xref: /openbmc/qemu/target/ppc/mmu_helper.c (revision 8f2aff64)
1 /*
2  *  PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU.
3  *
4  *  Copyright (c) 2003-2007 Jocelyn Mayer
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 
20 #include "qemu/osdep.h"
21 #include "qemu/units.h"
22 #include "cpu.h"
23 #include "exec/helper-proto.h"
24 #include "sysemu/kvm.h"
25 #include "kvm_ppc.h"
26 #include "mmu-hash64.h"
27 #include "mmu-hash32.h"
28 #include "exec/exec-all.h"
29 #include "exec/cpu_ldst.h"
30 #include "exec/log.h"
31 #include "helper_regs.h"
32 #include "qemu/error-report.h"
33 #include "qemu/main-loop.h"
34 #include "qemu/qemu-print.h"
35 #include "mmu-book3s-v3.h"
36 #include "mmu-radix64.h"
37 
38 /* #define DEBUG_MMU */
39 /* #define DEBUG_BATS */
40 /* #define DEBUG_SOFTWARE_TLB */
41 /* #define DUMP_PAGE_TABLES */
42 /* #define FLUSH_ALL_TLBS */
43 
44 #ifdef DEBUG_MMU
45 #  define LOG_MMU_STATE(cpu) log_cpu_state_mask(CPU_LOG_MMU, (cpu), 0)
46 #else
47 #  define LOG_MMU_STATE(cpu) do { } while (0)
48 #endif
49 
50 #ifdef DEBUG_SOFTWARE_TLB
51 #  define LOG_SWTLB(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
52 #else
53 #  define LOG_SWTLB(...) do { } while (0)
54 #endif
55 
56 #ifdef DEBUG_BATS
57 #  define LOG_BATS(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
58 #else
59 #  define LOG_BATS(...) do { } while (0)
60 #endif
61 
62 /*****************************************************************************/
63 /* PowerPC MMU emulation */
64 
65 /* Context used internally during MMU translations */
66 typedef struct mmu_ctx_t mmu_ctx_t;
67 struct mmu_ctx_t {
68     hwaddr raddr;      /* Real address              */
69     hwaddr eaddr;      /* Effective address         */
70     int prot;                      /* Protection bits           */
71     hwaddr hash[2];    /* Pagetable hash values     */
72     target_ulong ptem;             /* Virtual segment ID | API  */
73     int key;                       /* Access key                */
74     int nx;                        /* Non-execute area          */
75 };
76 
77 /* Common routines used by software and hardware TLBs emulation */
78 static inline int pte_is_valid(target_ulong pte0)
79 {
80     return pte0 & 0x80000000 ? 1 : 0;
81 }
82 
83 static inline void pte_invalidate(target_ulong *pte0)
84 {
85     *pte0 &= ~0x80000000;
86 }
87 
88 #define PTE_PTEM_MASK 0x7FFFFFBF
89 #define PTE_CHECK_MASK (TARGET_PAGE_MASK | 0x7B)
90 
91 static int pp_check(int key, int pp, int nx)
92 {
93     int access;
94 
95     /* Compute access rights */
96     access = 0;
97     if (key == 0) {
98         switch (pp) {
99         case 0x0:
100         case 0x1:
101         case 0x2:
102             access |= PAGE_WRITE;
103             /* fall through */
104         case 0x3:
105             access |= PAGE_READ;
106             break;
107         }
108     } else {
109         switch (pp) {
110         case 0x0:
111             access = 0;
112             break;
113         case 0x1:
114         case 0x3:
115             access = PAGE_READ;
116             break;
117         case 0x2:
118             access = PAGE_READ | PAGE_WRITE;
119             break;
120         }
121     }
122     if (nx == 0) {
123         access |= PAGE_EXEC;
124     }
125 
126     return access;
127 }
128 
129 static int check_prot(int prot, int rw, int access_type)
130 {
131     int ret;
132 
133     if (access_type == ACCESS_CODE) {
134         if (prot & PAGE_EXEC) {
135             ret = 0;
136         } else {
137             ret = -2;
138         }
139     } else if (rw) {
140         if (prot & PAGE_WRITE) {
141             ret = 0;
142         } else {
143             ret = -2;
144         }
145     } else {
146         if (prot & PAGE_READ) {
147             ret = 0;
148         } else {
149             ret = -2;
150         }
151     }
152 
153     return ret;
154 }
155 
156 static inline int ppc6xx_tlb_pte_check(mmu_ctx_t *ctx, target_ulong pte0,
157                                        target_ulong pte1, int h,
158                                        int rw, int type)
159 {
160     target_ulong ptem, mmask;
161     int access, ret, pteh, ptev, pp;
162 
163     ret = -1;
164     /* Check validity and table match */
165     ptev = pte_is_valid(pte0);
166     pteh = (pte0 >> 6) & 1;
167     if (ptev && h == pteh) {
168         /* Check vsid & api */
169         ptem = pte0 & PTE_PTEM_MASK;
170         mmask = PTE_CHECK_MASK;
171         pp = pte1 & 0x00000003;
172         if (ptem == ctx->ptem) {
173             if (ctx->raddr != (hwaddr)-1ULL) {
174                 /* all matches should have equal RPN, WIMG & PP */
175                 if ((ctx->raddr & mmask) != (pte1 & mmask)) {
176                     qemu_log_mask(CPU_LOG_MMU, "Bad RPN/WIMG/PP\n");
177                     return -3;
178                 }
179             }
180             /* Compute access rights */
181             access = pp_check(ctx->key, pp, ctx->nx);
182             /* Keep the matching PTE information */
183             ctx->raddr = pte1;
184             ctx->prot = access;
185             ret = check_prot(ctx->prot, rw, type);
186             if (ret == 0) {
187                 /* Access granted */
188                 qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n");
189             } else {
190                 /* Access right violation */
191                 qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n");
192             }
193         }
194     }
195 
196     return ret;
197 }
198 
199 static int pte_update_flags(mmu_ctx_t *ctx, target_ulong *pte1p,
200                             int ret, int rw)
201 {
202     int store = 0;
203 
204     /* Update page flags */
205     if (!(*pte1p & 0x00000100)) {
206         /* Update accessed flag */
207         *pte1p |= 0x00000100;
208         store = 1;
209     }
210     if (!(*pte1p & 0x00000080)) {
211         if (rw == 1 && ret == 0) {
212             /* Update changed flag */
213             *pte1p |= 0x00000080;
214             store = 1;
215         } else {
216             /* Force page fault for first write access */
217             ctx->prot &= ~PAGE_WRITE;
218         }
219     }
220 
221     return store;
222 }
223 
224 /* Software driven TLB helpers */
225 static inline int ppc6xx_tlb_getnum(CPUPPCState *env, target_ulong eaddr,
226                                     int way, int is_code)
227 {
228     int nr;
229 
230     /* Select TLB num in a way from address */
231     nr = (eaddr >> TARGET_PAGE_BITS) & (env->tlb_per_way - 1);
232     /* Select TLB way */
233     nr += env->tlb_per_way * way;
234     /* 6xx have separate TLBs for instructions and data */
235     if (is_code && env->id_tlbs == 1) {
236         nr += env->nb_tlb;
237     }
238 
239     return nr;
240 }
241 
242 static inline void ppc6xx_tlb_invalidate_all(CPUPPCState *env)
243 {
244     ppc6xx_tlb_t *tlb;
245     int nr, max;
246 
247     /* LOG_SWTLB("Invalidate all TLBs\n"); */
248     /* Invalidate all defined software TLB */
249     max = env->nb_tlb;
250     if (env->id_tlbs == 1) {
251         max *= 2;
252     }
253     for (nr = 0; nr < max; nr++) {
254         tlb = &env->tlb.tlb6[nr];
255         pte_invalidate(&tlb->pte0);
256     }
257     tlb_flush(env_cpu(env));
258 }
259 
260 static inline void ppc6xx_tlb_invalidate_virt2(CPUPPCState *env,
261                                                target_ulong eaddr,
262                                                int is_code, int match_epn)
263 {
264 #if !defined(FLUSH_ALL_TLBS)
265     CPUState *cs = env_cpu(env);
266     ppc6xx_tlb_t *tlb;
267     int way, nr;
268 
269     /* Invalidate ITLB + DTLB, all ways */
270     for (way = 0; way < env->nb_ways; way++) {
271         nr = ppc6xx_tlb_getnum(env, eaddr, way, is_code);
272         tlb = &env->tlb.tlb6[nr];
273         if (pte_is_valid(tlb->pte0) && (match_epn == 0 || eaddr == tlb->EPN)) {
274             LOG_SWTLB("TLB invalidate %d/%d " TARGET_FMT_lx "\n", nr,
275                       env->nb_tlb, eaddr);
276             pte_invalidate(&tlb->pte0);
277             tlb_flush_page(cs, tlb->EPN);
278         }
279     }
280 #else
281     /* XXX: PowerPC specification say this is valid as well */
282     ppc6xx_tlb_invalidate_all(env);
283 #endif
284 }
285 
286 static inline void ppc6xx_tlb_invalidate_virt(CPUPPCState *env,
287                                               target_ulong eaddr, int is_code)
288 {
289     ppc6xx_tlb_invalidate_virt2(env, eaddr, is_code, 0);
290 }
291 
292 static void ppc6xx_tlb_store(CPUPPCState *env, target_ulong EPN, int way,
293                              int is_code, target_ulong pte0, target_ulong pte1)
294 {
295     ppc6xx_tlb_t *tlb;
296     int nr;
297 
298     nr = ppc6xx_tlb_getnum(env, EPN, way, is_code);
299     tlb = &env->tlb.tlb6[nr];
300     LOG_SWTLB("Set TLB %d/%d EPN " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx
301               " PTE1 " TARGET_FMT_lx "\n", nr, env->nb_tlb, EPN, pte0, pte1);
302     /* Invalidate any pending reference in QEMU for this virtual address */
303     ppc6xx_tlb_invalidate_virt2(env, EPN, is_code, 1);
304     tlb->pte0 = pte0;
305     tlb->pte1 = pte1;
306     tlb->EPN = EPN;
307     /* Store last way for LRU mechanism */
308     env->last_way = way;
309 }
310 
311 static inline int ppc6xx_tlb_check(CPUPPCState *env, mmu_ctx_t *ctx,
312                                    target_ulong eaddr, int rw, int access_type)
313 {
314     ppc6xx_tlb_t *tlb;
315     int nr, best, way;
316     int ret;
317 
318     best = -1;
319     ret = -1; /* No TLB found */
320     for (way = 0; way < env->nb_ways; way++) {
321         nr = ppc6xx_tlb_getnum(env, eaddr, way,
322                                access_type == ACCESS_CODE ? 1 : 0);
323         tlb = &env->tlb.tlb6[nr];
324         /* This test "emulates" the PTE index match for hardware TLBs */
325         if ((eaddr & TARGET_PAGE_MASK) != tlb->EPN) {
326             LOG_SWTLB("TLB %d/%d %s [" TARGET_FMT_lx " " TARGET_FMT_lx
327                       "] <> " TARGET_FMT_lx "\n", nr, env->nb_tlb,
328                       pte_is_valid(tlb->pte0) ? "valid" : "inval",
329                       tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE, eaddr);
330             continue;
331         }
332         LOG_SWTLB("TLB %d/%d %s " TARGET_FMT_lx " <> " TARGET_FMT_lx " "
333                   TARGET_FMT_lx " %c %c\n", nr, env->nb_tlb,
334                   pte_is_valid(tlb->pte0) ? "valid" : "inval",
335                   tlb->EPN, eaddr, tlb->pte1,
336                   rw ? 'S' : 'L', access_type == ACCESS_CODE ? 'I' : 'D');
337         switch (ppc6xx_tlb_pte_check(ctx, tlb->pte0, tlb->pte1,
338                                      0, rw, access_type)) {
339         case -3:
340             /* TLB inconsistency */
341             return -1;
342         case -2:
343             /* Access violation */
344             ret = -2;
345             best = nr;
346             break;
347         case -1:
348         default:
349             /* No match */
350             break;
351         case 0:
352             /* access granted */
353             /*
354              * XXX: we should go on looping to check all TLBs
355              *      consistency but we can speed-up the whole thing as
356              *      the result would be undefined if TLBs are not
357              *      consistent.
