2 * PowerPC MMU, TLB and BAT emulation helpers for QEMU.
4 * Copyright (c) 2003-2007 Jocelyn Mayer
5 * Copyright (c) 2013 David Gibson, IBM Corporation
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
23 #include "sysemu/kvm.h"
25 #include "mmu-hash32.h"
31 # define LOG_MMU(...) qemu_log(__VA_ARGS__)
32 # define LOG_MMU_STATE(env) log_cpu_state((env), 0)
34 # define LOG_MMU(...) do { } while (0)
35 # define LOG_MMU_STATE(...) do { } while (0)
39 # define LOG_BATS(...) qemu_log(__VA_ARGS__)
41 # define LOG_BATS(...) do { } while (0)
44 struct mmu_ctx_hash32
{
45 hwaddr raddr
; /* Real address */
46 int prot
; /* Protection bits */
47 int key
; /* Access key */
48 int nx
; /* Non-execute area */
51 static int ppc_hash32_pp_check(int key
, int pp
, int nx
)
55 /* Compute access rights */
78 access
= PAGE_READ
| PAGE_WRITE
;
89 static int ppc_hash32_check_prot(int prot
, int rwx
)
94 if (prot
& PAGE_EXEC
) {
100 if (prot
& PAGE_WRITE
) {
106 if (prot
& PAGE_READ
) {
116 /* Perform BAT hit & translation */
117 static void hash32_bat_size_prot(CPUPPCState
*env
, target_ulong
*blp
,
118 int *validp
, int *protp
,
119 target_ulong batu
, target_ulong batl
)
124 bl
= (batu
& BATU32_BL
) << 15;
127 if (((msr_pr
== 0) && (batu
& BATU32_VS
)) ||
128 ((msr_pr
!= 0) && (batu
& BATU32_VP
))) {
130 pp
= batl
& BATL32_PP
;
132 prot
= PAGE_READ
| PAGE_EXEC
;
143 static void hash32_bat_601_size_prot(CPUPPCState
*env
, target_ulong
*blp
,
144 int *validp
, int *protp
,
145 target_ulong batu
, target_ulong batl
)
148 int key
, pp
, valid
, prot
;
150 bl
= (batl
& BATL32_601_BL
) << 17;
151 LOG_BATS("b %02x ==> bl " TARGET_FMT_lx
" msk " TARGET_FMT_lx
"\n",
152 (uint8_t)(batl
& BATL32_601_BL
), bl
, ~bl
);
154 valid
= !!(batl
& BATL32_601_V
);
156 pp
= batu
& BATU32_601_PP
;
158 key
= !!(batu
& BATU32_601_KS
);
160 key
= !!(batu
& BATU32_601_KP
);
162 prot
= ppc_hash32_pp_check(key
, pp
, 0);
169 static int ppc_hash32_get_bat(CPUPPCState
*env
, struct mmu_ctx_hash32
*ctx
,
170 target_ulong
virtual, int rwx
)
172 target_ulong
*BATlt
, *BATut
;
173 target_ulong BEPIl
, BEPIu
, bl
;
177 LOG_BATS("%s: %cBAT v " TARGET_FMT_lx
"\n", __func__
,
178 rwx
== 2 ? 'I' : 'D', virtual);
180 BATlt
= env
->IBAT
[1];
181 BATut
= env
->IBAT
[0];
183 BATlt
= env
->DBAT
[1];
184 BATut
= env
->DBAT
[0];
186 for (i
= 0; i
< env
->nb_BATs
; i
++) {
187 target_ulong batu
= BATut
[i
];
188 target_ulong batl
= BATlt
[i
];
190 BEPIu
= batu
& BATU32_BEPIU
;
191 BEPIl
= batu
& BATU32_BEPIL
;
192 if (unlikely(env
->mmu_model
== POWERPC_MMU_601
)) {
193 hash32_bat_601_size_prot(env
, &bl
, &valid
, &prot
, batu
, batl
);
195 hash32_bat_size_prot(env
, &bl
, &valid
, &prot
, batu
, batl
);
197 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx
" BATu " TARGET_FMT_lx
198 " BATl " TARGET_FMT_lx
"\n", __func__
,
199 type
== ACCESS_CODE
? 'I' : 'D', i
, virtual, batu
, batl
);
