2 * PowerPC MMU, TLB and BAT emulation helpers for QEMU.
4 * Copyright (c) 2003-2007 Jocelyn Mayer
5 * Copyright (c) 2013 David Gibson, IBM Corporation
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
23 #include "sysemu/kvm.h"
25 #include "mmu-hash32.h"
31 # define LOG_MMU(...) qemu_log(__VA_ARGS__)
32 # define LOG_MMU_STATE(env) log_cpu_state((env), 0)
34 # define LOG_MMU(...) do { } while (0)
35 # define LOG_MMU_STATE(...) do { } while (0)
39 # define LOG_BATS(...) qemu_log(__VA_ARGS__)
41 # define LOG_BATS(...) do { } while (0)
44 struct mmu_ctx_hash32 {
45 hwaddr raddr; /* Real address */
46 hwaddr eaddr; /* Effective address */
47 int prot; /* Protection bits */
48 hwaddr hash[2]; /* Pagetable hash values */
49 target_ulong ptem; /* Virtual segment ID | API */
50 int key; /* Access key */
51 int nx; /* Non-execute area */
54 #define PTE_CHECK_MASK (TARGET_PAGE_MASK | 0x7B)
56 static int ppc_hash32_pp_check(int key, int pp, int nx)
60 /* Compute access rights */
83 access = PAGE_READ | PAGE_WRITE;
94 static int ppc_hash32_check_prot(int prot, int rw, int access_type)
98 if (access_type == ACCESS_CODE) {
99 if (prot & PAGE_EXEC) {
105 if (prot & PAGE_WRITE) {
111 if (prot & PAGE_READ) {
121 /* Perform BAT hit & translation */
122 static void hash32_bat_size_prot(CPUPPCState *env, target_ulong *blp,
123 int *validp, int *protp, target_ulong *BATu,
129 bl = (*BATu & BATU32_BL) << 15;
132 if (((msr_pr == 0) && (*BATu & BATU32_VS)) ||
133 ((msr_pr != 0) && (*BATu & BATU32_VP))) {
135 pp = *BATl & BATL32_PP;
137 prot = PAGE_READ | PAGE_EXEC;
148 static void hash32_bat_601_size_prot(CPUPPCState *env, target_ulong *blp,
149 int *validp, int *protp,
150 target_ulong *BATu, target_ulong *BATl)
153 int key, pp, valid, prot;
155 bl = (*BATl & BATL32_601_BL) << 17;
156 LOG_BATS("b %02x ==> bl " TARGET_FMT_lx " msk " TARGET_FMT_lx "\n",
157 (uint8_t)(*BATl & BATL32_601_BL), bl, ~bl);
159 valid = !!(*BATl & BATL32_601_V);
161 pp = *BATu & BATU32_601_PP;
163 key = !!(*BATu & BATU32_601_KS);
165 key = !!(*BATu & BATU32_601_KP);
167 prot = ppc_hash32_pp_check(key, pp, 0);
174 static int ppc_hash32_get_bat(CPUPPCState *env, struct mmu_ctx_hash32 *ctx,
175 target_ulong virtual, int rw, int type)
177 target_ulong *BATlt, *BATut, *BATu, *BATl;
178 target_ulong BEPIl, BEPIu, bl;
182 LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,
183 type == ACCESS_CODE ? 'I' : 'D', virtual);
186 BATlt = env->IBAT[1];
187 BATut = env->IBAT[0];
190 BATlt = env->DBAT[1];
191 BATut = env->DBAT[0];
194 for (i = 0; i < env->nb_BATs; i++) {
197 BEPIu = *BATu & BATU32_BEPIU;
198 BEPIl = *BATu & BATU32_BEPIL;
199 if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
200 hash32_bat_601_size_prot(env, &bl, &valid, &prot, BATu, BATl);
202 hash32_bat_size_prot(env, &bl, &valid, &prot, BATu, BATl);
204 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
205 " BATl " TARGET_FMT_lx "\n", __func__,
206 type == ACCESS_CODE ? 'I' : 'D', i, virtual, *BATu, *BATl);
207 if ((virtual & BATU32_BEPIU) == BEPIu &&
208 ((virtual & BATU32_BEPIL) & ~bl) == BEPIl) {
211 /* Get physical address */
212 ctx->raddr = (*BATl & BATL32_BRPNU) |
213 ((virtual & BATU32_BEPIL & bl) | (*BATl & BATL32_BRPNL)) |
214 (virtual & 0x0001F000);