358              */
359             ret = 0;
360             best = nr;
361             goto done;
362         }
363     }
364     if (best != -1) {
365     done:
366         LOG_SWTLB("found TLB at addr " TARGET_FMT_plx " prot=%01x ret=%d\n",
367                   ctx->raddr & TARGET_PAGE_MASK, ctx->prot, ret);
368         /* Update page flags */
369         pte_update_flags(ctx, &env->tlb.tlb6[best].pte1, ret, rw);
370     }
371 
372     return ret;
373 }
374 
375 /* Perform BAT hit & translation */
376 static inline void bat_size_prot(CPUPPCState *env, target_ulong *blp,
377                                  int *validp, int *protp, target_ulong *BATu,
378                                  target_ulong *BATl)
379 {
380     target_ulong bl;
381     int pp, valid, prot;
382 
383     bl = (*BATu & 0x00001FFC) << 15;
384     valid = 0;
385     prot = 0;
386     if (((msr_pr == 0) && (*BATu & 0x00000002)) ||
387         ((msr_pr != 0) && (*BATu & 0x00000001))) {
388         valid = 1;
389         pp = *BATl & 0x00000003;
390         if (pp != 0) {
391             prot = PAGE_READ | PAGE_EXEC;
392             if (pp == 0x2) {
393                 prot |= PAGE_WRITE;
394             }
395         }
396     }
397     *blp = bl;
398     *validp = valid;
399     *protp = prot;
400 }
401 
402 static int get_bat_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,
403                            target_ulong virtual, int rw, int type)
404 {
405     target_ulong *BATlt, *BATut, *BATu, *BATl;
406     target_ulong BEPIl, BEPIu, bl;
407     int i, valid, prot;
408     int ret = -1;
409 
410     LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,
411              type == ACCESS_CODE ? 'I' : 'D', virtual);
412     switch (type) {
413     case ACCESS_CODE:
414         BATlt = env->IBAT[1];
415         BATut = env->IBAT[0];
416         break;
417     default:
418         BATlt = env->DBAT[1];
419         BATut = env->DBAT[0];
420         break;
421     }
422     for (i = 0; i < env->nb_BATs; i++) {
423         BATu = &BATut[i];
424         BATl = &BATlt[i];
425         BEPIu = *BATu & 0xF0000000;
426         BEPIl = *BATu & 0x0FFE0000;
427         bat_size_prot(env, &bl, &valid, &prot, BATu, BATl);
428         LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
429                  " BATl " TARGET_FMT_lx "\n", __func__,
430                  type == ACCESS_CODE ? 'I' : 'D', i, virtual, *BATu, *BATl);
431         if ((virtual & 0xF0000000) == BEPIu &&
432             ((virtual & 0x0FFE0000) & ~bl) == BEPIl) {
433             /* BAT matches */
434             if (valid != 0) {
435                 /* Get physical address */
436                 ctx->raddr = (*BATl & 0xF0000000) |
437                     ((virtual & 0x0FFE0000 & bl) | (*BATl & 0x0FFE0000)) |
438                     (virtual & 0x0001F000);
439                 /* Compute access rights */
440                 ctx->prot = prot;
441                 ret = check_prot(ctx->prot, rw, type);
442                 if (ret == 0) {
443                     LOG_BATS("BAT %d match: r " TARGET_FMT_plx " prot=%c%c\n",
444                              i, ctx->raddr, ctx->prot & PAGE_READ ? 'R' : '-',
445                              ctx->prot & PAGE_WRITE ? 'W' : '-');
446                 }
447                 break;
448             }
449         }
450     }
451     if (ret < 0) {
452 #if defined(DEBUG_BATS)
453         if (qemu_log_enabled()) {
454             LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", virtual);
455             for (i = 0; i < 4; i++) {
456                 BATu = &BATut[i];
457                 BATl = &BATlt[i];
458                 BEPIu = *BATu & 0xF0000000;
459                 BEPIl = *BATu & 0x0FFE0000;
460                 bl = (*BATu & 0x00001FFC) << 15;
461                 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
462                          " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
463                          TARGET_FMT_lx " " TARGET_FMT_lx "\n",
464                          __func__, type == ACCESS_CODE ? 'I' : 'D', i, virtual,
465                          *BATu, *BATl, BEPIu, BEPIl, bl);
466             }
467         }
468 #endif
469     }
470     /* No hit */
471     return ret;
472 }
473 
474 /* Perform segment based translation */
475 static inline int get_segment_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,
476                                       target_ulong eaddr, int rw, int type)
477 {
478     PowerPCCPU *cpu = env_archcpu(env);
479     hwaddr hash;
480     target_ulong vsid;
481     int ds, pr, target_page_bits;
482     int ret;
483     target_ulong sr, pgidx;
484 
485     pr = msr_pr;
486     ctx->eaddr = eaddr;
487 
488     sr = env->sr[eaddr >> 28];
489     ctx->key = (((sr & 0x20000000) && (pr != 0)) ||
490                 ((sr & 0x40000000) && (pr == 0))) ? 1 : 0;
491     ds = sr & 0x80000000 ? 1 : 0;
492     ctx->nx = sr & 0x10000000 ? 1 : 0;
493     vsid = sr & 0x00FFFFFF;
494     target_page_bits = TARGET_PAGE_BITS;
495     qemu_log_mask(CPU_LOG_MMU,
496             "Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx
497             " nip=" TARGET_FMT_lx " lr=" TARGET_FMT_lx
498             " ir=%d dr=%d pr=%d %d t=%d\n",
499             eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, (int)msr_ir,
500             (int)msr_dr, pr != 0 ? 1 : 0, rw, type);
501     pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits;
502     hash = vsid ^ pgidx;
503     ctx->ptem = (vsid << 7) | (pgidx >> 10);
504 
505     qemu_log_mask(CPU_LOG_MMU,
506             "pte segment: key=%d ds %d nx %d vsid " TARGET_FMT_lx "\n",
507             ctx->key, ds, ctx->nx, vsid);
508     ret = -1;
509     if (!ds) {
510         /* Check if instruction fetch is allowed, if needed */
511         if (type != ACCESS_CODE || ctx->nx == 0) {
512             /* Page address translation */
513             qemu_log_mask(CPU_LOG_MMU, "htab_base " TARGET_FMT_plx
514                     " htab_mask " TARGET_FMT_plx
515                     " hash " TARGET_FMT_plx "\n",
516                     ppc_hash32_hpt_base(cpu), ppc_hash32_hpt_mask(cpu), hash);
517             ctx->hash[0] = hash;
518             ctx->hash[1] = ~hash;
519 
520             /* Initialize real address with an invalid value */
521             ctx->raddr = (hwaddr)-1ULL;
522             /* Software TLB search */
523             ret = ppc6xx_tlb_check(env, ctx, eaddr, rw, type);
524 #if defined(DUMP_PAGE_TABLES)
525             if (qemu_loglevel_mask(CPU_LOG_MMU)) {
526                 CPUState *cs = env_cpu(env);
527                 hwaddr curaddr;
528                 uint32_t a0, a1, a2, a3;
529 
530                 qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx
531                          "\n", ppc_hash32_hpt_base(cpu),
532                          ppc_hash32_hpt_mask(env) + 0x80);
533                 for (curaddr = ppc_hash32_hpt_base(cpu);
534                      curaddr < (ppc_hash32_hpt_base(cpu)
535                                 + ppc_hash32_hpt_mask(cpu) + 0x80);
536                      curaddr += 16) {
537                     a0 = ldl_phys(cs->as, curaddr);
538                     a1 = ldl_phys(cs->as, curaddr + 4);
539                     a2 = ldl_phys(cs->as, curaddr + 8);
540                     a3 = ldl_phys(cs->as, curaddr + 12);
541                     if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) {
542                         qemu_log(TARGET_FMT_plx ": %08x %08x %08x %08x\n",
543                                  curaddr, a0, a1, a2, a3);
544                     }
545                 }
546             }
547 #endif
548         } else {
549             qemu_log_mask(CPU_LOG_MMU, "No access allowed\n");
550             ret = -3;
551         }
552     } else {
553         target_ulong sr;
554 
555         qemu_log_mask(CPU_LOG_MMU, "direct store...\n");
556         /* Direct-store segment : absolutely *BUGGY* for now */
557 
558         /*
559          * Direct-store implies a 32-bit MMU.
560          * Check the Segment Register's bus unit ID (BUID).
561          */
562         sr = env->sr[eaddr >> 28];
563         if ((sr & 0x1FF00000) >> 20 == 0x07f) {
564             /*
565              * Memory-forced I/O controller interface access
566              *
567              * If T=1 and BUID=x'07F', the 601 performs a memory
568              * access to SR[28-31] LA[4-31], bypassing all protection
569              * mechanisms.
570              */
571             ctx->raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);
572             ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
573             return 0;
574         }
575 
576         switch (type) {
577         case ACCESS_INT:
578             /* Integer load/store : only access allowed */
579             break;
580         case ACCESS_CODE:
581             /* No code fetch is allowed in direct-store areas */
582             return -4;
583         case ACCESS_FLOAT:
584             /* Floating point load/store */
585             return -4;
586         case ACCESS_RES:
587             /* lwarx, ldarx or srwcx. */
588             return -4;
589         case ACCESS_CACHE:
590             /*
591              * dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi
592              *
593              * Should make the instruction do no-op.  As it already do
594              * no-op, it's quite easy :-)
595              */
596             ctx->raddr = eaddr;
597             return 0;
598         case ACCESS_EXT:
599             /* eciwx or ecowx */
600             return -4;
601         default:
602             qemu_log_mask(CPU_LOG_MMU, "ERROR: instruction should not need "
603                           "address translation\n");
604             return -4;
605         }
606         if ((rw == 1 || ctx->key != 1) && (rw == 0 || ctx->key != 0)) {
607             ctx->raddr = eaddr;
608             ret = 2;
609         } else {
610             ret = -2;
611         }
612     }
613 
614     return ret;
615 }
616 
617 /* Generic TLB check function for embedded PowerPC implementations */
618 static int ppcemb_tlb_check(CPUPPCState *env, ppcemb_tlb_t *tlb,
619                             hwaddr *raddrp,
620                             target_ulong address, uint32_t pid, int ext,
621                             int i)
622 {
623     target_ulong mask;
624 
625     /* Check valid flag */
626     if (!(tlb->prot & PAGE_VALID)) {
627         return -1;
628     }
629     mask = ~(tlb->size - 1);
630     LOG_SWTLB("%s: TLB %d address " TARGET_FMT_lx " PID %u <=> " TARGET_FMT_lx
