xref: /openbmc/qemu/target/ppc/mmu_common.c (revision 2f44bea9)
1 /*
2  *  PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU.
3  *
4  *  Copyright (c) 2003-2007 Jocelyn Mayer
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 
20 #include "qemu/osdep.h"
21 #include "qemu/units.h"
22 #include "cpu.h"
23 #include "sysemu/kvm.h"
24 #include "kvm_ppc.h"
25 #include "mmu-hash64.h"
26 #include "mmu-hash32.h"
27 #include "exec/exec-all.h"
28 #include "exec/log.h"
29 #include "helper_regs.h"
30 #include "qemu/error-report.h"
31 #include "qemu/main-loop.h"
32 #include "qemu/qemu-print.h"
33 #include "internal.h"
34 #include "mmu-book3s-v3.h"
35 #include "mmu-radix64.h"
36 
37 /* #define DEBUG_MMU */
38 /* #define DEBUG_BATS */
39 /* #define DEBUG_SOFTWARE_TLB */
40 /* #define DUMP_PAGE_TABLES */
41 /* #define FLUSH_ALL_TLBS */
42 
43 #ifdef DEBUG_MMU
44 #  define LOG_MMU_STATE(cpu) log_cpu_state_mask(CPU_LOG_MMU, (cpu), 0)
45 #else
46 #  define LOG_MMU_STATE(cpu) do { } while (0)
47 #endif
48 
49 #ifdef DEBUG_SOFTWARE_TLB
50 #  define LOG_SWTLB(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
51 #else
52 #  define LOG_SWTLB(...) do { } while (0)
53 #endif
54 
55 #ifdef DEBUG_BATS
56 #  define LOG_BATS(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
57 #else
58 #  define LOG_BATS(...) do { } while (0)
59 #endif
60 
61 void ppc_store_sdr1(CPUPPCState *env, target_ulong value)
62 {
63     PowerPCCPU *cpu = env_archcpu(env);
64     qemu_log_mask(CPU_LOG_MMU, "%s: " TARGET_FMT_lx "\n", __func__, value);
65     assert(!cpu->env.has_hv_mode || !cpu->vhyp);
66 #if defined(TARGET_PPC64)
67     if (mmu_is_64bit(env->mmu_model)) {
68         target_ulong sdr_mask = SDR_64_HTABORG | SDR_64_HTABSIZE;
69         target_ulong htabsize = value & SDR_64_HTABSIZE;
70 
71         if (value & ~sdr_mask) {
72             qemu_log_mask(LOG_GUEST_ERROR, "Invalid bits 0x"TARGET_FMT_lx
73                      " set in SDR1", value & ~sdr_mask);
74             value &= sdr_mask;
75         }
76         if (htabsize > 28) {
77             qemu_log_mask(LOG_GUEST_ERROR, "Invalid HTABSIZE 0x" TARGET_FMT_lx
78                      " stored in SDR1", htabsize);
79             return;
80         }
81     }
82 #endif /* defined(TARGET_PPC64) */
83     /* FIXME: Should check for valid HTABMASK values in 32-bit case */
84     env->spr[SPR_SDR1] = value;
85 }
86 
87 /*****************************************************************************/
88 /* PowerPC MMU emulation */
89 
90 static int pp_check(int key, int pp, int nx)
91 {
92     int access;
93 
94     /* Compute access rights */
95     access = 0;
96     if (key == 0) {
97         switch (pp) {
98         case 0x0:
99         case 0x1:
100         case 0x2:
101             access |= PAGE_WRITE;
102             /* fall through */
103         case 0x3:
104             access |= PAGE_READ;
105             break;
106         }
107     } else {
108         switch (pp) {
109         case 0x0:
110             access = 0;
111             break;
112         case 0x1:
113         case 0x3:
114             access = PAGE_READ;
115             break;
116         case 0x2:
117             access = PAGE_READ | PAGE_WRITE;
118             break;
119         }
120     }
121     if (nx == 0) {
122         access |= PAGE_EXEC;
123     }
124 
125     return access;
126 }
127 
128 static int check_prot(int prot, MMUAccessType access_type)
129 {
130     return prot & prot_for_access_type(access_type) ? 0 : -2;
131 }
132 
133 int ppc6xx_tlb_getnum(CPUPPCState *env, target_ulong eaddr,
134                                     int way, int is_code)
135 {
136     int nr;
137 
138     /* Select TLB num in a way from address */
139     nr = (eaddr >> TARGET_PAGE_BITS) & (env->tlb_per_way - 1);
140     /* Select TLB way */
141     nr += env->tlb_per_way * way;
142     /* 6xx have separate TLBs for instructions and data */
143     if (is_code && env->id_tlbs == 1) {
144         nr += env->nb_tlb;
145     }
146 
147     return nr;
148 }
149 
150 static int ppc6xx_tlb_pte_check(mmu_ctx_t *ctx, target_ulong pte0,
151                                 target_ulong pte1, int h,
152                                 MMUAccessType access_type)
153 {
154     target_ulong ptem, mmask;
155     int access, ret, pteh, ptev, pp;
156 
157     ret = -1;
158     /* Check validity and table match */
159     ptev = pte_is_valid(pte0);
160     pteh = (pte0 >> 6) & 1;
161     if (ptev && h == pteh) {
162         /* Check vsid & api */
163         ptem = pte0 & PTE_PTEM_MASK;
164         mmask = PTE_CHECK_MASK;
165         pp = pte1 & 0x00000003;
166         if (ptem == ctx->ptem) {
167             if (ctx->raddr != (hwaddr)-1ULL) {
168                 /* all matches should have equal RPN, WIMG & PP */
169                 if ((ctx->raddr & mmask) != (pte1 & mmask)) {
170                     qemu_log_mask(CPU_LOG_MMU, "Bad RPN/WIMG/PP\n");
171                     return -3;
172                 }
173             }
174             /* Compute access rights */
175             access = pp_check(ctx->key, pp, ctx->nx);
176             /* Keep the matching PTE information */
177             ctx->raddr = pte1;
178             ctx->prot = access;
179             ret = check_prot(ctx->prot, access_type);
180             if (ret == 0) {
181                 /* Access granted */
182                 qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n");
183             } else {
184                 /* Access right violation */
185                 qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n");
186             }
187         }
188     }
189 
190     return ret;
191 }
192 
193 static int pte_update_flags(mmu_ctx_t *ctx, target_ulong *pte1p,
194                             int ret, MMUAccessType access_type)
195 {
196     int store = 0;
197 
198     /* Update page flags */
199     if (!(*pte1p & 0x00000100)) {
200         /* Update accessed flag */
201         *pte1p |= 0x00000100;
202         store = 1;
203     }
204     if (!(*pte1p & 0x00000080)) {
205         if (access_type == MMU_DATA_STORE && ret == 0) {
206             /* Update changed flag */
207             *pte1p |= 0x00000080;
208             store = 1;
209         } else {
210             /* Force page fault for first write access */
211             ctx->prot &= ~PAGE_WRITE;
212         }
213     }
214 
215     return store;
216 }
217 
218 /* Software driven TLB helpers */
219 
220 static int ppc6xx_tlb_check(CPUPPCState *env, mmu_ctx_t *ctx,
221                             target_ulong eaddr, MMUAccessType access_type)
222 {
223     ppc6xx_tlb_t *tlb;
224     int nr, best, way;
225     int ret;
226 
227     best = -1;
228     ret = -1; /* No TLB found */
229     for (way = 0; way < env->nb_ways; way++) {
230         nr = ppc6xx_tlb_getnum(env, eaddr, way, access_type == MMU_INST_FETCH);
231         tlb = &env->tlb.tlb6[nr];
232         /* This test "emulates" the PTE index match for hardware TLBs */
233         if ((eaddr & TARGET_PAGE_MASK) != tlb->EPN) {
234             LOG_SWTLB("TLB %d/%d %s [" TARGET_FMT_lx " " TARGET_FMT_lx
235                       "] <> " TARGET_FMT_lx "\n", nr, env->nb_tlb,
236                       pte_is_valid(tlb->pte0) ? "valid" : "inval",
237                       tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE, eaddr);
238             continue;
239         }
240         LOG_SWTLB("TLB %d/%d %s " TARGET_FMT_lx " <> " TARGET_FMT_lx " "
241                   TARGET_FMT_lx " %c %c\n", nr, env->nb_tlb,
242                   pte_is_valid(tlb->pte0) ? "valid" : "inval",
243                   tlb->EPN, eaddr, tlb->pte1,
244                   access_type == MMU_DATA_STORE ? 'S' : 'L',
245                   access_type == MMU_INST_FETCH ? 'I' : 'D');
246         switch (ppc6xx_tlb_pte_check(ctx, tlb->pte0, tlb->pte1,
247                                      0, access_type)) {
248         case -3:
249             /* TLB inconsistency */
250             return -1;
251         case -2:
252             /* Access violation */
253             ret = -2;
254             best = nr;
255             break;
256         case -1:
257         default:
258             /* No match */
259             break;
260         case 0:
261             /* access granted */
262             /*
263              * XXX: we should go on looping to check all TLBs
264              *      consistency but we can speed-up the whole thing as
265              *      the result would be undefined if TLBs are not
266              *      consistent.
