1 /* 2 * Common CPU TLB handling 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #include "qemu/osdep.h" 21 #include "qemu/main-loop.h" 22 #include "cpu.h" 23 #include "exec/exec-all.h" 24 #include "exec/memory.h" 25 #include "exec/address-spaces.h" 26 #include "exec/cpu_ldst.h" 27 #include "exec/cputlb.h" 28 #include "exec/memory-internal.h" 29 #include "exec/ram_addr.h" 30 #include "tcg/tcg.h" 31 #include "qemu/error-report.h" 32 #include "exec/log.h" 33 #include "exec/helper-proto.h" 34 #include "qemu/atomic.h" 35 36 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */ 37 /* #define DEBUG_TLB */ 38 /* #define DEBUG_TLB_LOG */ 39 40 #ifdef DEBUG_TLB 41 # define DEBUG_TLB_GATE 1 42 # ifdef DEBUG_TLB_LOG 43 # define DEBUG_TLB_LOG_GATE 1 44 # else 45 # define DEBUG_TLB_LOG_GATE 0 46 # endif 47 #else 48 # define DEBUG_TLB_GATE 0 49 # define DEBUG_TLB_LOG_GATE 0 50 #endif 51 52 #define tlb_debug(fmt, ...) do { \ 53 if (DEBUG_TLB_LOG_GATE) { \ 54 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \ 55 ## __VA_ARGS__); \ 56 } else if (DEBUG_TLB_GATE) { \ 57 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \ 58 } \ 59 } while (0) 60 61 #define assert_cpu_is_self(this_cpu) do { \ 62 if (DEBUG_TLB_GATE) { \ 63 g_assert(!cpu->created || qemu_cpu_is_self(cpu)); \ 64 } \ 65 } while (0) 66 67 /* run_on_cpu_data.target_ptr should always be big enough for a 68 * target_ulong even on 32 bit builds */ 69 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data)); 70 71 /* We currently can't handle more than 16 bits in the MMUIDX bitmask. 72 */ 73 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16); 74 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1) 75 76 /* flush_all_helper: run fn across all cpus 77 * 78 * If the wait flag is set then the src cpu's helper will be queued as 79 * "safe" work and the loop exited creating a synchronisation point 80 * where all queued work will be finished before execution starts 81 * again. 82 */ 83 static void flush_all_helper(CPUState *src, run_on_cpu_func fn, 84 run_on_cpu_data d) 85 { 86 CPUState *cpu; 87 88 CPU_FOREACH(cpu) { 89 if (cpu != src) { 90 async_run_on_cpu(cpu, fn, d); 91 } 92 } 93 } 94 95 size_t tlb_flush_count(void) 96 { 97 CPUState *cpu; 98 size_t count = 0; 99 100 CPU_FOREACH(cpu) { 101 CPUArchState *env = cpu->env_ptr; 102 103 count += atomic_read(&env->tlb_flush_count); 104 } 105 return count; 106 } 107 108 /* This is OK because CPU architectures generally permit an 109 * implementation to drop entries from the TLB at any time, so 110 * flushing more entries than required is only an efficiency issue, 111 * not a correctness issue. 112 */ 113 static void tlb_flush_nocheck(CPUState *cpu) 114 { 115 CPUArchState *env = cpu->env_ptr; 116 117 /* The QOM tests will trigger tlb_flushes without setting up TCG 118 * so we bug out here in that case. 119 */ 120 if (!tcg_enabled()) { 121 return; 122 } 123 124 assert_cpu_is_self(cpu); 125 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1); 126 tlb_debug("(count: %zu)\n", tlb_flush_count()); 127 128 tb_lock(); 129 130 memset(env->tlb_table, -1, sizeof(env->tlb_table)); 131 memset(env->tlb_v_table, -1, sizeof(env->tlb_v_table)); 132 cpu_tb_jmp_cache_clear(cpu); 133 134 env->vtlb_index = 0; 135 env->tlb_flush_addr = -1; 136 env->tlb_flush_mask = 0; 137 138 tb_unlock(); 139 140 atomic_mb_set(&cpu->pending_tlb_flush, 0); 141 } 142 143 static void tlb_flush_global_async_work(CPUState *cpu, run_on_cpu_data data) 144 { 145 tlb_flush_nocheck(cpu); 146 } 147 148 void tlb_flush(CPUState *cpu) 149 { 150 if (cpu->created && !qemu_cpu_is_self(cpu)) { 151 if (atomic_mb_read(&cpu->pending_tlb_flush) != ALL_MMUIDX_BITS) { 152 atomic_mb_set(&cpu->pending_tlb_flush, ALL_MMUIDX_BITS); 153 async_run_on_cpu(cpu, tlb_flush_global_async_work, 154 RUN_ON_CPU_NULL); 155 } 156 } else { 157 tlb_flush_nocheck(cpu); 158 } 159 } 160 161 void tlb_flush_all_cpus(CPUState *src_cpu) 162 { 163 const run_on_cpu_func fn = tlb_flush_global_async_work; 164 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL); 165 fn(src_cpu, RUN_ON_CPU_NULL); 166 } 167 168 void tlb_flush_all_cpus_synced(CPUState *src_cpu) 169 { 170 const run_on_cpu_func fn = tlb_flush_global_async_work; 171 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL); 172 