mask(CPU_LOG_MMU, "%s: no prot match: %x\n", __func__, *prot); 642 return access_type == MMU_INST_FETCH ? -3 : -2; 643 } 644 645 static int mmubooke_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx, 646 target_ulong address, 647 MMUAccessType access_type) 648 { 649 ppcemb_tlb_t *tlb; 650 hwaddr raddr; 651 int i, ret; 652 653 ret = -1; 654 raddr = (hwaddr)-1ULL; 655 for (i = 0; i < env->nb_tlb; i++) { 656 tlb = &env->tlb.tlbe[i]; 657 ret = mmubooke_check_tlb(env, tlb, &raddr, &ctx->prot, address, 658 access_type, i); 659 if (ret != -1) { 660 break; 661 } 662 } 663 664 if (ret >= 0) { 665 ctx->raddr = raddr; 666 qemu_log_mask(CPU_LOG_MMU, "%s: access granted " TARGET_FMT_lx 667 " => " HWADDR_FMT_plx " %d %d\n", __func__, 668 address, ctx->raddr, ctx->prot, ret); 669 } else { 670 qemu_log_mask(CPU_LOG_MMU, "%s: access refused " TARGET_FMT_lx 671 " => " HWADDR_FMT_plx " %d %d\n", __func__, 672 address, raddr, ctx->prot, ret); 673 } 674 675 return ret; 676 } 677 678 hwaddr booke206_tlb_to_page_size(CPUPPCState *env, ppcmas_tlb_t *tlb) 679 { 680 int tlbm_size; 681 682 tlbm_size = (tlb->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT; 683 684 return 1024ULL << tlbm_size; 685 } 686 687 /* TLB check function for MAS based SoftTLBs */ 688 int ppcmas_tlb_check(CPUPPCState *env, ppcmas_tlb_t *tlb, hwaddr *raddrp, 689 target_ulong address, uint32_t pid) 690 { 691 hwaddr mask; 692 uint32_t tlb_pid; 693 694 if (!FIELD_EX64(env->msr, MSR, CM)) { 695 /* In 32bit mode we can only address 32bit EAs */ 696 address = (uint32_t)address; 697 } 698 699 /* Check valid flag */ 700 if (!(tlb->mas1 & MAS1_VALID)) { 701 return -1; 702 } 703 704 mask = ~(booke206_tlb_to_page_size(env, tlb) - 1); 705 qemu_log_mask(CPU_LOG_MMU, "%s: TLB ADDR=0x" TARGET_FMT_lx 706 " PID=0x%x MAS1=0x%x MAS2=0x%" PRIx64 " mask=0x%" 707 HWADDR_PRIx " MAS7_3=0x%" PRIx64 " MAS8=0x%" PRIx32 "\n", 708 __func__, address, pid, tlb->mas1, tlb->mas2, mask, 709 tlb->mas7_3, tlb->mas8); 710 711 /* Check PID */ 712 tlb_pid = (tlb->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT; 713 if (tlb_pid != 0 && tlb_pid != pid) { 714 return -1; 715 } 716 717 /* Check effective address */ 718 if ((address & mask) != (tlb->mas2 & MAS2_EPN_MASK)) { 719 return -1; 720 } 721 722 if (raddrp) { 723 *raddrp = (tlb->mas7_3 & mask) | (address & ~mask); 724 } 725 726 return 0; 727 } 728 729 static bool is_epid_mmu(int mmu_idx) 730 { 731 return mmu_idx == PPC_TLB_EPID_STORE || mmu_idx == PPC_TLB_EPID_LOAD; 732 } 733 734 static uint32_t mmubooke206_esr(int mmu_idx, MMUAccessType access_type) 735 { 736 uint32_t esr = 0; 737 if (access_type == MMU_DATA_STORE) { 738 esr |= ESR_ST; 739 } 740 if (is_epid_mmu(mmu_idx)) { 741 esr |= ESR_EPID; 742 } 743 return esr; 744 } 745 746 /* 747 * Get EPID register given the mmu_idx. If this is regular load, 748 * construct the EPID access bits from current processor state 749 * 750 * Get the effective AS and PR bits and the PID. The PID is returned 751 * only if EPID load is requested, otherwise the caller must detect 752 * the correct EPID. Return true if valid EPID is returned. 