267              */
268             ret = 0;
269             best = nr;
270             goto done;
271         }
272     }
273     if (best != -1) {
274     done:
275         LOG_SWTLB("found TLB at addr " TARGET_FMT_plx " prot=%01x ret=%d\n",
276                   ctx->raddr & TARGET_PAGE_MASK, ctx->prot, ret);
277         /* Update page flags */
278         pte_update_flags(ctx, &env->tlb.tlb6[best].pte1, ret, access_type);
279     }
280 
281     return ret;
282 }
283 
284 /* Perform BAT hit & translation */
285 static inline void bat_size_prot(CPUPPCState *env, target_ulong *blp,
286                                  int *validp, int *protp, target_ulong *BATu,
287                                  target_ulong *BATl)
288 {
289     target_ulong bl;
290     int pp, valid, prot;
291 
292     bl = (*BATu & 0x00001FFC) << 15;
293     valid = 0;
294     prot = 0;
295     if (((msr_pr == 0) && (*BATu & 0x00000002)) ||
296         ((msr_pr != 0) && (*BATu & 0x00000001))) {
297         valid = 1;
298         pp = *BATl & 0x00000003;
299         if (pp != 0) {
300             prot = PAGE_READ | PAGE_EXEC;
301             if (pp == 0x2) {
302                 prot |= PAGE_WRITE;
303             }
304         }
305     }
306     *blp = bl;
307     *validp = valid;
308     *protp = prot;
309 }
310 
311 static int get_bat_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,
312                            target_ulong virtual, MMUAccessType access_type)
313 {
314     target_ulong *BATlt, *BATut, *BATu, *BATl;
315     target_ulong BEPIl, BEPIu, bl;
316     int i, valid, prot;
317     int ret = -1;
318     bool ifetch = access_type == MMU_INST_FETCH;
319 
320     LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,
321              ifetch ? 'I' : 'D', virtual);
322     if (ifetch) {
323         BATlt = env->IBAT[1];
324         BATut = env->IBAT[0];
325     } else {
326         BATlt = env->DBAT[1];
327         BATut = env->DBAT[0];
328     }
329     for (i = 0; i < env->nb_BATs; i++) {
330         BATu = &BATut[i];
331         BATl = &BATlt[i];
332         BEPIu = *BATu & 0xF0000000;
333         BEPIl = *BATu & 0x0FFE0000;
334         bat_size_prot(env, &bl, &valid, &prot, BATu, BATl);
335         LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
336                  " BATl " TARGET_FMT_lx "\n", __func__,
337                  ifetch ? 'I' : 'D', i, virtual, *BATu, *BATl);
338         if ((virtual & 0xF0000000) == BEPIu &&
339             ((virtual & 0x0FFE0000) & ~bl) == BEPIl) {
340             /* BAT matches */
341             if (valid != 0) {
342                 /* Get physical address */
343                 ctx->raddr = (*BATl & 0xF0000000) |
344                     ((virtual & 0x0FFE0000 & bl) | (*BATl & 0x0FFE0000)) |
345                     (virtual & 0x0001F000);
346                 /* Compute access rights */
347                 ctx->prot = prot;
348                 ret = check_prot(ctx->prot, access_type);
349                 if (ret == 0) {
350                     LOG_BATS("BAT %d match: r " TARGET_FMT_plx " prot=%c%c\n",
351                              i, ctx->raddr, ctx->prot & PAGE_READ ? 'R' : '-',
352                              ctx->prot & PAGE_WRITE ? 'W' : '-');
353                 }
354                 break;
355             }
356         }
357     }
358     if (ret < 0) {
359 #if defined(DEBUG_BATS)
360         if (qemu_log_enabled()) {
361             LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", virtual);
362             for (i = 0; i < 4; i++) {
363                 BATu = &BATut[i];
364                 BATl = &BATlt[i];
365                 BEPIu = *BATu & 0xF0000000;
366                 BEPIl = *BATu & 0x0FFE0000;
367                 bl = (*BATu & 0x00001FFC) << 15;
368                 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
369                          " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
370                          TARGET_FMT_lx " " TARGET_FMT_lx "\n",
371                          __func__, ifetch ? 'I' : 'D', i, virtual,
372                          *BATu, *BATl, BEPIu, BEPIl, bl);
373             }
374         }
375 #endif
376     }
377     /* No hit */
378     return ret;
379 }
380 
381 /* Perform segment based translation */
382 static int get_segment_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,
383                                target_ulong eaddr, MMUAccessType access_type,
384                                int type)
385 {
386     PowerPCCPU *cpu = env_archcpu(env);
387     hwaddr hash;
388     target_ulong vsid;
389     int ds, pr, target_page_bits;
390     int ret;
391     target_ulong sr, pgidx;
392 
393     pr = msr_pr;
394     ctx->eaddr = eaddr;
395 
396     sr = env->sr[eaddr >> 28];
397     ctx->key = (((sr & 0x20000000) && (pr != 0)) ||
398                 ((sr & 0x40000000) && (pr == 0))) ? 1 : 0;
399     ds = sr & 0x80000000 ? 1 : 0;
400     ctx->nx = sr & 0x10000000 ? 1 : 0;
401     vsid = sr & 0x00FFFFFF;
402     target_page_bits = TARGET_PAGE_BITS;
403     qemu_log_mask(CPU_LOG_MMU,
404             "Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx
405             " nip=" TARGET_FMT_lx " lr=" TARGET_FMT_lx
406             " ir=%d dr=%d pr=%d %d t=%d\n",
407             eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, (int)msr_ir,
408             (int)msr_dr, pr != 0 ? 1 : 0, access_type == MMU_DATA_STORE, type);
409     pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits;
410     hash = vsid ^ pgidx;
411     ctx->ptem = (vsid << 7) | (pgidx >> 10);
412 
413     qemu_log_mask(CPU_LOG_MMU,
414             "pte segment: key=%d ds %d nx %d vsid " TARGET_FMT_lx "\n",
415             ctx->key, ds, ctx->nx, vsid);
416     ret = -1;
417     if (!ds) {
418         /* Check if instruction fetch is allowed, if needed */
419         if (type != ACCESS_CODE || ctx->nx == 0) {
420             /* Page address translation */
421             qemu_log_mask(CPU_LOG_MMU, "htab_base " TARGET_FMT_plx
422                     " htab_mask " TARGET_FMT_plx
423                     " hash " TARGET_FMT_plx "\n",
424                     ppc_hash32_hpt_base(cpu), ppc_hash32_hpt_mask(cpu), hash);
425             ctx->hash[0] = hash;
426             ctx->hash[1] = ~hash;
427 
428             /* Initialize real address with an invalid value */
429             ctx->raddr = (hwaddr)-1ULL;
430             /* Software TLB search */
431             ret = ppc6xx_tlb_check(env, ctx, eaddr, access_type);
432 #if defined(DUMP_PAGE_TABLES)
433             if (qemu_loglevel_mask(CPU_LOG_MMU)) {
434                 CPUState *cs = env_cpu(env);
435                 hwaddr curaddr;
436                 uint32_t a0, a1, a2, a3;
437 
438                 qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx
439                          "\n", ppc_hash32_hpt_base(cpu),
440                          ppc_hash32_hpt_mask(cpu) + 0x80);
441                 for (curaddr = ppc_hash32_hpt_base(cpu);
442                      curaddr < (ppc_hash32_hpt_base(cpu)
443                                 + ppc_hash32_hpt_mask(cpu) + 0x80);
444                      curaddr += 16) {
445                     a0 = ldl_phys(cs->as, curaddr);
446                     a1 = ldl_phys(cs->as, curaddr + 4);
447                     a2 = ldl_phys(cs->as, curaddr + 8);
448                     a3 = ldl_phys(cs->as, curaddr + 12);
449                     if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) {
450                         qemu_log(TARGET_FMT_plx ": %08x %08x %08x %08x\n",
451                                  curaddr, a0, a1, a2, a3);
452                     }
453                 }
454             }
455 #endif
456         } else {
457             qemu_log_mask(CPU_LOG_MMU, "No access allowed\n");
458             ret = -3;
459         }
460     } else {
461         target_ulong sr;
462 
463         qemu_log_mask(CPU_LOG_MMU, "direct store...\n");
464         /* Direct-store segment : absolutely *BUGGY* for now */
465 
466         /*
467          * Direct-store implies a 32-bit MMU.
