1 /* 2 * Common CPU TLB handling 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #include "qemu/osdep.h" 21 #include "qemu/main-loop.h" 22 #include "cpu.h" 23 #include "exec/exec-all.h" 24 #include "exec/memory.h" 25 #include "exec/address-spaces.h" 26 #include "exec/cpu_ldst.h" 27 #include "exec/cputlb.h" 28 #include "exec/memory-internal.h" 29 #include "exec/ram_addr.h" 30 #include "tcg/tcg.h" 31 #include "qemu/error-report.h" 32 #include "exec/log.h" 33 #include "exec/helper-proto.h" 34 #include "qemu/atomic.h" 35 36 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */ 37 /* #define DEBUG_TLB */ 38 /* #define DEBUG_TLB_LOG */ 39 40 #ifdef DEBUG_TLB 41 # define DEBUG_TLB_GATE 1 42 # ifdef DEBUG_TLB_LOG 43 # define DEBUG_TLB_LOG_GATE 1 44 # else 45 # define DEBUG_TLB_LOG_GATE 0 46 # endif 47 #else 48 # define DEBUG_TLB_GATE 0 49 # define DEBUG_TLB_LOG_GATE 0 50 #endif 51 52 #define tlb_debug(fmt, ...) 
do { \ 53 if (DEBUG_TLB_LOG_GATE) { \ 54 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \ 55 ## __VA_ARGS__); \ 56 } else if (DEBUG_TLB_GATE) { \ 57 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \ 58 } \ 59 } while (0) 60 61 #define assert_cpu_is_self(this_cpu) do { \ 62 if (DEBUG_TLB_GATE) { \ 63 g_assert(!cpu->created || qemu_cpu_is_self(cpu)); \ 64 } \ 65 } while (0) 66 67 /* run_on_cpu_data.target_ptr should always be big enough for a 68 * target_ulong even on 32 bit builds */ 69 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data)); 70 71 /* We currently can't handle more than 16 bits in the MMUIDX bitmask. 72 */ 73 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16); 74 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1) 75 76 /* flush_all_helper: run fn across all cpus 77 * 78 * If the wait flag is set then the src cpu's helper will be queued as 79 * "safe" work and the loop exited creating a synchronisation point 80 * where all queued work will be finished before execution starts 81 * again. 82 */ 83 static void flush_all_helper(CPUState *src, run_on_cpu_func fn, 84 run_on_cpu_data d) 85 { 86 CPUState *cpu; 87 88 CPU_FOREACH(cpu) { 89 if (cpu != src) { 90 async_run_on_cpu(cpu, fn, d); 91 } 92 } 93 } 94 95 size_t tlb_flush_count(void) 96 { 97 CPUState *cpu; 98 size_t count = 0; 99 100 CPU_FOREACH(cpu) { 101 CPUArchState *env = cpu->env_ptr; 102 103 count += atomic_read(&env->tlb_flush_count); 104 } 105 return count; 106 } 107 108 /* This is OK because CPU architectures generally permit an 109 * implementation to drop entries from the TLB at any time, so 110 * flushing more entries than required is only an efficiency issue, 111 * not a correctness issue. 112 */ 113 static void tlb_flush_nocheck(CPUState *cpu) 114 { 115 CPUArchState *env = cpu->env_ptr; 116 117 /* The QOM tests will trigger tlb_flushes without setting up TCG 118 * so we bug out here in that case. 
119 */ 120 if (!tcg_enabled()) { 121 return; 122 } 123 124 assert_cpu_is_self(cpu); 125 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1); 126 tlb_debug("(count: %zu)\n", tlb_flush_count()); 127 128 memset(env->tlb_table, -1, sizeof(env->tlb_table)); 129 memset(env->tlb_v_table, -1, sizeof(env->tlb_v_table)); 130 cpu_tb_jmp_cache_clear(cpu); 131 132 env->vtlb_index = 0; 133 env->tlb_flush_addr = -1; 134 env->tlb_flush_mask = 0; 135 136 atomic_mb_set(&cpu->pending_tlb_flush, 0); 137 } 138 139 static void tlb_flush_global_async_work(CPUState *cpu, run_on_cpu_data data) 140 { 141 tlb_flush_nocheck(cpu); 142 } 143 144 void tlb_flush(CPUState *cpu) 145 { 146 if (cpu->created && !qemu_cpu_is_self(cpu)) { 147 if (atomic_mb_read(&cpu->pending_tlb_flush) != ALL_MMUIDX_BITS) { 148 atomic_mb_set(&cpu->pending_tlb_flush, ALL_MMUIDX_BITS); 149 async_run_on_cpu(cpu, tlb_flush_global_async_work, 150 RUN_ON_CPU_NULL); 151 } 152 } else { 153 tlb_flush_nocheck(cpu); 154 } 155 } 156 157 void tlb_flush_all_cpus(CPUState *src_cpu) 158 { 159 const run_on_cpu_func fn = tlb_flush_global_async_work; 160 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL); 161 fn(src_cpu, RUN_ON_CPU_NULL); 162 } 163 164 void tlb_flush_all_cpus_synced(CPUState *src_cpu) 165 { 166 const run_on_cpu_func fn = tlb_flush_global_async_work; 167 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL); 168 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_NULL); 169 } 170 171 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data) 172 { 173 CPUArchState *env = cpu->env_ptr; 174 unsigned long mmu_idx_bitmask = data.host_int; 175 int mmu_idx; 176 177 assert_cpu_is_self(cpu); 178 179 tlb_debug("start: mmu_idx:0x%04lx\n", mmu_idx_bitmask); 180 181 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 182 183 if (test_bit(mmu_idx, &mmu_idx_bitmask)) { 184 tlb_debug("%d\n", mmu_idx); 185 186 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0])); 187 memset(env->tlb_v_table[mmu_idx], -1, 