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_NULL); 173 } 174 175 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data) 176 { 177 CPUArchState *env = cpu->env_ptr; 178 unsigned long mmu_idx_bitmask = data.host_int; 179 int mmu_idx; 180 181 assert_cpu_is_self(cpu); 182 183 tb_lock(); 184 185 tlb_debug("start: mmu_idx:0x%04lx\n", mmu_idx_bitmask); 186 187 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 188 189 if (test_bit(mmu_idx, &mmu_idx_bitmask)) { 190 tlb_debug("%d\n", mmu_idx); 191 192 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0])); 193 memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0])); 194 } 195 } 196 197 cpu_tb_jmp_cache_clear(cpu); 198 199 tlb_debug("done\n"); 200 201 tb_unlock(); 202 } 203 204 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap) 205 { 206 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap); 207 208 if (!qemu_cpu_is_self(cpu)) { 209 uint16_t pending_flushes = idxmap; 210 pending_flushes &= ~atomic_mb_read(&cpu->pending_tlb_flush); 211 212 if (pending_flushes) { 213 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", pending_flushes); 214 215 atomic_or(&cpu->pending_tlb_flush, pending_flushes); 216 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work, 217 RUN_ON_CPU_HOST_INT(pending_flushes)); 218 } 219 } else { 220 tlb_flush_by_mmuidx_async_work(cpu, 221 RUN_ON_CPU_HOST_INT(idxmap)); 222 } 223 } 224 225 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap) 226 { 227 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 228 229 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 230 231 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 232 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap)); 233 } 234 235 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 236 uint16_t idxmap) 237 { 238 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 239 240 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 241 242 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 243 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 244 } 245 246 247 248 static inline void tlb_flush_entry(CPUTLBEntry *tlb_entry, target_ulong addr) 249 { 250 if (addr == (tlb_entry->addr_read & 251 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) || 252 addr == (tlb_entry->addr_write & 253 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) || 254 addr == (tlb_entry->addr_code & 255 (TARGET_PAGE_MASK | TLB_INVALID_MASK))) { 256 memset(tlb_entry, -1, sizeof(*tlb_entry)); 257 } 258 } 259 260 static void tlb_flush_page_async_work(CPUState *cpu, run_on_cpu_data data) 261 { 262 CPUArchState *env = cpu->env_ptr; 263 target_ulong addr = (target_ulong) data.target_ptr; 264 int i; 265 int mmu_idx; 266 267 assert_cpu_is_self(cpu); 268 269 tlb_debug("page :" TARGET_FMT_lx "\n", addr); 270 271 /* Check if we need to flush due to large pages. */ 272 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) { 273 tlb_debug("forcing full flush (" 274 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 275 env->tlb_flush_addr, env->tlb_flush_mask); 276 277 tlb_flush(cpu); 278 return; 279 } 280 281 addr &= TARGET_PAGE_MASK; 282 i = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 283 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 284 tlb_flush_entry(&env->tlb_table[mmu_idx][i], addr); 285 } 286 287 /* check whether there are entries that need to be flushed in the vtlb */ 288 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 289 int k; 290 for (k = 0; k < CPU_VTLB_SIZE; k++) { 291 tlb_flush_entry(&env->tlb_v_table[mmu_idx][k], addr); 292 } 293 } 294 295 tb_flush_jmp_cache(cpu, addr); 296 } 297 298 void tlb_flush_page(CPUState *cpu, target_ulong addr) 299 { 300 tlb_debug("page :" TARGET_FMT_lx "\n", addr); 301 302 if (!qemu_cpu_is_self(cpu)) { 303 async_run_on_cpu(cpu, tlb_flush_page_async_work, 304 RUN_ON_CPU_TARGET_PTR(addr)); 305 } else { 306 tlb_flush_page_async_work(cpu, RUN_ON_CPU_TARGET_PTR(addr)); 307 } 308 } 309 310 /* As we are going to hijack the bottom bits of the page address for a 311 * mmuidx bit mask we need to fail to build if we can't do that 312 */ 313 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN); 314 315 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu, 316 run_on_cpu_data data) 317 { 318 CPUArchState *env = cpu->env_ptr; 319 