468          * Check the Segment Register's bus unit ID (BUID).
469          */
470         sr = env->sr[eaddr >> 28];
471         if ((sr & 0x1FF00000) >> 20 == 0x07f) {
472             /*
473              * Memory-forced I/O controller interface access
474              *
475              * If T=1 and BUID=x'07F', the 601 performs a memory
476              * access to SR[28-31] LA[4-31], bypassing all protection
477              * mechanisms.
478              */
479             ctx->raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);
480             ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
481             return 0;
482         }
483 
484         switch (type) {
485         case ACCESS_INT:
486             /* Integer load/store : only access allowed */
487             break;
488         case ACCESS_CODE:
489             /* No code fetch is allowed in direct-store areas */
490             return -4;
491         case ACCESS_FLOAT:
492             /* Floating point load/store */
493             return -4;
494         case ACCESS_RES:
495             /* lwarx, ldarx or srwcx. */
496             return -4;
497         case ACCESS_CACHE:
498             /*
499              * dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi
500              *
501              * Should make the instruction do no-op.  As it already do
502              * no-op, it's quite easy :-)
503              */
504             ctx->raddr = eaddr;
505             return 0;
506         case ACCESS_EXT:
507             /* eciwx or ecowx */
508             return -4;
509         default:
510             qemu_log_mask(CPU_LOG_MMU, "ERROR: instruction should not need "
511                           "address translation\n");
512             return -4;
513         }
514         if ((access_type == MMU_DATA_STORE || ctx->key != 1) &&
515             (access_type == MMU_DATA_LOAD || ctx->key != 0)) {
516             ctx->raddr = eaddr;
517             ret = 2;
518         } else {
519             ret = -2;
520         }
521     }
522 
523     return ret;
524 }
525 
526 /* Generic TLB check function for embedded PowerPC implementations */
527 int ppcemb_tlb_check(CPUPPCState *env, ppcemb_tlb_t *tlb,
528                             hwaddr *raddrp,
529                             target_ulong address, uint32_t pid, int ext,
530                             int i)
531 {
532     target_ulong mask;
533 
534     /* Check valid flag */
535     if (!(tlb->prot & PAGE_VALID)) {
536         return -1;
537     }
538     mask = ~(tlb->size - 1);
539     LOG_SWTLB("%s: TLB %d address " TARGET_FMT_lx " PID %u <=> " TARGET_FMT_lx
540               " " TARGET_FMT_lx " %u %x\n", __func__, i, address, pid, tlb->EPN,
541               mask, (uint32_t)tlb->PID, tlb->prot);
542     /* Check PID */
543     if (tlb->PID != 0 && tlb->PID != pid) {
544         return -1;
545     }
546     /* Check effective address */
547     if ((address & mask) != tlb->EPN) {
548         return -1;
549     }
550     *raddrp = (tlb->RPN & mask) | (address & ~mask);
551     if (ext) {
552         /* Extend the physical address to 36 bits */
553         *raddrp |= (uint64_t)(tlb->RPN & 0xF) << 32;
554     }
555 
556     return 0;
557 }
558 
559 static int mmu40x_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
560                                        target_ulong address,
561                                        MMUAccessType access_type)
562 {
563     ppcemb_tlb_t *tlb;
564     hwaddr raddr;
565     int i, ret, zsel, zpr, pr;
566 
567     ret = -1;
568     raddr = (hwaddr)-1ULL;
569     pr = msr_pr;
570     for (i = 0; i < env->nb_tlb; i++) {
571         tlb = &env->tlb.tlbe[i];
572         if (ppcemb_tlb_check(env, tlb, &raddr, address,
573                              env->spr[SPR_40x_PID], 0, i) < 0) {
574             continue;
575         }
576         zsel = (tlb->attr >> 4) & 0xF;
577         zpr = (env->spr[SPR_40x_ZPR] >> (30 - (2 * zsel))) & 0x3;
578         LOG_SWTLB("%s: TLB %d zsel %d zpr %d ty %d attr %08x\n",
579                     __func__, i, zsel, zpr, access_type, tlb->attr);
580         /* Check execute enable bit */
581         switch (zpr) {
582         case 0x2:
583             if (pr != 0) {
584                 goto check_perms;
585             }
586             /* fall through */
587         case 0x3:
588             /* All accesses granted */
589             ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
590             ret = 0;
591             break;
592         case 0x0:
593             if (pr != 0) {
594                 /* Raise Zone protection fault.  */
595                 env->spr[SPR_40x_ESR] = 1 << 22;
596                 ctx->prot = 0;
597                 ret = -2;
598                 break;
599             }
600             /* fall through */
601         case 0x1:
602         check_perms:
603             /* Check from TLB entry */
604             ctx->prot = tlb->prot;
605             ret = check_prot(ctx->prot, access_type);
606             if (ret == -2) {
607                 env->spr[SPR_40x_ESR] = 0;
608             }
609             break;
610         }
611         if (ret >= 0) {
612             ctx->raddr = raddr;
613             LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
614                       " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
615                       ret);
616             return 0;
617         }
618     }
619     LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
620               " %d %d\n", __func__, address, raddr, ctx->prot, ret);
621 
622     return ret;
623 }
624 
625 static int mmubooke_check_tlb(CPUPPCState *env, ppcemb_tlb_t *tlb,
626                               hwaddr *raddr, int *prot, target_ulong address,
627                               MMUAccessType access_type, int i)
628 {
629     int prot2;
630 
631     if (ppcemb_tlb_check(env, tlb, raddr, address,
632                          env->spr[SPR_BOOKE_PID],
633                          !env->nb_pids, i) >= 0) {
634         goto found_tlb;
635     }
636 
637     if (env->spr[SPR_BOOKE_PID1] &&
638         ppcemb_tlb_check(env, tlb, raddr, address,
639                          env->spr[SPR_BOOKE_PID1], 0, i) >= 0) {
640         goto found_tlb;
641     }
642 
643     if (env->spr[SPR_BOOKE_PID2] &&
644         ppcemb_tlb_check(env, tlb, raddr, address,
645                          env->spr[SPR_BOOKE_PID2], 0, i) >= 0) {
646         goto found_tlb;
647     }
648 
649     LOG_SWTLB("%s: TLB entry not found\n", __func__);
650     return -1;
651 
652 found_tlb:
653 
654     if (msr_pr != 0) {
655         prot2 = tlb->prot & 0xF;
656     } else {
657         prot2 = (tlb->prot >> 4) & 0xF;
658     }
659 
660     /* Check the address space */
661     if ((access_type == MMU_INST_FETCH ? msr_ir : msr_dr) != (tlb->attr & 1)) {
662         LOG_SWTLB("%s: AS doesn't match\n", __func__);
663         return -1;
664     }
665 
666     *prot = prot2;
667     if (prot2 & prot_for_access_type(access_type)) {
668         LOG_SWTLB("%s: good TLB!\n", __func__);
669         return 0;
670     }
671 
672     LOG_SWTLB("%s: no prot match: %x\n", __func__, prot2);
673     return access_type == MMU_INST_FETCH ? -3 : -2;
674 }
675 
676 static int mmubooke_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