sizeof(env->tlb_v_table[0])); 188 } 189 } 190 191 cpu_tb_jmp_cache_clear(cpu); 192 193 tlb_debug("done\n"); 194 } 195 196 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap) 197 { 198 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap); 199 200 if (!qemu_cpu_is_self(cpu)) { 201 uint16_t pending_flushes = idxmap; 202 pending_flushes &= ~atomic_mb_read(&cpu->pending_tlb_flush); 203 204 if (pending_flushes) { 205 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", pending_flushes); 206 207 atomic_or(&cpu->pending_tlb_flush, pending_flushes); 208 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work, 209 RUN_ON_CPU_HOST_INT(pending_flushes)); 210 } 211 } else { 212 tlb_flush_by_mmuidx_async_work(cpu, 213 RUN_ON_CPU_HOST_INT(idxmap)); 214 } 215 } 216 217 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap) 218 { 219 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 220 221 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 222 223 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 224 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap)); 225 } 226 227 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 228 uint16_t idxmap) 229 { 230 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 231 232 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 233 234 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 235 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 236 } 237 238 239 240 static inline void tlb_flush_entry(CPUTLBEntry *tlb_entry, target_ulong addr) 241 { 242 if (addr == (tlb_entry->addr_read & 243 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) || 244 addr == (tlb_entry->addr_write & 245 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) || 246 addr == (tlb_entry->addr_code & 247 (TARGET_PAGE_MASK | TLB_INVALID_MASK))) { 248 memset(tlb_entry, -1, sizeof(*tlb_entry)); 249 } 250 } 251 252 static void tlb_flush_page_async_work(CPUState *cpu, run_on_cpu_data data) 253 { 254 CPUArchState *env = cpu->env_ptr; 255 target_ulong addr = (target_ulong) 
data.target_ptr; 256 int i; 257 int mmu_idx; 258 259 assert_cpu_is_self(cpu); 260 261 tlb_debug("page :" TARGET_FMT_lx "\n", addr); 262 263 /* Check if we need to flush due to large pages. */ 264 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) { 265 tlb_debug("forcing full flush (" 266 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 267 env->tlb_flush_addr, env->tlb_flush_mask); 268 269 tlb_flush(cpu); 270 return; 271 } 272 273 addr &= TARGET_PAGE_MASK; 274 i = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 275 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 276 tlb_flush_entry(&env->tlb_table[mmu_idx][i], addr); 277 } 278 279 /* check whether there are entries that need to be flushed in the vtlb */ 280 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 281 int k; 282 for (k = 0; k < CPU_VTLB_SIZE; k++) { 283 tlb_flush_entry(&env->tlb_v_table[mmu_idx][k], addr); 284 } 285 } 286 287 tb_flush_jmp_cache(cpu, addr); 288 } 289 290 void tlb_flush_page(CPUState *cpu, target_ulong addr) 291 { 292 tlb_debug("page :" TARGET_FMT_lx "\n", addr); 293 294 if (!qemu_cpu_is_self(cpu)) { 295 async_run_on_cpu(cpu, tlb_flush_page_async_work, 296 RUN_ON_CPU_TARGET_PTR(addr)); 297 } else { 298 tlb_flush_page_async_work(cpu, RUN_ON_CPU_TARGET_PTR(addr)); 299 } 300 } 301 302 /* As we are going to hijack the bottom bits of the page address for a 303 * mmuidx bit mask we need to fail to build if we can't do that 304 */ 305 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN); 306 307 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu, 308 run_on_cpu_data data) 309 { 310 CPUArchState *env = cpu->env_ptr; 311 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr; 312 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK; 313 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS; 314 int page = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 315 int mmu_idx; 316 int i; 317 318 assert_cpu_is_self(cpu); 319 320 tlb_debug("page:%d 
addr:"TARGET_FMT_lx" mmu_idx:0x%lx\n", 321 page, addr, mmu_idx_bitmap); 322 323 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 324 if (test_bit(mmu_idx, &mmu_idx_bitmap)) { 325 tlb_flush_entry(&env->tlb_table[mmu_idx][page], addr); 326 327 /* check whether there are vltb entries that need to be flushed */ 328 for (i = 0; i < CPU_VTLB_SIZE; i++) { 329 tlb_flush_entry(&env->tlb_v_table[mmu_idx][i], addr); 330 } 331 } 332 } 333 334 tb_flush_jmp_cache(cpu, addr); 335 } 336 337 static void tlb_check_page_and_flush_by_mmuidx_async_work(CPUState *cpu, 338 run_on_cpu_data data) 339 { 340 CPUArchState *env = cpu->env_ptr; 341 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr; 342 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK; 343 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS; 344 345 tlb_debug("addr:"TARGET_FMT_lx" mmu_idx: %04lx\n", addr, mmu_idx_bitmap); 346 347 /* Check if we need to flush due to large pages. */ 348 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) { 349 tlb_debug("forced full flush (" 350 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 351 env->tlb_flush_addr, env->tlb_flush_mask); 352 353 tlb_flush_by_mmuidx_async_work(cpu, 354 RUN_ON_CPU_HOST_INT(mmu_idx_bitmap)); 355 } else { 356 tlb_flush_page_by_mmuidx_async_work(cpu, data); 357 } 358 } 359 360 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap) 361 { 362 target_ulong addr_and_mmu_idx; 363 364 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap); 365 366 /* This should already be page aligned */ 367 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 368 addr_and_mmu_idx |= idxmap; 369 370 if (!qemu_cpu_is_self(cpu)) { 371 async_run_on_cpu(cpu, tlb_check_page_and_flush_by_mmuidx_async_work, 372 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 373 } else { 374 tlb_check_page_and_flush_by_mmuidx_async_work( 375 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 376 } 377 } 378 379 void tlb_flush_page_by_mmuidx_all_cpus(CPUState 