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr; 320 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK; 321 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS; 322 int page = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 323 int mmu_idx; 324 int i; 325 326 assert_cpu_is_self(cpu); 327 328 tlb_debug("page:%d addr:"TARGET_FMT_lx" mmu_idx:0x%lx\n", 329 page, addr, mmu_idx_bitmap); 330 331 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 332 if (test_bit(mmu_idx, &mmu_idx_bitmap)) { 333 tlb_flush_entry(&env->tlb_table[mmu_idx][page], addr); 334 335 /* check whether there are vltb entries that need to be flushed */ 336 for (i = 0; i < CPU_VTLB_SIZE; i++) { 337 tlb_flush_entry(&env->tlb_v_table[mmu_idx][i], addr); 338 } 339 } 340 } 341 342 tb_flush_jmp_cache(cpu, addr); 343 } 344 345 static void tlb_check_page_and_flush_by_mmuidx_async_work(CPUState *cpu, 346 run_on_cpu_data data) 347 { 348 CPUArchState *env = cpu->env_ptr; 349 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr; 350 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK; 351 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS; 352 353 tlb_debug("addr:"TARGET_FMT_lx" mmu_idx: %04lx\n", addr, mmu_idx_bitmap); 354 355 /* Check if we need to flush due to large pages. */ 356 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) { 357 tlb_debug("forced full flush (" 358 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 359 env->tlb_flush_addr, env->tlb_flush_mask); 360 361 tlb_flush_by_mmuidx_async_work(cpu, 362 RUN_ON_CPU_HOST_INT(mmu_idx_bitmap)); 363 } else { 364 tlb_flush_page_by_mmuidx_async_work(cpu, data); 365 } 366 } 367 368 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap) 369 { 370 target_ulong addr_and_mmu_idx; 371 372 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap); 373 374 /* This should already be page aligned */ 375 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 376 addr_and_mmu_idx |= idxmap; 377 378 if (!qemu_cpu_is_self(cpu)) { 379 async_run_on_cpu(cpu, tlb_check_page_and_flush_by_mmuidx_async_work, 380 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 381 } else { 382 tlb_check_page_and_flush_by_mmuidx_async_work( 383 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 384 } 385 } 386 387 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr, 388 uint16_t idxmap) 389 { 390 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work; 391 target_ulong addr_and_mmu_idx; 392 393 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 394 395 /* This should already be page aligned */ 396 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 397 addr_and_mmu_idx |= idxmap; 398 399 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 400 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 401 } 402 403 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 404 target_ulong addr, 405 uint16_t idxmap) 406 { 407 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work; 408 target_ulong addr_and_mmu_idx; 409 410 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 411 412 /* This should already be page aligned */ 413 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 414 addr_and_mmu_idx |= idxmap; 415 416 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 417 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 418 } 419 420 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr) 421 { 422 const run_on_cpu_func fn = tlb_flush_page_async_work; 423 424 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 425 fn(src, RUN_ON_CPU_TARGET_PTR(addr)); 426 } 427 428 void tlb_flush_page_all_cpus_synced(CPUState *src, 429 target_ulong addr) 430 { 431 const run_on_cpu_func fn = tlb_flush_page_async_work; 432 433 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 434 async_safe_run_on_cpu(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 435 } 436 437 /* update the TLBs so that writes to code in the virtual page 'addr' 438 can be detected */ 439 void tlb_protect_code(ram_addr_t ram_addr) 440 { 441 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE, 442 DIRTY_MEMORY_CODE); 443 } 444 445 /* update the TLB so that writes in physical page 'phys_addr' are no longer 446 tested for self modifying code */ 447 void tlb_unprotect_code(ram_addr_t ram_addr) 448 { 449 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE); 450 } 451 452 453 /* 454 * Dirty write flag handling 455 * 456 * When the TCG code writes to a location it looks up the address in 457 * the TLB and uses that data to compute the final address. If any of 458 * the lower bits of the address are set then the slow path is forced. 