631               " " TARGET_FMT_lx " %u %x\n", __func__, i, address, pid, tlb->EPN,
632               mask, (uint32_t)tlb->PID, tlb->prot);
633     /* Check PID */
634     if (tlb->PID != 0 && tlb->PID != pid) {
635         return -1;
636     }
637     /* Check effective address */
638     if ((address & mask) != tlb->EPN) {
639         return -1;
640     }
641     *raddrp = (tlb->RPN & mask) | (address & ~mask);
642     if (ext) {
643         /* Extend the physical address to 36 bits */
644         *raddrp |= (uint64_t)(tlb->RPN & 0xF) << 32;
645     }
646 
647     return 0;
648 }
649 
650 /* Generic TLB search function for PowerPC embedded implementations */
651 static int ppcemb_tlb_search(CPUPPCState *env, target_ulong address,
652                              uint32_t pid)
653 {
654     ppcemb_tlb_t *tlb;
655     hwaddr raddr;
656     int i, ret;
657 
658     /* Default return value is no match */
659     ret = -1;
660     for (i = 0; i < env->nb_tlb; i++) {
661         tlb = &env->tlb.tlbe[i];
662         if (ppcemb_tlb_check(env, tlb, &raddr, address, pid, 0, i) == 0) {
663             ret = i;
664             break;
665         }
666     }
667 
668     return ret;
669 }
670 
671 /* Helpers specific to PowerPC 40x implementations */
672 static inline void ppc4xx_tlb_invalidate_all(CPUPPCState *env)
673 {
674     ppcemb_tlb_t *tlb;
675     int i;
676 
677     for (i = 0; i < env->nb_tlb; i++) {
678         tlb = &env->tlb.tlbe[i];
679         tlb->prot &= ~PAGE_VALID;
680     }
681     tlb_flush(env_cpu(env));
682 }
683 
684 static int mmu40x_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
685                                        target_ulong address, int rw,
686                                        int access_type)
687 {
688     ppcemb_tlb_t *tlb;
689     hwaddr raddr;
690     int i, ret, zsel, zpr, pr;
691 
692     ret = -1;
693     raddr = (hwaddr)-1ULL;
694     pr = msr_pr;
695     for (i = 0; i < env->nb_tlb; i++) {
696         tlb = &env->tlb.tlbe[i];
697         if (ppcemb_tlb_check(env, tlb, &raddr, address,
698                              env->spr[SPR_40x_PID], 0, i) < 0) {
699             continue;
700         }
701         zsel = (tlb->attr >> 4) & 0xF;
702         zpr = (env->spr[SPR_40x_ZPR] >> (30 - (2 * zsel))) & 0x3;
703         LOG_SWTLB("%s: TLB %d zsel %d zpr %d rw %d attr %08x\n",
704                     __func__, i, zsel, zpr, rw, tlb->attr);
705         /* Check execute enable bit */
706         switch (zpr) {
707         case 0x2:
708             if (pr != 0) {
709                 goto check_perms;
710             }
711             /* fall through */
712         case 0x3:
713             /* All accesses granted */
714             ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
715             ret = 0;
716             break;
717         case 0x0:
718             if (pr != 0) {
719                 /* Raise Zone protection fault.  */
720                 env->spr[SPR_40x_ESR] = 1 << 22;
721                 ctx->prot = 0;
722                 ret = -2;
723                 break;
724             }
725             /* fall through */
726         case 0x1:
727         check_perms:
728             /* Check from TLB entry */
729             ctx->prot = tlb->prot;
730             ret = check_prot(ctx->prot, rw, access_type);
731             if (ret == -2) {
732                 env->spr[SPR_40x_ESR] = 0;
733             }
734             break;
735         }
736         if (ret >= 0) {
737             ctx->raddr = raddr;
738             LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
739                       " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
740                       ret);
741             return 0;
742         }
743     }
744     LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
745               " %d %d\n", __func__, address, raddr, ctx->prot, ret);
746 
747     return ret;
748 }
749 
750 void store_40x_sler(CPUPPCState *env, uint32_t val)
751 {
752     /* XXX: TO BE FIXED */
753     if (val != 0x00000000) {
754         cpu_abort(env_cpu(env),
755                   "Little-endian regions are not supported by now\n");
756     }
757     env->spr[SPR_405_SLER] = val;
758 }
759 
760 static inline int mmubooke_check_tlb(CPUPPCState *env, ppcemb_tlb_t *tlb,
761                                      hwaddr *raddr, int *prot,
762                                      target_ulong address, int rw,
763                                      int access_type, int i)
764 {
765     int ret, prot2;
766 
767     if (ppcemb_tlb_check(env, tlb, raddr, address,
768                          env->spr[SPR_BOOKE_PID],
769                          !env->nb_pids, i) >= 0) {
770         goto found_tlb;
771     }
772 
773     if (env->spr[SPR_BOOKE_PID1] &&
774         ppcemb_tlb_check(env, tlb, raddr, address,
775                          env->spr[SPR_BOOKE_PID1], 0, i) >= 0) {
776         goto found_tlb;
777     }
778 
779     if (env->spr[SPR_BOOKE_PID2] &&
780         ppcemb_tlb_check(env, tlb, raddr, address,
781                          env->spr[SPR_BOOKE_PID2], 0, i) >= 0) {
782         goto found_tlb;
783     }
784 
785     LOG_SWTLB("%s: TLB entry not found\n", __func__);
786     return -1;
787 
788 found_tlb:
789 
790     if (msr_pr != 0) {
791         prot2 = tlb->prot & 0xF;
792     } else {
793         prot2 = (tlb->prot >> 4) & 0xF;
794     }
795 
796     /* Check the address space */
797     if (access_type == ACCESS_CODE) {
798         if (msr_ir != (tlb->attr & 1)) {
799             LOG_SWTLB("%s: AS doesn't match\n", __func__);
800             return -1;
801         }
802 
803         *prot = prot2;
804         if (prot2 & PAGE_EXEC) {
805             LOG_SWTLB("%s: good TLB!\n", __func__);
806             return 0;
807         }
808 
809         LOG_SWTLB("%s: no PAGE_EXEC: %x\n", __func__, prot2);
810         ret = -3;
811     } else {
812         if (msr_dr != (tlb->attr & 1)) {
813             LOG_SWTLB("%s: AS doesn't match\n", __func__);
814             return -1;
815         }
816 
817         *prot = prot2;
818         if ((!rw && prot2 & PAGE_READ) || (rw && (prot2 & PAGE_WRITE))) {
819             LOG_SWTLB("%s: found TLB!\n", __func__);
820             return 0;
821         }
822 
823         LOG_SWTLB("%s: PAGE_READ/WRITE doesn't match: %x\n", __func__, prot2);
824         ret = -2;
825     }
826 
827     return ret;
828 }
829 
830 static int mmubooke_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
831                                          target_ulong address, int rw,
832                                          int access_type)
833 {
834     ppcemb_tlb_t *tlb;
835     hwaddr raddr;
836     int i, ret;
837 
838     ret = -1;
839     raddr = (hwaddr)-1ULL;
840     for (i = 0; i < env->nb_tlb; i++) {
841         tlb = &env->tlb.tlbe[i];
842         ret = mmubooke_check_tlb(env, tlb, &raddr, &ctx->prot, address, rw,
843                                  access_type, i);
844         if (ret != -1) {
845             break;
846         }
847     }
848 
849     if (ret >= 0) {
850         ctx->raddr = raddr;
851         LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
852                   " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
853                   ret);
854     } else {
855         LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
856                   " %d %d\n", __func__, address, raddr, ctx->prot, ret);
857     }
858 
859     return ret;
860 }
861 
862 static void booke206_flush_tlb(CPUPPCState *env, int flags,
863                                const int check_iprot)
864 {
865     int tlb_size;
866     int i, j;
867     ppcmas_tlb_t *tlb = env->tlb.tlbm;
868 
869     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
870         if (flags & (1 << i)) {
871             tlb_size = booke206_tlb_size(env, i);
872             for (j = 0; j < tlb_size; j++) {
873                 if (!check_iprot || !(tlb[j].mas1 & MAS1_IPROT)) {
874                     tlb[j].mas1 &= ~MAS1_VALID;
875                 }
876             }
877         }
878         tlb += booke206_tlb_size(env, i);
879     }
880 
881     tlb_flush(env_cpu(env));
882 }
883 
884 static hwaddr booke206_tlb_to_page_size(CPUPPCState *env,
885                                         ppcmas_tlb_t *tlb)
886 {
887     int tlbm_size;
888 
889     tlbm_size = (tlb->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
890 
891     return 1024ULL << tlbm_size;
892 }
893 
894 /* TLB check function for MAS based SoftTLBs */
895 static int ppcmas_tlb_check(CPUPPCState *env, ppcmas_tlb_t *tlb,
896                             hwaddr *raddrp, target_ulong address,
897                             uint32_t pid)
898 {
899     hwaddr mask;
900     uint32_t tlb_pid;
901 
902     if (!msr_cm) {
903         /* In 32bit mode we can only address 32bit EAs */
904         address = (uint32_t)address;
905     }
906 
907     /* Check valid flag */
908     if (!(tlb->mas1 & MAS1_VALID)) {
909         return -1;
910     }
911 
912     mask = ~(booke206_tlb_to_page_size(env, tlb) - 1);
913     LOG_SWTLB("%s: TLB ADDR=0x" TARGET_FMT_lx " PID=0x%x MAS1=0x%x MAS2=0x%"
914               PRIx64 " mask=0x%" HWADDR_PRIx " MAS7_3=0x%" PRIx64 " MAS8=0x%"
915               PRIx32 "\n", __func__, address, pid, tlb->mas1, tlb->mas2, mask,
916               tlb->mas7_3, tlb->mas8);
917 
918     /* Check PID */
919     tlb_pid = (tlb->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT;
920     if (tlb_pid != 0 && tlb_pid != pid) {
921         return -1;
922     }
923 
924     /* Check effective address */
925     if ((address & mask) != (tlb->mas2 & MAS2_EPN_MASK)) {
926         return -1;
927     }
928 
929     if (raddrp) {
930         *raddrp = (tlb->mas7_3 & mask) | (address & ~mask);
931     }
932 
933     return 0;
934 }
935 
936 static bool is_epid_mmu(int mmu_idx)
937 {
938     return mmu_idx == PPC_TLB_EPID_STORE || mmu_idx == PPC_TLB_EPID_LOAD;
939 }
940 
941 static uint32_t mmubooke206_esr(int mmu_idx, bool rw)
942 {
943     uint32_t esr = 0;
944     if (rw) {
945         esr |= ESR_ST;
946     }
947     if (is_epid_mmu(mmu_idx)) {
948         esr |= ESR_EPID;
949     }
950     return esr;
951 }
952 
953 /*
954  * Get EPID register given the mmu_idx. If this is regular load,
955  * construct the EPID access bits from current processor state
956  *
957  * Get the effective AS and PR bits and the PID. The PID is returned
958  * only if EPID load is requested, otherwise the caller must detect
959  * the correct EPID.  Return true if valid EPID is returned.