*src_cpu, target_ulong addr, 380 uint16_t idxmap) 381 { 382 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work; 383 target_ulong addr_and_mmu_idx; 384 385 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 386 387 /* This should already be page aligned */ 388 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 389 addr_and_mmu_idx |= idxmap; 390 391 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 392 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 393 } 394 395 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 396 target_ulong addr, 397 uint16_t idxmap) 398 { 399 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work; 400 target_ulong addr_and_mmu_idx; 401 402 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 403 404 /* This should already be page aligned */ 405 addr_and_mmu_idx = addr & TARGET_PAGE_MASK; 406 addr_and_mmu_idx |= idxmap; 407 408 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 409 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx)); 410 } 411 412 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr) 413 { 414 const run_on_cpu_func fn = tlb_flush_page_async_work; 415 416 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 417 fn(src, RUN_ON_CPU_TARGET_PTR(addr)); 418 } 419 420 void tlb_flush_page_all_cpus_synced(CPUState *src, 421 target_ulong addr) 422 { 423 const run_on_cpu_func fn = tlb_flush_page_async_work; 424 425 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 426 async_safe_run_on_cpu(src, fn, RUN_ON_CPU_TARGET_PTR(addr)); 427 } 428 429 /* update the TLBs so that writes to code in the virtual page 'addr' 430 can be detected */ 431 void tlb_protect_code(ram_addr_t ram_addr) 432 { 433 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE, 434 DIRTY_MEMORY_CODE); 435 } 436 437 /* update the TLB so that writes in physical page 'phys_addr' are no longer 
438 tested for self modifying code */ 439 void tlb_unprotect_code(ram_addr_t ram_addr) 440 { 441 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE); 442 } 443 444 445 /* 446 * Dirty write flag handling 447 * 448 * When the TCG code writes to a location it looks up the address in 449 * the TLB and uses that data to compute the final address. If any of 450 * the lower bits of the address are set then the slow path is forced. 451 * There are a number of reasons to do this but for normal RAM the 452 * most usual is detecting writes to code regions which may invalidate 453 * generated code. 454 * 455 * Because we want other vCPUs to respond to changes straight away we 456 * update the te->addr_write field atomically. If the TLB entry has 457 * been changed by the vCPU in the mean time we skip the update. 458 * 459 * As this function uses atomic accesses we also need to ensure 460 * updates to tlb_entries follow the same access rules. We don't need 461 * to worry about this for oversized guests as MTTCG is disabled for 462 * them. 
463 */ 464 465 static void tlb_reset_dirty_range(CPUTLBEntry *tlb_entry, uintptr_t start, 466 uintptr_t length) 467 { 468 #if TCG_OVERSIZED_GUEST 469 uintptr_t addr = tlb_entry->addr_write; 470 471 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) { 472 addr &= TARGET_PAGE_MASK; 473 addr += tlb_entry->addend; 474 if ((addr - start) < length) { 475 tlb_entry->addr_write |= TLB_NOTDIRTY; 476 } 477 } 478 #else 479 /* paired with atomic_mb_set in tlb_set_page_with_attrs */ 480 uintptr_t orig_addr = atomic_mb_read(&tlb_entry->addr_write); 481 uintptr_t addr = orig_addr; 482 483 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) { 484 addr &= TARGET_PAGE_MASK; 485 addr += atomic_read(&tlb_entry->addend); 486 if ((addr - start) < length) { 487 uintptr_t notdirty_addr = orig_addr | TLB_NOTDIRTY; 488 atomic_cmpxchg(&tlb_entry->addr_write, orig_addr, notdirty_addr); 489 } 490 } 491 #endif 492 } 493 494 /* For atomic correctness when running MTTCG we need to use the right 495 * primitives when copying entries */ 496 static inline void copy_tlb_helper(CPUTLBEntry *d, CPUTLBEntry *s, 497 bool atomic_set) 498 { 499 #if TCG_OVERSIZED_GUEST 500 *d = *s; 501 #else 502 if (atomic_set) { 503 d->addr_read = s->addr_read; 504 d->addr_code = s->addr_code; 505 atomic_set(&d->addend, atomic_read(&s->addend)); 506 /* Pairs with flag setting in tlb_reset_dirty_range */ 507 atomic_mb_set(&d->addr_write, atomic_read(&s->addr_write)); 508 } else { 509 d->addr_read = s->addr_read; 510 d->addr_write = atomic_read(&s->addr_write); 511 d->addr_code = s->addr_code; 512 d->addend = atomic_read(&s->addend); 513 } 514 #endif 515 } 516 517 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of 518 * the target vCPU). As such care needs to be taken that we don't 519 * dangerously race with another vCPU update. The only thing actually 520 * updated is the target TLB entry ->addr_write flags. 