200 if ((virtual & BATU32_BEPIU
) == BEPIu
&&
201 ((virtual & BATU32_BEPIL
) & ~bl
) == BEPIl
) {
204 /* Get physical address */
205 ctx
->raddr
= (batl
& BATL32_BRPNU
) |
206 ((virtual & BATU32_BEPIL
& bl
) | (batl
& BATL32_BRPNL
)) |
207 (virtual & 0x0001F000);
208 /* Compute access rights */
210 ret
= ppc_hash32_check_prot(ctx
->prot
, rwx
);
212 LOG_BATS("BAT %d match: r " TARGET_FMT_plx
" prot=%c%c\n",
213 i
, ctx
->raddr
, ctx
->prot
& PAGE_READ
? 'R' : '-',
214 ctx
->prot
& PAGE_WRITE
? 'W' : '-');
221 #if defined(DEBUG_BATS)
222 if (qemu_log_enabled()) {
223 LOG_BATS("no BAT match for " TARGET_FMT_lx
":\n", virtual);
224 for (i
= 0; i
< 4; i
++) {
227 BEPIu
= *BATu
& BATU32_BEPIU
;
228 BEPIl
= *BATu
& BATU32_BEPIL
;
229 bl
= (*BATu
& 0x00001FFC) << 15;
230 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx
" BATu " TARGET_FMT_lx
231 " BATl " TARGET_FMT_lx
"\n\t" TARGET_FMT_lx
" "
232 TARGET_FMT_lx
" " TARGET_FMT_lx
"\n",
233 __func__
, type
== ACCESS_CODE
? 'I' : 'D', i
, virtual,
234 *BATu
, *BATl
, BEPIu
, BEPIl
, bl
);
243 static int ppc_hash32_direct_store(CPUPPCState
*env
, target_ulong sr
,
244 target_ulong eaddr
, int rwx
,
245 hwaddr
*raddr
, int *prot
)
247 int key
= !!(msr_pr
? (sr
& SR32_KP
) : (sr
& SR32_KS
));
249 LOG_MMU("direct store...\n");
251 if ((sr
& 0x1FF00000) >> 20 == 0x07f) {
252 /* Memory-forced I/O controller interface access */
253 /* If T=1 and BUID=x'07F', the 601 performs a memory access
254 * to SR[28-31] LA[4-31], bypassing all protection mechanisms.
256 *raddr
= ((sr
& 0xF) << 28) | (eaddr
& 0x0FFFFFFF);
257 *prot
= PAGE_READ
| PAGE_WRITE
| PAGE_EXEC
;
262 /* No code fetch is allowed in direct-store areas */
266 switch (env
->access_type
) {
268 /* Integer load/store : only access allowed */
271 /* Floating point load/store */
274 /* lwarx, ldarx or srwcx. */
277 /* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */
278 /* Should make the instruction do no-op.
279 * As it already do no-op, it's quite easy :-)
287 qemu_log("ERROR: instruction should not need "
288 "address translation\n");
291 if ((rwx
== 1 || key
!= 1) && (rwx
== 0 || key
!= 0)) {
299 static int ppc_hash32_pte_update_flags(struct mmu_ctx_hash32
*ctx
, uint32_t *pte1p
,
304 /* Update page flags */
305 if (!(*pte1p
& HPTE32_R_R
)) {
306 /* Update accessed flag */
307 *pte1p
|= HPTE32_R_R
;
310 if (!(*pte1p
& HPTE32_R_C
)) {
311 if (rwx
== 1 && ret
== 0) {
312 /* Update changed flag */
313 *pte1p
|= HPTE32_R_C
;
316 /* Force page fault for first write access */
317 ctx
->prot
&= ~PAGE_WRITE
;
324 hwaddr
get_pteg_offset32(CPUPPCState
*env
, hwaddr hash
)
326 return (hash
* HASH_PTEG_SIZE_32
) & env
->htab_mask
;
329 static hwaddr
ppc_hash32_pteg_search(CPUPPCState
*env
, hwaddr pteg_off
,
330 bool secondary
, target_ulong ptem
,
331 ppc_hash_pte32_t
*pte
)
333 hwaddr pte_offset
= pteg_off
;
334 target_ulong pte0
, pte1
;
337 for (i
= 0; i