960  */
961 static bool mmubooke206_get_as(CPUPPCState *env,
962                                int mmu_idx, uint32_t *epid_out,
963                                bool *as_out, bool *pr_out)
964 {
965     if (is_epid_mmu(mmu_idx)) {
966         uint32_t epidr;
967         if (mmu_idx == PPC_TLB_EPID_STORE) {
968             epidr = env->spr[SPR_BOOKE_EPSC];
969         } else {
970             epidr = env->spr[SPR_BOOKE_EPLC];
971         }
972         *epid_out = (epidr & EPID_EPID) >> EPID_EPID_SHIFT;
973         *as_out = !!(epidr & EPID_EAS);
974         *pr_out = !!(epidr & EPID_EPR);
975         return true;
976     } else {
977         *as_out = msr_ds;
978         *pr_out = msr_pr;
979         return false;
980     }
981 }
982 
983 /* Check if the tlb found by hashing really matches */
984 static int mmubooke206_check_tlb(CPUPPCState *env, ppcmas_tlb_t *tlb,
985                                  hwaddr *raddr, int *prot,
986                                  target_ulong address, int rw,
987                                  int access_type, int mmu_idx)
988 {
989     int ret;
990     int prot2 = 0;
991     uint32_t epid;
992     bool as, pr;
993     bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr);
994 
995     if (!use_epid) {
996         if (ppcmas_tlb_check(env, tlb, raddr, address,
997                              env->spr[SPR_BOOKE_PID]) >= 0) {
998             goto found_tlb;
999         }
1000 
1001         if (env->spr[SPR_BOOKE_PID1] &&
1002             ppcmas_tlb_check(env, tlb, raddr, address,
1003                              env->spr[SPR_BOOKE_PID1]) >= 0) {
1004             goto found_tlb;
1005         }
1006 
1007         if (env->spr[SPR_BOOKE_PID2] &&
1008             ppcmas_tlb_check(env, tlb, raddr, address,
1009                              env->spr[SPR_BOOKE_PID2]) >= 0) {
1010             goto found_tlb;
1011         }
1012     } else {
1013         if (ppcmas_tlb_check(env, tlb, raddr, address, epid) >= 0) {
1014             goto found_tlb;
1015         }
1016     }
1017 
1018     LOG_SWTLB("%s: TLB entry not found\n", __func__);
1019     return -1;
1020 
1021 found_tlb:
1022 
1023     if (pr) {
1024         if (tlb->mas7_3 & MAS3_UR) {
1025             prot2 |= PAGE_READ;
1026         }
1027         if (tlb->mas7_3 & MAS3_UW) {
1028             prot2 |= PAGE_WRITE;
1029         }
1030         if (tlb->mas7_3 & MAS3_UX) {
1031             prot2 |= PAGE_EXEC;
1032         }
1033     } else {
1034         if (tlb->mas7_3 & MAS3_SR) {
1035             prot2 |= PAGE_READ;
1036         }
1037         if (tlb->mas7_3 & MAS3_SW) {
1038             prot2 |= PAGE_WRITE;
1039         }
1040         if (tlb->mas7_3 & MAS3_SX) {
1041             prot2 |= PAGE_EXEC;
1042         }
1043     }
1044 
1045     /* Check the address space and permissions */
1046     if (access_type == ACCESS_CODE) {
1047         /* There is no way to fetch code using epid load */
1048         assert(!use_epid);
1049         if (msr_ir != ((tlb->mas1 & MAS1_TS) >> MAS1_TS_SHIFT)) {
1050             LOG_SWTLB("%s: AS doesn't match\n", __func__);
1051             return -1;
1052         }
1053 
1054         *prot = prot2;
1055         if (prot2 & PAGE_EXEC) {
1056             LOG_SWTLB("%s: good TLB!\n", __func__);
1057             return 0;
1058         }
1059 
1060         LOG_SWTLB("%s: no PAGE_EXEC: %x\n", __func__, prot2);
1061         ret = -3;
1062     } else {
1063         if (as != ((tlb->mas1 & MAS1_TS) >> MAS1_TS_SHIFT)) {
1064             LOG_SWTLB("%s: AS doesn't match\n", __func__);
1065             return -1;
1066         }
1067 
1068         *prot = prot2;
1069         if ((!rw && prot2 & PAGE_READ) || (rw && (prot2 & PAGE_WRITE))) {
1070             LOG_SWTLB("%s: found TLB!\n", __func__);
1071             return 0;
1072         }
1073 
1074         LOG_SWTLB("%s: PAGE_READ/WRITE doesn't match: %x\n", __func__, prot2);
1075         ret = -2;
1076     }
1077 
1078     return ret;
1079 }
1080 
1081 static int mmubooke206_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
1082                                             target_ulong address, int rw,
1083                                             int access_type, int mmu_idx)
1084 {
1085     ppcmas_tlb_t *tlb;
1086     hwaddr raddr;
1087     int i, j, ret;
1088 
1089     ret = -1;
1090     raddr = (hwaddr)-1ULL;
1091 
1092     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
1093         int ways = booke206_tlb_ways(env, i);
1094 
1095         for (j = 0; j < ways; j++) {
1096             tlb = booke206_get_tlbm(env, i, address, j);
1097             if (!tlb) {
1098                 continue;
1099             }
1100             ret = mmubooke206_check_tlb(env, tlb, &raddr, &ctx->prot, address,
1101                                         rw, access_type, mmu_idx);
1102             if (ret != -1) {
1103                 goto found_tlb;
1104             }
1105         }
1106     }
1107 
1108 found_tlb:
1109 
1110     if (ret >= 0) {
1111         ctx->raddr = raddr;
1112         LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx
1113                   " %d %d\n", __func__, address, ctx->raddr, ctx->prot,
1114                   ret);
1115     } else {
1116         LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx
1117                   " %d %d\n", __func__, address, raddr, ctx->prot, ret);
1118     }
1119 
1120     return ret;
1121 }
1122 
1123 static const char *book3e_tsize_to_str[32] = {
1124     "1K", "2K", "4K", "8K", "16K", "32K", "64K", "128K", "256K", "512K",
1125     "1M", "2M", "4M", "8M", "16M", "32M", "64M", "128M", "256M", "512M",
1126     "1G", "2G", "4G", "8G", "16G", "32G", "64G", "128G", "256G", "512G",
1127     "1T", "2T"
1128 };
1129 
1130 static void mmubooke_dump_mmu(CPUPPCState *env)
1131 {
1132     ppcemb_tlb_t *entry;
1133     int i;
1134 
1135     if (kvm_enabled() && !env->kvm_sw_tlb) {
1136         qemu_printf("Cannot access KVM TLB\n");
1137         return;
1138     }
1139 
1140     qemu_printf("\nTLB:\n");
1141     qemu_printf("Effective          Physical           Size PID   Prot     "
1142                 "Attr\n");
1143 
1144     entry = &env->tlb.tlbe[0];
1145     for (i = 0; i < env->nb_tlb; i++, entry++) {
1146         hwaddr ea, pa;
1147         target_ulong mask;
1148         uint64_t size = (uint64_t)entry->size;
1149         char size_buf[20];
1150 
1151         /* Check valid flag */
1152         if (!(entry->prot & PAGE_VALID)) {
1153             continue;
1154         }
1155 
1156         mask = ~(entry->size - 1);
1157         ea = entry->EPN & mask;
1158         pa = entry->RPN & mask;
1159         /* Extend the physical address to 36 bits */
1160         pa |= (hwaddr)(entry->RPN & 0xF) << 32;
1161         if (size >= 1 * MiB) {
1162             snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "M", size / MiB);
1163         } else {
1164             snprintf(size_buf, sizeof(size_buf), "%3" PRId64 "k", size / KiB);
1165         }
1166         qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %s %-5u %08x %08x\n",
1167                     (uint64_t)ea, (uint64_t)pa, size_buf, (uint32_t)entry->PID,
1168                     entry->prot, entry->attr);
1169     }
1170 
1171 }
1172 
1173 static void mmubooke206_dump_one_tlb(CPUPPCState *env, int tlbn, int offset,
1174                                      int tlbsize)
1175 {
1176     ppcmas_tlb_t *entry;
1177     int i;
1178 
1179     qemu_printf("\nTLB%d:\n", tlbn);
1180     qemu_printf("Effective          Physical           Size TID   TS SRWX"
1181                 " URWX WIMGE U0123\n");
1182 
1183     entry = &env->tlb.tlbm[offset];
1184     for (i = 0; i < tlbsize; i++, entry++) {
1185         hwaddr ea, pa, size;
1186         int tsize;
1187 
1188         if (!(entry->mas1 & MAS1_VALID)) {
1189             continue;
1190         }
1191 
1192         tsize = (entry->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
1193         size = 1024ULL << tsize;
1194         ea = entry->mas2 & ~(size - 1);
1195         pa = entry->mas7_3 & ~(size - 1);
1196 
1197         qemu_printf("0x%016" PRIx64 " 0x%016" PRIx64 " %4s %-5u %1u  S%c%c%c"
1198                     "U%c%c%c %c%c%c%c%c U%c%c%c%c\n",
1199                     (uint64_t)ea, (uint64_t)pa,
1200                     book3e_tsize_to_str[tsize],
1201                     (entry->mas1 & MAS1_TID_MASK) >> MAS1_TID_SHIFT,
1202                     (entry->mas1 & MAS1_TS) >> MAS1_TS_SHIFT,
1203                     entry->mas7_3 & MAS3_SR ? 'R' : '-',
1204                     entry->mas7_3 & MAS3_SW ? 'W' : '-',
1205                     entry->mas7_3 & MAS3_SX ? 'X' : '-',
1206                     entry->mas7_3 & MAS3_UR ? 'R' : '-',
1207                     entry->mas7_3 & MAS3_UW ? 'W' : '-',
1208                     entry->mas7_3 & MAS3_UX ? 'X' : '-',
1209                     entry->mas2 & MAS2_W ? 'W' : '-',
1210                     entry->mas2 & MAS2_I ? 'I' : '-',
1211                     entry->mas2 & MAS2_M ? 'M' : '-',
1212                     entry->mas2 & MAS2_G ? 'G' : '-',
1213                     entry->mas2 & MAS2_E ? 'E' : '-',
1214                     entry->mas7_3 & MAS3_U0 ? '0' : '-',
1215                     entry->mas7_3 & MAS3_U1 ? '1' : '-',
1216                     entry->mas7_3 & MAS3_U2 ? '2' : '-',
1217                     entry->mas7_3 & MAS3_U3 ? '3' : '-');
1218     }
1219 }
1220 
1221 static void mmubooke206_dump_mmu(CPUPPCState *env)
1222 {
1223     int offset = 0;
1224     int i;
1225 
1226     if (kvm_enabled() && !env->kvm_sw_tlb) {
1227         qemu_printf("Cannot access KVM TLB\n");
1228         return;
1229     }
1230 
1231     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
1232         int size = booke206_tlb_size(env, i);
1233 
1234         if (size == 0) {
1235             continue;
1236         }
1237 
1238         mmubooke206_dump_one_tlb(env, i, offset, size);
1239         offset += size;
1240     }
1241 }
1242 
1243 static void mmu6xx_dump_BATs(CPUPPCState *env, int type)
1244 {
1245     target_ulong *BATlt, *BATut, *BATu, *BATl;
1246     target_ulong BEPIl, BEPIu, bl;
1247     int i;
1248 
1249     switch (type) {
1250     case ACCESS_CODE:
1251         BATlt = env->IBAT[1];
1252         BATut = env->IBAT[0];
1253         break;
1254     default:
1255         BATlt = env->DBAT[1];
1256         BATut = env->DBAT[0];
1257         break;
1258     }
1259 
1260     for (i = 0; i < env->nb_BATs; i++) {
1261         BATu = &BATut[i];
1262         BATl = &BATlt[i];
1263         BEPIu = *BATu & 0xF0000000;
1264         BEPIl = *BATu & 0x0FFE0000;
1265         bl = (*BATu & 0x00001FFC) << 15;
1266         qemu_printf("%s BAT%d BATu " TARGET_FMT_lx
1267                     " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
1268                     TARGET_FMT_lx " " TARGET_FMT_lx "\n",
1269                     type == ACCESS_CODE ? "code" : "data", i,
1270                     *BATu, *BATl, BEPIu, BEPIl, bl);
1271     }
1272 }
1273 
1274 static void mmu6xx_dump_mmu(CPUPPCState *env)
1275 {
1276     PowerPCCPU *cpu = env_archcpu(env);
1277     ppc6xx_tlb_t *tlb;
1278     target_ulong sr;
1279     int type, way, entry, i;
1280 
1281     qemu_printf("HTAB base = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_base(cpu));
1282     qemu_printf("HTAB mask = 0x%"HWADDR_PRIx"\n", ppc_hash32_hpt_mask(cpu));
1283 
1284     qemu_printf("\nSegment registers:\n");
1285     for (i = 0; i < 32; i++) {
1286         sr = env->sr[i];
1287         if (sr & 0x80000000) {
1288             qemu_printf("%02d T=%d Ks=%d Kp=%d BUID=0x%03x "
1289                         "CNTLR_SPEC=0x%05x\n", i,
1290                         sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0,
1291                         sr & 0x20000000 ? 1 : 0, (uint32_t)((sr >> 20) & 0x1FF),
1292                         (uint32_t)(sr & 0xFFFFF));
1293         } else {
1294             qemu_printf("%02d T=%d Ks=%d Kp=%d N=%d VSID=0x%06x\n", i,
1295                         sr & 0x80000000 ? 1 : 0, sr & 0x40000000 ? 1 : 0,
1296                         sr & 0x20000000 ? 1 : 0, sr & 0x10000000 ? 1 : 0,
1297                         (uint32_t)(sr & 0x00FFFFFF));
1298         }
1299     }
1300 
1301     qemu_printf("\nBATs:\n");
1302     mmu6xx_dump_BATs(env, ACCESS_INT);
1303     mmu6xx_dump_BATs(env, ACCESS_CODE);
1304 
1305     if (env->id_tlbs != 1) {
1306         qemu_printf("ERROR: 6xx MMU should have separated TLB"
1307                     " for code and data\n");
1308     }
1309 
1310     qemu_printf("\nTLBs                       [EPN    EPN + SIZE]\n");
1311 
1312     for (type = 0; type < 2; type++) {
1313         for (way = 0; way < env->nb_ways; way++) {
1314             for (entry = env->nb_tlb * type + env->tlb_per_way * way;
1315                  entry < (env->nb_tlb * type + env->tlb_per_way * (way + 1));
1316                  entry++) {
1317 
1318                 tlb = &env->tlb.tlb6[entry];
1319                 qemu_printf("%s TLB %02d/%02d way:%d %s ["
1320                             TARGET_FMT_lx " " TARGET_FMT_lx "]\n",
1321                             type ? "code" : "data", entry % env->nb_tlb,
1322                             env->nb_tlb, way,
1323                             pte_is_valid(tlb->pte0) ? "valid" : "inval",
1324                             tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE);
1325             }
1326         }
1327     }
1328 }
1329 
1330 void dump_mmu(CPUPPCState *env)
1331 {
1332     switch (env->mmu_model) {
1333     case POWERPC_MMU_BOOKE:
1334         mmubooke_dump_mmu(env);
1335         break;
1336     case POWERPC_MMU_BOOKE206:
1337         mmubooke206_dump_mmu(env);
1338         break;
1339     case POWERPC_MMU_SOFT_6xx:
1340     case POWERPC_MMU_SOFT_74xx:
1341         mmu6xx_dump_mmu(env);
1342         break;
1343 #if defined(TARGET_PPC64)
1344     case POWERPC_MMU_64B:
1345     case POWERPC_MMU_2_03:
1346     case POWERPC_MMU_2_06:
1347     case POWERPC_MMU_2_07:
1348         dump_slb(env_archcpu(env));
1349         break;
1350     case POWERPC_MMU_3_00:
1351         if (ppc64_v3_radix(env_archcpu(env))) {
1352             qemu_log_mask(LOG_UNIMP, "%s: the PPC64 MMU is unsupported\n",
1353                           __func__);
1354         } else {
1355             dump_slb(env_archcpu(env));
1356         }
1357         break;
1358 #endif
1359     default:
1360         qemu_log_mask(LOG_UNIMP, "%s: unimplemented\n", __func__);
1361     }
1362 }
1363 
1364 static inline int check_physical(CPUPPCState *env, mmu_ctx_t *ctx,
1365                                  target_ulong eaddr, int rw)
1366 {
1367     int in_plb, ret;
1368 
1369     ctx->raddr = eaddr;
1370     ctx->prot = PAGE_READ | PAGE_EXEC;
1371     ret = 0;
1372     switch (env->mmu_model) {
1373     case POWERPC_MMU_SOFT_6xx:
1374     case POWERPC_MMU_SOFT_74xx:
1375     case POWERPC_MMU_SOFT_4xx:
1376     case POWERPC_MMU_REAL:
1377     case POWERPC_MMU_BOOKE:
1378         ctx->prot |= PAGE_WRITE;
1379         break;
1380 
1381     case POWERPC_MMU_SOFT_4xx_Z:
1382         if (unlikely(msr_pe != 0)) {
1383             /*
1384              * 403 family add some particular protections, using
1385              * PBL/PBU registers for accesses with no translation.