459 * There are a number of reasons to do this but for normal RAM the 460 * most usual is detecting writes to code regions which may invalidate 461 * generated code. 462 * 463 * Because we want other vCPUs to respond to changes straight away we 464 * update the te->addr_write field atomically. If the TLB entry has 465 * been changed by the vCPU in the mean time we skip the update. 466 * 467 * As this function uses atomic accesses we also need to ensure 468 * updates to tlb_entries follow the same access rules. We don't need 469 * to worry about this for oversized guests as MTTCG is disabled for 470 * them. 471 */ 472 473 static void tlb_reset_dirty_range(CPUTLBEntry *tlb_entry, uintptr_t start, 474 uintptr_t length) 475 { 476 #if TCG_OVERSIZED_GUEST 477 uintptr_t addr = tlb_entry->addr_write; 478 479 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) { 480 addr &= TARGET_PAGE_MASK; 481 addr += tlb_entry->addend; 482 if ((addr - start) < length) { 483 tlb_entry->addr_write |= TLB_NOTDIRTY; 484 } 485 } 486 #else 487 /* paired with atomic_mb_set in tlb_set_page_with_attrs */ 488 uintptr_t orig_addr = atomic_mb_read(&tlb_entry->addr_write); 489 uintptr_t addr = orig_addr; 490 491 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) { 492 addr &= TARGET_PAGE_MASK; 493 addr += atomic_read(&tlb_entry->addend); 494 if ((addr - start) < length) { 495 uintptr_t notdirty_addr = orig_addr | TLB_NOTDIRTY; 496 atomic_cmpxchg(&tlb_entry->addr_write, orig_addr, notdirty_addr); 497 } 498 } 499 #endif 500 } 501 502 /* For atomic correctness when running MTTCG we need to use the right 503 * primitives when copying entries */ 504 static inline void copy_tlb_helper(CPUTLBEntry *d, CPUTLBEntry *s, 505 bool atomic_set) 506 { 507 #if TCG_OVERSIZED_GUEST 508 *d = *s; 509 #else 510 if (atomic_set) { 511 d->addr_read = s->addr_read; 512 d->addr_code = s->addr_code; 513 atomic_set(&d->addend, atomic_read(&s->addend)); 514 /* Pairs with flag setting in tlb_reset_dirty_range */ 515 atomic_mb_set(&d->addr_write, atomic_read(&s->addr_write)); 516 } else { 517 d->addr_read = s->addr_read; 518 d->addr_write = atomic_read(&s->addr_write); 519 d->addr_code = s->addr_code; 520 d->addend = atomic_read(&s->addend); 521 } 522 #endif 523 } 524 525 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of 526 * the target vCPU). As such care needs to be taken that we don't 527 * dangerously race with another vCPU update. The only thing actually 528 * updated is the target TLB entry ->addr_write flags. 529 */ 530 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length) 531 { 532 CPUArchState *env; 533 534 int mmu_idx; 535 536 env = cpu->env_ptr; 537 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 538 unsigned int i; 539 540 for (i = 0; i < CPU_TLB_SIZE; i++) { 541 tlb_reset_dirty_range(&env->tlb_table[mmu_idx][i], 542 start1, length); 543 } 544 545 for (i = 0; i < CPU_VTLB_SIZE; i++) { 546 tlb_reset_dirty_range(&env->tlb_v_table[mmu_idx][i], 547 start1, length); 548 } 549 } 550 } 551 552 static inline void tlb_set_dirty1(CPUTLBEntry *tlb_entry, target_ulong vaddr) 553 { 554 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) { 555 tlb_entry->addr_write = vaddr; 556 } 557 } 558 559 /* update the TLB corresponding to virtual page vaddr 560 so that it is no longer dirty */ 561 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr) 562 { 563 CPUArchState *env = cpu->env_ptr; 564 int i; 565 int mmu_idx; 566 567 assert_cpu_is_self(cpu); 568 569 vaddr &= TARGET_PAGE_MASK; 570 i = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 571 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 572 tlb_set_dirty1(&env->tlb_table[mmu_idx][i], vaddr); 573 } 574 575 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 576 int k; 577 for (k = 0; k < CPU_VTLB_SIZE; k++) { 578 tlb_set_dirty1(&env->tlb_v_table[mmu_idx][k], vaddr); 579 } 580 } 581 } 582 583 /* Our TLB does not support large pages, so remember the area covered by 584 large pages and trigger a full TLB flush if these are invalidated. */ 585 