521 */ 522 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length) 523 { 524 CPUArchState *env; 525 526 int mmu_idx; 527 528 env = cpu->env_ptr; 529 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 530 unsigned int i; 531 532 for (i = 0; i < CPU_TLB_SIZE; i++) { 533 tlb_reset_dirty_range(&env->tlb_table[mmu_idx][i], 534 start1, length); 535 } 536 537 for (i = 0; i < CPU_VTLB_SIZE; i++) { 538 tlb_reset_dirty_range(&env->tlb_v_table[mmu_idx][i], 539 start1, length); 540 } 541 } 542 } 543 544 static inline void tlb_set_dirty1(CPUTLBEntry *tlb_entry, target_ulong vaddr) 545 { 546 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) { 547 tlb_entry->addr_write = vaddr; 548 } 549 } 550 551 /* update the TLB corresponding to virtual page vaddr 552 so that it is no longer dirty */ 553 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr) 554 { 555 CPUArchState *env = cpu->env_ptr; 556 int i; 557 int mmu_idx; 558 559 assert_cpu_is_self(cpu); 560 561 vaddr &= TARGET_PAGE_MASK; 562 i = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 563 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 564 tlb_set_dirty1(&env->tlb_table[mmu_idx][i], vaddr); 565 } 566 567 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 568 int k; 569 for (k = 0; k < CPU_VTLB_SIZE; k++) { 570 tlb_set_dirty1(&env->tlb_v_table[mmu_idx][k], vaddr); 571 } 572 } 573 } 574 575 /* Our TLB does not support large pages, so remember the area covered by 576 large pages and trigger a full TLB flush if these are invalidated. */ 577 static void tlb_add_large_page(CPUArchState *env, target_ulong vaddr, 578 target_ulong size) 579 { 580 target_ulong mask = ~(size - 1); 581 582 if (env->tlb_flush_addr == (target_ulong)-1) { 583 env->tlb_flush_addr = vaddr & mask; 584 env->tlb_flush_mask = mask; 585 return; 586 } 587 /* Extend the existing region to include the new page. 588 This is a compromise between unnecessary flushes and the cost 589 of maintaining a full variable size TLB. 
*/ 590 mask &= env->tlb_flush_mask; 591 while (((env->tlb_flush_addr ^ vaddr) & mask) != 0) { 592 mask <<= 1; 593 } 594 env->tlb_flush_addr &= mask; 595 env->tlb_flush_mask = mask; 596 } 597 598 /* Add a new TLB entry. At most one entry for a given virtual address 599 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the 600 * supplied size is only used by tlb_flush_page. 601 * 602 * Called from TCG-generated code, which is under an RCU read-side 603 * critical section. 604 */ 605 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr, 606 hwaddr paddr, MemTxAttrs attrs, int prot, 607 int mmu_idx, target_ulong size) 608 { 609 CPUArchState *env = cpu->env_ptr; 610 MemoryRegionSection *section; 611 unsigned int index; 612 target_ulong address; 613 target_ulong code_address; 614 uintptr_t addend; 615 CPUTLBEntry *te, *tv, tn; 616 hwaddr iotlb, xlat, sz; 617 unsigned vidx = env->vtlb_index++ % CPU_VTLB_SIZE; 618 int asidx = cpu_asidx_from_attrs(cpu, attrs); 619 620 assert_cpu_is_self(cpu); 621 assert(size >= TARGET_PAGE_SIZE); 622 if (size != TARGET_PAGE_SIZE) { 623 tlb_add_large_page(env, vaddr, size); 624 } 625 626 sz = size; 627 section = address_space_translate_for_iotlb(cpu, asidx, paddr, &xlat, &sz, 628 attrs, &prot); 629 assert(sz >= TARGET_PAGE_SIZE); 630 631 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx 632 " prot=%x idx=%d\n", 633 vaddr, paddr, prot, mmu_idx); 634 635 address = vaddr; 636 if (!memory_region_is_ram(section->mr) && !memory_region_is_romd(section->mr)) { 637 /* IO memory case */ 638 address |= TLB_MMIO; 639 addend = 0; 640 } else { 641 /* TLB_MMIO for rom/romd handled below */ 642 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat; 643 } 644 645 code_address = address; 646 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr, paddr, xlat, 647 prot, &address); 648 649 index = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 650 te = &env->tlb_table[mmu_idx][index]; 651 /* do not discard 
the translation in te, evict it into a victim tlb */ 652 tv = &env->tlb_v_table[mmu_idx][vidx]; 653 654 /* addr_write can race with tlb_reset_dirty_range */ 655 copy_tlb_helper(tv, te, true); 656 657 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index]; 658 659 /* refill the tlb */ 660 /* 661 * At this point iotlb contains a physical section number in the lower 662 * TARGET_PAGE_BITS, and either 663 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM) 664 * + the offset within section->mr of the page base (otherwise) 665 * We subtract the vaddr (which is page aligned and thus won't 666 * disturb the low bits) to give an offset which can be added to the 667 * (non-page-aligned) vaddr of the eventual memory access to get 668 * the MemoryRegion offset for the access. Note that the vaddr we 669 * subtract here is that of the page base, and not the same as the 670 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code(). 671 */ 672 env->iotlb[mmu_idx][index].addr = iotlb - vaddr; 673 env->iotlb[mmu_idx][index].attrs = attrs; 674 675 /* Now calculate the new entry */ 676 tn.addend = addend - vaddr; 677 if (prot & PAGE_READ) { 678 tn.addr_read = address; 679 } else { 680 tn.addr_read = -1; 681 } 682 683 if (prot & PAGE_EXEC) { 684 tn.addr_code = code_address; 685 } else { 686 tn.addr_code = -1; 687 } 688 689 tn.addr_write = -1; 690 if (prot & PAGE_WRITE) { 691 if ((memory_region_is_ram(section->mr) && section->readonly) 692 || memory_region_is_romd(section->mr)) { 693 /* Write access calls the I/O callback. 