1386              */
1387             in_plb =
1388                 /* Check PLB validity */
1389                 (env->pb[0] < env->pb[1] &&
1390                  /* and address in plb area */
1391                  eaddr >= env->pb[0] && eaddr < env->pb[1]) ||
1392                 (env->pb[2] < env->pb[3] &&
1393                  eaddr >= env->pb[2] && eaddr < env->pb[3]) ? 1 : 0;
1394             if (in_plb ^ msr_px) {
1395                 /* Access in protected area */
1396                 if (rw == 1) {
1397                     /* Access is not allowed */
1398                     ret = -2;
1399                 }
1400             } else {
1401                 /* Read-write access is allowed */
1402                 ctx->prot |= PAGE_WRITE;
1403             }
1404         }
1405         break;
1406 
1407     default:
1408         /* Caller's checks mean we should never get here for other models */
1409         abort();
1410         return -1;
1411     }
1412 
1413     return ret;
1414 }
1415 
1416 static int get_physical_address_wtlb(
1417     CPUPPCState *env, mmu_ctx_t *ctx,
1418     target_ulong eaddr, int rw, int access_type,
1419     int mmu_idx)
1420 {
1421     int ret = -1;
1422     bool real_mode = (access_type == ACCESS_CODE && msr_ir == 0)
1423         || (access_type != ACCESS_CODE && msr_dr == 0);
1424 
1425     switch (env->mmu_model) {
1426     case POWERPC_MMU_SOFT_6xx:
1427     case POWERPC_MMU_SOFT_74xx:
1428         if (real_mode) {
1429             ret = check_physical(env, ctx, eaddr, rw);
1430         } else {
1431             /* Try to find a BAT */
1432             if (env->nb_BATs != 0) {
1433                 ret = get_bat_6xx_tlb(env, ctx, eaddr, rw, access_type);
1434             }
1435             if (ret < 0) {
1436                 /* We didn't match any BAT entry or don't have BATs */
1437                 ret = get_segment_6xx_tlb(env, ctx, eaddr, rw, access_type);
1438             }
1439         }
1440         break;
1441 
1442     case POWERPC_MMU_SOFT_4xx:
1443     case POWERPC_MMU_SOFT_4xx_Z:
1444         if (real_mode) {
1445             ret = check_physical(env, ctx, eaddr, rw);
1446         } else {
1447             ret = mmu40x_get_physical_address(env, ctx, eaddr,
1448                                               rw, access_type);
1449         }
1450         break;
1451     case POWERPC_MMU_BOOKE:
1452         ret = mmubooke_get_physical_address(env, ctx, eaddr,
1453                                             rw, access_type);
1454         break;
1455     case POWERPC_MMU_BOOKE206:
1456         ret = mmubooke206_get_physical_address(env, ctx, eaddr, rw,
1457                                                access_type, mmu_idx);
1458         break;
1459     case POWERPC_MMU_MPC8xx:
1460         /* XXX: TODO */
1461         cpu_abort(env_cpu(env), "MPC8xx MMU model is not implemented\n");
1462         break;
1463     case POWERPC_MMU_REAL:
1464         if (real_mode) {
1465             ret = check_physical(env, ctx, eaddr, rw);
1466         } else {
1467             cpu_abort(env_cpu(env),
1468                       "PowerPC in real mode do not do any translation\n");
1469         }
1470         return -1;
1471     default:
1472         cpu_abort(env_cpu(env), "Unknown or invalid MMU model\n");
1473         return -1;
1474     }
1475 
1476     return ret;
1477 }
1478 
1479 static int get_physical_address(
1480     CPUPPCState *env, mmu_ctx_t *ctx,
1481     target_ulong eaddr, int rw, int access_type)
1482 {
1483     return get_physical_address_wtlb(env, ctx, eaddr, rw, access_type, 0);
1484 }
1485 
1486 hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
1487 {
1488     PowerPCCPU *cpu = POWERPC_CPU(cs);
1489     CPUPPCState *env = &cpu->env;
1490     mmu_ctx_t ctx;
1491 
1492     switch (env->mmu_model) {
1493 #if defined(TARGET_PPC64)
1494     case POWERPC_MMU_64B:
1495     case POWERPC_MMU_2_03:
1496     case POWERPC_MMU_2_06:
1497     case POWERPC_MMU_2_07:
1498         return ppc_hash64_get_phys_page_debug(cpu, addr);
1499     case POWERPC_MMU_3_00:
1500         return ppc64_v3_get_phys_page_debug(cpu, addr);
1501 #endif
1502 
1503     case POWERPC_MMU_32B:
1504     case POWERPC_MMU_601:
1505         return ppc_hash32_get_phys_page_debug(cpu, addr);
1506 
1507     default:
1508         ;
1509     }
1510 
1511     if (unlikely(get_physical_address(env, &ctx, addr, 0, ACCESS_INT) != 0)) {
1512 
1513         /*
1514          * Some MMUs have separate TLBs for code and data. If we only
1515          * try an ACCESS_INT, we may not be able to read instructions
1516          * mapped by code TLBs, so we also try a ACCESS_CODE.
1517          */
1518         if (unlikely(get_physical_address(env, &ctx, addr, 0,
1519                                           ACCESS_CODE) != 0)) {
1520             return -1;
1521         }
1522     }
1523 
1524     return ctx.raddr & TARGET_PAGE_MASK;
1525 }
1526 
1527 static void booke206_update_mas_tlb_miss(CPUPPCState *env, target_ulong address,
1528                                      int rw, int mmu_idx)
1529 {
1530     uint32_t epid;
1531     bool as, pr;
1532     uint32_t missed_tid = 0;
1533     bool use_epid = mmubooke206_get_as(env, mmu_idx, &epid, &as, &pr);
1534     if (rw == 2) {
1535         as = msr_ir;
1536     }
1537     env->spr[SPR_BOOKE_MAS0] = env->spr[SPR_BOOKE_MAS4] & MAS4_TLBSELD_MASK;
1538     env->spr[SPR_BOOKE_MAS1] = env->spr[SPR_BOOKE_MAS4] & MAS4_TSIZED_MASK;
1539     env->spr[SPR_BOOKE_MAS2] = env->spr[SPR_BOOKE_MAS4] & MAS4_WIMGED_MASK;
1540     env->spr[SPR_BOOKE_MAS3] = 0;
1541     env->spr[SPR_BOOKE_MAS6] = 0;
1542     env->spr[SPR_BOOKE_MAS7] = 0;
1543 
1544     /* AS */
1545     if (as) {
1546         env->spr[SPR_BOOKE_MAS1] |= MAS1_TS;
1547         env->spr[SPR_BOOKE_MAS6] |= MAS6_SAS;
1548     }
1549 
1550     env->spr[SPR_BOOKE_MAS1] |= MAS1_VALID;
1551     env->spr[SPR_BOOKE_MAS2] |= address & MAS2_EPN_MASK;
1552 
1553     if (!use_epid) {
1554         switch (env->spr[SPR_BOOKE_MAS4] & MAS4_TIDSELD_PIDZ) {
1555         case MAS4_TIDSELD_PID0:
1556             missed_tid = env->spr[SPR_BOOKE_PID];
1557             break;
1558         case MAS4_TIDSELD_PID1:
1559             missed_tid = env->spr[SPR_BOOKE_PID1];
1560             break;
1561         case MAS4_TIDSELD_PID2:
1562             missed_tid = env->spr[SPR_BOOKE_PID2];
1563             break;
1564         }
1565         env->spr[SPR_BOOKE_MAS6] |= env->spr[SPR_BOOKE_PID] << 16;
1566     } else {
1567         missed_tid = epid;
1568         env->spr[SPR_BOOKE_MAS6] |= missed_tid << 16;
1569     }
1570     env->spr[SPR_BOOKE_MAS1] |= (missed_tid << MAS1_TID_SHIFT);
1571 
1572 
1573     /* next victim logic */
1574     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_ESEL_SHIFT;
1575     env->last_way++;
1576     env->last_way &= booke206_tlb_ways(env, 0) - 1;
1577     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_NV_SHIFT;
1578 }
1579 
1580 /* Perform address translation */
1581 static int cpu_ppc_handle_mmu_fault(CPUPPCState *env, target_ulong address,
1582                                     int rw, int mmu_idx)
1583 {
1584     CPUState *cs = env_cpu(env);
1585     PowerPCCPU *cpu = POWERPC_CPU(cs);
1586     mmu_ctx_t ctx;
1587     int access_type;
1588     int ret = 0;
1589 
1590     if (rw == 2) {
1591         /* code access */
1592         rw = 0;
1593         access_type = ACCESS_CODE;
1594     } else {
1595         /* data access */
1596         access_type = env->access_type;
1597     }
1598     ret = get_physical_address_wtlb(env, &ctx, address, rw,
1599                                     access_type, mmu_idx);
1600     if (ret == 0) {
1601         tlb_set_page(cs, address & TARGET_PAGE_MASK,
1602                      ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
1603                      mmu_idx, TARGET_PAGE_SIZE);
1604         ret = 0;
1605     } else if (ret < 0) {
1606         LOG_MMU_STATE(cs);
1607         if (access_type == ACCESS_CODE) {
1608             switch (ret) {
1609             case -1:
1610                 /* No matches in page tables or TLB */
1611                 switch (env->mmu_model) {
1612                 case POWERPC_MMU_SOFT_6xx:
1613                     cs->exception_index = POWERPC_EXCP_IFTLB;
1614                     env->error_code = 1 << 18;
1615                     env->spr[SPR_IMISS] = address;
1616                     env->spr[SPR_ICMP] = 0x80000000 | ctx.ptem;
1617                     goto tlb_miss;
1618                 case POWERPC_MMU_SOFT_74xx:
1619                     cs->exception_index = POWERPC_EXCP_IFTLB;
1620                     goto tlb_miss_74xx;
1621                 case POWERPC_MMU_SOFT_4xx:
1622                 case POWERPC_MMU_SOFT_4xx_Z:
1623                     cs->exception_index = POWERPC_EXCP_ITLB;
1624                     env->error_code = 0;
1625                     env->spr[SPR_40x_DEAR] = address;
1626                     env->spr[SPR_40x_ESR] = 0x00000000;
1627                     break;
1628                 case POWERPC_MMU_BOOKE206:
1629                     booke206_update_mas_tlb_miss(env, address, 2, mmu_idx);
1630                     /* fall through */
1631                 case POWERPC_MMU_BOOKE:
1632                     cs->exception_index = POWERPC_EXCP_ITLB;
1633                     env->error_code = 0;
1634                     env->spr[SPR_BOOKE_DEAR] = address;
1635                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, 0);
1636                     return -1;
1637                 case POWERPC_MMU_MPC8xx:
1638                     /* XXX: TODO */
1639                     cpu_abort(cs, "MPC8xx MMU model is not implemented\n");
1640                     break;
1641                 case POWERPC_MMU_REAL:
1642                     cpu_abort(cs, "PowerPC in real mode should never raise "
1643                               "any MMU exceptions\n");
1644                     return -1;
1645                 default:
1646                     cpu_abort(cs, "Unknown or invalid MMU model\n");
1647                     return -1;
1648                 }
1649                 break;
1650             case -2:
1651                 /* Access rights violation */
1652                 cs->exception_index = POWERPC_EXCP_ISI;