215 /* Compute access rights */
217 ret = ppc_hash32_check_prot(ctx->prot, rw, type);
219 LOG_BATS("BAT %d match: r " TARGET_FMT_plx " prot=%c%c\n",
220 i, ctx->raddr, ctx->prot & PAGE_READ ? 'R' : '-',
221 ctx->prot & PAGE_WRITE ? 'W' : '-');
228 #if defined(DEBUG_BATS)
229 if (qemu_log_enabled()) {
230 LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", virtual);
231 for (i = 0; i < 4; i++) {
234 BEPIu = *BATu & BATU32_BEPIU;
235 BEPIl = *BATu & BATU32_BEPIL;
236 bl = (*BATu & 0x00001FFC) << 15;
237 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
238 " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
239 TARGET_FMT_lx " " TARGET_FMT_lx "\n",
240 __func__, type == ACCESS_CODE ? 'I' : 'D', i, virtual,
241 *BATu, *BATl, BEPIu, BEPIl, bl);
250 static int pte_check_hash32(struct mmu_ctx_hash32 *ctx, target_ulong pte0,
251 target_ulong pte1, int h, int rw, int type)
257 /* Check validity and table match */
258 if ((pte0 & HPTE32_V_VALID) && (h == !!(pte0 & HPTE32_V_SECONDARY))) {
259 /* Check vsid & api */
260 mmask = PTE_CHECK_MASK;
261 pp = pte1 & HPTE32_R_PP;
262 if (HPTE32_V_COMPARE(pte0, ctx->ptem)) {
263 if (ctx->raddr != (hwaddr)-1ULL) {
264 /* all matches should have equal RPN, WIMG & PP */
265 if ((ctx->raddr & mmask) != (pte1 & mmask)) {
266 qemu_log("Bad RPN/WIMG/PP\n");
270 /* Compute access rights */
271 access = ppc_hash32_pp_check(ctx->key, pp, ctx->nx);
272 /* Keep the matching PTE informations */
275 ret = ppc_hash32_check_prot(ctx->prot, rw, type);
278 LOG_MMU("PTE access granted !\n");
280 /* Access right violation */
281 LOG_MMU("PTE access rejected\n");
289 static int ppc_hash32_pte_update_flags(struct mmu_ctx_hash32 *ctx, target_ulong *pte1p,
294 /* Update page flags */
295 if (!(*pte1p & HPTE32_R_R)) {
296 /* Update accessed flag */
297 *pte1p |= HPTE32_R_R;
300 if (!(*pte1p & HPTE32_R_C)) {
301 if (rw == 1 && ret == 0) {
302 /* Update changed flag */
303 *pte1p |= HPTE32_R_C;
306 /* Force page fault for first write access */
307 ctx->prot &= ~PAGE_WRITE;
314 hwaddr get_pteg_offset32(CPUPPCState *env, hwaddr hash)
316 return (hash * HASH_PTEG_SIZE_32) & env->htab_mask;
319 /* PTE table lookup */
320 static int find_pte32(CPUPPCState *env, struct mmu_ctx_hash32 *ctx, int h,
321 int rw, int type, int target_page_bits)
324 target_ulong pte0, pte1;
328 ret = -1; /* No entry found */
329 pteg_off = get_pteg_offset32(env, ctx->hash[h]);
330 for (i = 0; i < HPTES_PER_GROUP; i++) {
331 if (env->external_htab) {
332 pte0 = ldl_p(env->external_htab + pteg_off + (i * 8));
333 pte1 = ldl_p(env->external_htab + pteg_off + (i * 8) + 4);
335 pte0 = ldl_phys(env->htab_base + pteg_off + (i * 8));
336 pte1 = ldl_phys(env->htab_base + pteg_off + (i * 8) + 4);
338 r = pte_check_hash32(ctx, pte0, pte1, h, rw, type);
339 LOG_MMU("Load pte from %08" HWADDR_PRIx " => " TARGET_FMT_lx " "
340 TARGET_FMT_lx " %d %d %d " TARGET_FMT_lx "\n",
341 pteg_off + (i * 8), pte0, pte1, (int)(pte0 >> 31), h,
342 (int)((pte0 >> 6) & 1), ctx->ptem);
345 /* PTE inconsistency */
348 /* Access violation */
358 /* XXX: we should go on looping to check all PTEs consistency
359 * but if we can speed-up the whole thing as the
360 * result would be undefined if PTEs are not consistent.