*/ 694 tn.addr_write = address | TLB_MMIO; 695 } else if (memory_region_is_ram(section->mr) 696 && cpu_physical_memory_is_clean( 697 memory_region_get_ram_addr(section->mr) + xlat)) { 698 tn.addr_write = address | TLB_NOTDIRTY; 699 } else { 700 tn.addr_write = address; 701 } 702 if (prot & PAGE_WRITE_INV) { 703 tn.addr_write |= TLB_INVALID_MASK; 704 } 705 } 706 707 /* Pairs with flag setting in tlb_reset_dirty_range */ 708 copy_tlb_helper(te, &tn, true); 709 /* atomic_mb_set(&te->addr_write, write_address); */ 710 } 711 712 /* Add a new TLB entry, but without specifying the memory 713 * transaction attributes to be used. 714 */ 715 void tlb_set_page(CPUState *cpu, target_ulong vaddr, 716 hwaddr paddr, int prot, 717 int mmu_idx, target_ulong size) 718 { 719 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED, 720 prot, mmu_idx, size); 721 } 722 723 static void report_bad_exec(CPUState *cpu, target_ulong addr) 724 { 725 /* Accidentally executing outside RAM or ROM is quite common for 726 * several user-error situations, so report it in a way that 727 * makes it clear that this isn't a QEMU bug and provide suggestions 728 * about what a user could do to fix things. 
729 */ 730 error_report("Trying to execute code outside RAM or ROM at 0x" 731 TARGET_FMT_lx, addr); 732 error_printf("This usually means one of the following happened:\n\n" 733 "(1) You told QEMU to execute a kernel for the wrong machine " 734 "type, and it crashed on startup (eg trying to run a " 735 "raspberry pi kernel on a versatilepb QEMU machine)\n" 736 "(2) You didn't give QEMU a kernel or BIOS filename at all, " 737 "and QEMU executed a ROM full of no-op instructions until " 738 "it fell off the end\n" 739 "(3) Your guest kernel has a bug and crashed by jumping " 740 "off into nowhere\n\n" 741 "This is almost always one of the first two, so check your " 742 "command line and that you are using the right type of kernel " 743 "for this machine.\n" 744 "If you think option (3) is likely then you can try debugging " 745 "your guest with the -d debug options; in particular " 746 "-d guest_errors will cause the log to include a dump of the " 747 "guest register state at this point.\n\n" 748 "Execution cannot continue; stopping here.\n\n"); 749 750 /* Report also to the logs, with more detail including register dump */ 751 qemu_log_mask(LOG_GUEST_ERROR, "qemu: fatal: Trying to execute code " 752 "outside RAM or ROM at 0x" TARGET_FMT_lx "\n", addr); 753 log_cpu_state_mask(LOG_GUEST_ERROR, cpu, CPU_DUMP_FPU | CPU_DUMP_CCOP); 754 } 755 756 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr) 757 { 758 ram_addr_t ram_addr; 759 760 ram_addr = qemu_ram_addr_from_host(ptr); 761 if (ram_addr == RAM_ADDR_INVALID) { 762 error_report("Bad ram pointer %p", ptr); 763 abort(); 764 } 765 return ram_addr; 766 } 767 768 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 769 int mmu_idx, 770 target_ulong addr, uintptr_t retaddr, int size) 771 { 772 CPUState *cpu = ENV_GET_CPU(env); 773 hwaddr mr_offset; 774 MemoryRegionSection *section; 775 MemoryRegion *mr; 776 uint64_t val; 777 bool locked = false; 778 MemTxResult r; 779 780 section = 
iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 781 mr = section->mr; 782 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 783 cpu->mem_io_pc = retaddr; 784 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) { 785 cpu_io_recompile(cpu, retaddr); 786 } 787 788 cpu->mem_io_vaddr = addr; 789 790 if (mr->global_locking && !qemu_mutex_iothread_locked()) { 791 qemu_mutex_lock_iothread(); 792 locked = true; 793 } 794 r = memory_region_dispatch_read(mr, mr_offset, 795 &val, size, iotlbentry->attrs); 796 if (r != MEMTX_OK) { 797 hwaddr physaddr = mr_offset + 798 section->offset_within_address_space - 799 section->offset_within_region; 800 801 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_LOAD, 802 mmu_idx, iotlbentry->attrs, r, retaddr); 803 } 804 if (locked) { 805 qemu_mutex_unlock_iothread(); 806 } 807 808 return val; 809 } 810 811 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 812 int mmu_idx, 813 uint64_t val, target_ulong addr, 814 uintptr_t retaddr, int size) 815 { 816 CPUState *cpu = ENV_GET_CPU(env); 817 hwaddr mr_offset; 818 MemoryRegionSection *section; 819 MemoryRegion *mr; 820 bool locked = false; 821 MemTxResult r; 822 823 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 824 mr = section->mr; 825 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 826 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) { 827 cpu_io_recompile(cpu, retaddr); 828 } 829 cpu->mem_io_vaddr = addr; 830 cpu->mem_io_pc = retaddr; 831 832 if (mr->global_locking && !qemu_mutex_iothread_locked()) { 833 qemu_mutex_lock_iothread(); 834 locked = true; 835 } 836 r = memory_region_dispatch_write(mr, mr_offset, 837 val, size, iotlbentry->attrs); 838 if (r != MEMTX_OK) { 839 hwaddr physaddr = mr_offset + 840 section->offset_within_address_space - 841 section->offset_within_region; 842 843 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE, 844 mmu_idx, 