677                                          target_ulong address,
678                                          MMUAccessType access_type)
679 {
680     ppcemb_tlb_t *tlb;
681     hwaddr raddr;
682     int i, ret;
683 
684     ret = -1;
685     raddr = (hwaddr)-1ULL;
686     for (i = 0; i < env->nb_tlb; i++) {
687         tlb = &env->tlb.tlbe[i];
688         ret = mmubooke_check_tlb(env, tlb, &raddr, &ctx->prot, address,
689                                  access_type, i);
690         if (ret != -1) {
691             break;
692         }
693     }
694 
695     if (ret >= 0) {
696         ctx->raddr = raddr;
697         LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
698                   " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
699                   ret);
700     } else {
701         LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
702                   " %d %d\n", __func__, address, raddr, ctx->prot, ret);
703     }
704 
705     return ret;
706 }
707 
708 hwaddr booke206_tlb_to_page_size(CPUPPCState *env,
709                                         ppcmas_tlb_t *tlb)
710 {
711     int tlbm_size;
712 
713     tlbm_size = (tlb->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
714 
715     return 1024ULL << tlbm_size;
716 }
717 
718 /* TLB check function for MAS based SoftTLBs */
719 int ppcmas_tlb_check(CPUPPCState *env, ppcmas_tlb_t *tlb,
720                             hwaddr *raddrp, target_ulong address,
721                             uint32_t pid)
722 {
723     hwaddr mask;
724     uint32_t tlb_pid;
725 
726     if (!msr_cm) {
727         /* In 32bit mode we can only address 32bit EAs */
728         address = (uint32_t)address;
729     }
730 
731     /* Check valid flag */
732     if (!(tlb->mas1 & MAS1_VALID)) {
733         return -1;
734     }
735 
736     mask = ~(booke206_tlb_to_page_size(env, tlb) - 1);
737     LOG_SWTLB("%s: TLB ADDR=0x" TARGET_FMT_lx " PID=0x%x MAS1=0x%x MAS2=0x%"
738               PRIx64 " mask=0x%" HWADDR_PRIx " MAS7_3=0x%" PRIx64 " MAS8=0x%"
739               PRIx32 "\n", __func__, address, pid, tlb->mas1, tlb->mas2, mask,
740               tlb->mas7_3, tlb->mas8);
741 
742     /* Check PID */
743     tlb_pid = (tlb->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT;
744     if (tlb_pid != 0 && tlb_pid != pid) {
745         return -1;
746     }
747 
748     /* Check effective address */
749     if ((address & mask) != (tlb->mas2 & MAS2_EPN_MASK)) {
750         return -1;
751     }
752 
753     if (raddrp) {
754         *raddrp = (tlb->mas7_3 & mask) | (address & ~mask);
755     }
756 
757     return 0;
758 }
759 
760 static bool is_epid_mmu(int mmu_idx)
761 {
762     return mmu_idx == PPC_TLB_EPID_STORE || mmu_idx == PPC_TLB_EPID_LOAD;
763 }
764 
765 static uint32_t mmubooke206_esr(int mmu_idx, MMUAccessType access_type)
766 {
767     uint32_t esr = 0;
768     if (access_type == MMU_DATA_STORE) {
769         esr |= ESR_ST;
770     }
771     if (is_epid_mmu(mmu_idx)) {
772         esr |= ESR_EPID;
773     }
774     return esr;
775 }
776 
777 /*
778  * Get EPID register given the mmu_idx. If this is regular load,
779  * construct the EPID access bits from current processor state
780  *
781  * Get the effective AS and PR bits and the PID. The PID is returned
782  * only if EPID load is requested, otherwise the caller must detect
783  * the correct EPID.  Return true if valid EPID is returned.
784  */
785 static bool mmubooke206_get_as(CPUPPCState *env,
786                                int mmu_idx, uint32_t *epid_out,
787                                bool *as_out, bool *pr_out)
788 {
789     if (is_epid_mmu(mmu_idx)) {
790         uint32_t epidr;
791         if (mmu_idx == PPC_TLB_EPID_STORE) {
792             epidr = env->spr[SPR_BOOKE_EPSC];
793         } else {
794             epidr = env->spr[SPR_BOOKE_EPLC];
795         }
796         *epid_out = (epidr & EPID_EPID) >> EPID_EPID_SHIFT;
797         *as_out = !!(epidr & EPID_EAS);
798         *pr_out = !!(epidr & EPID_EPR);
799         return true;
800     } else {
801         *as_out = msr_ds;
802         *pr_out = msr_pr;
803         return false;
804     }
805 }
806 
807 /* Check if the tlb found by hashing really matches */
808 static int mmubooke206_check_tlb(CPUPPCState *env, ppcmas_tlb_t *tlb,
809                                  hwaddr *raddr, int *prot,
810                                  target_ulong address,
811                                  MMUAccessType access_type, int mmu_idx)
812 {
813     int prot2 = 0;
814     uint32_t epid;
815     bool as, pr;
816     bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr);
817 
818     if (!use_epid) {
819         if (ppcmas_tlb_check(env, tlb, raddr, address,
820                              env->spr[SPR_BOOKE_PID]) >= 0) {
821             goto found_tlb;
822         }
823 
824         if (env->spr[SPR_BOOKE_PID1] &&
825             ppcmas_tlb_check(env, tlb, raddr, address,
826                              env->spr[SPR_BOOKE_PID1]) >= 0) {
827             goto found_tlb;
828         }
829 
830         if (env->spr[SPR_BOOKE_PID2] &&
831             ppcmas_tlb_check(env, tlb, raddr, address,
832                              env->spr[SPR_BOOKE_PID2]) >= 0) {
833             goto found_tlb;
834         }
835     } else {
836         if (ppcmas_tlb_check(env, tlb, raddr, address, epid) >= 0) {
837             goto found_tlb;
838         }
839     }
840 
841     LOG_SWTLB("%s: TLB entry not found\n", __func__);
842     return -1;
843 
844 found_tlb:
845 
846     if (pr) {
847         if (tlb->mas7_3 & MAS3_UR) {
848             prot2 |= PAGE_READ;
849         }
850         if (tlb->mas7_3 & MAS3_UW) {
851             prot2 |= PAGE_WRITE;
852         }
853         if (tlb->mas7_3 & MAS3_UX) {
854             prot2 |= PAGE_EXEC;
855         }
856     } else {
857         if (tlb->mas7_3 & MAS3_SR) {
858             prot2 |= PAGE_READ;
859         }
860         if (tlb->mas7_3 & MAS3_SW) {
861             prot2 |= PAGE_WRITE;
862         }
863         if (tlb->mas7_3 & MAS3_SX) {
864             prot2 |= PAGE_EXEC;
865         }
866     }
867 
868     /* Check the address space and permissions */
869     if (access_type == MMU_INST_FETCH) {
870         /* There is no way to fetch code using epid load */
871         assert(!use_epid);
872         as = msr_ir;
873     }
874 
875     if (as != ((tlb->mas1 & MAS1_TS) >> MAS1_TS_SHIFT)) {
876         LOG_SWTLB("%s: AS doesn't match\n", __func__);
877         return -1;
878     }
879 
880     *prot = prot2;
881     if (prot2 & prot_for_access_type(access_type)) {
882         LOG_SWTLB("%s: good TLB!\n", __func__);
883         return 0;
884     }
885 
886     LOG_SWTLB("%s: no prot match: %x\n", __func__, prot2);
887     return access_type == MMU_INST_FETCH ? -3 : -2;
888 }
889 
890 static int mmubooke206_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
891                                             target_ulong address,
892                                             MMUAccessType access_type,
893                                             int mmu_idx)
894 {
895     ppcmas_tlb_t *tlb;
896     hwaddr raddr;
897     int i, j, ret;
898 
899     ret = -1;
900     raddr = (hwaddr)-1ULL;
901 