753 */ 754 static bool mmubooke206_get_as(CPUPPCState *env, 755 int mmu_idx, uint32_t *epid_out, 756 bool *as_out, bool *pr_out) 757 { 758 if (is_epid_mmu(mmu_idx)) { 759 uint32_t epidr; 760 if (mmu_idx == PPC_TLB_EPID_STORE) { 761 epidr = env->spr[SPR_BOOKE_EPSC]; 762 } else { 763 epidr = env->spr[SPR_BOOKE_EPLC]; 764 } 765 *epid_out = (epidr & EPID_EPID) >> EPID_EPID_SHIFT; 766 *as_out = !!(epidr & EPID_EAS); 767 *pr_out = !!(epidr & EPID_EPR); 768 return true; 769 } else { 770 *as_out = FIELD_EX64(env->msr, MSR, DS); 771 *pr_out = FIELD_EX64(env->msr, MSR, PR); 772 return false; 773 } 774 } 775 776 /* Check if the tlb found by hashing really matches */ 777 static int mmubooke206_check_tlb(CPUPPCState *env, ppcmas_tlb_t *tlb, 778 hwaddr *raddr, int *prot, 779 target_ulong address, 780 MMUAccessType access_type, int mmu_idx) 781 { 782 uint32_t epid; 783 bool as, pr; 784 bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr); 785 786 if (!use_epid) { 787 if (ppcmas_tlb_check(env, tlb, raddr, address, 788 env->spr[SPR_BOOKE_PID]) >= 0) { 789 goto found_tlb; 790 } 791 792 if (env->spr[SPR_BOOKE_PID1] && 793 ppcmas_tlb_check(env, tlb, raddr, address, 794 env->spr[SPR_BOOKE_PID1]) >= 0) { 795 goto found_tlb; 796 } 797 798 if (env->spr[SPR_BOOKE_PID2] && 799 ppcmas_tlb_check(env, tlb, raddr, address, 800 env->spr[SPR_BOOKE_PID2]) >= 0) { 801 goto found_tlb; 802 } 803 } else { 804 if (ppcmas_tlb_check(env, tlb, raddr, address, epid) >= 0) { 805 goto found_tlb; 806 } 807 } 808 809 qemu_log_mask(CPU_LOG_MMU, "%s: No TLB entry found for effective address " 810 "0x" TARGET_FMT_lx "\n", __func__, address); 811 return -1; 812 813 found_tlb: 814 815 /* Check the address space and permissions */ 816 if (access_type == MMU_INST_FETCH) { 817 /* There is no way to fetch code using epid load */ 818 assert(!use_epid); 819 as = FIELD_EX64(env->msr, MSR, IR); 820 } 821 822 if (as != ((tlb->mas1 & MAS1_TS) >> MAS1_TS_SHIFT)) { 823 qemu_log_mask(CPU_LOG_MMU, "%s: AS doesn't match\n", __func__); 824 return -1; 825 } 826 827 *prot = 0; 828 if (pr) { 829 if (tlb->mas7_3 & MAS3_UR) { 830 *prot |= PAGE_READ; 831 } 832 if (tlb->mas7_3 & MAS3_UW) { 833 *prot |= PAGE_WRITE; 834 } 835 if (tlb->mas7_3 & MAS3_UX) { 836 *prot |= PAGE_EXEC; 837 } 838 } else { 839 if (tlb->mas7_3 & MAS3_SR) { 840 *prot |= PAGE_READ; 841 } 842 if (tlb->mas7_3 & MAS3_SW) { 843 *prot |= PAGE_WRITE; 844 } 845 if (tlb->mas7_3 & MAS3_SX) { 846 *prot |= PAGE_EXEC; 847 } 848 } 849 if (*prot & prot_for_access_type(access_type)) { 850 qemu_log_mask(CPU_LOG_MMU, "%s: good TLB!\n", __func__); 851 return 0; 852 } 853 854 qemu_log_mask(CPU_LOG_MMU, "%s: no prot match: %x\n", __func__, *prot); 855 return access_type == MMU_INST_FETCH ? -3 : -2; 856 } 857 858 static int mmubooke206_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx, 859 target_ulong address, 860 MMUAccessType access_type, 861 int mmu_idx) 862 { 863 ppcmas_tlb_t *tlb; 864 hwaddr raddr; 865 int i, j, ret; 866 867 ret = -1; 868 raddr = (hwaddr)-1ULL; 869 870 for (i = 0; i < BOOKE206_MAX_TLBN; i++) { 871 int ways = booke206_tlb_ways(env, i); 872 873 for (j = 0; j < ways; j++) { 874 tlb = booke206_get_tlbm(env, i, address, j); 875 if (!tlb) { 876 continue; 877 } 