static void tlb_add_large_page(CPUArchState *env, target_ulong vaddr, 586 target_ulong size) 587 { 588 target_ulong mask = ~(size - 1); 589 590 if (env->tlb_flush_addr == (target_ulong)-1) { 591 env->tlb_flush_addr = vaddr & mask; 592 env->tlb_flush_mask = mask; 593 return; 594 } 595 /* Extend the existing region to include the new page. 596 This is a compromise between unnecessary flushes and the cost 597 of maintaining a full variable size TLB. */ 598 mask &= env->tlb_flush_mask; 599 while (((env->tlb_flush_addr ^ vaddr) & mask) != 0) { 600 mask <<= 1; 601 } 602 env->tlb_flush_addr &= mask; 603 env->tlb_flush_mask = mask; 604 } 605 606 /* Add a new TLB entry. At most one entry for a given virtual address 607 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the 608 * supplied size is only used by tlb_flush_page. 609 * 610 * Called from TCG-generated code, which is under an RCU read-side 611 * critical section. 612 */ 613 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr, 614 hwaddr paddr, MemTxAttrs attrs, int prot, 615 int mmu_idx, target_ulong size) 616 { 617 CPUArchState *env = cpu->env_ptr; 618 MemoryRegionSection *section; 619 unsigned int index; 620 target_ulong address; 621 target_ulong code_address; 622 uintptr_t addend; 623 CPUTLBEntry *te, *tv, tn; 624 hwaddr iotlb, xlat, sz; 625 unsigned vidx = env->vtlb_index++ % CPU_VTLB_SIZE; 626 int asidx = cpu_asidx_from_attrs(cpu, attrs); 627 628 assert_cpu_is_self(cpu); 629 assert(size >= TARGET_PAGE_SIZE); 630 if (size != TARGET_PAGE_SIZE) { 631 tlb_add_large_page(env, vaddr, size); 632 } 633 634 sz = size; 635 section = address_space_translate_for_iotlb(cpu, asidx, paddr, &xlat, &sz); 636 assert(sz >= TARGET_PAGE_SIZE); 637 638 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx 639 " prot=%x idx=%d\n", 640 vaddr, paddr, prot, mmu_idx); 641 642 address = vaddr; 643 if (!memory_region_is_ram(section->mr) && !memory_region_is_romd(section->mr)) { 644 /* IO memory case */ 645 address |= TLB_MMIO; 646 addend = 0; 647 } else { 648 /* TLB_MMIO for rom/romd handled below */ 649 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat; 650 } 651 652 code_address = address; 653 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr, paddr, xlat, 654 prot, &address); 655 656 index = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 657 te = &env->tlb_table[mmu_idx][index]; 658 /* do not discard the translation in te, evict it into a victim tlb */ 659 tv = &env->tlb_v_table[mmu_idx][vidx]; 660 661 /* addr_write can race with tlb_reset_dirty_range */ 662 copy_tlb_helper(tv, te, true); 663 664 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index]; 665 666 /* refill the tlb */ 667 env->iotlb[mmu_idx][index].addr = iotlb - vaddr; 668 env->iotlb[mmu_idx][index].attrs = attrs; 669 670 /* Now calculate the new entry */ 671 tn.addend = addend - vaddr; 672 if (prot & PAGE_READ) { 673 tn.addr_read = address; 674 } else { 675 tn.addr_read = -1; 676 } 677 678 if (prot & PAGE_EXEC) { 679 tn.addr_code = code_address; 680 } else { 681 tn.addr_code = -1; 682 } 683 684 tn.addr_write = -1; 685 if (prot & PAGE_WRITE) { 686 if ((memory_region_is_ram(section->mr) && section->readonly) 687 || memory_region_is_romd(section->mr)) { 688 /* Write access calls the I/O callback. */ 689 tn.addr_write = address | TLB_MMIO; 690 } else if (memory_region_is_ram(section->mr) 691 && cpu_physical_memory_is_clean( 692 memory_region_get_ram_addr(section->mr) + xlat)) { 693 tn.addr_write = address | TLB_NOTDIRTY; 694 } else { 695 tn.addr_write = address; 696 } 697 } 698 699 /* Pairs with flag setting in tlb_reset_dirty_range */ 700 copy_tlb_helper(te, &tn, true); 701 /* atomic_mb_set(&te->addr_write, write_address); */ 702 } 703 704 /* Add a new TLB entry, but without specifying the memory 705 * transaction attributes to be used. 706 */ 707 void tlb_set_page(CPUState *cpu, target_ulong vaddr, 708 hwaddr paddr, int prot, 709 int mmu_idx, target_ulong size) 710 { 711 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED, 712 prot, mmu_idx, size); 713 } 714 715 static void report_bad_exec(CPUState *cpu, target_ulong addr) 716 { 717 /* Accidentally executing outside RAM or ROM is quite common for 718 * several user-error situations, so report it in a way that 719 * makes it clear that this isn't a QEMU bug and provide suggestions 720 * about what a user could do to fix things. 