/*
 * Common CPU TLB handling
 *
 * Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */

#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include "cpu.h"
#include "exec/exec-all.h"
#include "exec/memory.h"
#include "exec/address-spaces.h"
#include "exec/cpu_ldst.h"
#include "exec/cputlb.h"
#include "exec/memory-internal.h"
#include "exec/ram_addr.h"
#include "tcg/tcg.h"
#include "qemu/error-report.h"
#include "exec/log.h"
#include "exec/helper-proto.h"
#include "qemu/atomic.h"
#include "qemu/atomic128.h"

/* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
/* #define DEBUG_TLB */
/* #define DEBUG_TLB_LOG */

#ifdef DEBUG_TLB
# define DEBUG_TLB_GATE 1
# ifdef DEBUG_TLB_LOG
#  define DEBUG_TLB_LOG_GATE 1
# else
#  define DEBUG_TLB_LOG_GATE 0
# endif
#else
# define DEBUG_TLB_GATE 0
# define DEBUG_TLB_LOG_GATE 0
#endif

#define tlb_debug(fmt, ...) do { \
    if (DEBUG_TLB_LOG_GATE) { \
        qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
                      ## __VA_ARGS__); \
    } else if (DEBUG_TLB_GATE) { \
        fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
    } \
} while (0)

#define assert_cpu_is_self(cpu) do {                              \
        if (DEBUG_TLB_GATE) {                                     \
            g_assert(!(cpu)->created || qemu_cpu_is_self(cpu));   \
        }                                                         \
    } while (0)

/* run_on_cpu_data.target_ptr should always be big enough for a
 * target_ulong even on 32 bit builds */
QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));

/* We currently can't handle more than 16 bits in the MMUIDX bitmask.
 */
QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
#define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)

void tlb_init(CPUState *cpu)
{
    CPUArchState *env = cpu->env_ptr;

    qemu_spin_init(&env->tlb_c.lock);

    /* Ensure that cpu_reset performs a full flush.  */
    env->tlb_c.dirty = ALL_MMUIDX_BITS;
}
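
/*
 * Note: ALL_MMUIDX_BITS has one bit per MMU index.  For example, a
 * (hypothetical) target with NB_MMU_MODES == 3 gets ALL_MMUIDX_BITS == 0x7.
 * Setting tlb_c.dirty to ALL_MMUIDX_BITS above means every MMU index is
 * considered dirty, so the full flush triggered by cpu_reset actually cleans
 * every index instead of being elided.
 */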

/* flush_all_helper: run fn across all cpus
 *
 * If the wait flag is set then the src cpu's helper will be queued as
 * "safe" work and the loop exited creating a synchronisation point
 * where all queued work will be finished before execution starts
 * again.
 */
static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
                             run_on_cpu_data d)
{
    CPUState *cpu;

    CPU_FOREACH(cpu) {
        if (cpu != src) {
            async_run_on_cpu(cpu, fn, d);
        }
    }
}

void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
{
    CPUState *cpu;
    size_t full = 0, part = 0, elide = 0;

    CPU_FOREACH(cpu) {
        CPUArchState *env = cpu->env_ptr;

        full += atomic_read(&env->tlb_c.full_flush_count);
        part += atomic_read(&env->tlb_c.part_flush_count);
        elide += atomic_read(&env->tlb_c.elide_flush_count);
    }
    *pfull = full;
    *ppart = part;
    *pelide = elide;
}

static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
{
    memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
    memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
    env->tlb_d[mmu_idx].large_page_addr = -1;
    env->tlb_d[mmu_idx].large_page_mask = -1;
    env->tlb_d[mmu_idx].vindex = 0;
}

static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
{
    CPUArchState *env = cpu->env_ptr;
    uint16_t asked = data.host_int;
    uint16_t all_dirty, work, to_clean;

    assert_cpu_is_self(cpu);

    tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked);

    qemu_spin_lock(&env->tlb_c.lock);

    all_dirty = env->tlb_c.dirty;
    to_clean = asked & all_dirty;
    all_dirty &= ~to_clean;
    env->tlb_c.dirty = all_dirty;

    for (work = to_clean; work != 0; work &= work - 1) {
        int mmu_idx = ctz32(work);
        tlb_flush_one_mmuidx_locked(env, mmu_idx);
    }

    qemu_spin_unlock(&env->tlb_c.lock);

    cpu_tb_jmp_cache_clear(cpu);

    if (to_clean == ALL_MMUIDX_BITS) {
        atomic_set(&env->tlb_c.full_flush_count,
                   env->tlb_c.full_flush_count + 1);
    } else {
        atomic_set(&env->tlb_c.part_flush_count,
                   env->tlb_c.part_flush_count + ctpop16(to_clean));
        if (to_clean != asked) {
            atomic_set(&env->tlb_c.elide_flush_count,
                       env->tlb_c.elide_flush_count +
                       ctpop16(asked & ~to_clean));
        }
    }
}

void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
{
    tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);

    if (cpu->created && !qemu_cpu_is_self(cpu)) {
        async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
                         RUN_ON_CPU_HOST_INT(idxmap));
    } else {
        tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
    }
}

void tlb_flush(CPUState *cpu)
{
    tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
}

void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;

    tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
    fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
}

void tlb_flush_all_cpus(CPUState *src_cpu)
{
    tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
}

void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;

    tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
}

void tlb_flush_all_cpus_synced(CPUState *src_cpu)
{
    tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
}
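
/*
 * Usage note (illustrative; the mmu_idx value is target specific): a target
 * helper that must not continue until every vCPU has dropped translations
 * for MMU index 1 would use
 *
 *     tlb_flush_by_mmuidx_all_cpus_synced(cs, 1 << 1);
 *
 * which queues the source CPU's flush as "safe" work and so creates a
 * synchronisation point, whereas tlb_flush_by_mmuidx_all_cpus() queues the
 * remote flushes without waiting for them to complete.
 */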

static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
                                        target_ulong page)
{
    return tlb_hit_page(tlb_entry->addr_read, page) ||
           tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
           tlb_hit_page(tlb_entry->addr_code, page);
}

/**
 * tlb_entry_is_empty - return true if the entry is not in use
 * @te: pointer to CPUTLBEntry
 */
static inline bool tlb_entry_is_empty(const CPUTLBEntry *te)
{
    return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1;
}

/* Called with tlb_c.lock held */
static inline void tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
                                          target_ulong page)
{
    if (tlb_hit_page_anyprot(tlb_entry, page)) {
        memset(tlb_entry, -1, sizeof(*tlb_entry));
    }
}

/* Called with tlb_c.lock held */
static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
                                              target_ulong page)
{
    int k;

    assert_cpu_is_self(ENV_GET_CPU(env));
    for (k = 0; k < CPU_VTLB_SIZE; k++) {
        tlb_flush_entry_locked(&env->tlb_v_table[mmu_idx][k], page);
    }
}

static void tlb_flush_page_locked(CPUArchState *env, int midx,
                                  target_ulong page)
{
    target_ulong lp_addr = env->tlb_d[midx].large_page_addr;
    target_ulong lp_mask = env->tlb_d[midx].large_page_mask;

    /* Check if we need to flush due to large pages.  */
    if ((page & lp_mask) == lp_addr) {
        tlb_debug("forcing full flush midx %d ("
                  TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                  midx, lp_addr, lp_mask);
        tlb_flush_one_mmuidx_locked(env, midx);
    } else {
        tlb_flush_entry_locked(tlb_entry(env, midx, page), page);
        tlb_flush_vtlb_page_locked(env, midx, page);
    }
}

/* As we are going to hijack the bottom bits of the page address for a
 * mmuidx bit mask we need to fail to build if we can't do that
 */
QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);

static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
                                                run_on_cpu_data data)
{
    CPUArchState *env = cpu->env_ptr;
    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
    int mmu_idx;

    assert_cpu_is_self(cpu);

    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
              addr, mmu_idx_bitmap);

    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
            tlb_flush_page_locked(env, mmu_idx, addr);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);

    tb_flush_jmp_cache(cpu, addr);
}

void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
{
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    if (!qemu_cpu_is_self(cpu)) {
        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    } else {
        tlb_flush_page_by_mmuidx_async_work(
            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    }
}

void tlb_flush_page(CPUState *cpu, target_ulong addr)
{
    tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
}
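
/*
 * Worked example of the packing above, assuming (hypothetically) 4 KiB
 * target pages and NB_MMU_MODES == 3: flushing page 0x1234f000 for MMU
 * indexes 0 and 1 encodes as 0x1234f000 | 0x3 == 0x1234f003.  The async
 * worker recovers the page with "& TARGET_PAGE_MASK" and the index bitmap
 * with "& ALL_MMUIDX_BITS"; the QEMU_BUILD_BUG_ON above guarantees the two
 * fields can never overlap.
 */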

void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                       uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
}

void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
{
    tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS);
}

void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                              target_ulong addr,
                                              uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
}

void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
{
    tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
}

/* update the TLBs so that writes to code in the virtual page 'addr'
   can be detected */
void tlb_protect_code(ram_addr_t ram_addr)
{
    cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
                                             DIRTY_MEMORY_CODE);
}

/* update the TLB so that writes in physical page 'phys_addr' are no longer
   tested for self modifying code */
void tlb_unprotect_code(ram_addr_t ram_addr)
{
    cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
}


/*
 * Dirty write flag handling
 *
 * When the TCG code writes to a location it looks up the address in
 * the TLB and uses that data to compute the final address. If any of
 * the lower bits of the address are set then the slow path is forced.
 * There are a number of reasons to do this but for normal RAM the
 * most usual is detecting writes to code regions which may invalidate
 * generated code.
 *
 * Other vCPUs might be reading their TLBs during guest execution, so we update
 * te->addr_write with atomic_set. We don't need to worry about this for
 * oversized guests as MTTCG is disabled for them.
 *
 * Called with tlb_c.lock held.
 */
static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
                                         uintptr_t start, uintptr_t length)
{
    uintptr_t addr = tlb_entry->addr_write;

    if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
        addr &= TARGET_PAGE_MASK;
        addr += tlb_entry->addend;
        if ((addr - start) < length) {
#if TCG_OVERSIZED_GUEST
            tlb_entry->addr_write |= TLB_NOTDIRTY;
#else
            atomic_set(&tlb_entry->addr_write,
                       tlb_entry->addr_write | TLB_NOTDIRTY);
#endif
        }
    }
}

/*
 * Called with tlb_c.lock held.
 * Called only from the vCPU context, i.e. the TLB's owner thread.
 */
static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
{
    *d = *s;
}

/* This is a cross vCPU call (i.e. another vCPU resetting the flags of
 * the target vCPU).
 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
 * thing actually updated is the target TLB entry ->addr_write flags.
 */
void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
{
    CPUArchState *env;

    int mmu_idx;

    env = cpu->env_ptr;
    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        unsigned int i;

        for (i = 0; i < CPU_TLB_SIZE; i++) {
            tlb_reset_dirty_range_locked(&env->tlb_table[mmu_idx][i], start1,
                                         length);
        }

        for (i = 0; i < CPU_VTLB_SIZE; i++) {
            tlb_reset_dirty_range_locked(&env->tlb_v_table[mmu_idx][i], start1,
                                         length);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Called with tlb_c.lock held */
static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
                                         target_ulong vaddr)
{
    if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
        tlb_entry->addr_write = vaddr;
    }
}

/* update the TLB corresponding to virtual page vaddr
   so that it is no longer dirty */
void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
{
    CPUArchState *env = cpu->env_ptr;
    int mmu_idx;

    assert_cpu_is_self(cpu);

    vaddr &= TARGET_PAGE_MASK;
    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
    }

    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        int k;
        for (k = 0; k < CPU_VTLB_SIZE; k++) {
            tlb_set_dirty1_locked(&env->tlb_v_table[mmu_idx][k], vaddr);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Our TLB does not support large pages, so remember the area covered by
   large pages and trigger a full TLB flush if these are invalidated.  */
static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
                               target_ulong vaddr, target_ulong size)
{
    target_ulong lp_addr = env->tlb_d[mmu_idx].large_page_addr;
    target_ulong lp_mask = ~(size - 1);

    if (lp_addr == (target_ulong)-1) {
        /* No previous large page.  */
        lp_addr = vaddr;
    } else {
        /* Extend the existing region to include the new page.
           This is a compromise between unnecessary flushes and
           the cost of maintaining a full variable size TLB.  */
        lp_mask &= env->tlb_d[mmu_idx].large_page_mask;
        while (((lp_addr ^ vaddr) & lp_mask) != 0) {
            lp_mask <<= 1;
        }
    }
    env->tlb_d[mmu_idx].large_page_addr = lp_addr & lp_mask;
    env->tlb_d[mmu_idx].large_page_mask = lp_mask;
}
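
/*
 * Worked example for the mask widening above, assuming (hypothetically)
 * 32-bit addresses and 2 MiB large pages: with an existing region of
 * 0x40000000/0xffe00000, adding vaddr 0x40200000 finds the two addresses
 * differing within the current mask, so lp_mask is shifted left once to
 * 0xffc00000 and the recorded region becomes 0x40000000/0xffc00000, i.e. a
 * 4 MiB span covering both large pages.
 */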

/* Add a new TLB entry. At most one entry for a given virtual address
 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
 * supplied size is only used by tlb_flush_page.
 *
 * Called from TCG-generated code, which is under an RCU read-side
 * critical section.
 */
void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
                             hwaddr paddr, MemTxAttrs attrs, int prot,
                             int mmu_idx, target_ulong size)
{
    CPUArchState *env = cpu->env_ptr;
    MemoryRegionSection *section;
    unsigned int index;
    target_ulong address;
    target_ulong code_address;
    uintptr_t addend;
    CPUTLBEntry *te, tn;
    hwaddr iotlb, xlat, sz, paddr_page;
    target_ulong vaddr_page;
    int asidx = cpu_asidx_from_attrs(cpu, attrs);

    assert_cpu_is_self(cpu);

    if (size <= TARGET_PAGE_SIZE) {
        sz = TARGET_PAGE_SIZE;
    } else {
        tlb_add_large_page(env, mmu_idx, vaddr, size);
        sz = size;
    }
    vaddr_page = vaddr & TARGET_PAGE_MASK;
    paddr_page = paddr & TARGET_PAGE_MASK;

    section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
                                                &xlat, &sz, attrs, &prot);
    assert(sz >= TARGET_PAGE_SIZE);

    tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
              " prot=%x idx=%d\n",
              vaddr, paddr, prot, mmu_idx);

    address = vaddr_page;
    if (size < TARGET_PAGE_SIZE) {
        /*
         * Slow-path the TLB entries; we will repeat the MMU check and TLB
         * fill on every access.
         */
        address |= TLB_RECHECK;
    }
    if (!memory_region_is_ram(section->mr) &&
        !memory_region_is_romd(section->mr)) {
        /* IO memory case */
        address |= TLB_MMIO;
        addend = 0;
    } else {
        /* TLB_MMIO for rom/romd handled below */
        addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
    }

    code_address = address;
    iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
                                            paddr_page, xlat, prot, &address);

    index = tlb_index(env, mmu_idx, vaddr_page);
    te = tlb_entry(env, mmu_idx, vaddr_page);

    /*
     * Hold the TLB lock for the rest of the function. We could acquire/release
     * the lock several times in the function, but it is faster to amortize the
     * acquisition cost by acquiring it just once. Note that this leads to
     * a longer critical section, but this is not a concern since the TLB lock
     * is unlikely to be contended.
     */
    qemu_spin_lock(&env->tlb_c.lock);

    /* Note that the tlb is no longer clean.  */
    env->tlb_c.dirty |= 1 << mmu_idx;

    /* Make sure there's no cached translation for the new page.  */
    tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);

    /*
     * Only evict the old entry to the victim tlb if it's for a
     * different page; otherwise just overwrite the stale data.
     */
    if (!tlb_hit_page_anyprot(te, vaddr_page) && !tlb_entry_is_empty(te)) {
        unsigned vidx = env->tlb_d[mmu_idx].vindex++ % CPU_VTLB_SIZE;
        CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];

        /* Evict the old entry into the victim tlb.  */
        copy_tlb_helper_locked(tv, te);
        env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
    }

    /* refill the tlb */
    /*
     * At this point iotlb contains a physical section number in the lower
     * TARGET_PAGE_BITS, and either
     *  + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
     *  + the offset within section->mr of the page base (otherwise)
     * We subtract the vaddr_page (which is page aligned and thus won't
     * disturb the low bits) to give an offset which can be added to the
     * (non-page-aligned) vaddr of the eventual memory access to get
     * the MemoryRegion offset for the access. Note that the vaddr we
     * subtract here is that of the page base, and not the same as the
     * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
     */
    env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
    env->iotlb[mmu_idx][index].attrs = attrs;

    /* Now calculate the new entry */
    tn.addend = addend - vaddr_page;
    if (prot & PAGE_READ) {
        tn.addr_read = address;
    } else {
        tn.addr_read = -1;
    }

    if (prot & PAGE_EXEC) {
        tn.addr_code = code_address;
    } else {
        tn.addr_code = -1;
    }

    tn.addr_write = -1;
    if (prot & PAGE_WRITE) {
        if ((memory_region_is_ram(section->mr) && section->readonly)
            || memory_region_is_romd(section->mr)) {
            /* Write access calls the I/O callback.  */
            tn.addr_write = address | TLB_MMIO;
        } else if (memory_region_is_ram(section->mr)
                   && cpu_physical_memory_is_clean(
                       memory_region_get_ram_addr(section->mr) + xlat)) {
            tn.addr_write = address | TLB_NOTDIRTY;
        } else {
            tn.addr_write = address;
        }
        if (prot & PAGE_WRITE_INV) {
            tn.addr_write |= TLB_INVALID_MASK;
        }
    }

    copy_tlb_helper_locked(te, &tn);
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Add a new TLB entry, but without specifying the memory
 * transaction attributes to be used.
 */
void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                  hwaddr paddr, int prot,
                  int mmu_idx, target_ulong size)
{
    tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
                            prot, mmu_idx, size);
}

static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
{
    ram_addr_t ram_addr;

    ram_addr = qemu_ram_addr_from_host(ptr);
    if (ram_addr == RAM_ADDR_INVALID) {
        error_report("Bad ram pointer %p", ptr);
        abort();
    }
    return ram_addr;
}
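
/*
 * Note on addend: for a RAM-backed page the fast path computes the host
 * address as (guest vaddr + entry->addend).  Since tn.addend above is set to
 * (host pointer of the guest page - vaddr_page), the page-offset bits of the
 * guest address carry over unchanged into the host pointer.  The same
 * addition appears in the RAM fallbacks of io_readx()/io_writex() and in
 * get_page_addr_code() below.
 */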

static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
                         int mmu_idx,
                         target_ulong addr, uintptr_t retaddr,
                         bool recheck, MMUAccessType access_type, int size)
{
    CPUState *cpu = ENV_GET_CPU(env);
    hwaddr mr_offset;
    MemoryRegionSection *section;
    MemoryRegion *mr;
    uint64_t val;
    bool locked = false;
    MemTxResult r;

    if (recheck) {
        /*
         * This is a TLB_RECHECK access, where the MMU protection
         * covers a smaller range than a target page, and we must
         * repeat the MMU check here. This tlb_fill() call might
         * longjump out if this access should cause a guest exception.
         */
        CPUTLBEntry *entry;
        target_ulong tlb_addr;

        tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);

        entry = tlb_entry(env, mmu_idx, addr);
        tlb_addr = entry->addr_read;
        if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
            /* RAM access */
            uintptr_t haddr = addr + entry->addend;

            return ldn_p((void *)haddr, size);
        }
        /* Fall through for handling IO accesses */
    }

    section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
    mr = section->mr;
    mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
    cpu->mem_io_pc = retaddr;
    if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
        cpu_io_recompile(cpu, retaddr);
    }

    cpu->mem_io_vaddr = addr;
    cpu->mem_io_access_type = access_type;

    if (mr->global_locking && !qemu_mutex_iothread_locked()) {
        qemu_mutex_lock_iothread();
        locked = true;
    }
    r = memory_region_dispatch_read(mr, mr_offset,
                                    &val, size, iotlbentry->attrs);
    if (r != MEMTX_OK) {
        hwaddr physaddr = mr_offset +
            section->offset_within_address_space -
            section->offset_within_region;

        cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
                               mmu_idx, iotlbentry->attrs, r, retaddr);
    }
    if (locked) {
        qemu_mutex_unlock_iothread();
    }

    return val;
}

static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
                      int mmu_idx,
                      uint64_t val, target_ulong addr,
                      uintptr_t retaddr, bool recheck, int size)
{
    CPUState *cpu = ENV_GET_CPU(env);
    hwaddr mr_offset;
    MemoryRegionSection *section;
    MemoryRegion *mr;
    bool locked = false;
    MemTxResult r;

    if (recheck) {
        /*
         * This is a TLB_RECHECK access, where the MMU protection
         * covers a smaller range than a target page, and we must
         * repeat the MMU check here. This tlb_fill() call might
         * longjump out if this access should cause a guest exception.
         */
        CPUTLBEntry *entry;
        target_ulong tlb_addr;

        tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);

        entry = tlb_entry(env, mmu_idx, addr);
        tlb_addr = tlb_addr_write(entry);
        if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
            /* RAM access */
            uintptr_t haddr = addr + entry->addend;

            stn_p((void *)haddr, size, val);
            return;
        }
        /* Fall through for handling IO accesses */
    }

    section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
    mr = section->mr;
    mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
    if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
        cpu_io_recompile(cpu, retaddr);
    }
    cpu->mem_io_vaddr = addr;
    cpu->mem_io_pc = retaddr;

    if (mr->global_locking && !qemu_mutex_iothread_locked()) {
        qemu_mutex_lock_iothread();
        locked = true;
    }
    r = memory_region_dispatch_write(mr, mr_offset,
                                     val, size, iotlbentry->attrs);
    if (r != MEMTX_OK) {
        hwaddr physaddr = mr_offset +
            section->offset_within_address_space -
            section->offset_within_region;

        cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
                               mmu_idx, iotlbentry->attrs, r, retaddr);
    }
    if (locked) {
        qemu_mutex_unlock_iothread();
    }
}
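
/*
 * Both io_readx() and io_writex() follow the same locking pattern for MMIO
 * dispatch: if the target MemoryRegion requires the global lock
 * (mr->global_locking) and the caller does not already hold it, the BQL is
 * taken around memory_region_dispatch_read()/write() and dropped afterwards,
 * so device models that rely on the BQL remain safe under MTTCG.
 */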

/* Return true if ADDR is present in the victim tlb, and has been copied
   back to the main tlb.  */
static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
                           size_t elt_ofs, target_ulong page)
{
    size_t vidx;

    assert_cpu_is_self(ENV_GET_CPU(env));
    for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
        CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
        target_ulong cmp;

        /* elt_ofs might correspond to .addr_write, so use atomic_read */
#if TCG_OVERSIZED_GUEST
        cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
#else
        cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
#endif

        if (cmp == page) {
            /* Found entry in victim tlb, swap tlb and iotlb.  */
            CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];

            qemu_spin_lock(&env->tlb_c.lock);
            copy_tlb_helper_locked(&tmptlb, tlb);
            copy_tlb_helper_locked(tlb, vtlb);
            copy_tlb_helper_locked(vtlb, &tmptlb);
            qemu_spin_unlock(&env->tlb_c.lock);

            CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
            CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
            tmpio = *io; *io = *vio; *vio = tmpio;
            return true;
        }
    }
    return false;
}

/* Macro to call the above, with local variables from the use context.  */
#define VICTIM_TLB_HIT(TY, ADDR) \
  victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
                 (ADDR) & TARGET_PAGE_MASK)
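
/*
 * For example, VICTIM_TLB_HIT(addr_write, addr) expands to
 *
 *     victim_tlb_hit(env, mmu_idx, index,
 *                    offsetof(CPUTLBEntry, addr_write),
 *                    (addr) & TARGET_PAGE_MASK)
 *
 * and therefore relies on the caller having "env", "mmu_idx" and "index"
 * in scope under those exact names.
 */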

/* NOTE: this function can trigger an exception */
/* NOTE2: the returned address is not exactly the physical address: it
 * is actually a ram_addr_t (in system mode; the user mode emulation
 * version of this function returns a guest virtual address).
 */
tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
{
    uintptr_t mmu_idx = cpu_mmu_index(env, true);
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
    void *p;

    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
        if (!VICTIM_TLB_HIT(addr_code, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
        }
        assert(tlb_hit(entry->addr_code, addr));
    }

    if (unlikely(entry->addr_code & (TLB_RECHECK | TLB_MMIO))) {
        /*
         * Return -1 if we can't translate and execute from an entire
         * page of RAM here, which will cause us to execute by loading
         * and translating one insn at a time, without caching:
         *  - TLB_RECHECK: means the MMU protection covers a smaller range
         *    than a target page, so we must redo the MMU check every insn
         *  - TLB_MMIO: region is not backed by RAM
         */
        return -1;
    }

    p = (void *)((uintptr_t)addr + entry->addend);
    return qemu_ram_addr_from_host_nofail(p);
}

/* Probe for whether the specified guest write access is permitted.
 * If it is not permitted then an exception will be taken in the same
 * way as if this were a real write access (and we will not return).
 * Otherwise the function will return, and there will be a valid
 * entry in the TLB for this access.
 */
void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                 uintptr_t retaddr)
{
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);

    if (!tlb_hit(tlb_addr_write(entry), addr)) {
        /* TLB entry is for a different page */
        if (!VICTIM_TLB_HIT(addr_write, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
                     mmu_idx, retaddr);
        }
    }
}
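
/*
 * Typical use of probe_write(): a target helper that is about to perform a
 * multi-part store it cannot back out of can probe the destination first,
 * so that any permission fault is raised before the helper has modified any
 * guest-visible state.
 */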

/* Probe for a read-modify-write atomic operation.  Do not allow unaligned
 * operations, or io operations to proceed.  Return the host address.  */
static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
                               TCGMemOpIdx oi, uintptr_t retaddr,
                               NotDirtyInfo *ndi)
{
    size_t mmu_idx = get_mmuidx(oi);
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
    target_ulong tlb_addr = tlb_addr_write(tlbe);
    TCGMemOp mop = get_memop(oi);
    int a_bits = get_alignment_bits(mop);
    int s_bits = mop & MO_SIZE;
    void *hostaddr;

    /* Adjust the given return address.  */
    retaddr -= GETPC_ADJ;

    /* Enforce guest required alignment.  */
    if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
        /* ??? Maybe indicate atomic op to cpu_unaligned_access */
        cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
                             mmu_idx, retaddr);
    }

    /* Enforce qemu required alignment.  */
    if (unlikely(addr & ((1 << s_bits) - 1))) {
        /* We get here if guest alignment was not requested,
           or was not enforced by cpu_unaligned_access above.
           We might widen the access and emulate, but for now
           mark an exception and exit the cpu loop.  */
        goto stop_the_world;
    }

    /* Check TLB entry and enforce page permissions.  */
    if (!tlb_hit(tlb_addr, addr)) {
        if (!VICTIM_TLB_HIT(addr_write, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
                     mmu_idx, retaddr);
        }
        tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
    }

    /* Notice an IO access or a needs-MMU-lookup access */
    if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
        /* There's really nothing that can be done to
           support this apart from stop-the-world.  */
        goto stop_the_world;
    }

    /* Let the guest notice RMW on a write-only page.  */
    if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
        tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
                 mmu_idx, retaddr);
        /* Since we don't support reads and writes to different addresses,
           and we do have the proper page loaded for write, this shouldn't
           ever return.  But just in case, handle via stop-the-world.  */
        goto stop_the_world;
    }

    hostaddr = (void *)((uintptr_t)addr + tlbe->addend);

    ndi->active = false;
    if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
        ndi->active = true;
        memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
                                      qemu_ram_addr_from_host_nofail(hostaddr),
                                      1 << s_bits);
    }

    return hostaddr;

 stop_the_world:
    cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
}

#ifdef TARGET_WORDS_BIGENDIAN
# define TGT_BE(X)  (X)
# define TGT_LE(X)  BSWAP(X)
#else
# define TGT_BE(X)  BSWAP(X)
# define TGT_LE(X)  (X)
#endif

#define MMUSUFFIX _mmu

#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"

/* First set of helpers allows passing in of OI and RETADDR.  This makes
   them callable from other helpers.  */

#define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
#define ATOMIC_NAME(X) \
    HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
#define ATOMIC_MMU_DECLS NotDirtyInfo ndi
#define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
#define ATOMIC_MMU_CLEANUP                              \
    do {                                                \
        if (unlikely(ndi.active)) {                     \
            memory_notdirty_write_complete(&ndi);       \
        }                                               \
    } while (0)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

#if HAVE_CMPXCHG128 || HAVE_ATOMIC128
#define DATA_SIZE 16
#include "atomic_template.h"
#endif

/* Second set of helpers are directly callable from TCG as helpers.  */

#undef EXTRA_ARGS
#undef ATOMIC_NAME
#undef ATOMIC_MMU_LOOKUP
#define EXTRA_ARGS         , TCGMemOpIdx oi
#define ATOMIC_NAME(X)     HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
#define ATOMIC_MMU_LOOKUP  atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

/* Code access functions.  */

#undef MMUSUFFIX
#define MMUSUFFIX _cmmu
#undef GETPC
#define GETPC() ((uintptr_t)0)
#define SOFTMMU_CODE_ACCESS

#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"
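
/*
 * Each DATA_SIZE/#include pair above stamps out the soft-MMU load/store
 * (or atomic) helpers for that access width from the shared template header;
 * the final block, compiled with SOFTMMU_CODE_ACCESS and the _cmmu suffix,
 * produces the variants used for instruction fetches.
 */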