878 ret = mmubooke206_check_tlb(env, tlb, &raddr, &ctx->prot, address, 879 access_type, mmu_idx); 880 if (ret != -1) { 881 goto found_tlb; 882 } 883 } 884 } 885 886 found_tlb: 887 888 if (ret >= 0) { 889 ctx->raddr = raddr; 890 qemu_log_mask(CPU_LOG_MMU, "%s: access granted " TARGET_FMT_lx 891 " => " HWADDR_FMT_plx " %d %d\n", __func__, address, 892 ctx->raddr, ctx->prot, ret); 893 } else { 894 qemu_log_mask(CPU_LOG_MMU, "%s: access refused " TARGET_FMT_lx 895 " => " HWADDR_FMT_plx " %d %d\n", __func__, address, 896 raddr, ctx->prot, ret); 897 } 898 899 return ret; 900 } 901 902 static const char *book3e_tsize_to_str[32] = { 903 "1K", "2K", "4K", "8K", "16K", "32K", "64K", "128K", "256K", "512K", 904 "1M", "2M", "4M", "8M", "16M", "32M", "64M", "128M", "256M", "512M", 905 "1G", "2G", "4G", "8G", "16G", "32G", "64G", "128G", "256G", "512G", 906 "1T", "2T" 907 }; 908 909 static void mmubooke_dump_mmu(CPUPPCState *env) 910 { 911 ppcemb_tlb_t *entry; 912 int i; 913 914 #ifdef CONFIG_KVM 915 if (kvm_enabled() && !env->kvm_sw_tlb) { 916 qemu_printf("Cannot access KVM TLB\n"); 917 return; 918 } 919 #endif 920 921 qemu_printf("\nTLB:\n"); 922 qemu_printf("Effective Physical Size PID Prot " 923 "Attr\n"); 924 925 entry = &env->tlb.tlbe[0]; 926 for (i = 0; i < env->nb_tlb; i++, entry++) { 927 hwaddr ea, pa; 928 target_ulong mask; 929 uint64_t size = (uint64_t)entry->size; 930 char size_buf[20]; 931 932 /* Check valid flag */ 933 if (!(entry->prot & PAGE_VALID)) { 934 continue; 935 } 936 937 mask = ~(entry->size - 1); 938 ea = entry->EPN & mask; 939 pa = entry->RPN & mask; 940 /* Extend the physical address to 36 bits */ 941 pa |= (hwaddr)(entry->RPN & 0xF) << 32; 942 if (size >= 1 * MiB) { 943 snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "M", size / MiB); 944 } else { 945 snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "k", size / KiB); 946 } 947 qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %s %-5u %08x %08x\n", 948 (uint64_t)ea, (uint64_t)pa, size_buf, (uint32_t)entry->PID, 949 entry->prot, entry->attr); 950 } 951 952 } 953 954 static void mmubooke206_dump_one_tlb(CPUPPCState *env, int tlbn, int offset, 955 int tlbsize) 956 { 957 ppcmas_tlb_t *entry; 958 int i; 959 960 qemu_printf("\nTLB%d:\n", tlbn); 961 qemu_printf("Effective Physical Size TID TS SRWX" 962 " URWX WIMGE U0123\n"); 963 964 entry = &env->tlb.tlbm[offset]; 965 for (i = 0; i < tlbsize; i++, entry++) { 966 hwaddr ea, pa, size; 967 int tsize; 968 969 if (!(entry->mas1 & MAS1_VALID)) { 970 continue; 971 } 972 973 tsize = (entry->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT; 974 size = 1024ULL << tsize; 975 ea = entry->mas2 & ~(size - 1); 976 pa = entry->mas7_3 & ~(size - 1); 977 978 qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %4s %-5u %1u S%c%c%c" 979 " U%c%c%c %c%c%c%c%c U%c%c%c%c\n", 980 (uint64_t)ea, (uint64_t)pa, 981 book3e_tsize_to_str[tsize], 982 (entry->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT, 983 (entry->mas1 & MAS1_TS) >> MAS1_TS_SHIFT, 984 entry->mas7_3 & MAS3_SR ? 'R' : '-', 985 entry->mas7_3 & MAS3_SW ? 'W' : '-', 986 entry->mas7_3 & MAS3_SX ? 'X' : '-', 987 entry->mas7_3 & MAS3_UR ? 