721 */ 722 error_report("Trying to execute code outside RAM or ROM at 0x" 723 TARGET_FMT_lx, addr); 724 error_printf("This usually means one of the following happened:\n\n" 725 "(1) You told QEMU to execute a kernel for the wrong machine " 726 "type, and it crashed on startup (eg trying to run a " 727 "raspberry pi kernel on a versatilepb QEMU machine)\n" 728 "(2) You didn't give QEMU a kernel or BIOS filename at all, " 729 "and QEMU executed a ROM full of no-op instructions until " 730 "it fell off the end\n" 731 "(3) Your guest kernel has a bug and crashed by jumping " 732 "off into nowhere\n\n" 733 "This is almost always one of the first two, so check your " 734 "command line and that you are using the right type of kernel " 735 "for this machine.\n" 736 "If you think option (3) is likely then you can try debugging " 737 "your guest with the -d debug options; in particular " 738 "-d guest_errors will cause the log to include a dump of the " 739 "guest register state at this point.\n\n" 740 "Execution cannot continue; stopping here.\n\n"); 741 742 /* Report also to the logs, with more detail including register dump */ 743 qemu_log_mask(LOG_GUEST_ERROR, "qemu: fatal: Trying to execute code " 744 "outside RAM or ROM at 0x" TARGET_FMT_lx "\n", addr); 745 log_cpu_state_mask(LOG_GUEST_ERROR, cpu, CPU_DUMP_FPU | CPU_DUMP_CCOP); 746 } 747 748 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr) 749 { 750 ram_addr_t ram_addr; 751 752 ram_addr = qemu_ram_addr_from_host(ptr); 753 if (ram_addr == RAM_ADDR_INVALID) { 754 error_report("Bad ram pointer %p", ptr); 755 abort(); 756 } 757 return ram_addr; 758 } 759 760 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 761 int mmu_idx, 762 target_ulong addr, uintptr_t retaddr, int size) 763 { 764 CPUState *cpu = ENV_GET_CPU(env); 765 hwaddr physaddr = iotlbentry->addr; 766 MemoryRegion *mr = iotlb_to_region(cpu, physaddr, iotlbentry->attrs); 767 uint64_t val; 768 bool locked = false; 769 MemTxResult r; 770 771 physaddr = (physaddr & TARGET_PAGE_MASK) + addr; 772 cpu->mem_io_pc = retaddr; 773 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) { 774 cpu_io_recompile(cpu, retaddr); 775 } 776 777 cpu->mem_io_vaddr = addr; 778 779 if (mr->global_locking && !qemu_mutex_iothread_locked()) { 780 qemu_mutex_lock_iothread(); 781 locked = true; 782 } 783 r = memory_region_dispatch_read(mr, physaddr, 784 &val, size, iotlbentry->attrs); 785 if (r != MEMTX_OK) { 786 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_LOAD, 787 mmu_idx, iotlbentry->attrs, r, retaddr); 788 } 789 if (locked) { 790 qemu_mutex_unlock_iothread(); 791 } 792 793 return val; 794 } 795 796 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 797 int mmu_idx, 798 uint64_t val, target_ulong addr, 799 uintptr_t retaddr, int size) 800 { 801 CPUState *cpu = ENV_GET_CPU(env); 802 hwaddr physaddr = iotlbentry->addr; 803 MemoryRegion *mr = iotlb_to_region(cpu, physaddr, iotlbentry->attrs); 804 bool locked = false; 805 MemTxResult r; 806 807 physaddr = (physaddr & TARGET_PAGE_MASK) + addr; 808 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) { 809 cpu_io_recompile(cpu, retaddr); 810 } 811 cpu->mem_io_vaddr = addr; 812 cpu->mem_io_pc = retaddr; 813 814 if (mr->global_locking && !qemu_mutex_iothread_locked()) { 815 qemu_mutex_lock_iothread(); 816 locked = true; 817 } 818 r = memory_region_dispatch_write(mr, physaddr, 819 val, size, iotlbentry->attrs); 820 if (r != MEMTX_OK) { 821 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE, 822 mmu_idx, iotlbentry->attrs, r, retaddr); 823 } 824 if (locked) { 825 qemu_mutex_unlock_iothread(); 826 } 827 } 828 829 /* Return true if ADDR is present in the victim tlb, and has been copied 830 back to the main tlb. */ 831 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index, 832 size_t elt_ofs, target_ulong page) 833 { 834 size_t vidx; 835 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) { 836 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx]; 837 target_ulong cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs); 838 839 if (cmp == page) { 840 /* Found entry in victim tlb, swap tlb and iotlb. */ 841 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index]; 842 843 copy_tlb_helper(&tmptlb, tlb, false); 