iotlbentry->attrs, r, retaddr); 845 } 846 if (locked) { 847 qemu_mutex_unlock_iothread(); 848 } 849 } 850 851 /* Return true if ADDR is present in the victim tlb, and has been copied 852 back to the main tlb. */ 853 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index, 854 size_t elt_ofs, target_ulong page) 855 { 856 size_t vidx; 857 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) { 858 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx]; 859 target_ulong cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs); 860 861 if (cmp == page) { 862 /* Found entry in victim tlb, swap tlb and iotlb. */ 863 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index]; 864 865 copy_tlb_helper(&tmptlb, tlb, false); 866 copy_tlb_helper(tlb, vtlb, true); 867 copy_tlb_helper(vtlb, &tmptlb, true); 868 869 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index]; 870 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx]; 871 tmpio = *io; *io = *vio; *vio = tmpio; 872 return true; 873 } 874 } 875 return false; 876 } 877 878 /* Macro to call the above, with local variables from the use context. */ 879 #define VICTIM_TLB_HIT(TY, ADDR) \ 880 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \ 881 (ADDR) & TARGET_PAGE_MASK) 882 883 /* NOTE: this function can trigger an exception */ 884 /* NOTE2: the returned address is not exactly the physical address: it 885 * is actually a ram_addr_t (in system mode; the user mode emulation 886 * version of this function returns a guest virtual address). 
887 */ 888 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) 889 { 890 int mmu_idx, index; 891 void *p; 892 MemoryRegion *mr; 893 MemoryRegionSection *section; 894 CPUState *cpu = ENV_GET_CPU(env); 895 CPUIOTLBEntry *iotlbentry; 896 hwaddr physaddr, mr_offset; 897 898 index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 899 mmu_idx = cpu_mmu_index(env, true); 900 if (unlikely(env->tlb_table[mmu_idx][index].addr_code != 901 (addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK)))) { 902 if (!VICTIM_TLB_HIT(addr_read, addr)) { 903 tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0); 904 } 905 } 906 iotlbentry = &env->iotlb[mmu_idx][index]; 907 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 908 mr = section->mr; 909 if (memory_region_is_unassigned(mr)) { 910 qemu_mutex_lock_iothread(); 911 if (memory_region_request_mmio_ptr(mr, addr)) { 912 qemu_mutex_unlock_iothread(); 913 /* A MemoryRegion is potentially added so re-run the 914 * get_page_addr_code. 915 */ 916 return get_page_addr_code(env, addr); 917 } 918 qemu_mutex_unlock_iothread(); 919 920 /* Give the new-style cpu_transaction_failed() hook first chance 921 * to handle this. 922 * This is not the ideal place to detect and generate CPU 923 * exceptions for instruction fetch failure (for instance 924 * we don't know the length of the access that the CPU would 925 * use, and it would be better to go ahead and try the access 926 * and use the MemTXResult it produced). However it is the 927 * simplest place we have currently available for the check. 
928 */ 929 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 930 physaddr = mr_offset + 931 section->offset_within_address_space - 932 section->offset_within_region; 933 cpu_transaction_failed(cpu, physaddr, addr, 0, MMU_INST_FETCH, mmu_idx, 934 iotlbentry->attrs, MEMTX_DECODE_ERROR, 0); 935 936 cpu_unassigned_access(cpu, addr, false, true, 0, 4); 937 /* The CPU's unassigned access hook might have longjumped out 938 * with an exception. If it didn't (or there was no hook) then 939 * we can't proceed further. 940 */ 941 report_bad_exec(cpu, addr); 942 exit(1); 943 } 944 p = (void *)((uintptr_t)addr + env->tlb_table[mmu_idx][index].addend); 945 return qemu_ram_addr_from_host_nofail(p); 946 } 947 948 /* Probe for whether the specified guest write access is permitted. 949 * If it is not permitted then an exception will be taken in the same 950 * way as if this were a real write access (and we will not return). 951 * Otherwise the function will return, and there will be a valid 952 * entry in the TLB for this access. 953 */ 954 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx, 955 uintptr_t retaddr) 956 { 957 int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); 958 target_ulong tlb_addr = env->tlb_table[mmu_idx][index].addr_write; 959 960 if ((addr & TARGET_PAGE_MASK) 961 != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) { 962 /* TLB entry is for a different page */ 963 if (!VICTIM_TLB_HIT(addr_write, addr)) { 964 tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE, 965 mmu_idx, retaddr); 966 } 967 } 968 } 969 970 /* Probe for a read-modify-write atomic operation. Do not allow unaligned 971 * operations, or io operations to proceed. Return the host address. 
 */
/* atomic_mmu_lookup:
 * @env: CPU architectural state
 * @addr: guest virtual address of the atomic operation
 * @oi: combined mmu index + memop (decoded via get_mmuidx/get_memop)
 * @retaddr: host return address for exception unwinding
 * @ndi: out-parameter; ndi->active is set when a notdirty write was
 *       prepared and the caller must complete it after the operation
 *
 * Returns the host address backing @addr, or exits the CPU loop
 * (stop-the-world) for cases we cannot handle inline.  Does not return
 * on a guest-visible fault raised by tlb_fill/cpu_unaligned_access.
 */
static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
                               TCGMemOpIdx oi, uintptr_t retaddr,
                               NotDirtyInfo *ndi)
{
    size_t mmu_idx = get_mmuidx(oi);
    size_t index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
    CPUTLBEntry *tlbe = &env->tlb_table[mmu_idx][index];
    target_ulong tlb_addr = tlbe->addr_write;
    TCGMemOp mop = get_memop(oi);
    int a_bits = get_alignment_bits(mop);
    int s_bits = mop & MO_SIZE;
    void *hostaddr;