'R' : '-', 988 entry->mas7_3 & MAS3_UW ? 'W' : '-', 989 entry->mas7_3 & MAS3_UX ? 'X' : '-', 990 entry->mas2 & MAS2_W ? 'W' : '-', 991 entry->mas2 & MAS2_I ? 'I' : '-', 992 entry->mas2 & MAS2_M ? 'M' : '-', 993 entry->mas2 & MAS2_G ? 'G' : '-', 994 entry->mas2 & MAS2_E ? 'E' : '-', 995 entry->mas7_3 & MAS3_U0 ? '0' : '-', 996 entry->mas7_3 & MAS3_U1 ? '1' : '-', 997 entry->mas7_3 & MAS3_U2 ? '2' : '-', 998 entry->mas7_3 & MAS3_U3 ? '3' : '-'); 999 } 1000 } 1001 1002 static void mmubooke206_dump_mmu(CPUPPCState *env) 1003 { 1004 int offset = 0; 1005 int i; 1006 1007 #ifdef CONFIG_KVM 1008 if (kvm_enabled() && !env->kvm_sw_tlb) { 1009 qemu_printf("Cannot access KVM TLB\n"); 1010 return; 1011 } 1012 #endif 1013 1014 for (i = 0; i < BOOKE206_MAX_TLBN; i++) { 1015 int size = booke206_tlb_size(env, i); 1016 1017 if (size == 0) { 1018 continue; 1019 } 1020 1021 mmubooke206_dump_one_tlb(env, i, offset, size); 1022 offset += size; 1023 } 1024 } 1025 1026 static void mmu6xx_dump_BATs(CPUPPCState *env, int type) 1027 { 1028 target_ulong *BATlt, *BATut, *BATu, *BATl; 1029 target_ulong BEPIl, BEPIu, bl; 1030 int i; 1031 1032 switch (type) { 1033 case ACCESS_CODE: 1034 BATlt = env->IBAT[1]; 1035 BATut = env->IBAT[0]; 1036 break; 1037 default: 1038 BATlt = env->DBAT[1]; 1039 BATut = env->DBAT[0]; 1040 break; 1041 } 1042 1043 for (i = 0; i < env->nb_BATs; i++) { 1044 BATu = &BATut[i]; 1045 BATl = &BATlt[i]; 1046 BEPIu = *BATu & 0xF0000000; 1047 BEPIl = *BATu & 0x0FFE0000; 1048 bl = (*BATu & 0x00001FFC) << 15; 1049 qemu_printf("%s BAT%d BATu " TARGET_FMT_lx 1050 " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " " 1051 TARGET_FMT_lx " " TARGET_FMT_lx "\n", 1052 type == ACCESS_CODE ? "code" : "data", i, 1053 *BATu, *BATl, BEPIu, BEPIl, bl); 1054 } 1055 } 1056 1057 static void mmu6xx_dump_mmu(CPUPPCState *env) 1058 { 1059 PowerPCCPU *cpu = env_archcpu(env); 1060 ppc6xx_tlb_t *tlb; 1061 target_ulong sr; 1062 int type, way, entry, i; 1063 1064 qemu_printf("HTAB base = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_base(cpu)); 1065 qemu_printf("HTAB mask = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_mask(cpu)); 1066 1067 qemu_printf("\nSegment registers:\n"); 1068 for (i = 0; i < 32; i++) { 1069 sr = env->sr[i]; 1070 if (sr & 0x80000000) { 1071 qemu_printf("%02d T=%d Ks=%d Kp=%d BUID=0x%03x " 1072 "CNTLR_SPEC=0x%05x\n", i, 1073 sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0, 1074 sr & 0x20000000 ? 1 : 0, (uint32_t)((sr >> 20) & 0x1FF), 1075 (uint32_t)(sr & 0xFFFFF)); 1076 } else { 1077 qemu_printf("%02d T=%d Ks=%d Kp=%d N=%d VSID=0x%06x\n", i, 1078 sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0, 1079 sr & 0x20000000 ? 1 : 0, sr & 0x10000000 ? 