1653                 env->error_code = 0x08000000;
1654                 break;
1655             case -3:
1656                 /* No execute protection violation */
1657                 if ((env->mmu_model == POWERPC_MMU_BOOKE) ||
1658                     (env->mmu_model == POWERPC_MMU_BOOKE206)) {
1659                     env->spr[SPR_BOOKE_ESR] = 0x00000000;
1660                 }
1661                 cs->exception_index = POWERPC_EXCP_ISI;
1662                 env->error_code = 0x10000000;
1663                 break;
1664             case -4:
1665                 /* Direct store exception */
1666                 /* No code fetch is allowed in direct-store areas */
1667                 cs->exception_index = POWERPC_EXCP_ISI;
1668                 env->error_code = 0x10000000;
1669                 break;
1670             }
1671         } else {
1672             switch (ret) {
1673             case -1:
1674                 /* No matches in page tables or TLB */
1675                 switch (env->mmu_model) {
1676                 case POWERPC_MMU_SOFT_6xx:
1677                     if (rw == 1) {
1678                         cs->exception_index = POWERPC_EXCP_DSTLB;
1679                         env->error_code = 1 << 16;
1680                     } else {
1681                         cs->exception_index = POWERPC_EXCP_DLTLB;
1682                         env->error_code = 0;
1683                     }
1684                     env->spr[SPR_DMISS] = address;
1685                     env->spr[SPR_DCMP] = 0x80000000 | ctx.ptem;
1686                 tlb_miss:
1687                     env->error_code |= ctx.key << 19;
1688                     env->spr[SPR_HASH1] = ppc_hash32_hpt_base(cpu) +
1689                         get_pteg_offset32(cpu, ctx.hash[0]);
1690                     env->spr[SPR_HASH2] = ppc_hash32_hpt_base(cpu) +
1691                         get_pteg_offset32(cpu, ctx.hash[1]);
1692                     break;
1693                 case POWERPC_MMU_SOFT_74xx:
1694                     if (rw == 1) {
1695                         cs->exception_index = POWERPC_EXCP_DSTLB;
1696                     } else {
1697                         cs->exception_index = POWERPC_EXCP_DLTLB;
1698                     }
1699                 tlb_miss_74xx:
1700                     /* Implement LRU algorithm */
1701                     env->error_code = ctx.key << 19;
1702                     env->spr[SPR_TLBMISS] = (address & ~((target_ulong)0x3)) |
1703                         ((env->last_way + 1) & (env->nb_ways - 1));
1704                     env->spr[SPR_PTEHI] = 0x80000000 | ctx.ptem;
1705                     break;
1706                 case POWERPC_MMU_SOFT_4xx:
1707                 case POWERPC_MMU_SOFT_4xx_Z:
1708                     cs->exception_index = POWERPC_EXCP_DTLB;
1709                     env->error_code = 0;
1710                     env->spr[SPR_40x_DEAR] = address;
1711                     if (rw) {
1712                         env->spr[SPR_40x_ESR] = 0x00800000;
1713                     } else {
1714                         env->spr[SPR_40x_ESR] = 0x00000000;
1715                     }
1716                     break;
1717                 case POWERPC_MMU_MPC8xx:
1718                     /* XXX: TODO */
1719                     cpu_abort(cs, "MPC8xx MMU model is not implemented\n");
1720                     break;
1721                 case POWERPC_MMU_BOOKE206:
1722                     booke206_update_mas_tlb_miss(env, address, rw, mmu_idx);
1723                     /* fall through */
1724                 case POWERPC_MMU_BOOKE:
1725                     cs->exception_index = POWERPC_EXCP_DTLB;
1726                     env->error_code = 0;
1727                     env->spr[SPR_BOOKE_DEAR] = address;
1728                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, rw);
1729                     return -1;
1730                 case POWERPC_MMU_REAL:
1731                     cpu_abort(cs, "PowerPC in real mode should never raise "
1732                               "any MMU exceptions\n");
1733                     return -1;
1734                 default:
1735                     cpu_abort(cs, "Unknown or invalid MMU model\n");
1736                     return -1;
1737                 }
1738                 break;
1739             case -2:
1740                 /* Access rights violation */
1741                 cs->exception_index = POWERPC_EXCP_DSI;
1742                 env->error_code = 0;
1743                 if (env->mmu_model == POWERPC_MMU_SOFT_4xx
1744                     || env->mmu_model == POWERPC_MMU_SOFT_4xx_Z) {
1745                     env->spr[SPR_40x_DEAR] = address;
1746                     if (rw) {
1747                         env->spr[SPR_40x_ESR] |= 0x00800000;
1748                     }
1749                 } else if ((env->mmu_model == POWERPC_MMU_BOOKE) ||
1750                            (env->mmu_model == POWERPC_MMU_BOOKE206)) {
1751                     env->spr[SPR_BOOKE_DEAR] = address;
1752                     env->spr[SPR_BOOKE_ESR] = mmubooke206_esr(mmu_idx, rw);
1753                 } else {
1754                     env->spr[SPR_DAR] = address;
1755                     if (rw == 1) {
1756                         env->spr[SPR_DSISR] = 0x0A000000;
1757                     } else {
1758                         env->spr[SPR_DSISR] = 0x08000000;
1759                     }
1760                 }
1761                 break;
1762             case -4:
1763                 /* Direct store exception */
1764                 switch (access_type) {
1765                 case ACCESS_FLOAT:
1766                     /* Floating point load/store */
1767                     cs->exception_index = POWERPC_EXCP_ALIGN;
1768                     env->error_code = POWERPC_EXCP_ALIGN_FP;
1769                     env->spr[SPR_DAR] = address;
1770                     break;
1771                 case ACCESS_RES:
1772                     /* lwarx, ldarx or stwcx. */
1773                     cs->exception_index = POWERPC_EXCP_DSI;
1774                     env->error_code = 0;
1775                     env->spr[SPR_DAR] = address;
1776                     if (rw == 1) {
1777                         env->spr[SPR_DSISR] = 0x06000000;
1778                     } else {
1779                         env->spr[SPR_DSISR] = 0x04000000;
1780                     }
1781                     break;
1782                 case ACCESS_EXT:
1783                     /* eciwx or ecowx */
1784                     cs->exception_index = POWERPC_EXCP_DSI;
1785                     env->error_code = 0;
1786                     env->spr[SPR_DAR] = address;
1787                     if (rw == 1) {
1788                         env->spr[SPR_DSISR] = 0x06100000;
1789                     } else {
1790                         env->spr[SPR_DSISR] = 0x04100000;
1791                     }
1792                     break;
1793                 default:
1794                     printf("DSI: invalid exception (%d)\n", ret);
1795                     cs->exception_index = POWERPC_EXCP_PROGRAM;
1796                     env->error_code =
1797                         POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL;
1798                     env->spr[SPR_DAR] = address;
1799                     break;
1800                 }
1801                 break;
1802             }
1803         }
1804         ret = 1;
1805     }
1806 
1807     return ret;
1808 }
1809 
1810 /*****************************************************************************/
1811 /* BATs management */
1812 #if !defined(FLUSH_ALL_TLBS)
1813 static inline void do_invalidate_BAT(CPUPPCState *env, target_ulong BATu,
1814                                      target_ulong mask)
1815 {
1816     CPUState *cs = env_cpu(env);
1817     target_ulong base, end, page;
1818 
1819     base = BATu & ~0x0001FFFF;
1820     end = base + mask + 0x00020000;
1821     if (((end - base) >> TARGET_PAGE_BITS) > 1024) {
1822         /* Flushing 1024 4K pages is slower than a complete flush */
1823         LOG_BATS("Flush all BATs\n");
1824         tlb_flush(cs);
1825         LOG_BATS("Flush done\n");
1826         return;
1827     }
1828     LOG_BATS("Flush BAT from " TARGET_FMT_lx " to " TARGET_FMT_lx " ("
1829              TARGET_FMT_lx ")\n", base, end, mask);
1830     for (page = base; page != end; page += TARGET_PAGE_SIZE) {
1831         tlb_flush_page(cs, page);
1832     }
1833     LOG_BATS("Flush done\n");
1834 }
1835 #endif
1836 
1837 static inline void dump_store_bat(CPUPPCState *env, char ID, int ul, int nr,
1838                                   target_ulong value)
1839 {
1840     LOG_BATS("Set %cBAT%d%c to " TARGET_FMT_lx " (" TARGET_FMT_lx ")\n", ID,
1841              nr, ul == 0 ? 'u' : 'l', value, env->nip);
1842 }
1843 
1844 void helper_store_ibatu(CPUPPCState *env, uint32_t nr, target_ulong value)
1845 {
1846     target_ulong mask;
1847 #if defined(FLUSH_ALL_TLBS)
1848     PowerPCCPU *cpu = env_archcpu(env);
1849 #endif
1850 
1851     dump_store_bat(env, 'I', 0, nr, value);
1852     if (env->IBAT[0][nr] != value) {
1853         mask = (value << 15) & 0x0FFE0000UL;
1854 #if !defined(FLUSH_ALL_TLBS)
1855         do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1856 #endif
1857         /*
1858          * When storing valid upper BAT, mask BEPI and BRPN and
1859          * invalidate all TLBs covered by this BAT
1860          */
1861         mask = (value << 15) & 0x0FFE0000UL;
1862         env->IBAT[0][nr] = (value & 0x00001FFFUL) |
1863             (value & ~0x0001FFFFUL & ~mask);
1864         env->IBAT[1][nr] = (env->IBAT[1][nr] & 0x0000007B) |
1865             (env->IBAT[1][nr] & ~0x0001FFFF & ~mask);
1866 #if !defined(FLUSH_ALL_TLBS)
1867         do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1868 #else
1869         tlb_flush(env_cpu(env));
1870 #endif
1871     }
1872 }
1873 
1874 void helper_store_ibatl(CPUPPCState *env, uint32_t nr, target_ulong value)
1875 {
1876     dump_store_bat(env, 'I', 1, nr, value);
1877     env->IBAT[1][nr] = value;
1878 }
1879 
1880 void helper_store_dbatu(CPUPPCState *env, uint32_t nr, target_ulong value)
1881 {
1882     target_ulong mask;
1883 #if defined(FLUSH_ALL_TLBS)