    /* Adjust the given return address.  */
    retaddr -= GETPC_ADJ;

    /* Enforce guest required alignment.  */
    if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
        /* ??? Maybe indicate atomic op to cpu_unaligned_access */
        cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
                             mmu_idx, retaddr);
    }

    /* Enforce qemu required alignment.  */
    if (unlikely(addr & ((1 << s_bits) - 1))) {
        /* We get here if guest alignment was not requested,
           or was not enforced by cpu_unaligned_access above.
           We might widen the access and emulate, but for now
           mark an exception and exit the cpu loop.  */
        goto stop_the_world;
    }

    /* Check TLB entry and enforce page permissions.  Atomics are
     * modelled as a store, so the write entry is what we compare.
     */
    if ((addr & TARGET_PAGE_MASK)
        != (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
        if (!VICTIM_TLB_HIT(addr_write, addr)) {
            tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
                     mmu_idx, retaddr);
        }
        /* Re-read: tlb_fill may have replaced the entry.  */
        tlb_addr = tlbe->addr_write & ~TLB_INVALID_MASK;
    }

    /* Notice an IO access  */
    if (unlikely(tlb_addr & TLB_MMIO)) {
        /* There's really nothing that can be done to
           support this apart from stop-the-world.  */
        goto stop_the_world;
    }