1 : 0, 1080 (uint32_t)(sr & 0x00FFFFFF)); 1081 } 1082 } 1083 1084 qemu_printf("\nBATs:\n"); 1085 mmu6xx_dump_BATs(env, ACCESS_INT); 1086 mmu6xx_dump_BATs(env, ACCESS_CODE); 1087 1088 if (env->id_tlbs != 1) { 1089 qemu_printf("ERROR: 6xx MMU should have separated TLB" 1090 " for code and data\n"); 1091 } 1092 1093 qemu_printf("\nTLBs [EPN EPN + SIZE]\n"); 1094 1095 for (type = 0; type < 2; type++) { 1096 for (way = 0; way < env->nb_ways; way++) { 1097 for (entry = env->nb_tlb * type + env->tlb_per_way * way; 1098 entry < (env->nb_tlb * type + env->tlb_per_way * (way + 1)); 1099 entry++) { 1100 1101 tlb = &env->tlb.tlb6[entry]; 1102 qemu_printf("%s TLB %02d/%02d way:%d %s [" 1103 TARGET_FMT_lx " " TARGET_FMT_lx "]\n", 1104 type ? "code" : "data", entry % env->nb_tlb, 1105 env->nb_tlb, way, 1106 pte_is_valid(tlb->pte0) ? "valid" : "inval", 1107 tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE); 1108 } 1109 } 1110 } 1111 } 1112 1113 void dump_mmu(CPUPPCState *env) 1114 { 1115 switch (env->mmu_model) { 1116 case POWERPC_MMU_BOOKE: 1117 mmubooke_dump_mmu(env); 1118 break; 1119 case POWERPC_MMU_BOOKE206: 1120 mmubooke206_dump_mmu(env); 1121 break; 1122 case POWERPC_MMU_SOFT_6xx: 1123 mmu6xx_dump_mmu(env); 1124 break; 1125 #if defined(TARGET_PPC64) 1126 case POWERPC_MMU_64B: 1127 case POWERPC_MMU_2_03: 1128 case POWERPC_MMU_2_06: 1129 case POWERPC_MMU_2_07: 1130 dump_slb(env_archcpu(env)); 1131 break; 1132 case POWERPC_MMU_3_00: 1133 if (ppc64_v3_radix(env_archcpu(env))) { 1134 qemu_log_mask(LOG_UNIMP, "%s: the PPC64 MMU is unsupported\n", 1135 __func__); 1136 } else { 1137 dump_slb(env_archcpu(env)); 1138 } 1139 break; 1140 #endif 1141 default: 1142 qemu_log_mask(LOG_UNIMP, "%s: unimplemented\n", __func__); 1143 } 1144 } 1145 1146 int get_physical_address_wtlb(CPUPPCState *env, mmu_ctx_t *ctx, 1147 target_ulong eaddr, 1148 MMUAccessType access_type, int type, 1149 int mmu_idx) 1150 { 1151 bool real_mode; 1152 1153 if (env->mmu_model == POWERPC_MMU_BOOKE) { 1154 return mmubooke_get_physical_address(env, ctx, eaddr, access_type); 1155 } else if (env->mmu_model == POWERPC_MMU_BOOKE206) { 1156 return mmubooke206_get_physical_address(env, ctx, eaddr, access_type, 1157 mmu_idx); 1158 } 1159 1160 real_mode = (type == ACCESS_CODE) ? !FIELD_EX64(env->msr, MSR, IR) 1161 : !FIELD_EX64(env->msr, MSR, DR); 1162 if (real_mode && (env->mmu_model == POWERPC_MMU_SOFT_6xx || 1163 env->mmu_model == POWERPC_MMU_SOFT_4xx || 1164 env->mmu_model == POWERPC_MMU_REAL)) { 1165 ctx->raddr = eaddr; 1166 ctx->prot = PAGE_RWX; 1167 return 0; 1168 } 1169 1170 switch (env->mmu_model) { 1171 case POWERPC_MMU_SOFT_6xx: 1172 return mmu6xx_get_physical_address(env, ctx, eaddr, access_type, type); 1173 case POWERPC_MMU_SOFT_4xx: 1174 return mmu40x_get_physical_address(env, ctx, eaddr, access_type); 1175 case POWERPC_MMU_REAL: 1176 cpu_abort(env_cpu(env), 1177 "PowerPC in real mode do not do any translation\n"); 1178 default: 1179 cpu_abort(env_cpu(env), "Unknown or invalid MMU model\n"); 1180 } 1181 } 1182 1183 static void booke206_update_mas_tlb_miss(CPUPPCState *env, target_ulong address, 1184 MMUAccessType access_type, int mmu_idx) 1185 { 1186 uint32_t epid; 1187 bool as, pr; 1188 uint32_t missed_tid = 0; 1189 bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr); 1190 1191 if (access_type == MMU_INST_FETCH) { 1192 as = FIELD_EX64(env->msr, MSR, IR); 1193 } 1194 env->spr[SPR_BOOKE_MAS0] = env->spr[SPR_BOOKE_MAS4] & MAS4_TLBSELD_MASK; 1195 env->spr[SPR_BOOKE_MAS1] = env->spr[SPR_BOOKE_MAS4] & MAS4_TSIZED_MASK; 1196 env->spr[SPR_BOOKE_MAS2] = env->spr[SPR_BOOKE_MAS4] & MAS4_WIMGED_MASK; 