< HPTES_PER_GROUP
; i
++) {
338 pte0
= ppc_hash32_load_hpte0(env
, pte_offset
);
339 pte1
= ppc_hash32_load_hpte1(env
, pte_offset
);
341 if ((pte0
& HPTE32_V_VALID
)
342 && (secondary
== !!(pte0
& HPTE32_V_SECONDARY
))
343 && HPTE32_V_COMPARE(pte0
, ptem
)) {
349 pte_offset
+= HASH_PTE_SIZE_32
;
355 static hwaddr
ppc_hash32_htab_lookup(CPUPPCState
*env
,
356 target_ulong sr
, target_ulong eaddr
,
357 ppc_hash_pte32_t
*pte
)
359 hwaddr pteg_off
, pte_offset
;
361 uint32_t vsid
, pgidx
, ptem
;
363 vsid
= sr
& SR32_VSID
;
364 pgidx
= (eaddr
& ~SEGMENT_MASK_256M
) >> TARGET_PAGE_BITS
;
366 ptem
= (vsid
<< 7) | (pgidx
>> 10);
368 /* Page address translation */
369 LOG_MMU("htab_base " TARGET_FMT_plx
" htab_mask " TARGET_FMT_plx
370 " hash " TARGET_FMT_plx
"\n",
371 env
->htab_base
, env
->htab_mask
, hash
);
373 /* Primary PTEG lookup */
374 LOG_MMU("0 htab=" TARGET_FMT_plx
"/" TARGET_FMT_plx
375 " vsid=%" PRIx32
" ptem=%" PRIx32
376 " hash=" TARGET_FMT_plx
"\n",
377 env
->htab_base
, env
->htab_mask
, vsid
, ptem
, hash
);
378 pteg_off
= get_pteg_offset32(env
, hash
);
379 pte_offset
= ppc_hash32_pteg_search(env
, pteg_off
, 0, ptem
, pte
);
380 if (pte_offset
== -1) {
381 /* Secondary PTEG lookup */
382 LOG_MMU("1 htab=" TARGET_FMT_plx
"/" TARGET_FMT_plx
383 " vsid=%" PRIx32
" api=%" PRIx32
384 " hash=" TARGET_FMT_plx
"\n", env
->htab_base
,
385 env
->htab_mask
, vsid
, ptem
, ~hash
);
386 pteg_off
= get_pteg_offset32(env
, ~hash
);
387 pte_offset
= ppc_hash32_pteg_search(env
, pteg_off
, 1, ptem
, pte
);
393 static int ppc_hash32_translate(CPUPPCState
*env
, struct mmu_ctx_hash32
*ctx
,
394 target_ulong eaddr
, int rwx
)
399 ppc_hash_pte32_t pte
;
401 assert((rwx
== 0) || (rwx
== 1) || (rwx
== 2));
403 /* 1. Handle real mode accesses */
404 if (((rwx
== 2) && (msr_ir
== 0)) || ((rwx
!= 2) && (msr_dr
== 0))) {
405 /* Translation is off */
407 ctx
->prot
= PAGE_READ
| PAGE_EXEC
| PAGE_WRITE
;
411 /* 2. Check Block Address Translation entries (BATs) */
412 if (env
->nb_BATs
!= 0) {
413 ret
= ppc_hash32_get_bat(env
, ctx
, eaddr
, rwx
);
419 /* 3. Look up the Segment Register */
420 sr
= env
->sr
[eaddr
>> 28];
422 /* 4. Handle direct store segments */
424 return ppc_hash32_direct_store(env
, sr
, eaddr
, rwx
,
425 &ctx
->raddr
, &ctx
->prot
);
428 /* 5. Check for segment level no-execute violation */
429 ctx
->nx
= !!(sr
& SR32_NX
);
430 if ((rwx
== 2) && ctx
->nx
) {
434 /* 6. Locate the PTE in the hash table */
435 pte_offset
= ppc_hash32_htab_lookup(env
, sr
, eaddr
, &pte
);
436 if (pte_offset
== -1) {
439 LOG_MMU("found PTE at offset %08" HWADDR_PRIx
"\n", pte_offset
);
441 /* 7. Check access permissions */
442 ctx
->key
= (((sr
& SR32_KP
) && (msr_pr
!= 0)) ||
443 ((sr
& SR32_KS
) && (msr_pr
== 0))) ? 1 : 0;
447 pp
= pte
.pte1
& HPTE32_R_PP
;
448 /* Compute access rights */
449 access
= ppc_hash32_pp_check(ctx
->key
, pp
, ctx
->nx
);