369 LOG_MMU("found PTE at addr %08" HWADDR_PRIx " prot=%01x ret=%d\n",
370 ctx->raddr, ctx->prot, ret);
371 /* Update page flags */
373 if (ppc_hash32_pte_update_flags(ctx, &pte1, ret, rw) == 1) {
374 if (env->external_htab) {
375 stl_p(env->external_htab + pteg_off + (good * 8) + 4,
378 stl_phys_notdirty(env->htab_base + pteg_off +
379 (good * 8) + 4, pte1);
384 /* We have a TLB that saves 4K pages, so let's
385 * split a huge page to 4k chunks */
386 if (target_page_bits != TARGET_PAGE_BITS) {
387 ctx->raddr |= (ctx->eaddr & ((1 << target_page_bits) - 1))
393 static int get_segment32(CPUPPCState *env, struct mmu_ctx_hash32 *ctx,
394 target_ulong eaddr, int rw, int type)
398 int ds, pr, target_page_bits;
400 target_ulong sr, pgidx;
405 sr = env->sr[eaddr >> 28];
406 ctx->key = (((sr & SR32_KP) && (pr != 0)) ||
407 ((sr & SR32_KS) && (pr == 0))) ? 1 : 0;
408 ds = !!(sr & SR32_T);
409 ctx->nx = !!(sr & SR32_NX);
410 vsid = sr & SR32_VSID;
411 target_page_bits = TARGET_PAGE_BITS;
412 LOG_MMU("Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx " nip="
413 TARGET_FMT_lx " lr=" TARGET_FMT_lx
414 " ir=%d dr=%d pr=%d %d t=%d\n",
415 eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, (int)msr_ir,
416 (int)msr_dr, pr != 0 ? 1 : 0, rw, type);
417 pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits;
419 ctx->ptem = (vsid << 7) | (pgidx >> 10);
421 LOG_MMU("pte segment: key=%d ds %d nx %d vsid " TARGET_FMT_lx "\n",
422 ctx->key, ds, ctx->nx, vsid);
425 /* Check if instruction fetch is allowed, if needed */
426 if (type != ACCESS_CODE || ctx->nx == 0) {
427 /* Page address translation */
428 LOG_MMU("htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx
429 " hash " TARGET_FMT_plx "\n",
430 env->htab_base, env->htab_mask, hash);
432 ctx->hash[1] = ~hash;
434 /* Initialize real address with an invalid value */
435 ctx->raddr = (hwaddr)-1ULL;
436 LOG_MMU("0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
437 " vsid=" TARGET_FMT_lx " ptem=" TARGET_FMT_lx
438 " hash=" TARGET_FMT_plx "\n",
439 env->htab_base, env->htab_mask, vsid, ctx->ptem,
441 /* Primary table lookup */
442 ret = find_pte32(env, ctx, 0, rw, type, target_page_bits);
444 /* Secondary table lookup */
445 LOG_MMU("1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
446 " vsid=" TARGET_FMT_lx " api=" TARGET_FMT_lx
447 " hash=" TARGET_FMT_plx "\n", env->htab_base,
448 env->htab_mask, vsid, ctx->ptem, ctx->hash[1]);
449 ret2 = find_pte32(env, ctx, 1, rw, type,
455 #if defined(DUMP_PAGE_TABLES)
456 if (qemu_log_enabled()) {
458 uint32_t a0, a1, a2, a3;
460 qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx
461 "\n", sdr, mask + 0x80);
462 for (curaddr = sdr; curaddr < (sdr + mask + 0x80);
464 a0 = ldl_phys(curaddr);
465 a1 = ldl_phys(curaddr + 4);
466 a2 = ldl_phys(curaddr + 8);
467 a3 = ldl_phys(curaddr + 12);
468 if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) {
469 qemu_log(TARGET_FMT_plx ": %08x %08x %08x %08x\n",
470 curaddr, a0, a1, a2, a3);
476 LOG_MMU("No access allowed\n");
482 LOG_MMU("direct store...\n");
483 /* Direct-store segment : absolutely *BUGGY* for now */
485 /* Direct-store implies a 32-bit MMU.
486 * Check the Segment Register's bus unit ID (BUID).
488 sr = env->sr[eaddr >> 28];
489 if ((sr & 0x1FF00000) >> 20 == 0x07f) {
490 /* Memory-forced I/O controller interface access */
491 /* If T=1 and BUID=x'07F', the 601 performs a memory access
492 * to SR[28-31] LA[4-31], bypassing all protection mechanisms.