1197 env->spr[SPR_BOOKE_MAS3] = 0; 1198 env->spr[SPR_BOOKE_MAS6] = 0; 1199 env->spr[SPR_BOOKE_MAS7] = 0; 1200 1201 /* AS */ 1202 if (as) { 1203 env->spr[SPR_BOOKE_MAS1] |= MAS1_TS; 1204 env->spr[SPR_BOOKE_MAS6] |= MAS6_SAS; 1205 } 1206 1207 env->spr[SPR_BOOKE_MAS1] |= MAS1_VALID; 1208 env->spr[SPR_BOOKE_MAS2] |= address & MAS2_EPN_MASK; 1209 1210 if (!use_epid) { 1211 switch (env->spr[SPR_BOOKE_MAS4] & MAS4_TIDSELD_PIDZ) { 1212 case MAS4_TIDSELD_PID0: 1213 missed_tid = env->spr[SPR_BOOKE_PID]; 1214 break; 1215 case MAS4_TIDSELD_PID1: 1216 missed_tid = env->spr[SPR_BOOKE_PID1]; 1217 break; 1218 case MAS4_TIDSELD_PID2: 1219 missed_tid = env->spr[SPR_BOOKE_PID2]; 1220 break; 1221 } 1222 env->spr[SPR_BOOKE_MAS6] |= env->spr[SPR_BOOKE_PID] << 16; 1223 } else { 1224 missed_tid = epid; 1225 env->spr[SPR_BOOKE_MAS6] |= missed_tid << 16; 1226 } 1227 env->spr[SPR_BOOKE_MAS1] |= (missed_tid << MAS1_TID_SHIFT); 1228 1229 1230 /* next victim logic */ 1231 env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_ESEL_SHIFT; 1232 env->last_way++; 1233 env->last_way &= booke206_tlb_ways(env, 0) - 1; 1234 env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_NV_SHIFT; 1235 } 1236 1237 /* Perform address translation */ 1238 /* TODO: Split this by mmu_model. */ 1239 static bool ppc_jumbo_xlate(PowerPCCPU *cpu, vaddr eaddr, 1240 MMUAccessType access_type, 1241 hwaddr *raddrp, int *psizep, int *protp, 1242 int mmu_idx, bool guest_visible) 1243 { 1244 CPUState *cs = CPU(cpu); 1245 CPUPPCState *env = &cpu->env; 1246 mmu_ctx_t ctx; 1247 int type; 1248 int ret; 1249 1250 if (access_type == MMU_INST_FETCH) { 1251 /* code access */ 1252 type = ACCESS_CODE; 1253 } else if (guest_visible) { 1254 /* data access */ 1255 type = env->access_type; 1256 } else { 1257 type = ACCESS_INT; 1258 } 1259 1260 ret = get_physical_address_wtlb(env, &ctx, eaddr, access_type, 1261 type, mmu_idx); 1262 if (ret == 0) { 1263 *raddrp = ctx.raddr; 1264 *protp = ctx.prot; 1265 *psizep = TARGET_PAGE_BITS; 1266 return true; 1267 } else if (!guest_visible) { 1268 return false; 1269 } 1270 1271 log_cpu_state_mask(CPU_LOG_MMU, cs, 0); 1272 if (type == ACCESS_CODE) { 1273 switch (ret) { 1274 case -1: 1275 /* No matches in page tables or TLB */ 1276 switch (env->mmu_model) { 1277 case POWERPC_MMU_SOFT_6xx: 1278 cs->exception_index = POWERPC_EXCP_IFTLB; 1279 env->error_code = 1 << 18; 1280 env->spr[SPR_IMISS] = eaddr; 1281 env->spr[SPR_ICMP] = 0x80000000 | ctx.ptem; 1282 goto tlb_miss; 1283 case POWERPC_MMU_SOFT_4xx: 1284 cs->exception_index = POWERPC_EXCP_ITLB; 1285 env->error_code = 0; 1286 env->spr[SPR_40x_DEAR] = eaddr; 1287 env->spr[SPR_40x_ESR] = 0x00000000; 1288 break; 1289 case POWERPC_MMU_BOOKE206: 1290 booke206_update_mas_tlb_miss(env, eaddr, access_type, mmu_idx); 1291 /* fall through */ 1292 case POWERPC_MMU_BOOKE: 1293 cs->exception_index = POWERPC_EXCP_ITLB; 1294 env->error_code = 0; 1295 env->spr[SPR_BOOKE_DEAR] = eaddr; 1296 env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, access_type); 1297 break; 1298 case POWERPC_MMU_REAL: 1299 cpu_abort(cs, "PowerPC in real mode should never raise " 1300 "any MMU exceptions\n"); 1301 default: 