450 /* Keep the matching PTE informations */
451 ctx
->raddr
= pte
.pte1
;
453 ret
= ppc_hash32_check_prot(ctx
->prot
, rwx
);
456 LOG_MMU("PTE access granted !\n");
458 /* Access right violation */
459 LOG_MMU("PTE access rejected\n");
462 /* Update page flags */
463 if (ppc_hash32_pte_update_flags(ctx
, &pte
.pte1
, ret
, rwx
) == 1) {
464 ppc_hash32_store_hpte1(env
, pte_offset
, pte
.pte1
);
470 hwaddr
ppc_hash32_get_phys_page_debug(CPUPPCState
*env
, target_ulong addr
)
472 struct mmu_ctx_hash32 ctx
;
474 /* FIXME: Will not behave sanely for direct store segments, but
475 * they're almost never used */
476 if (unlikely(ppc_hash32_translate(env
, &ctx
, addr
, 0)
481 return ctx
.raddr
& TARGET_PAGE_MASK
;
484 int ppc_hash32_handle_mmu_fault(CPUPPCState
*env
, target_ulong address
, int rwx
,
487 struct mmu_ctx_hash32 ctx
;
490 ret
= ppc_hash32_translate(env
, &ctx
, address
, rwx
);
492 tlb_set_page(env
, address
& TARGET_PAGE_MASK
,
493 ctx
.raddr
& TARGET_PAGE_MASK
, ctx
.prot
,
494 mmu_idx
, TARGET_PAGE_SIZE
);
496 } else if (ret
< 0) {
501 /* No matches in page tables or TLB */
502 env
->exception_index
= POWERPC_EXCP_ISI
;
503 env
->error_code
= 0x40000000;
506 /* Access rights violation */
507 env
->exception_index
= POWERPC_EXCP_ISI
;
508 env
->error_code
= 0x08000000;
511 /* No execute protection violation */
512 env
->exception_index
= POWERPC_EXCP_ISI
;
513 env
->error_code
= 0x10000000;
516 /* Direct store exception */
517 /* No code fetch is allowed in direct-store areas */
518 env
->exception_index
= POWERPC_EXCP_ISI
;
519 env
->error_code
= 0x10000000;
525 /* No matches in page tables or TLB */
526 env
->exception_index
= POWERPC_EXCP_DSI
;
528 env
->spr
[SPR_DAR
] = address
;
530 env
->spr
[SPR_DSISR
] = 0x42000000;
532 env
->spr
[SPR_DSISR
] = 0x40000000;
536 /* Access rights violation */
537 env
->exception_index
= POWERPC_EXCP_DSI
;
539 env
->spr
[SPR_DAR
] = address
;
541 env
->spr
[SPR_DSISR
] = 0x0A000000;
543 env
->spr
[SPR_DSISR
] = 0x08000000;
547 /* Direct store exception */
548 switch (env
->access_type
) {
550 /* Floating point load/store */
551 env
->exception_index
= POWERPC_EXCP_ALIGN
;
552 env
->error_code
= POWERPC_EXCP_ALIGN_FP
;
553 env
->spr
[SPR_DAR
] = address
;
556 /* lwarx, ldarx or stwcx. */
557 env
->exception_index
= POWERPC_EXCP_DSI
;
559 env
->spr
[SPR_DAR
] = address
;
561 env
->spr
[SPR_DSISR
] = 0x06000000;
563 env
->spr
[SPR_DSISR
] = 0x04000000;
568 env
->exception_index
= POWERPC_EXCP_DSI
;
570 env
->spr
[SPR_DAR
] = address
;
572 env
->spr
[SPR_DSISR
] = 0x06100000;
574 env
->spr
[SPR_DSISR
] = 0x04100000;
578 printf("DSI: invalid exception (%d)\n", ret
);
579 env
->exception_index
= POWERPC_EXCP_PROGRAM
;
581 POWERPC_EXCP_INVAL
| POWERPC_EXCP_INVAL_INVAL
;
582 env
->spr
[SPR_DAR
] = address
;
589 printf("%s: set exception to %d %02x\n", __func__
,
590 env
->exception
, env
->error_code
);