1884     PowerPCCPU *cpu = env_archcpu(env);
1885 #endif
1886 
1887     dump_store_bat(env, 'D', 0, nr, value);
1888     if (env->DBAT[0][nr] != value) {
1889         /*
1890          * When storing valid upper BAT, mask BEPI and BRPN and
1891          * invalidate all TLBs covered by this BAT
1892          */
1893         mask = (value << 15) & 0x0FFE0000UL;
1894 #if !defined(FLUSH_ALL_TLBS)
1895         do_invalidate_BAT(env, env->DBAT[0][nr], mask);
1896 #endif
1897         mask = (value << 15) & 0x0FFE0000UL;
1898         env->DBAT[0][nr] = (value & 0x00001FFFUL) |
1899             (value & ~0x0001FFFFUL & ~mask);
1900         env->DBAT[1][nr] = (env->DBAT[1][nr] & 0x0000007B) |
1901             (env->DBAT[1][nr] & ~0x0001FFFF & ~mask);
1902 #if !defined(FLUSH_ALL_TLBS)
1903         do_invalidate_BAT(env, env->DBAT[0][nr], mask);
1904 #else
1905         tlb_flush(env_cpu(env));
1906 #endif
1907     }
1908 }
1909 
1910 void helper_store_dbatl(CPUPPCState *env, uint32_t nr, target_ulong value)
1911 {
1912     dump_store_bat(env, 'D', 1, nr, value);
1913     env->DBAT[1][nr] = value;
1914 }
1915 
1916 void helper_store_601_batu(CPUPPCState *env, uint32_t nr, target_ulong value)
1917 {
1918     target_ulong mask;
1919 #if defined(FLUSH_ALL_TLBS)
1920     PowerPCCPU *cpu = env_archcpu(env);
1921     int do_inval;
1922 #endif
1923 
1924     dump_store_bat(env, 'I', 0, nr, value);
1925     if (env->IBAT[0][nr] != value) {
1926 #if defined(FLUSH_ALL_TLBS)
1927         do_inval = 0;
1928 #endif
1929         mask = (env->IBAT[1][nr] << 17) & 0x0FFE0000UL;
1930         if (env->IBAT[1][nr] & 0x40) {
1931             /* Invalidate BAT only if it is valid */
1932 #if !defined(FLUSH_ALL_TLBS)
1933             do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1934 #else
1935             do_inval = 1;
1936 #endif
1937         }
1938         /*
1939          * When storing valid upper BAT, mask BEPI and BRPN and
1940          * invalidate all TLBs covered by this BAT
1941          */
1942         env->IBAT[0][nr] = (value & 0x00001FFFUL) |
1943             (value & ~0x0001FFFFUL & ~mask);
1944         env->DBAT[0][nr] = env->IBAT[0][nr];
1945         if (env->IBAT[1][nr] & 0x40) {
1946 #if !defined(FLUSH_ALL_TLBS)
1947             do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1948 #else
1949             do_inval = 1;
1950 #endif
1951         }
1952 #if defined(FLUSH_ALL_TLBS)
1953         if (do_inval) {
1954             tlb_flush(env_cpu(env));
1955         }
1956 #endif
1957     }
1958 }
1959 
1960 void helper_store_601_batl(CPUPPCState *env, uint32_t nr, target_ulong value)
1961 {
1962 #if !defined(FLUSH_ALL_TLBS)
1963     target_ulong mask;
1964 #else
1965     PowerPCCPU *cpu = env_archcpu(env);
1966     int do_inval;
1967 #endif
1968 
1969     dump_store_bat(env, 'I', 1, nr, value);
1970     if (env->IBAT[1][nr] != value) {
1971 #if defined(FLUSH_ALL_TLBS)
1972         do_inval = 0;
1973 #endif
1974         if (env->IBAT[1][nr] & 0x40) {
1975 #if !defined(FLUSH_ALL_TLBS)
1976             mask = (env->IBAT[1][nr] << 17) & 0x0FFE0000UL;
1977             do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1978 #else
1979             do_inval = 1;
1980 #endif
1981         }
1982         if (value & 0x40) {
1983 #if !defined(FLUSH_ALL_TLBS)
1984             mask = (value << 17) & 0x0FFE0000UL;
1985             do_invalidate_BAT(env, env->IBAT[0][nr], mask);
1986 #else
1987             do_inval = 1;
1988 #endif
1989         }
1990         env->IBAT[1][nr] = value;
1991         env->DBAT[1][nr] = value;
1992 #if defined(FLUSH_ALL_TLBS)
1993         if (do_inval) {
1994             tlb_flush(env_cpu(env));
1995         }
1996 #endif
1997     }
1998 }
1999 
2000 /*****************************************************************************/
2001 /* TLB management */
2002 void ppc_tlb_invalidate_all(CPUPPCState *env)
2003 {
2004 #if defined(TARGET_PPC64)
2005     if (mmu_is_64bit(env->mmu_model)) {
2006         env->tlb_need_flush = 0;
2007         tlb_flush(env_cpu(env));
2008     } else
2009 #endif /* defined(TARGET_PPC64) */
2010     switch (env->mmu_model) {
2011     case POWERPC_MMU_SOFT_6xx:
2012     case POWERPC_MMU_SOFT_74xx:
2013         ppc6xx_tlb_invalidate_all(env);
2014         break;
2015     case POWERPC_MMU_SOFT_4xx:
2016     case POWERPC_MMU_SOFT_4xx_Z:
2017         ppc4xx_tlb_invalidate_all(env);
2018         break;
2019     case POWERPC_MMU_REAL:
2020         cpu_abort(env_cpu(env), "No TLB for PowerPC 4xx in real mode\n");
2021         break;
2022     case POWERPC_MMU_MPC8xx:
2023         /* XXX: TODO */
2024         cpu_abort(env_cpu(env), "MPC8xx MMU model is not implemented\n");
2025         break;
2026     case POWERPC_MMU_BOOKE:
2027         tlb_flush(env_cpu(env));
2028         break;
2029     case POWERPC_MMU_BOOKE206:
2030         booke206_flush_tlb(env, -1, 0);
2031         break;
2032     case POWERPC_MMU_32B:
2033     case POWERPC_MMU_601:
2034         env->tlb_need_flush = 0;
2035         tlb_flush(env_cpu(env));
2036         break;
2037     default:
2038         /* XXX: TODO */
2039         cpu_abort(env_cpu(env), "Unknown MMU model %x\n", env->mmu_model);
2040         break;
2041     }
2042 }
2043 
2044 void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
2045 {
2046 #if !defined(FLUSH_ALL_TLBS)
2047     addr &= TARGET_PAGE_MASK;
2048 #if defined(TARGET_PPC64)
2049     if (mmu_is_64bit(env->mmu_model)) {
2050         /* tlbie invalidate TLBs for all segments */
2051         /*
2052          * XXX: given the fact that there are too many segments to invalidate,
2053          *      and we still don't have a tlb_flush_mask(env, n, mask) in QEMU,
2054          *      we just invalidate all TLBs
2055          */
2056         env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
2057     } else
2058 #endif /* defined(TARGET_PPC64) */
2059     switch (env->mmu_model) {
2060     case POWERPC_MMU_SOFT_6xx:
2061     case POWERPC_MMU_SOFT_74xx:
2062         ppc6xx_tlb_invalidate_virt(env, addr, 0);
2063         if (env->id_tlbs == 1) {
2064             ppc6xx_tlb_invalidate_virt(env, addr, 1);
2065         }
2066         break;
2067     case POWERPC_MMU_32B:
2068     case POWERPC_MMU_601:
2069         /*
2070          * Actual CPUs invalidate entire congruence classes based on
2071          * the geometry of their TLBs and some OSes take that into
2072          * account, we just mark the TLB to be flushed later (context
2073          * synchronizing event or sync instruction on 32-bit).
2074          */
2075         env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
2076         break;
2077     default:
2078         /* Should never reach here with other MMU models */
2079         assert(0);
2080     }
2081 #else
2082     ppc_tlb_invalidate_all(env);
2083 #endif
2084 }
2085 
2086 /*****************************************************************************/
2087 /* Special registers manipulation */
2088 void ppc_store_sdr1(CPUPPCState *env, target_ulong value)
2089 {
2090     PowerPCCPU *cpu = env_archcpu(env);
2091     qemu_log_mask(CPU_LOG_MMU, "%s: " TARGET_FMT_lx "\n", __func__, value);
2092     assert(!cpu->vhyp);
2093 #if defined(TARGET_PPC64)
2094     if (mmu_is_64bit(env->mmu_model)) {
2095         target_ulong sdr_mask = SDR_64_HTABORG | SDR_64_HTABSIZE;
2096         target_ulong htabsize = value & SDR_64_HTABSIZE;
2097 
2098         if (value & ~sdr_mask) {
2099             error_report("Invalid bits 0x"TARGET_FMT_lx" set in SDR1",
2100                          value & ~sdr_mask);
2101             value &= sdr_mask;
2102         }
2103         if (htabsize > 28) {
2104             error_report("Invalid HTABSIZE 0x" TARGET_FMT_lx" stored in SDR1",
2105                          htabsize);
2106             return;
2107         }
2108     }
2109 #endif /* defined(TARGET_PPC64) */
2110     /* FIXME: Should check for valid HTABMASK values in 32-bit case */
2111     env->spr[SPR_SDR1] = value;
2112 }
2113 
2114 #if defined(TARGET_PPC64)
2115 void ppc_store_ptcr(CPUPPCState *env, target_ulong value)
2116 {
2117     PowerPCCPU *cpu = env_archcpu(env);
2118     target_ulong ptcr_mask = PTCR_PATB | PTCR_PATS;
2119     target_ulong patbsize = value & PTCR_PATS;
2120 
2121     qemu_log_mask(CPU_LOG_MMU, "%s: " TARGET_FMT_lx "\n", __func__, value);
2122 
2123     assert(!cpu->vhyp);
2124     assert(env->mmu_model & POWERPC_MMU_3_00);
2125 
2126     if (value & ~ptcr_mask) {
2127         error_report("Invalid bits 0x"TARGET_FMT_lx" set in PTCR",
2128                      value & ~ptcr_mask);
2129         value &= ptcr_mask;
2130     }
2131 
2132     if (patbsize > 24) {
2133         error_report("Invalid Partition Table size 0x" TARGET_FMT_lx
2134                      " stored in PTCR", patbsize);
2135         return;
2136     }
2137 
2138     env->spr[SPR_PTCR] = value;
2139 }
2140 
2141 #endif /* defined(TARGET_PPC64) */
2142 
2143 /* Segment registers load and store */
2144 target_ulong helper_load_sr(CPUPPCState *env, target_ulong sr_num)
2145 {
2146 #if defined(TARGET_PPC64)
2147     if (mmu_is_64bit(env->mmu_model)) {
2148         /* XXX */
2149         return 0;
2150     }
2151 #endif
2152     return env->sr[sr_num];
2153 }
2154 
2155 void helper_store_sr(CPUPPCState *env, target_ulong srnum, target_ulong value)
2156 {
2157     qemu_log_mask(CPU_LOG_MMU,
2158             "%s: reg=%d " TARGET_FMT_lx " " TARGET_FMT_lx "\n", __func__,
2159             (int)srnum, value, env->sr[srnum]);
2160 #if defined(TARGET_PPC64)
2161     if (mmu_is_64bit(env->mmu_model)) {
2162         PowerPCCPU *cpu = env_archcpu(env);
2163         uint64_t esid, vsid;
2164 
2165         /* ESID = srnum */
2166         esid = ((uint64_t)(srnum & 0xf) << 28) | SLB_ESID_V;
2167 
2168         /* VSID = VSID */
2169         vsid = (value & 0xfffffff) << 12;
2170         /* flags = flags */
2171         vsid |= ((value >> 27) & 0xf) << 8;
2172 
2173         ppc_store_slb(cpu, srnum, esid, vsid);
2174     } else
2175 #endif
2176     if (env->sr[srnum] != value) {
2177         env->sr[srnum] = value;
2178         /*
2179          * Invalidating 256MB of virtual memory in 4kB pages is way
2180          * longer than flushing the whole TLB.