1302 cpu_abort(cs, "Unknown or invalid MMU model\n"); 1303 } 1304 break; 1305 case -2: 1306 /* Access rights violation */ 1307 cs->exception_index = POWERPC_EXCP_ISI; 1308 if ((env->mmu_model == POWERPC_MMU_BOOKE) || 1309 (env->mmu_model == POWERPC_MMU_BOOKE206)) { 1310 env->error_code = 0; 1311 } else { 1312 env->error_code = 0x08000000; 1313 } 1314 break; 1315 case -3: 1316 /* No execute protection violation */ 1317 if ((env->mmu_model == POWERPC_MMU_BOOKE) || 1318 (env->mmu_model == POWERPC_MMU_BOOKE206)) { 1319 env->spr[SPR_BOOKE_ESR] = 0x00000000; 1320 env->error_code = 0; 1321 } else { 1322 env->error_code = 0x10000000; 1323 } 1324 cs->exception_index = POWERPC_EXCP_ISI; 1325 break; 1326 case -4: 1327 /* Direct store exception */ 1328 /* No code fetch is allowed in direct-store areas */ 1329 cs->exception_index = POWERPC_EXCP_ISI; 1330 if ((env->mmu_model == POWERPC_MMU_BOOKE) || 1331 (env->mmu_model == POWERPC_MMU_BOOKE206)) { 1332 env->error_code = 0; 1333 } else { 1334 env->error_code = 0x10000000; 1335 } 1336 break; 1337 } 1338 } else { 1339 switch (ret) { 1340 case -1: 1341 /* No matches in page tables or TLB */ 1342 switch (env->mmu_model) { 1343 case POWERPC_MMU_SOFT_6xx: 1344 if (access_type == MMU_DATA_STORE) { 1345 cs->exception_index = POWERPC_EXCP_DSTLB; 1346 env->error_code = 1 << 16; 1347 } else { 1348 cs->exception_index = POWERPC_EXCP_DLTLB; 1349 env->error_code = 0; 1350 } 1351 env->spr[SPR_DMISS] = eaddr; 1352 env->spr[SPR_DCMP] = 0x80000000 | ctx.ptem; 1353 tlb_miss: 1354 env->error_code |= ctx.key << 19; 1355 env->spr[SPR_HASH1] = ppc_hash32_hpt_base(cpu) + 1356 get_pteg_offset32(cpu, ctx.hash[0]); 1357 env->spr[SPR_HASH2] = ppc_hash32_hpt_base(cpu) + 1358 get_pteg_offset32(cpu, ctx.hash[1]); 1359 break; 1360 case POWERPC_MMU_SOFT_4xx: 1361 cs->exception_index = POWERPC_EXCP_DTLB; 1362 env->error_code = 0; 1363 env->spr[SPR_40x_DEAR] = eaddr; 1364 if (access_type == MMU_DATA_STORE) { 1365 env->spr[SPR_40x_ESR] = 0x00800000; 1366 } else { 1367 env->spr[SPR_40x_ESR] = 0x00000000; 1368 } 1369 break; 1370 case POWERPC_MMU_BOOKE206: 1371 booke206_update_mas_tlb_miss(env, eaddr, access_type, mmu_idx); 1372 /* fall through */ 1373 case POWERPC_MMU_BOOKE: 1374 cs->exception_index = POWERPC_EXCP_DTLB; 1375 env->error_code = 0; 1376 env->spr[SPR_BOOKE_DEAR] = eaddr; 1377 env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, access_type); 1378 break; 1379 case POWERPC_MMU_REAL: 1380 cpu_abort(cs, "PowerPC in real mode should never raise " 1381 "any MMU exceptions\n"); 1382 default: 1383 cpu_abort(cs, "Unknown or invalid MMU model\n"); 1384 } 1385 break; 1386 case -2: 1387 /* Access rights violation */ 1388 cs->exception_index = POWERPC_EXCP_DSI; 1389 env->error_code = 0; 1390 if (env->mmu_model == POWERPC_MMU_SOFT_4xx) { 1391 env->spr[SPR_40x_DEAR] = eaddr; 1392 if (access_type == MMU_DATA_STORE) { 1393 env->spr[SPR_40x_ESR] |= 0x00800000; 1394 } 1395 } else if ((env->mmu_model == POWERPC_MMU_BOOKE) || 1396 (env->mmu_model == POWERPC_MMU_BOOKE206)) { 1397 env->spr[SPR_BOOKE_DEAR] = eaddr; 1398 env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, access_type); 1399 } else { 1400 