/*
 *  Common CPU TLB handling
 *
 *  Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */

#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include "cpu.h"
#include "exec/exec-all.h"
#include "exec/memory.h"
#include "exec/address-spaces.h"
#include "exec/cpu_ldst.h"
#include "exec/cputlb.h"
#include "exec/memory-internal.h"
#include "exec/ram_addr.h"
#include "tcg/tcg.h"
#include "qemu/error-report.h"
#include "exec/log.h"
#include "exec/helper-proto.h"
#include "qemu/atomic.h"
#include "qemu/atomic128.h"

/* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
/* #define DEBUG_TLB */
/* #define DEBUG_TLB_LOG */

#ifdef DEBUG_TLB
# define DEBUG_TLB_GATE 1
# ifdef DEBUG_TLB_LOG
#  define DEBUG_TLB_LOG_GATE 1
# else
#  define DEBUG_TLB_LOG_GATE 0
# endif
#else
# define DEBUG_TLB_GATE 0
# define DEBUG_TLB_LOG_GATE 0
#endif

#define tlb_debug(fmt, ...) do { \
    if (DEBUG_TLB_LOG_GATE) { \
        qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
                      ## __VA_ARGS__); \
    } else if (DEBUG_TLB_GATE) { \
        fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
    } \
} while (0)

#define assert_cpu_is_self(cpu) do {                              \
        if (DEBUG_TLB_GATE) {                                     \
            g_assert(!(cpu)->created || qemu_cpu_is_self(cpu));   \
        }                                                         \
    } while (0)
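/*
 * Note (illustrative, editor's addition): because the gates above are plain
 * C constants rather than preprocessor conditionals around the call sites,
 * the debug calls are always compiled (so they cannot bit-rot) and the
 * compiler simply discards the dead branches when the gates are 0.  A
 * typical call looks like the ones used throughout this file, e.g.:
 *
 *     tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
 */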
/* run_on_cpu_data.target_ptr should always be big enough for a
 * target_ulong even on 32 bit builds */
QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));

/* We currently can't handle more than 16 bits in the MMUIDX bitmask.
 */
QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
#define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)

void tlb_init(CPUState *cpu)
{
    CPUArchState *env = cpu->env_ptr;

    qemu_spin_init(&env->tlb_c.lock);

    /* Ensure that cpu_reset performs a full flush.  */
    env->tlb_c.dirty = ALL_MMUIDX_BITS;
}

/* flush_all_helper: run fn across all cpus
 *
 * If the wait flag is set then the src cpu's helper will be queued as
 * "safe" work and the loop exited creating a synchronisation point
 * where all queued work will be finished before execution starts
 * again.
 */
static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
                             run_on_cpu_data d)
{
    CPUState *cpu;

    CPU_FOREACH(cpu) {
        if (cpu != src) {
            async_run_on_cpu(cpu, fn, d);
        }
    }
}

void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
{
    CPUState *cpu;
    size_t full = 0, part = 0, elide = 0;

    CPU_FOREACH(cpu) {
        CPUArchState *env = cpu->env_ptr;

        full += atomic_read(&env->tlb_c.full_flush_count);
        part += atomic_read(&env->tlb_c.part_flush_count);
        elide += atomic_read(&env->tlb_c.elide_flush_count);
    }
    *pfull = full;
    *ppart = part;
    *pelide = elide;
}

static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
{
    memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
    memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
    env->tlb_d[mmu_idx].large_page_addr = -1;
    env->tlb_d[mmu_idx].large_page_mask = -1;
    env->tlb_d[mmu_idx].vindex = 0;
}

static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
{
    CPUArchState *env = cpu->env_ptr;
    uint16_t asked = data.host_int;
    uint16_t all_dirty, work, to_clean;

    assert_cpu_is_self(cpu);

    tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked);

    qemu_spin_lock(&env->tlb_c.lock);

    all_dirty = env->tlb_c.dirty;
    to_clean = asked & all_dirty;
    all_dirty &= ~to_clean;
    env->tlb_c.dirty = all_dirty;

    for (work = to_clean; work != 0; work &= work - 1) {
        int mmu_idx = ctz32(work);
        tlb_flush_one_mmuidx_locked(env, mmu_idx);
    }

    qemu_spin_unlock(&env->tlb_c.lock);

    cpu_tb_jmp_cache_clear(cpu);

    if (to_clean == ALL_MMUIDX_BITS) {
        atomic_set(&env->tlb_c.full_flush_count,
                   env->tlb_c.full_flush_count + 1);
    } else {
        atomic_set(&env->tlb_c.part_flush_count,
                   env->tlb_c.part_flush_count + ctpop16(to_clean));
        if (to_clean != asked) {
            atomic_set(&env->tlb_c.elide_flush_count,
                       env->tlb_c.elide_flush_count +
                       ctpop16(asked & ~to_clean));
        }
    }
}

void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
{
    tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);

    if (cpu->created && !qemu_cpu_is_self(cpu)) {
        CPUArchState *env = cpu->env_ptr;
        uint16_t pending, to_clean;

        qemu_spin_lock(&env->tlb_c.lock);
        pending = env->tlb_c.pending_flush;
        to_clean = idxmap & ~pending;
        env->tlb_c.pending_flush = pending | idxmap;
        qemu_spin_unlock(&env->tlb_c.lock);

        if (to_clean) {
            tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", to_clean);
            async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
                             RUN_ON_CPU_HOST_INT(to_clean));
        }
    } else {
        tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
    }
}

void tlb_flush(CPUState *cpu)
{
    tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
}
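/*
 * Illustrative only (editor's addition): a target that wants to flush a
 * subset of its MMU modes passes a bitmask of mmu_idx values.  Assuming
 * hypothetical target-defined indexes MMU_KERNEL_IDX and MMU_USER_IDX,
 * that would look like:
 *
 *     tlb_flush_by_mmuidx(cpu, (1 << MMU_KERNEL_IDX) | (1 << MMU_USER_IDX));
 *
 * tlb_flush() above is simply this call with ALL_MMUIDX_BITS, and the
 * async work only touches the modes whose dirty bit is still set.
 */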
void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;

    tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
    fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
}

void tlb_flush_all_cpus(CPUState *src_cpu)
{
    tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
}

void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;

    tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
}

void tlb_flush_all_cpus_synced(CPUState *src_cpu)
{
    tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
}

static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
                                        target_ulong page)
{
    return tlb_hit_page(tlb_entry->addr_read, page) ||
           tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
           tlb_hit_page(tlb_entry->addr_code, page);
}

/* Called with tlb_c.lock held */
static inline void tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
                                          target_ulong page)
{
    if (tlb_hit_page_anyprot(tlb_entry, page)) {
        memset(tlb_entry, -1, sizeof(*tlb_entry));
    }
}

/* Called with tlb_c.lock held */
static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
                                              target_ulong page)
{
    int k;

    assert_cpu_is_self(ENV_GET_CPU(env));
    for (k = 0; k < CPU_VTLB_SIZE; k++) {
        tlb_flush_entry_locked(&env->tlb_v_table[mmu_idx][k], page);
    }
}

static void tlb_flush_page_locked(CPUArchState *env, int midx,
                                  target_ulong page)
{
    target_ulong lp_addr = env->tlb_d[midx].large_page_addr;
    target_ulong lp_mask = env->tlb_d[midx].large_page_mask;

    /* Check if we need to flush due to large pages.  */
    if ((page & lp_mask) == lp_addr) {
        tlb_debug("forcing full flush midx %d ("
                  TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                  midx, lp_addr, lp_mask);
        tlb_flush_one_mmuidx_locked(env, midx);
    } else {
        tlb_flush_entry_locked(tlb_entry(env, midx, page), page);
        tlb_flush_vtlb_page_locked(env, midx, page);
    }
}

/* As we are going to hijack the bottom bits of the page address for a
 * mmuidx bit mask we need to fail to build if we can't do that
 */
QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);

static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
                                                run_on_cpu_data data)
{
    CPUArchState *env = cpu->env_ptr;
    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
    int mmu_idx;

    assert_cpu_is_self(cpu);

    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
              addr, mmu_idx_bitmap);

    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
            tlb_flush_page_locked(env, mmu_idx, addr);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);

    tb_flush_jmp_cache(cpu, addr);
}

void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
{
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    if (!qemu_cpu_is_self(cpu)) {
        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    } else {
        tlb_flush_page_by_mmuidx_async_work(
            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    }
}

void tlb_flush_page(CPUState *cpu, target_ulong addr)
{
    tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
}
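/*
 * Note (illustrative, editor's addition): the packing above works because
 * NB_MMU_MODES <= TARGET_PAGE_BITS_MIN (checked by the QEMU_BUILD_BUG_ON
 * above), so the page number and the idxmap never overlap.  For a
 * hypothetical 12-bit page size (TARGET_PAGE_MASK 0xfffff000) and idxmap
 * 0x3, addr 0xcafe1000 is packed as 0xcafe1003; the async worker then
 * splits it back into addr 0xcafe1000 and mmu_idx_bitmap 0x3.
 */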
void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                       uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
}

void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
{
    tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS);
}

void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                              target_ulong addr,
                                              uint16_t idxmap)
{
    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
    target_ulong addr_and_mmu_idx;

    tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);

    /* This should already be page aligned */
    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
    addr_and_mmu_idx |= idxmap;

    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
}

void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
{
    tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
}

/* update the TLBs so that writes to code in the virtual page 'addr'
   can be detected */
void tlb_protect_code(ram_addr_t ram_addr)
{
    cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
                                             DIRTY_MEMORY_CODE);
}

/* update the TLB so that writes in physical page 'phys_addr' are no longer
   tested for self modifying code */
void tlb_unprotect_code(ram_addr_t ram_addr)
{
    cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
}


/*
 * Dirty write flag handling
 *
 * When the TCG code writes to a location it looks up the address in
 * the TLB and uses that data to compute the final address. If any of
 * the lower bits of the address are set then the slow path is forced.
 * There are a number of reasons to do this but for normal RAM the
 * most usual is detecting writes to code regions which may invalidate
 * generated code.
 *
 * Other vCPUs might be reading their TLBs during guest execution, so we update
 * te->addr_write with atomic_set. We don't need to worry about this for
 * oversized guests as MTTCG is disabled for them.
 *
 * Called with tlb_c.lock held.
 */
static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
                                         uintptr_t start, uintptr_t length)
{
    uintptr_t addr = tlb_entry->addr_write;

    if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
        addr &= TARGET_PAGE_MASK;
        addr += tlb_entry->addend;
        if ((addr - start) < length) {
#if TCG_OVERSIZED_GUEST
            tlb_entry->addr_write |= TLB_NOTDIRTY;
#else
            atomic_set(&tlb_entry->addr_write,
                       tlb_entry->addr_write | TLB_NOTDIRTY);
#endif
        }
    }
}
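/*
 * Note (editor's addition): because addr, start and length are unsigned,
 * the single comparison "(addr - start) < length" above is the usual idiom
 * for "start <= addr && addr < start + length"; when addr is below start
 * the subtraction wraps around to a huge value and the test fails.
 */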
/*
 * Called with tlb_c.lock held.
 * Called only from the vCPU context, i.e. the TLB's owner thread.
 */
static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
{
    *d = *s;
}

/* This is a cross vCPU call (i.e. another vCPU resetting the flags of
 * the target vCPU).
 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
 * thing actually updated is the target TLB entry ->addr_write flags.
 */
void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
{
    CPUArchState *env;

    int mmu_idx;

    env = cpu->env_ptr;
    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        unsigned int i;

        for (i = 0; i < CPU_TLB_SIZE; i++) {
            tlb_reset_dirty_range_locked(&env->tlb_table[mmu_idx][i], start1,
                                         length);
        }

        for (i = 0; i < CPU_VTLB_SIZE; i++) {
            tlb_reset_dirty_range_locked(&env->tlb_v_table[mmu_idx][i], start1,
                                         length);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Called with tlb_c.lock held */
static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
                                         target_ulong vaddr)
{
    if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
        tlb_entry->addr_write = vaddr;
    }
}

/* update the TLB corresponding to virtual page vaddr
   so that it is no longer dirty */
void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
{
    CPUArchState *env = cpu->env_ptr;
    int mmu_idx;

    assert_cpu_is_self(cpu);

    vaddr &= TARGET_PAGE_MASK;
    qemu_spin_lock(&env->tlb_c.lock);
    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
    }

    for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
        int k;
        for (k = 0; k < CPU_VTLB_SIZE; k++) {
            tlb_set_dirty1_locked(&env->tlb_v_table[mmu_idx][k], vaddr);
        }
    }
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Our TLB does not support large pages, so remember the area covered by
   large pages and trigger a full TLB flush if these are invalidated.  */
static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
                               target_ulong vaddr, target_ulong size)
{
    target_ulong lp_addr = env->tlb_d[mmu_idx].large_page_addr;
    target_ulong lp_mask = ~(size - 1);

    if (lp_addr == (target_ulong)-1) {
        /* No previous large page.  */
        lp_addr = vaddr;
    } else {
        /* Extend the existing region to include the new page.
           This is a compromise between unnecessary flushes and
           the cost of maintaining a full variable size TLB.  */
        lp_mask &= env->tlb_d[mmu_idx].large_page_mask;
        while (((lp_addr ^ vaddr) & lp_mask) != 0) {
            lp_mask <<= 1;
        }
    }
    env->tlb_d[mmu_idx].large_page_addr = lp_addr & lp_mask;
    env->tlb_d[mmu_idx].large_page_mask = lp_mask;
}
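/*
 * Worked example (illustrative, editor's addition): suppose this mmu_idx
 * already tracks a 2MB large page at lp_addr 0x40000000 (lp_mask
 * 0xffe00000) and a new 2MB page is added at vaddr 0x40600000.  The loop
 * above shifts lp_mask left until both addresses fall in the same naturally
 * aligned region, giving lp_mask 0xff800000 and a tracked region of
 * 0x40000000-0x407fffff; a later tlb_flush_page() anywhere inside that
 * region then forces a full flush of this mmu_idx.
 */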
/* Add a new TLB entry. At most one entry for a given virtual address
 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
 * supplied size is only used by tlb_flush_page.
 *
 * Called from TCG-generated code, which is under an RCU read-side
 * critical section.
 */
void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
                             hwaddr paddr, MemTxAttrs attrs, int prot,
                             int mmu_idx, target_ulong size)
{
    CPUArchState *env = cpu->env_ptr;
    MemoryRegionSection *section;
    unsigned int index;
    target_ulong address;
    target_ulong code_address;
    uintptr_t addend;
    CPUTLBEntry *te, tn;
    hwaddr iotlb, xlat, sz, paddr_page;
    target_ulong vaddr_page;
    int asidx = cpu_asidx_from_attrs(cpu, attrs);

    assert_cpu_is_self(cpu);

    if (size <= TARGET_PAGE_SIZE) {
        sz = TARGET_PAGE_SIZE;
    } else {
        tlb_add_large_page(env, mmu_idx, vaddr, size);
        sz = size;
    }
    vaddr_page = vaddr & TARGET_PAGE_MASK;
    paddr_page = paddr & TARGET_PAGE_MASK;

    section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
                                                &xlat, &sz, attrs, &prot);
    assert(sz >= TARGET_PAGE_SIZE);

    tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
              " prot=%x idx=%d\n",
              vaddr, paddr, prot, mmu_idx);

    address = vaddr_page;
    if (size < TARGET_PAGE_SIZE) {
        /*
         * Slow-path the TLB entries; we will repeat the MMU check and TLB
         * fill on every access.
         */
        address |= TLB_RECHECK;
    }
    if (!memory_region_is_ram(section->mr) &&
        !memory_region_is_romd(section->mr)) {
        /* IO memory case */
        address |= TLB_MMIO;
        addend = 0;
    } else {
        /* TLB_MMIO for rom/romd handled below */
        addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
    }

    code_address = address;
    iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
                                            paddr_page, xlat, prot, &address);

    index = tlb_index(env, mmu_idx, vaddr_page);
    te = tlb_entry(env, mmu_idx, vaddr_page);

    /*
     * Hold the TLB lock for the rest of the function. We could acquire/release
     * the lock several times in the function, but it is faster to amortize the
     * acquisition cost by acquiring it just once. Note that this leads to
     * a longer critical section, but this is not a concern since the TLB lock
     * is unlikely to be contended.
     */
    qemu_spin_lock(&env->tlb_c.lock);

    /* Note that the tlb is no longer clean.  */
    env->tlb_c.dirty |= 1 << mmu_idx;

    /* Make sure there's no cached translation for the new page.  */
    tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);

    /*
     * Only evict the old entry to the victim tlb if it's for a
     * different page; otherwise just overwrite the stale data.
     */
    if (!tlb_hit_page_anyprot(te, vaddr_page)) {
        unsigned vidx = env->tlb_d[mmu_idx].vindex++ % CPU_VTLB_SIZE;
        CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];

        /* Evict the old entry into the victim tlb.  */
        copy_tlb_helper_locked(tv, te);
        env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
    }

    /* refill the tlb */
    /*
     * At this point iotlb contains a physical section number in the lower
     * TARGET_PAGE_BITS, and either
     *  + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
     *  + the offset within section->mr of the page base (otherwise)
     * We subtract the vaddr_page (which is page aligned and thus won't
     * disturb the low bits) to give an offset which can be added to the
     * (non-page-aligned) vaddr of the eventual memory access to get
     * the MemoryRegion offset for the access.
     * Note that the vaddr we subtract here is that of the page base,
     * and not the same as the vaddr we add back in
     * io_readx()/io_writex()/get_page_addr_code().
     */
    env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
    env->iotlb[mmu_idx][index].attrs = attrs;

    /* Now calculate the new entry */
    tn.addend = addend - vaddr_page;
    if (prot & PAGE_READ) {
        tn.addr_read = address;
    } else {
        tn.addr_read = -1;
    }

    if (prot & PAGE_EXEC) {
        tn.addr_code = code_address;
    } else {
        tn.addr_code = -1;
    }

    tn.addr_write = -1;
    if (prot & PAGE_WRITE) {
        if ((memory_region_is_ram(section->mr) && section->readonly)
            || memory_region_is_romd(section->mr)) {
            /* Write access calls the I/O callback.  */
            tn.addr_write = address | TLB_MMIO;
        } else if (memory_region_is_ram(section->mr)
                   && cpu_physical_memory_is_clean(
                       memory_region_get_ram_addr(section->mr) + xlat)) {
            tn.addr_write = address | TLB_NOTDIRTY;
        } else {
            tn.addr_write = address;
        }
        if (prot & PAGE_WRITE_INV) {
            tn.addr_write |= TLB_INVALID_MASK;
        }
    }

    copy_tlb_helper_locked(te, &tn);
    qemu_spin_unlock(&env->tlb_c.lock);
}

/* Add a new TLB entry, but without specifying the memory
 * transaction attributes to be used.
 */
void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                  hwaddr paddr, int prot,
                  int mmu_idx, target_ulong size)
{
    tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
                            prot, mmu_idx, size);
}
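/*
 * Note (illustrative, editor's addition): the entry built above encodes
 * permissions implicitly: addr_read/addr_write/addr_code are -1 when the
 * corresponding PAGE_* bit is absent, and otherwise hold the page-aligned
 * vaddr with any of TLB_MMIO / TLB_NOTDIRTY / TLB_RECHECK /
 * TLB_INVALID_MASK set in the low bits when the fast path must not be
 * taken for that kind of access.
 */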
static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
{
    ram_addr_t ram_addr;

    ram_addr = qemu_ram_addr_from_host(ptr);
    if (ram_addr == RAM_ADDR_INVALID) {
        error_report("Bad ram pointer %p", ptr);
        abort();
    }
    return ram_addr;
}

static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
                         int mmu_idx,
                         target_ulong addr, uintptr_t retaddr,
                         bool recheck, MMUAccessType access_type, int size)
{
    CPUState *cpu = ENV_GET_CPU(env);
    hwaddr mr_offset;
    MemoryRegionSection *section;
    MemoryRegion *mr;
    uint64_t val;
    bool locked = false;
    MemTxResult r;

    if (recheck) {
        /*
         * This is a TLB_RECHECK access, where the MMU protection
         * covers a smaller range than a target page, and we must
         * repeat the MMU check here. This tlb_fill() call might
         * longjump out if this access should cause a guest exception.
         */
        CPUTLBEntry *entry;
        target_ulong tlb_addr;

        tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);

        entry = tlb_entry(env, mmu_idx, addr);
        tlb_addr = entry->addr_read;
        if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
            /* RAM access */
            uintptr_t haddr = addr + entry->addend;

            return ldn_p((void *)haddr, size);
        }
        /* Fall through for handling IO accesses */
    }

    section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
    mr = section->mr;
    mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
    cpu->mem_io_pc = retaddr;
    if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
        cpu_io_recompile(cpu, retaddr);
    }

    cpu->mem_io_vaddr = addr;
    cpu->mem_io_access_type = access_type;

    if (mr->global_locking && !qemu_mutex_iothread_locked()) {
        qemu_mutex_lock_iothread();
        locked = true;
    }
    r = memory_region_dispatch_read(mr, mr_offset,
                                    &val, size, iotlbentry->attrs);
    if (r != MEMTX_OK) {
        hwaddr physaddr = mr_offset +
            section->offset_within_address_space -
            section->offset_within_region;

        cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
                               mmu_idx, iotlbentry->attrs, r, retaddr);
    }
    if (locked) {
        qemu_mutex_unlock_iothread();
    }

    return val;
}

static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
                      int mmu_idx,
                      uint64_t val, target_ulong addr,
                      uintptr_t retaddr, bool recheck, int size)
{
    CPUState *cpu = ENV_GET_CPU(env);
    hwaddr mr_offset;
    MemoryRegionSection *section;
    MemoryRegion *mr;
    bool locked = false;
    MemTxResult r;

    if (recheck) {
        /*
         * This is a TLB_RECHECK access, where the MMU protection
         * covers a smaller range than a target page, and we must
         * repeat the MMU check here. This tlb_fill() call might
         * longjump out if this access should cause a guest exception.
         */
        CPUTLBEntry *entry;
        target_ulong tlb_addr;

        tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);

        entry = tlb_entry(env, mmu_idx, addr);
        tlb_addr = tlb_addr_write(entry);
        if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
            /* RAM access */
            uintptr_t haddr = addr + entry->addend;

            stn_p((void *)haddr, size, val);
            return;
        }
        /* Fall through for handling IO accesses */
    }

    section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
    mr = section->mr;
    mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
    if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
        cpu_io_recompile(cpu, retaddr);
    }
    cpu->mem_io_vaddr = addr;
    cpu->mem_io_pc = retaddr;

    if (mr->global_locking && !qemu_mutex_iothread_locked()) {
        qemu_mutex_lock_iothread();
        locked = true;
    }
    r = memory_region_dispatch_write(mr, mr_offset,
                                     val, size, iotlbentry->attrs);
    if (r != MEMTX_OK) {
        hwaddr physaddr = mr_offset +
            section->offset_within_address_space -
            section->offset_within_region;

        cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
                               mmu_idx, iotlbentry->attrs, r, retaddr);
    }
    if (locked) {
        qemu_mutex_unlock_iothread();
    }
}
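/*
 * Note (editor's addition, assumption about the wider memory API): the
 * conditional qemu_mutex_lock_iothread() calls above reflect that most
 * MemoryRegions are dispatched under the big QEMU lock (mr->global_locking),
 * while regions that provide their own locking can be dispatched without
 * it; the "locked" flag ensures we only drop a lock we took ourselves.
 */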
/* Return true if ADDR is present in the victim tlb, and has been copied
   back to the main tlb.  */
static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
                           size_t elt_ofs, target_ulong page)
{
    size_t vidx;

    assert_cpu_is_self(ENV_GET_CPU(env));
    for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
        CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
        target_ulong cmp;

        /* elt_ofs might correspond to .addr_write, so use atomic_read */
#if TCG_OVERSIZED_GUEST
        cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
#else
        cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
#endif

        if (cmp == page) {
            /* Found entry in victim tlb, swap tlb and iotlb.  */
            CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];

            qemu_spin_lock(&env->tlb_c.lock);
            copy_tlb_helper_locked(&tmptlb, tlb);
            copy_tlb_helper_locked(tlb, vtlb);
            copy_tlb_helper_locked(vtlb, &tmptlb);
            qemu_spin_unlock(&env->tlb_c.lock);

            CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
            CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
            tmpio = *io; *io = *vio; *vio = tmpio;
            return true;
        }
    }
    return false;
}

/* Macro to call the above, with local variables from the use context.  */
#define VICTIM_TLB_HIT(TY, ADDR) \
  victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
                 (ADDR) & TARGET_PAGE_MASK)
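/*
 * Illustrative usage (editor's addition, taken from the helpers below): the
 * macro expands with the caller's local env, mmu_idx and index, so a write
 * probe looks like
 *
 *     if (!VICTIM_TLB_HIT(addr_write, addr)) {
 *         tlb_fill(...);
 *     }
 *
 * i.e. the victim TLB is consulted before falling back to a full tlb_fill.
 */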
/* NOTE: this function can trigger an exception */
/* NOTE2: the returned address is not exactly the physical address: it
 * is actually a ram_addr_t (in system mode; the user mode emulation
 * version of this function returns a guest virtual address).
 */
tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
{
    uintptr_t mmu_idx = cpu_mmu_index(env, true);
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
    void *p;

    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
        if (!VICTIM_TLB_HIT(addr_code, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
        }
        assert(tlb_hit(entry->addr_code, addr));
    }

    if (unlikely(entry->addr_code & (TLB_RECHECK | TLB_MMIO))) {
        /*
         * Return -1 if we can't translate and execute from an entire
         * page of RAM here, which will cause us to execute by loading
         * and translating one insn at a time, without caching:
         *  - TLB_RECHECK: means the MMU protection covers a smaller range
         *    than a target page, so we must redo the MMU check every insn
         *  - TLB_MMIO: region is not backed by RAM
         */
        return -1;
    }

    p = (void *)((uintptr_t)addr + entry->addend);
    return qemu_ram_addr_from_host_nofail(p);
}

/* Probe for whether the specified guest write access is permitted.
 * If it is not permitted then an exception will be taken in the same
 * way as if this were a real write access (and we will not return).
 * Otherwise the function will return, and there will be a valid
 * entry in the TLB for this access.
 */
void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                 uintptr_t retaddr)
{
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);

    if (!tlb_hit(tlb_addr_write(entry), addr)) {
        /* TLB entry is for a different page */
        if (!VICTIM_TLB_HIT(addr_write, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
                     mmu_idx, retaddr);
        }
    }
}
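/*
 * Illustrative only (editor's addition, hypothetical locals): a target
 * helper that must not fault halfway through a store can validate the
 * access up front, e.g.
 *
 *     probe_write(env, addr, size, cpu_mmu_index(env, false), GETPC());
 *
 * so that any permission fault is raised before the store begins.
 */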
/* Probe for a read-modify-write atomic operation.  Do not allow unaligned
 * operations, or io operations to proceed.  Return the host address.  */
static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
                               TCGMemOpIdx oi, uintptr_t retaddr,
                               NotDirtyInfo *ndi)
{
    size_t mmu_idx = get_mmuidx(oi);
    uintptr_t index = tlb_index(env, mmu_idx, addr);
    CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
    target_ulong tlb_addr = tlb_addr_write(tlbe);
    TCGMemOp mop = get_memop(oi);
    int a_bits = get_alignment_bits(mop);
    int s_bits = mop & MO_SIZE;
    void *hostaddr;

    /* Adjust the given return address.  */
    retaddr -= GETPC_ADJ;

    /* Enforce guest required alignment.  */
    if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
        /* ??? Maybe indicate atomic op to cpu_unaligned_access */
        cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
                             mmu_idx, retaddr);
    }

    /* Enforce qemu required alignment.  */
    if (unlikely(addr & ((1 << s_bits) - 1))) {
        /* We get here if guest alignment was not requested,
           or was not enforced by cpu_unaligned_access above.
           We might widen the access and emulate, but for now
           mark an exception and exit the cpu loop.  */
        goto stop_the_world;
    }

    /* Check TLB entry and enforce page permissions.  */
    if (!tlb_hit(tlb_addr, addr)) {
        if (!VICTIM_TLB_HIT(addr_write, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
                     mmu_idx, retaddr);
        }
        tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
    }

    /* Notice an IO access or a needs-MMU-lookup access */
    if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
        /* There's really nothing that can be done to
           support this apart from stop-the-world.  */
        goto stop_the_world;
    }

    /* Let the guest notice RMW on a write-only page.  */
    if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
        tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
                 mmu_idx, retaddr);
        /* Since we don't support reads and writes to different addresses,
           and we do have the proper page loaded for write, this shouldn't
           ever return.  But just in case, handle via stop-the-world.  */
        goto stop_the_world;
    }

    hostaddr = (void *)((uintptr_t)addr + tlbe->addend);

    ndi->active = false;
    if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
        ndi->active = true;
        memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
                                      qemu_ram_addr_from_host_nofail(hostaddr),
                                      1 << s_bits);
    }

    return hostaddr;

 stop_the_world:
    cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
}

#ifdef TARGET_WORDS_BIGENDIAN
# define TGT_BE(X)  (X)
# define TGT_LE(X)  BSWAP(X)
#else
# define TGT_BE(X)  BSWAP(X)
# define TGT_LE(X)  (X)
#endif

#define MMUSUFFIX _mmu

#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"

/* First set of helpers allows passing in of OI and RETADDR.  This makes
   them callable from other helpers.  */

#define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
#define ATOMIC_NAME(X) \
    HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
#define ATOMIC_MMU_DECLS NotDirtyInfo ndi
#define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
#define ATOMIC_MMU_CLEANUP                              \
    do {                                                \
        if (unlikely(ndi.active)) {                     \
            memory_notdirty_write_complete(&ndi);       \
        }                                               \
    } while (0)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

#if HAVE_CMPXCHG128 || HAVE_ATOMIC128
#define DATA_SIZE 16
#include "atomic_template.h"
#endif

/* Second set of helpers are directly callable from TCG as helpers.  */

#undef EXTRA_ARGS
#undef ATOMIC_NAME
#undef ATOMIC_MMU_LOOKUP
#define EXTRA_ARGS         , TCGMemOpIdx oi
#define ATOMIC_NAME(X)     HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
#define ATOMIC_MMU_LOOKUP  atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

/* Code access functions.  */

#undef MMUSUFFIX
#define MMUSUFFIX _cmmu
#undef GETPC
#define GETPC() ((uintptr_t)0)
#define SOFTMMU_CODE_ACCESS

#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"