844 copy_tlb_helper(tlb, vtlb, true); 845 copy_tlb_helper(vtlb, &tmptlb, true); 846 847 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index]; 848 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx]; 849 tmpio = *io; *io = *vio; *vio = tmpio; 850 return true; 851 } 852 } 853 return false; 854 } 855 856 /* Macro to call the above, with local variables from the use context. */ 857 #define VICTIM_TLB_HIT(TY, ADDR) \ 858 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \ 859 (ADDR) & TARGET_PAGE_MASK) 860 861 /* NOTE: this function can trigger an exception */ 862 /* NOTE2: the returned address is not exactly the physical address: it 863 * is actually a ram_addr_t (in system mode; the user mode emulation 864 * version of this function returns a guest virtual address). 865 */ 866 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) 867 { 868 int mmu_idx, index, pd; 869 void *p; 870 MemoryRegion *mr; 871 CPUState *cpu = ENV_GET_CPU(env); 872 CPUIOTLBEntry *iotlbentry; 873 hwaddr physaddr; 874 875 index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 876 mmu_idx = cpu_mmu_index(env, true); 877 if (unlikely(env->tlb_table[mmu_idx][index].addr_code != 878 (addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK)))) { 879 if (!VICTIM_TLB_HIT(addr_read, addr)) { 880 tlb_fill(ENV_GET_CPU(env), addr, MMU_INST_FETCH, mmu_idx, 0); 881 } 882 } 883 iotlbentry = &env->iotlb[mmu_idx][index]; 884 pd = iotlbentry->addr & ~TARGET_PAGE_MASK; 885 mr = iotlb_to_region(cpu, pd, iotlbentry->attrs); 886 if (memory_region_is_unassigned(mr)) { 887 qemu_mutex_lock_iothread(); 888 if (memory_region_request_mmio_ptr(mr, addr)) { 889 qemu_mutex_unlock_iothread(); 890 /* A MemoryRegion is potentially added so re-run the 891 * get_page_addr_code. 892 */ 893 return get_page_addr_code(env, addr); 894 } 895 qemu_mutex_unlock_iothread(); 896 897 /* Give the new-style cpu_transaction_failed() hook first chance 898 * to handle this. 899 * This is not the ideal place to detect and generate CPU 900 * exceptions for instruction fetch failure (for instance 901 * we don't know the length of the access that the CPU would 902 * use, and it would be better to go ahead and try the access 903 * and use the MemTXResult it produced). However it is the 904 * simplest place we have currently available for the check. 905 */ 906 physaddr = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 907 cpu_transaction_failed(cpu, physaddr, addr, 0, MMU_INST_FETCH, mmu_idx, 908 iotlbentry->attrs, MEMTX_DECODE_ERROR, 0); 909 910 cpu_unassigned_access(cpu, addr, false, true, 0, 4); 911 /* The CPU's unassigned access hook might have longjumped out 912 * with an exception. If it didn't (or there was no hook) then 913 * we can't proceed further. 914 */ 915 report_bad_exec(cpu, addr); 916 exit(1); 917 } 918 p = (void *)((uintptr_t)addr + env->tlb_table[mmu_idx][index].addend); 919 return qemu_ram_addr_from_host_nofail(p); 920 } 921 922 /* Probe for whether the specified guest write access is permitted. 923 * If it is not permitted then an exception will be taken in the same 924 * way as if this were a real write access (and we will not return). 925 * Otherwise the function will return, and there will be a valid 926 * entry in the TLB for this access. 927 */ 928 void probe_write(CPUArchState *env, target_ulong addr, int mmu_idx, 929 uintptr_t retaddr) 930 { 931 int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 932 target_ulong tlb_addr = env->tlb_table[mmu_idx][index].addr_write; 933 934 if ((addr & TARGET_PAGE_MASK) 935 != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) { 936 /* TLB entry is for a different page */ 937 if (!VICTIM_TLB_HIT(addr_write, addr)) { 938 tlb_fill(ENV_GET_CPU(env), addr, MMU_DATA_STORE, mmu_idx, retaddr); 939 } 940 } 941 } 942 943 /* Probe for a read-modify-write atomic operation. Do not allow unaligned 944 * operations, or io operations to proceed. Return the host address. */ 945 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr, 946 TCGMemOpIdx oi, uintptr_t retaddr) 947 { 948 size_t mmu_idx = get_mmuidx(oi); 949 size_t index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 950 CPUTLBEntry *tlbe = &env->tlb_table[mmu_idx][index]; 951 target_ulong tlb_addr = tlbe->addr_write; 952 TCGMemOp mop = get_memop(oi); 953 int a_bits = get_alignment_bits(mop); 954 int s_bits = mop & MO_SIZE; 955 956 /* Adjust the given return address. */ 957 retaddr -= GETPC_ADJ; 958 959 /* Enforce guest required alignment. */ 960 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) { 961 /* ??? Maybe indicate atomic op to cpu_unaligned_access */ 962 cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE, 963 mmu_idx, retaddr); 964 } 965 966 /* Enforce qemu required alignment. */ 967 if (unlikely(addr & ((1 << s_bits) - 1))) { 968 /* We get here if guest alignment was not requested, 969 or was not enforced by cpu_unaligned_access above. 