env->spr[SPR_DAR] = eaddr; 1401 if (access_type == MMU_DATA_STORE) { 1402 env->spr[SPR_DSISR] = 0x0A000000; 1403 } else { 1404 env->spr[SPR_DSISR] = 0x08000000; 1405 } 1406 } 1407 break; 1408 case -4: 1409 /* Direct store exception */ 1410 switch (type) { 1411 case ACCESS_FLOAT: 1412 /* Floating point load/store */ 1413 cs->exception_index = POWERPC_EXCP_ALIGN; 1414 env->error_code = POWERPC_EXCP_ALIGN_FP; 1415 env->spr[SPR_DAR] = eaddr; 1416 break; 1417 case ACCESS_RES: 1418 /* lwarx, ldarx or stwcx. */ 1419 cs->exception_index = POWERPC_EXCP_DSI; 1420 env->error_code = 0; 1421 env->spr[SPR_DAR] = eaddr; 1422 if (access_type == MMU_DATA_STORE) { 1423 env->spr[SPR_DSISR] = 0x06000000; 1424 } else { 1425 env->spr[SPR_DSISR] = 0x04000000; 1426 } 1427 break; 1428 case ACCESS_EXT: 1429 /* eciwx or ecowx */ 1430 cs->exception_index = POWERPC_EXCP_DSI; 1431 env->error_code = 0; 1432 env->spr[SPR_DAR] = eaddr; 1433 if (access_type == MMU_DATA_STORE) { 1434 env->spr[SPR_DSISR] = 0x06100000; 1435 } else { 1436 env->spr[SPR_DSISR] = 0x04100000; 1437 } 1438 break; 1439 default: 1440 printf("DSI: invalid exception (%d)\n", ret); 1441 cs->exception_index = POWERPC_EXCP_PROGRAM; 1442 env->error_code = POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL; 1443 env->spr[SPR_DAR] = eaddr; 1444 break; 1445 } 1446 break; 1447 } 1448 } 1449 return false; 1450 } 1451 1452 /*****************************************************************************/ 1453 1454 bool ppc_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type, 1455 hwaddr *raddrp, int *psizep, int *protp, 1456 int mmu_idx, bool guest_visible) 1457 { 1458 switch (cpu->env.mmu_model) { 1459 #if defined(TARGET_PPC64) 1460 case POWERPC_MMU_3_00: 1461 if (ppc64_v3_radix(cpu)) { 1462 return ppc_radix64_xlate(cpu, eaddr, access_type, raddrp, 1463 psizep, protp, mmu_idx, guest_visible); 1464 } 1465 /* fall through */ 1466 case POWERPC_MMU_64B: 1467 case POWERPC_MMU_2_03: 1468 case POWERPC_MMU_2_06: 1469 case POWERPC_MMU_2_07: 1470 return ppc_hash64_xlate(cpu, eaddr, access_type, 1471 raddrp, psizep, protp, mmu_idx, guest_visible); 1472 #endif 1473 1474 case POWERPC_MMU_32B: 1475 return ppc_hash32_xlate(cpu, eaddr, access_type, raddrp, 1476 psizep, protp, mmu_idx, guest_visible); 1477 case POWERPC_MMU_MPC8xx: 1478 cpu_abort(env_cpu(&cpu->env), "MPC8xx MMU model is not implemented\n"); 1479 default: 1480 return ppc_jumbo_xlate(cpu, eaddr, access_type, raddrp, 1481 psizep, protp, mmu_idx, guest_visible); 1482 } 1483 } 1484 1485 hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr addr) 1486 { 1487 PowerPCCPU *cpu = POWERPC_CPU(cs); 1488 hwaddr raddr; 1489 int s, p; 1490 1491 /* 1492 * Some MMUs have separate TLBs for code and data. If we only 1493 * try an MMU_DATA_LOAD, we may not be able to read instructions 1494 * mapped by code TLBs, so we also try a MMU_INST_FETCH. 1495 */ 1496 if (ppc_xlate(cpu, addr, MMU_DATA_LOAD, &raddr, &s, &p, 1497 ppc_env_mmu_index(&cpu->env, false), false) || 1498 ppc_xlate(cpu, addr, MMU_INST_FETCH, &raddr, &s, &p, 1499 ppc_env_mmu_index(&cpu->env, true), false)) { 1500 return raddr & TARGET_PAGE_MASK; 1501 } 1502 return -1; 1503 } 1504