902     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
903         int ways = booke206_tlb_ways(env, i);
904 
905         for (j = 0; j < ways; j++) {
906             tlb = booke206_get_tlbm(env, i, address, j);
907             if (!tlb) {
908                 continue;
909             }
910             ret = mmubooke206_check_tlb(env, tlb, &raddr, &ctx->prot, address,
911                                         access_type, mmu_idx);
912             if (ret != -1) {
913                 goto found_tlb;
914             }
915         }
916     }
917 
918 found_tlb:
919 
920     if (ret >= 0) {
921         ctx->raddr = raddr;
922         LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
923                   " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
924                   ret);
925     } else {
926         LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
927                   " %d %d\n", __func__, address, raddr, ctx->prot, ret);
928     }
929 
930     return ret;
931 }
932 
933 static const char *book3e_tsize_to_str[32] = {
934     "1K", "2K", "4K", "8K", "16K", "32K", "64K", "128K", "256K", "512K",
935     "1M", "2M", "4M", "8M", "16M", "32M", "64M", "128M", "256M", "512M",
936     "1G", "2G", "4G", "8G", "16G", "32G", "64G", "128G", "256G", "512G",
937     "1T", "2T"
938 };
939 
940 static void mmubooke_dump_mmu(CPUPPCState *env)
941 {
942     ppcemb_tlb_t *entry;
943     int i;
944 
945     if (kvm_enabled() && !env->kvm_sw_tlb) {
946         qemu_printf("Cannot access KVM TLB\n");
947         return;
948     }
949 
950     qemu_printf("\nTLB:\n");
951     qemu_printf("Effective          Physical           Size PID   Prot     "
952                 "Attr\n");
953 
954     entry = &env->tlb.tlbe[0];
955     for (i = 0; i < env->nb_tlb; i++, entry++) {
956         hwaddr ea, pa;
957         target_ulong mask;
958         uint64_t size = (uint64_t)entry->size;
959         char size_buf[20];
960 
961         /* Check valid flag */
962         if (!(entry->prot & PAGE_VALID)) {
963             continue;
964         }
965 
966         mask = ~(entry->size - 1);
967         ea = entry->EPN & mask;
968         pa = entry->RPN & mask;
969         /* Extend the physical address to 36 bits */
970         pa |= (hwaddr)(entry->RPN & 0xF) << 32;
971         if (size >= 1 * MiB) {
972             snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "M", size / MiB);
973         } else {
974             snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "k", size / KiB);
975         }
976         qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %s %-5u %08x %08x\n",
977                     (uint64_t)ea, (uint64_t)pa, size_buf, (uint32_t)entry->PID,
978                     entry->prot, entry->attr);
979     }
980 
981 }
982 
983 static void mmubooke206_dump_one_tlb(CPUPPCState *env, int tlbn, int offset,
984                                      int tlbsize)
985 {
986     ppcmas_tlb_t *entry;
987     int i;
988 
989     qemu_printf("\nTLB%d:\n", tlbn);
990     qemu_printf("Effective          Physical           Size TID   TS SRWX"
991                 " URWX WIMGE U0123\n");
992 
993     entry = &env->tlb.tlbm[offset];
994     for (i = 0; i < tlbsize; i++, entry++) {
995         hwaddr ea, pa, size;
996         int tsize;
997 
998         if (!(entry->mas1 & MAS1_VALID)) {
999             continue;
1000         }
1001 
1002         tsize = (entry->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
1003         size = 1024ULL << tsize;
1004         ea = entry->mas2 & ~(size - 1);
1005         pa = entry->mas7_3 & ~(size - 1);
1006 
1007         qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %4s %-5u %1u  S%c%c%c"
1008                     "U%c%c%c %c%c%c%c%c U%c%c%c%c\n",
1009                     (uint64_t)ea, (uint64_t)pa,
1010                     book3e_tsize_to_str[tsize],
1011                     (entry->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT,
1012                     (entry->mas1 & MAS1_TS) >> MAS1_TS_SHIFT,
1013                     entry->mas7_3 & MAS3_SR ? 'R' : '-',
1014                     entry->mas7_3 & MAS3_SW ? 'W' : '-',
1015                     entry->mas7_3 & MAS3_SX ? 'X' : '-',
1016                     entry->mas7_3 & MAS3_UR ? 'R' : '-',
1017                     entry->mas7_3 & MAS3_UW ? 'W' : '-',
1018                     entry->mas7_3 & MAS3_UX ? 'X' : '-',
1019                     entry->mas2 & MAS2_W ? 'W' : '-',
1020                     entry->mas2 & MAS2_I ? 'I' : '-',
1021                     entry->mas2 & MAS2_M ? 'M' : '-',
1022                     entry->mas2 & MAS2_G ? 'G' : '-',
1023                     entry->mas2 & MAS2_E ? 'E' : '-',
1024                     entry->mas7_3 & MAS3_U0 ? '0' : '-',
1025                     entry->mas7_3 & MAS3_U1 ? '1' : '-',
1026                     entry->mas7_3 & MAS3_U2 ? '2' : '-',
1027                     entry->mas7_3 & MAS3_U3 ? '3' : '-');
1028     }
1029 }
1030 
1031 static void mmubooke206_dump_mmu(CPUPPCState *env)
1032 {
1033     int offset = 0;
1034     int i;
1035 
1036     if (kvm_enabled() && !env->kvm_sw_tlb) {
1037         qemu_printf("Cannot access KVM TLB\n");
1038         return;
1039     }
1040 
1041     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
1042         int size = booke206_tlb_size(env, i);
1043 
1044         if (size == 0) {
1045             continue;
1046         }
1047 
1048         mmubooke206_dump_one_tlb(env, i, offset, size);
1049         offset += size;
1050     }
1051 }
1052 
1053 static void mmu6xx_dump_BATs(CPUPPCState *env, int type)
1054 {
1055     target_ulong *BATlt, *BATut, *BATu, *BATl;
1056     target_ulong BEPIl, BEPIu, bl;
1057     int i;
1058 
1059     switch (type) {
1060     case ACCESS_CODE:
1061         BATlt = env->IBAT[1];
1062         BATut = env->IBAT[0];
1063         break;
1064     default:
1065         BATlt = env->DBAT[1];
1066         BATut = env->DBAT[0];
1067         break;
1068     }
1069 
1070     for (i = 0; i < env->nb_BATs; i++) {
1071         BATu = &BATut[i];
1072         BATl = &BATlt[i];
1073         BEPIu = *BATu & 0xF0000000;
1074         BEPIl = *BATu & 0x0FFE0000;
1075         bl = (*BATu & 0x00001FFC) << 15;
1076         qemu_printf("%s BAT%d BATu " TARGET_FMT_lx
1077                     " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
1078                     TARGET_FMT_lx " " TARGET_FMT_lx "\n",
1079                     type == ACCESS_CODE ? "code" : "data", i,
1080                     *BATu, *BATl, BEPIu, BEPIl, bl);
1081     }
1082 }
1083 
1084 static void mmu6xx_dump_mmu(CPUPPCState *env)
1085 {
1086     PowerPCCPU *cpu = env_archcpu(env);
1087     ppc6xx_tlb_t *tlb;
1088     target_ulong sr;
1089     int type, way, entry, i;
1090 
1091     qemu_printf("HTAB base = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_base(cpu));
1092     qemu_printf("HTAB mask = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_mask(cpu));
1093 
1094     qemu_printf("\nSegment registers:\n");
1095     for (i = 0; i < 32; i++) {
1096         sr = env->sr[i];
1097         if (sr & 0x80000000) {
1098             qemu_printf("%02d T=%d Ks=%d Kp=%d BUID=0x%03x "
1099                         "CNTLR_SPEC=0x%05x\n", i,
1100                         sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0,