    /* Let the guest notice RMW on a write-only page.  */
    if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
        tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
                 mmu_idx, retaddr);
        /* Since we don't support reads and writes to different addresses,
           and we do have the proper page loaded for write, this shouldn't
           ever return.  But just in case, handle via stop-the-world.  */
        goto stop_the_world;
    }

    hostaddr = (void *)((uintptr_t)addr + tlbe->addend);

    /* For pages with TB translations, tell the memory core about the
     * upcoming write so dirty tracking stays correct; the caller
     * completes this via ATOMIC_MMU_CLEANUP.
     */
    ndi->active = false;
    if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
        ndi->active = true;
        memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
                                      qemu_ram_addr_from_host_nofail(hostaddr),
                                      1 << s_bits);
    }

    return hostaddr;

 stop_the_world:
    cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
}

/* Byte-swap helpers mapping target endianness onto host access order,
 * used by the softmmu templates included below.
 */
#ifdef TARGET_WORDS_BIGENDIAN
# define TGT_BE(X)  (X)
# define TGT_LE(X)  BSWAP(X)
#else
# define TGT_BE(X)  BSWAP(X)
# define TGT_LE(X)  (X)
#endif

#define MMUSUFFIX _mmu

/* Instantiate the data-access load/store helpers (helper_ld*_mmu /
 * helper_st*_mmu) for each access size by repeated template inclusion.
 */
#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"

/* First set of helpers allows passing in of OI and RETADDR.  This makes
   them callable from other helpers.
 */

/* These macros parameterize atomic_template.h: EXTRA_ARGS is appended to
 * each helper's parameter list, ATOMIC_NAME builds the helper symbol,
 * and the LOOKUP/CLEANUP pair brackets the guest memory access with
 * atomic_mmu_lookup() and notdirty completion.
 */
#define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
#define ATOMIC_NAME(X) \
    HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
#define ATOMIC_MMU_DECLS NotDirtyInfo ndi
#define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
#define ATOMIC_MMU_CLEANUP                              \
    do {                                                \
        if (unlikely(ndi.active)) {                     \
            memory_notdirty_write_complete(&ndi);       \
        }                                               \
    } while (0)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

/* 8- and 16-byte atomics only exist when the host can do them natively.  */
#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

#ifdef CONFIG_ATOMIC128
#define DATA_SIZE 16
#include "atomic_template.h"
#endif

/* Second set of helpers are directly callable from TCG as helpers.  */

/* Same templates again, but without the explicit retaddr parameter:
 * these variants recover the return address themselves via GETPC().
 */
#undef EXTRA_ARGS
#undef ATOMIC_NAME
#undef ATOMIC_MMU_LOOKUP
#define EXTRA_ARGS         , TCGMemOpIdx oi
#define ATOMIC_NAME(X)     HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
#define ATOMIC_MMU_LOOKUP  atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)

#define DATA_SIZE 1
#include "atomic_template.h"

#define DATA_SIZE 2
#include "atomic_template.h"

#define DATA_SIZE 4
#include "atomic_template.h"

#ifdef CONFIG_ATOMIC64
#define DATA_SIZE 8
#include "atomic_template.h"
#endif

/* Code access functions.  */

/* Instantiate the _cmmu (code fetch) helper set.  GETPC is deliberately
 * redefined to 0 here: code-fetch faults are not attributed to a host
 * call site the way data-access faults are.
 */
#undef MMUSUFFIX
#define MMUSUFFIX _cmmu
#undef GETPC
#define GETPC() ((uintptr_t)0)
#define SOFTMMU_CODE_ACCESS

#define DATA_SIZE 1
#include "softmmu_template.h"

#define DATA_SIZE 2
#include "softmmu_template.h"

#define DATA_SIZE 4
#include "softmmu_template.h"

#define DATA_SIZE 8
#include "softmmu_template.h"