494 ctx->raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);
495 ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
501 /* Integer load/store : only access allowed */
504 /* No code fetch is allowed in direct-store areas */
507 /* Floating point load/store */
510 /* lwarx, ldarx or srwcx. */
513 /* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */
514 /* Should make the instruction do no-op.
515 * As it already do no-op, it's quite easy :-)
523 qemu_log("ERROR: instruction should not need "
524 "address translation\n");
527 if ((rw == 1 || ctx->key != 1) && (rw == 0 || ctx->key != 0)) {
538 static int ppc_hash32_get_physical_address(CPUPPCState *env, struct mmu_ctx_hash32 *ctx,
539 target_ulong eaddr, int rw,
542 bool real_mode = (access_type == ACCESS_CODE && msr_ir == 0)
543 || (access_type != ACCESS_CODE && msr_dr == 0);
547 ctx->prot = PAGE_READ | PAGE_EXEC | PAGE_WRITE;
552 /* Try to find a BAT */
553 if (env->nb_BATs != 0) {
554 ret = ppc_hash32_get_bat(env, ctx, eaddr, rw, access_type);
557 /* We didn't match any BAT entry or don't have BATs */
558 ret = get_segment32(env, ctx, eaddr, rw, access_type);
564 hwaddr ppc_hash32_get_phys_page_debug(CPUPPCState *env, target_ulong addr)
566 struct mmu_ctx_hash32 ctx;
568 if (unlikely(ppc_hash32_get_physical_address(env, &ctx, addr, 0, ACCESS_INT)
573 return ctx.raddr & TARGET_PAGE_MASK;
576 int ppc_hash32_handle_mmu_fault(CPUPPCState *env, target_ulong address, int rw,
579 struct mmu_ctx_hash32 ctx;
586 access_type = ACCESS_CODE;
589 access_type = env->access_type;
591 ret = ppc_hash32_get_physical_address(env, &ctx, address, rw, access_type);
593 tlb_set_page(env, address & TARGET_PAGE_MASK,
594 ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
595 mmu_idx, TARGET_PAGE_SIZE);
597 } else if (ret < 0) {
599 if (access_type == ACCESS_CODE) {
602 /* No matches in page tables or TLB */
603 env->exception_index = POWERPC_EXCP_ISI;
604 env->error_code = 0x40000000;
607 /* Access rights violation */
608 env->exception_index = POWERPC_EXCP_ISI;
609 env->error_code = 0x08000000;
612 /* No execute protection violation */
613 env->exception_index = POWERPC_EXCP_ISI;
614 env->error_code = 0x10000000;
617 /* Direct store exception */
618 /* No code fetch is allowed in direct-store areas */
619 env->exception_index = POWERPC_EXCP_ISI;
620 env->error_code = 0x10000000;
626 /* No matches in page tables or TLB */
627 env->exception_index = POWERPC_EXCP_DSI;
629 env->spr[SPR_DAR] = address;
631 env->spr[SPR_DSISR] = 0x42000000;
633 env->spr[SPR_DSISR] = 0x40000000;
637 /* Access rights violation */
638 env->exception_index = POWERPC_EXCP_DSI;
640 env->spr[SPR_DAR] = address;
642 env->spr[SPR_DSISR] = 0x0A000000;
644 env->spr[SPR_DSISR] = 0x08000000;
648 /* Direct store exception */
649 switch (access_type) {
651 /* Floating point load/store */
652 env->exception_index = POWERPC_EXCP_ALIGN;
653 env->error_code = POWERPC_EXCP_ALIGN_FP;
654 env->spr[SPR_DAR] = address;
657 /* lwarx, ldarx or stwcx. */
658 env->exception_index = POWERPC_EXCP_DSI;
660 env->spr[SPR_DAR] = address;
662 env->spr[SPR_DSISR] = 0x06000000;
664 env->spr[SPR_DSISR] = 0x04000000;
669 env->exception_index = POWERPC_EXCP_DSI;
671 env->spr[SPR_DAR] = address;
673 env->spr[SPR_DSISR] = 0x06100000;
675 env->spr[SPR_DSISR] = 0x04100000;
679 printf("DSI: invalid exception (%d)\n", ret);
680 env->exception_index = POWERPC_EXCP_PROGRAM;
682 POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL;
683 env->spr[SPR_DAR] = address;
690 printf("%s: set exception to %d %02x\n", __func__,
691 env->exception, env->error_code);
projects / qemu.git / blob