1101                         sr & 0x20000000 ? 1 : 0, (uint32_t)((sr >> 20) & 0x1FF),
1102                         (uint32_t)(sr & 0xFFFFF));
1103         } else {
1104             qemu_printf("%02d T=%d Ks=%d Kp=%d N=%d VSID=0x%06x\n", i,
1105                         sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0,
1106                         sr & 0x20000000 ? 1 : 0, sr & 0x10000000 ? 1 : 0,
1107                         (uint32_t)(sr & 0x00FFFFFF));
1108         }
1109     }
1110 
1111     qemu_printf("\nBATs:\n");
1112     mmu6xx_dump_BATs(env, ACCESS_INT);
1113     mmu6xx_dump_BATs(env, ACCESS_CODE);
1114 
1115     if (env->id_tlbs != 1) {
1116         qemu_printf("ERROR: 6xx MMU should have separated TLB"
1117                     " for code and data\n");
1118     }
1119 
1120     qemu_printf("\nTLBs                       [EPN    EPN + SIZE]\n");
1121 
1122     for (type = 0; type < 2; type++) {
1123         for (way = 0; way < env->nb_ways; way++) {
1124             for (entry = env->nb_tlb * type + env->tlb_per_way * way;
1125                  entry < (env->nb_tlb * type + env->tlb_per_way * (way + 1));
1126                  entry++) {
1127 
1128                 tlb = &env->tlb.tlb6[entry];
1129                 qemu_printf("%s TLB %02d/%02d way:%d %s ["
1130                             TARGET_FMT_lx " " TARGET_FMT_lx "]\n",
1131                             type ? "code" : "data", entry % env->nb_tlb,
1132                             env->nb_tlb, way,
1133                             pte_is_valid(tlb->pte0) ? "valid" : "inval",
1134                             tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE);
1135             }
1136         }
1137     }
1138 }
1139 
1140 void dump_mmu(CPUPPCState *env)
1141 {
1142     switch (env->mmu_model) {
1143     case POWERPC_MMU_BOOKE:
1144         mmubooke_dump_mmu(env);
1145         break;
1146     case POWERPC_MMU_BOOKE206:
1147         mmubooke206_dump_mmu(env);
1148         break;
1149     case POWERPC_MMU_SOFT_6xx:
1150     case POWERPC_MMU_SOFT_74xx:
1151         mmu6xx_dump_mmu(env);
1152         break;
1153 #if defined(TARGET_PPC64)
1154     case POWERPC_MMU_64B:
1155     case POWERPC_MMU_2_03:
1156     case POWERPC_MMU_2_06:
1157     case POWERPC_MMU_2_07:
1158         dump_slb(env_archcpu(env));
1159         break;
1160     case POWERPC_MMU_3_00:
1161         if (ppc64_v3_radix(env_archcpu(env))) {
1162             qemu_log_mask(LOG_UNIMP, "%s: the PPC64 MMU is unsupported\n",
1163                           __func__);
1164         } else {
1165             dump_slb(env_archcpu(env));
1166         }
1167         break;
1168 #endif
1169     default:
1170         qemu_log_mask(LOG_UNIMP, "%s: unimplemented\n", __func__);
1171     }
1172 }
1173 
1174 static int check_physical(CPUPPCState *env, mmu_ctx_t *ctx, target_ulong eaddr,
1175                           MMUAccessType access_type)
1176 {
1177     int in_plb, ret;
1178 
1179     ctx->raddr = eaddr;
1180     ctx->prot = PAGE_READ | PAGE_EXEC;
1181     ret = 0;
1182     switch (env->mmu_model) {
1183     case POWERPC_MMU_SOFT_6xx:
1184     case POWERPC_MMU_SOFT_74xx:
1185     case POWERPC_MMU_SOFT_4xx:
1186     case POWERPC_MMU_REAL:
1187     case POWERPC_MMU_BOOKE:
1188         ctx->prot |= PAGE_WRITE;
1189         break;
1190 
1191     case POWERPC_MMU_SOFT_4xx_Z:
1192         if (unlikely(msr_pe != 0)) {
1193             /*
1194              * 403 family add some particular protections, using
1195              * PBL/PBU registers for accesses with no translation.
1196              */
1197             in_plb =
1198                 /* Check PLB validity */
1199                 (env->pb[0] < env->pb[1] &&
1200                  /* and address in plb area */
1201                  eaddr >= env->pb[0] && eaddr < env->pb[1]) ||
1202                 (env->pb[2] < env->pb[3] &&
1203                  eaddr >= env->pb[2] && eaddr < env->pb[3]) ? 1 : 0;
1204             if (in_plb ^ msr_px) {
1205                 /* Access in protected area */
1206                 if (access_type == MMU_DATA_STORE) {
1207                     /* Access is not allowed */
1208                     ret = -2;
1209                 }
1210             } else {
1211                 /* Read-write access is allowed */
1212                 ctx->prot |= PAGE_WRITE;
1213             }
1214         }
1215         break;
1216 
1217     default:
1218         /* Caller's checks mean we should never get here for other models */
1219         abort();
1220         return -1;
1221     }
1222 
1223     return ret;
1224 }
1225 
1226 int get_physical_address_wtlb(CPUPPCState *env, mmu_ctx_t *ctx,
1227                                      target_ulong eaddr,
1228                                      MMUAccessType access_type, int type,
1229                                      int mmu_idx)
1230 {
1231     int ret = -1;
1232     bool real_mode = (type == ACCESS_CODE && msr_ir == 0)
1233         || (type != ACCESS_CODE && msr_dr == 0);
1234 
1235     switch (env->mmu_model) {
1236     case POWERPC_MMU_SOFT_6xx:
1237     case POWERPC_MMU_SOFT_74xx:
1238         if (real_mode) {
1239             ret = check_physical(env, ctx, eaddr, access_type);
1240         } else {
1241             /* Try to find a BAT */
1242             if (env->nb_BATs != 0) {
1243                 ret = get_bat_6xx_tlb(env, ctx, eaddr, access_type);
1244             }
1245             if (ret < 0) {
1246                 /* We didn't match any BAT entry or don't have BATs */
1247                 ret = get_segment_6xx_tlb(env, ctx, eaddr, access_type, type);
1248             }
1249         }
1250         break;
1251 
1252     case POWERPC_MMU_SOFT_4xx:
1253     case POWERPC_MMU_SOFT_4xx_Z:
1254         if (real_mode) {
1255             ret = check_physical(env, ctx, eaddr, access_type);
1256         } else {
1257             ret = mmu40x_get_physical_address(env, ctx, eaddr, access_type);
1258         }
1259         break;
1260     case POWERPC_MMU_BOOKE:
1261         ret = mmubooke_get_physical_address(env, ctx, eaddr, access_type);
1262         break;
1263     case POWERPC_MMU_BOOKE206:
1264         ret = mmubooke206_get_physical_address(env, ctx, eaddr, access_type,
1265                                                mmu_idx);
1266         break;
1267     case POWERPC_MMU_MPC8xx:
1268         /* XXX: TODO */
1269         cpu_abort(env_cpu(env), "MPC8xx MMU model is not implemented\n");
1270         break;
1271     case POWERPC_MMU_REAL:
1272         if (real_mode) {
1273             ret = check_physical(env, ctx, eaddr, access_type);
1274         } else {
1275             cpu_abort(env_cpu(env),
1276                       "PowerPC in real mode do not do any translation\n");
1277         }
1278         return -1;
1279     default:
1280         cpu_abort(env_cpu(env), "Unknown or invalid MMU model\n");
1281         return -1;
1282     }
1283 
1284     return ret;
1285 }
1286 
1287 static void booke206_update_mas_tlb_miss(CPUPPCState *env, target_ulong address,
1288                                          MMUAccessType access_type, int mmu_idx)
1289 {
1290     uint32_t epid;
1291     bool as, pr;
1292     uint32_t missed_tid = 0;
1293     bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr);
1294 