970 We might widen the access and emulate, but for now 971 mark an exception and exit the cpu loop. */ 972 goto stop_the_world; 973 } 974 975 /* Check TLB entry and enforce page permissions. */ 976 if ((addr & TARGET_PAGE_MASK) 977 != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) { 978 if (!VICTIM_TLB_HIT(addr_write, addr)) { 979 tlb_fill(ENV_GET_CPU(env), addr, MMU_DATA_STORE, mmu_idx, retaddr); 980 } 981 tlb_addr = tlbe->addr_write; 982 } 983 984 /* Check notdirty */ 985 if (unlikely(tlb_addr & TLB_NOTDIRTY)) { 986 tlb_set_dirty(ENV_GET_CPU(env), addr); 987 tlb_addr = tlb_addr & ~TLB_NOTDIRTY; 988 } 989 990 /* Notice an IO access */ 991 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) { 992 /* There's really nothing that can be done to 993 support this apart from stop-the-world. */ 994 goto stop_the_world; 995 } 996 997 /* Let the guest notice RMW on a write-only page. */ 998 if (unlikely(tlbe->addr_read != tlb_addr)) { 999 tlb_fill(ENV_GET_CPU(env), addr, MMU_DATA_LOAD, mmu_idx, retaddr); 1000 /* Since we don't support reads and writes to different addresses, 1001 and we do have the proper page loaded for write, this shouldn't 1002 ever return. But just in case, handle via stop-the-world. */ 1003 goto stop_the_world; 1004 } 1005 1006 return (void *)((uintptr_t)addr + tlbe->addend); 1007 1008 stop_the_world: 1009 cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr); 1010 } 1011 1012 #ifdef TARGET_WORDS_BIGENDIAN 1013 # define TGT_BE(X) (X) 1014 # define TGT_LE(X) BSWAP(X) 1015 #else 1016 # define TGT_BE(X) BSWAP(X) 1017 # define TGT_LE(X) (X) 1018 #endif 1019 1020 #define MMUSUFFIX _mmu 1021 1022 #define DATA_SIZE 1 1023 #include "softmmu_template.h" 1024 1025 #define DATA_SIZE 2 1026 #include "softmmu_template.h" 1027 1028 #define DATA_SIZE 4 1029 #include "softmmu_template.h" 1030 1031 #define DATA_SIZE 8 1032 #include "softmmu_template.h" 1033 1034 /* First set of helpers allows passing in of OI and RETADDR. This makes 1035 them callable from other helpers. */ 1036 1037 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr 1038 #define ATOMIC_NAME(X) \ 1039 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu)) 1040 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr) 1041 1042 #define DATA_SIZE 1 1043 #include "atomic_template.h" 1044 1045 #define DATA_SIZE 2 1046 #include "atomic_template.h" 1047 1048 #define DATA_SIZE 4 1049 #include "atomic_template.h" 1050 1051 #ifdef CONFIG_ATOMIC64 1052 #define DATA_SIZE 8 1053 #include "atomic_template.h" 1054 #endif 1055 1056 #ifdef CONFIG_ATOMIC128 1057 #define DATA_SIZE 16 1058 #include "atomic_template.h" 1059 #endif 1060 1061 /* Second set of helpers are directly callable from TCG as helpers. */ 1062 1063 #undef EXTRA_ARGS 1064 #undef ATOMIC_NAME 1065 #undef ATOMIC_MMU_LOOKUP 1066 #define EXTRA_ARGS , TCGMemOpIdx oi 1067 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END)) 1068 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC()) 1069 1070 #define DATA_SIZE 1 1071 #include "atomic_template.h" 1072 1073 #define DATA_SIZE 2 1074 #include "atomic_template.h" 1075 1076 #define DATA_SIZE 4 1077 #include "atomic_template.h" 1078 1079 #ifdef CONFIG_ATOMIC64 1080 #define DATA_SIZE 8 1081 #include "atomic_template.h" 1082 #endif 1083 1084 /* Code access functions. */ 1085 1086 #undef MMUSUFFIX 1087 #define MMUSUFFIX _cmmu 1088 #undef GETPC 1089 #define GETPC() ((uintptr_t)0) 1090 #define SOFTMMU_CODE_ACCESS 1091 1092 #define DATA_SIZE 1 1093 #include "softmmu_template.h" 1094 1095 #define DATA_SIZE 2 1096 #include "softmmu_template.h" 1097 1098 #define DATA_SIZE 4 1099 #include "softmmu_template.h" 1100 1101 #define DATA_SIZE 8 1102 #include "softmmu_template.h" 1103