1295     if (access_type == MMU_INST_FETCH) {
1296         as = msr_ir;
1297     }
1298     env->spr[SPR_BOOKE_MAS0] = env->spr[SPR_BOOKE_MAS4] & MAS4_TLBSELD_MASK;
1299     env->spr[SPR_BOOKE_MAS1] = env->spr[SPR_BOOKE_MAS4] & MAS4_TSIZED_MASK;
1300     env->spr[SPR_BOOKE_MAS2] = env->spr[SPR_BOOKE_MAS4] & MAS4_WIMGED_MASK;
1301     env->spr[SPR_BOOKE_MAS3] = 0;
1302     env->spr[SPR_BOOKE_MAS6] = 0;
1303     env->spr[SPR_BOOKE_MAS7] = 0;
1304 
1305     /* AS */
1306     if (as) {
1307         env->spr[SPR_BOOKE_MAS1] |= MAS1_TS;
1308         env->spr[SPR_BOOKE_MAS6] |= MAS6_SAS;
1309     }
1310 
1311     env->spr[SPR_BOOKE_MAS1] |= MAS1_VALID;
1312     env->spr[SPR_BOOKE_MAS2] |= address & MAS2_EPN_MASK;
1313 
1314     if (!use_epid) {
1315         switch (env->spr[SPR_BOOKE_MAS4] & MAS4_TIDSELD_PIDZ) {
1316         case MAS4_TIDSELD_PID0:
1317             missed_tid = env->spr[SPR_BOOKE_PID];
1318             break;
1319         case MAS4_TIDSELD_PID1:
1320             missed_tid = env->spr[SPR_BOOKE_PID1];
1321             break;
1322         case MAS4_TIDSELD_PID2:
1323             missed_tid = env->spr[SPR_BOOKE_PID2];
1324             break;
1325         }
1326         env->spr[SPR_BOOKE_MAS6] |= env->spr[SPR_BOOKE_PID] << 16;
1327     } else {
1328         missed_tid = epid;
1329         env->spr[SPR_BOOKE_MAS6] |= missed_tid << 16;
1330     }
1331     env->spr[SPR_BOOKE_MAS1] |= (missed_tid << MAS1_TID_SHIFT);
1332 
1333 
1334     /* next victim logic */
1335     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_ESEL_SHIFT;
1336     env->last_way++;
1337     env->last_way &= booke206_tlb_ways(env, 0) - 1;
1338     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_NV_SHIFT;
1339 }
1340 
1341 /* Perform address translation */
1342 /* TODO: Split this by mmu_model. */
1343 static bool ppc_jumbo_xlate(PowerPCCPU *cpu, vaddr eaddr,
1344                             MMUAccessType access_type,
1345                             hwaddr *raddrp, int *psizep, int *protp,
1346                             int mmu_idx, bool guest_visible)
1347 {
1348     CPUState *cs = CPU(cpu);
1349     CPUPPCState *env = &cpu->env;
1350     mmu_ctx_t ctx;
1351     int type;
1352     int ret;
1353 
1354     if (access_type == MMU_INST_FETCH) {
1355         /* code access */
1356         type = ACCESS_CODE;
1357     } else if (guest_visible) {
1358         /* data access */
1359         type = env->access_type;
1360     } else {
1361         type = ACCESS_INT;
1362     }
1363 
1364     ret = get_physical_address_wtlb(env, &ctx, eaddr, access_type,
1365                                     type, mmu_idx);
1366     if (ret == 0) {
1367         *raddrp = ctx.raddr;
1368         *protp = ctx.prot;
1369         *psizep = TARGET_PAGE_BITS;
1370         return true;
1371     }
1372 
1373     if (guest_visible) {
1374         LOG_MMU_STATE(cs);
1375         if (type == ACCESS_CODE) {
1376             switch (ret) {
1377             case -1:
1378                 /* No matches in page tables or TLB */
1379                 switch (env->mmu_model) {
1380                 case POWERPC_MMU_SOFT_6xx:
1381                     cs->exception_index = POWERPC_EXCP_IFTLB;
1382                     env->error_code = 1 << 18;
1383                     env->spr[SPR_IMISS] = eaddr;
1384                     env->spr[SPR_ICMP] = 0x80000000 | ctx.ptem;
1385                     goto tlb_miss;
1386                 case POWERPC_MMU_SOFT_74xx:
1387                     cs->exception_index = POWERPC_EXCP_IFTLB;
1388                     goto tlb_miss_74xx;
1389                 case POWERPC_MMU_SOFT_4xx:
1390                 case POWERPC_MMU_SOFT_4xx_Z:
1391                     cs->exception_index = POWERPC_EXCP_ITLB;
1392                     env->error_code = 0;
1393                     env->spr[SPR_40x_DEAR] = eaddr;
1394                     env->spr[SPR_40x_ESR] = 0x00000000;
1395                     break;
1396                 case POWERPC_MMU_BOOKE206:
1397                     booke206_update_mas_tlb_miss(env, eaddr, 2, mmu_idx);
1398                     /* fall through */
1399                 case POWERPC_MMU_BOOKE:
1400                     cs->exception_index = POWERPC_EXCP_ITLB;
1401                     env->error_code = 0;
1402                     env->spr[SPR_BOOKE_DEAR] = eaddr;
1403                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, MMU_DATA_LOAD);
1404                     break;
1405                 case POWERPC_MMU_MPC8xx:
1406                     cpu_abort(cs, "MPC8xx MMU model is not implemented\n");
1407                 case POWERPC_MMU_REAL:
1408                     cpu_abort(cs, "PowerPC in real mode should never raise "
1409                               "any MMU exceptions\n");
1410                 default:
1411                     cpu_abort(cs, "Unknown or invalid MMU model\n");
1412                 }
1413                 break;
1414             case -2:
1415                 /* Access rights violation */
1416                 cs->exception_index = POWERPC_EXCP_ISI;
1417                 env->error_code = 0x08000000;
1418                 break;
1419             case -3:
1420                 /* No execute protection violation */
1421                 if ((env->mmu_model == POWERPC_MMU_BOOKE) ||
1422                     (env->mmu_model == POWERPC_MMU_BOOKE206)) {
1423                     env->spr[SPR_BOOKE_ESR] = 0x00000000;
1424                 }
1425                 cs->exception_index = POWERPC_EXCP_ISI;
1426                 env->error_code = 0x10000000;
1427                 break;
1428             case -4:
1429                 /* Direct store exception */
1430                 /* No code fetch is allowed in direct-store areas */
1431                 cs->exception_index = POWERPC_EXCP_ISI;
1432                 env->error_code = 0x10000000;
1433                 break;
1434             }
1435         } else {
1436             switch (ret) {
1437             case -1:
1438                 /* No matches in page tables or TLB */
1439                 switch (env->mmu_model) {
1440                 case POWERPC_MMU_SOFT_6xx:
1441                     if (access_type == MMU_DATA_STORE) {
1442                         cs->exception_index = POWERPC_EXCP_DSTLB;
1443                         env->error_code = 1 << 16;
1444                     } else {
1445                         cs->exception_index = POWERPC_EXCP_DLTLB;
1446                         env->error_code = 0;
1447                     }
1448                     env->spr[SPR_DMISS] = eaddr;
1449                     env->spr[SPR_DCMP] = 0x80000000 | ctx.ptem;
1450                 tlb_miss:
1451                     env->error_code |= ctx.key << 19;
1452                     env->spr[SPR_HASH1] = ppc_hash32_hpt_base(cpu) +
1453                         get_pteg_offset32(cpu, ctx.hash[0]);
1454                     env->spr[SPR_HASH2] = ppc_hash32_hpt_base(cpu) +
1455                         get_pteg_offset32(cpu, ctx.hash[1]);
1456                     break;
1457                 case POWERPC_MMU_SOFT_74xx:
1458                     if (access_type == MMU_DATA_STORE) {
1459                         cs->exception_index = POWERPC_EXCP_DSTLB;
1460                     } else {
1461                         cs->exception_index = POWERPC_EXCP_DLTLB;
1462                     }
1463                 tlb_miss_74xx:
1464                     /* Implement LRU algorithm */
1465                     env->error_code = ctx.key << 19;
1466                     env->spr[SPR_TLBMISS] = (eaddr & ~((target_ulong)0x3)) |
1467                         ((env->last_way + 1) & (env->nb_ways - 1));
1468                     env->spr[SPR_PTEHI] = 0x80000000 | ctx.ptem;
1469                     break;
1470                 case POWERPC_MMU_SOFT_4xx:
1471                 case POWERPC_MMU_SOFT_4xx_Z:
1472                     cs->exception_index = POWERPC_EXCP_DTLB;
1473                     env->error_code = 0;
1474                     env->spr[SPR_40x_DEAR] = eaddr;
1475                     if (access_type == MMU_DATA_STORE) {
1476                         env->spr[SPR_40x_ESR] = 0x00800000;
1477                     } else {
1478                         env->spr[SPR_40x_ESR] = 0x00000000;
1479                     }
1480                     break;
1481                 case POWERPC_MMU_MPC8xx:
1482                     /* XXX: TODO */
1483                     cpu_abort(cs, "MPC8xx MMU model is not implemented\n");
1484                 case POWERPC_MMU_BOOKE206:
1485                     booke206_update_mas_tlb_miss(env, eaddr, access_type, mmu_idx);
1486                     /* fall through */
1487                 case POWERPC_MMU_BOOKE:
1488                     cs->exception_index = POWERPC_EXCP_DTLB;
1489                     env->error_code = 0;
1490                     env->spr[SPR_BOOKE_DEAR] = eaddr;
1491                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, access_type);
1492                     break;
1493                 case POWERPC_MMU_REAL:
1494                     cpu_abort(cs, "PowerPC in real mode should never raise "
1495                               "any MMU exceptions\n");
1496                 default:
1497                     cpu_abort(cs, "Unknown or invalid MMU model\n");
1498                 }
1499                 break;
1500             case -2:
1501                 /* Access rights violation */
1502                 cs->exception_index = POWERPC_EXCP_DSI;
1503                 env->error_code = 0;
1504                 if (env->mmu_model == POWERPC_MMU_SOFT_4xx
1505                     || env->mmu_model == POWERPC_MMU_SOFT_4xx_Z) {
1506                     env->spr[SPR_40x_DEAR] = eaddr;
1507                     if (access_type == MMU_DATA_STORE) {
1508                         env->spr[SPR_40x_ESR] |= 0x00800000;
1509                     }
1510                 } else if ((env->mmu_model == POWERPC_MMU_BOOKE) ||
1511                            (env->mmu_model == POWERPC_MMU_BOOKE206)) {
1512                     env->spr[SPR_BOOKE_DEAR] = eaddr;
1513                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, access_type);
1514                 } else {
1515                     env->spr[SPR_DAR] = eaddr;
1516                     if (access_type == MMU_DATA_STORE) {
1517                         env->spr[SPR_DSISR] = 0x0A000000;
1518                     } else {
1519                         env->spr[SPR_DSISR] = 0x08000000;
1520                     }
1521                 }
1522                 break;
1523             case -4:
1524                 /* Direct store exception */
1525                 switch (type) {
1526                 case ACCESS_FLOAT:
1527                     /* Floating point load/store */
1528                     cs->exception_index = POWERPC_EXCP_ALIGN;
1529                     env->error_code = POWERPC_EXCP_ALIGN_FP;
1530                     env->spr[SPR_DAR] = eaddr;
1531                     break;
1532                 case ACCESS_RES:
1533                     /* lwarx, ldarx or stwcx. */
1534                     cs->exception_index = POWERPC_EXCP_DSI;
1535                     env->error_code = 0;
1536                     env->spr[SPR_DAR] = eaddr;
1537                     if (access_type == MMU_DATA_STORE) {
1538                         env->spr[SPR_DSISR] = 0x06000000;
1539                     } else {
1540                         env->spr[SPR_DSISR] = 0x04000000;
1541                     }
1542                     break;
1543                 case ACCESS_EXT:
1544                     /* eciwx or ecowx */
1545                     cs->exception_index = POWERPC_EXCP_DSI;
1546                     env->error_code = 0;
1547                     env->spr[SPR_DAR] = eaddr;
1548                     if (access_type == MMU_DATA_STORE) {
1549                         env->spr[SPR_DSISR] = 0x06100000;
1550                     } else {
1551                         env->spr[SPR_DSISR] = 0x04100000;
1552                     }
1553                     break;
1554                 default:
1555                     printf("DSI: invalid exception (%d)\n", ret);
1556                     cs->exception_index = POWERPC_EXCP_PROGRAM;
1557                     env->error_code =
1558                         POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL;
1559                     env->spr[SPR_DAR] = eaddr;
1560                     break;
1561                 }
1562                 break;
1563             }
1564         }
1565     }
1566     return false;
1567 }
1568 
1569 /*****************************************************************************/
1570 
1571 bool ppc_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
1572                       hwaddr *raddrp, int *psizep, int *protp,
1573                       int mmu_idx, bool guest_visible)
1574 {
1575     switch (cpu->env.mmu_model) {
1576 #if defined(TARGET_PPC64)
1577     case POWERPC_MMU_3_00:
1578         if (ppc64_v3_radix(cpu)) {
1579             return ppc_radix64_xlate(cpu, eaddr, access_type, raddrp,
1580                                      psizep, protp, mmu_idx, guest_visible);
1581         }
1582         /* fall through */
1583     case POWERPC_MMU_64B:
1584     case POWERPC_MMU_2_03:
1585     case POWERPC_MMU_2_06:
1586     case POWERPC_MMU_2_07:
1587         return ppc_hash64_xlate(cpu, eaddr, access_type,
1588                                 raddrp, psizep, protp, mmu_idx, guest_visible);
1589 #endif
1590 
1591     case POWERPC_MMU_32B:
1592     case POWERPC_MMU_601:
1593         return ppc_hash32_xlate(cpu, eaddr, access_type, raddrp,
1594                                psizep, protp, mmu_idx, guest_visible);
1595 
1596     default:
1597         return ppc_jumbo_xlate(cpu, eaddr, access_type, raddrp,
1598                                psizep, protp, mmu_idx, guest_visible);
1599     }
1600 }
1601 
1602 hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
1603 {
1604     PowerPCCPU *cpu = POWERPC_CPU(cs);
1605     hwaddr raddr;
1606     int s, p;
1607 
1608     /*
1609      * Some MMUs have separate TLBs for code and data. If we only
1610      * try an MMU_DATA_LOAD, we may not be able to read instructions
1611      * mapped by code TLBs, so we also try a MMU_INST_FETCH.
1612      */
1613     if (ppc_xlate(cpu, addr, MMU_DATA_LOAD, &raddr, &s, &p,
1614                   cpu_mmu_index(&cpu->env, false), false) ||
1615         ppc_xlate(cpu, addr, MMU_INST_FETCH, &raddr, &s, &p,
1616                   cpu_mmu_index(&cpu->env, true), false)) {
1617         return raddr & TARGET_PAGE_MASK;
1618     }
1619     return -1;
1620 }
1621