2181          */
2182 #if !defined(FLUSH_ALL_TLBS) && 0
2183         {
2184             target_ulong page, end;
2185             /* Invalidate 256 MB of virtual memory */
2186             page = (16 << 20) * srnum;
2187             end = page + (16 << 20);
2188             for (; page != end; page += TARGET_PAGE_SIZE) {
2189                 tlb_flush_page(env_cpu(env), page);
2190             }
2191         }
2192 #else
2193         env->tlb_need_flush |= TLB_NEED_LOCAL_FLUSH;
2194 #endif
2195     }
2196 }
2197 
2198 /* TLB management */
2199 void helper_tlbia(CPUPPCState *env)
2200 {
2201     ppc_tlb_invalidate_all(env);
2202 }
2203 
2204 void helper_tlbie(CPUPPCState *env, target_ulong addr)
2205 {
2206     ppc_tlb_invalidate_one(env, addr);
2207 }
2208 
2209 void helper_tlbiva(CPUPPCState *env, target_ulong addr)
2210 {
2211     /* tlbiva instruction only exists on BookE */
2212     assert(env->mmu_model == POWERPC_MMU_BOOKE);
2213     /* XXX: TODO */
2214     cpu_abort(env_cpu(env), "BookE MMU model is not implemented\n");
2215 }
2216 
2217 /* Software driven TLBs management */
2218 /* PowerPC 602/603 software TLB load instructions helpers */
2219 static void do_6xx_tlb(CPUPPCState *env, target_ulong new_EPN, int is_code)
2220 {
2221     target_ulong RPN, CMP, EPN;
2222     int way;
2223 
2224     RPN = env->spr[SPR_RPA];
2225     if (is_code) {
2226         CMP = env->spr[SPR_ICMP];
2227         EPN = env->spr[SPR_IMISS];
2228     } else {
2229         CMP = env->spr[SPR_DCMP];
2230         EPN = env->spr[SPR_DMISS];
2231     }
2232     way = (env->spr[SPR_SRR1] >> 17) & 1;
2233     (void)EPN; /* avoid a compiler warning */
2234     LOG_SWTLB("%s: EPN " TARGET_FMT_lx " " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx
2235               " PTE1 " TARGET_FMT_lx " way %d\n", __func__, new_EPN, EPN, CMP,
2236               RPN, way);
2237     /* Store this TLB */
2238     ppc6xx_tlb_store(env, (uint32_t)(new_EPN & TARGET_PAGE_MASK),
2239                      way, is_code, CMP, RPN);
2240 }
2241 
2242 void helper_6xx_tlbd(CPUPPCState *env, target_ulong EPN)
2243 {
2244     do_6xx_tlb(env, EPN, 0);
2245 }
2246 
2247 void helper_6xx_tlbi(CPUPPCState *env, target_ulong EPN)
2248 {
2249     do_6xx_tlb(env, EPN, 1);
2250 }
2251 
2252 /* PowerPC 74xx software TLB load instructions helpers */
2253 static void do_74xx_tlb(CPUPPCState *env, target_ulong new_EPN, int is_code)
2254 {
2255     target_ulong RPN, CMP, EPN;
2256     int way;
2257 
2258     RPN = env->spr[SPR_PTELO];
2259     CMP = env->spr[SPR_PTEHI];
2260     EPN = env->spr[SPR_TLBMISS] & ~0x3;
2261     way = env->spr[SPR_TLBMISS] & 0x3;
2262     (void)EPN; /* avoid a compiler warning */
2263     LOG_SWTLB("%s: EPN " TARGET_FMT_lx " " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx
2264               " PTE1 " TARGET_FMT_lx " way %d\n", __func__, new_EPN, EPN, CMP,
2265               RPN, way);
2266     /* Store this TLB */
2267     ppc6xx_tlb_store(env, (uint32_t)(new_EPN & TARGET_PAGE_MASK),
2268                      way, is_code, CMP, RPN);
2269 }
2270 
2271 void helper_74xx_tlbd(CPUPPCState *env, target_ulong EPN)
2272 {
2273     do_74xx_tlb(env, EPN, 0);
2274 }
2275 
2276 void helper_74xx_tlbi(CPUPPCState *env, target_ulong EPN)
2277 {
2278     do_74xx_tlb(env, EPN, 1);
2279 }
2280 
2281 /*****************************************************************************/
2282 /* PowerPC 601 specific instructions (POWER bridge) */
2283 
2284 target_ulong helper_rac(CPUPPCState *env, target_ulong addr)
2285 {
2286     mmu_ctx_t ctx;
2287     int nb_BATs;
2288     target_ulong ret = 0;
2289 
2290     /*
2291      * We don't have to generate many instances of this instruction,
2292      * as rac is supervisor only.
2293      *
2294      * XXX: FIX THIS: Pretend we have no BAT
2295      */
2296     nb_BATs = env->nb_BATs;
2297     env->nb_BATs = 0;
2298     if (get_physical_address(env, &ctx, addr, 0, ACCESS_INT) == 0) {
2299         ret = ctx.raddr;
2300     }
2301     env->nb_BATs = nb_BATs;
2302     return ret;
2303 }
2304 
2305 static inline target_ulong booke_tlb_to_page_size(int size)
2306 {
2307     return 1024 << (2 * size);
2308 }
2309 
2310 static inline int booke_page_size_to_tlb(target_ulong page_size)
2311 {
2312     int size;
2313 
2314     switch (page_size) {
2315     case 0x00000400UL:
2316         size = 0x0;
2317         break;
2318     case 0x00001000UL:
2319         size = 0x1;
2320         break;
2321     case 0x00004000UL:
2322         size = 0x2;
2323         break;
2324     case 0x00010000UL:
2325         size = 0x3;
2326         break;
2327     case 0x00040000UL:
2328         size = 0x4;
2329         break;
2330     case 0x00100000UL:
2331         size = 0x5;
2332         break;
2333     case 0x00400000UL:
2334         size = 0x6;
2335         break;
2336     case 0x01000000UL:
2337         size = 0x7;
2338         break;
2339     case 0x04000000UL:
2340         size = 0x8;
2341         break;
2342     case 0x10000000UL:
2343         size = 0x9;
2344         break;
2345     case 0x40000000UL:
2346         size = 0xA;
2347         break;
2348 #if defined(TARGET_PPC64)
2349     case 0x000100000000ULL:
2350         size = 0xB;
2351         break;
2352     case 0x000400000000ULL:
2353         size = 0xC;
2354         break;
2355     case 0x001000000000ULL:
2356         size = 0xD;
2357         break;
2358     case 0x004000000000ULL:
2359         size = 0xE;
2360         break;
2361     case 0x010000000000ULL:
2362         size = 0xF;
2363         break;
2364 #endif
2365     default:
2366         size = -1;
2367         break;
2368     }
2369 
2370     return size;
2371 }
2372 
2373 /* Helpers for 4xx TLB management */
2374 #define PPC4XX_TLB_ENTRY_MASK       0x0000003f  /* Mask for 64 TLB entries */
2375 
2376 #define PPC4XX_TLBHI_V              0x00000040
2377 #define PPC4XX_TLBHI_E              0x00000020
2378 #define PPC4XX_TLBHI_SIZE_MIN       0
2379 #define PPC4XX_TLBHI_SIZE_MAX       7
2380 #define PPC4XX_TLBHI_SIZE_DEFAULT   1
2381 #define PPC4XX_TLBHI_SIZE_SHIFT     7
2382 #define PPC4XX_TLBHI_SIZE_MASK      0x00000007
2383 
2384 #define PPC4XX_TLBLO_EX             0x00000200
2385 #define PPC4XX_TLBLO_WR             0x00000100
2386 #define PPC4XX_TLBLO_ATTR_MASK      0x000000FF
2387 #define PPC4XX_TLBLO_RPN_MASK       0xFFFFFC00
2388 
2389 target_ulong helper_4xx_tlbre_hi(CPUPPCState *env, target_ulong entry)
2390 {
2391     ppcemb_tlb_t *tlb;
2392     target_ulong ret;
2393     int size;
2394 
2395     entry &= PPC4XX_TLB_ENTRY_MASK;
2396     tlb = &env->tlb.tlbe[entry];
2397     ret = tlb->EPN;
2398     if (tlb->prot & PAGE_VALID) {
2399         ret |= PPC4XX_TLBHI_V;
2400     }
2401     size = booke_page_size_to_tlb(tlb->size);
2402     if (size < PPC4XX_TLBHI_SIZE_MIN || size > PPC4XX_TLBHI_SIZE_MAX) {
2403         size = PPC4XX_TLBHI_SIZE_DEFAULT;
2404     }
2405     ret |= size << PPC4XX_TLBHI_SIZE_SHIFT;
2406     env->spr[SPR_40x_PID] = tlb->PID;
2407     return ret;
2408 }
2409 
2410 target_ulong helper_4xx_tlbre_lo(CPUPPCState *env, target_ulong entry)
2411 {
2412     ppcemb_tlb_t *tlb;
2413     target_ulong ret;
2414 
2415     entry &= PPC4XX_TLB_ENTRY_MASK;
2416     tlb = &env->tlb.tlbe[entry];
2417     ret = tlb->RPN;
2418     if (tlb->prot & PAGE_EXEC) {
2419         ret |= PPC4XX_TLBLO_EX;
2420     }
2421     if (tlb->prot & PAGE_WRITE) {
2422         ret |= PPC4XX_TLBLO_WR;
2423     }
2424     return ret;
2425 }
2426 
2427 void helper_4xx_tlbwe_hi(CPUPPCState *env, target_ulong entry,
2428                          target_ulong val)
2429 {
2430     CPUState *cs = env_cpu(env);
2431     ppcemb_tlb_t *tlb;
2432     target_ulong page, end;
2433 
2434     LOG_SWTLB("%s entry %d val " TARGET_FMT_lx "\n", __func__, (int)entry,
2435               val);
2436     entry &= PPC4XX_TLB_ENTRY_MASK;
2437     tlb = &env->tlb.tlbe[entry];
2438     /* Invalidate previous TLB (if it's valid) */
2439     if (tlb->prot & PAGE_VALID) {
2440         end = tlb->EPN + tlb->size;
2441         LOG_SWTLB("%s: invalidate old TLB %d start " TARGET_FMT_lx " end "
2442                   TARGET_FMT_lx "\n", __func__, (int)entry, tlb->EPN, end);
2443         for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE) {
2444             tlb_flush_page(cs, page);
2445         }
2446     }
2447     tlb->size = booke_tlb_to_page_size((val >> PPC4XX_TLBHI_SIZE_SHIFT)
2448                                        & PPC4XX_TLBHI_SIZE_MASK);
2449     /*
2450      * We cannot handle TLB size < TARGET_PAGE_SIZE.
2451      * If this ever occurs, we should implement TARGET_PAGE_BITS_VARY
2452      */
2453     if ((val & PPC4XX_TLBHI_V) && tlb->size < TARGET_PAGE_SIZE) {
2454         cpu_abort(cs, "TLB size " TARGET_FMT_lu " < %u "
2455                   "are not supported (%d)\n"
2456                   "Please implement TARGET_PAGE_BITS_VARY\n",
2457                   tlb->size, TARGET_PAGE_SIZE, (int)((val >> 7) & 0x7));
2458     }
2459     tlb->EPN = val & ~(tlb->size - 1);
2460     if (val & PPC4XX_TLBHI_V) {
2461         tlb->prot |= PAGE_VALID;
2462         if (val & PPC4XX_TLBHI_E) {
2463             /* XXX: TO BE FIXED */
2464             cpu_abort(cs,
2465                       "Little-endian TLB entries are not supported by now\n");
2466         }
2467     } else {
2468         tlb->prot &= ~PAGE_VALID;
2469     }
2470     tlb->PID = env->spr[SPR_40x_PID]; /* PID */
2471     LOG_SWTLB("%s: set up TLB %d RPN " TARGET_FMT_plx " EPN " TARGET_FMT_lx
2472               " size " TARGET_FMT_lx " prot %c%c%c%c PID %d\n", __func__,
2473               (int)entry, tlb->RPN, tlb->EPN, tlb->size,
2474               tlb->prot & PAGE_READ ? 'r' : '-',
2475               tlb->prot & PAGE_WRITE ? 'w' : '-',
2476               tlb->prot & PAGE_EXEC ? 'x' : '-',
2477               tlb->prot & PAGE_VALID ? 'v' : '-', (int)tlb->PID);
2478     /* Invalidate new TLB (if valid) */
2479     if (tlb->prot & PAGE_VALID) {
2480         end = tlb->EPN + tlb->size;
2481         LOG_SWTLB("%s: invalidate TLB %d start " TARGET_FMT_lx " end "
2482                   TARGET_FMT_lx "\n", __func__, (int)entry, tlb->EPN, end);
2483         for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE) {
2484             tlb_flush_page(cs, page);
2485         }
2486     }
2487 }
2488 
2489 void helper_4xx_tlbwe_lo(CPUPPCState *env, target_ulong entry,
2490                          target_ulong val)
2491 {
2492     ppcemb_tlb_t *tlb;
2493 
2494     LOG_SWTLB("%s entry %i val " TARGET_FMT_lx "\n", __func__, (int)entry,
2495               val);
2496     entry &= PPC4XX_TLB_ENTRY_MASK;
2497     tlb = &env->tlb.tlbe[entry];
2498     tlb->attr = val & PPC4XX_TLBLO_ATTR_MASK;
2499     tlb->RPN = val & PPC4XX_TLBLO_RPN_MASK;
2500     tlb->prot = PAGE_READ;
2501     if (val & PPC4XX_TLBLO_EX) {
2502         tlb->prot |= PAGE_EXEC;
2503     }
2504     if (val & PPC4XX_TLBLO_WR) {
2505         tlb->prot |= PAGE_WRITE;
2506     }
2507     LOG_SWTLB("%s: set up TLB %d RPN " TARGET_FMT_plx " EPN " TARGET_FMT_lx
2508               " size " TARGET_FMT_lx " prot %c%c%c%c PID %d\n", __func__,
2509               (int)entry, tlb->RPN, tlb->EPN, tlb->size,
2510               tlb->prot & PAGE_READ ? 'r' : '-',
2511               tlb->prot & PAGE_WRITE ? 'w' : '-',
2512               tlb->prot & PAGE_EXEC ? 'x' : '-',
2513               tlb->prot & PAGE_VALID ? 'v' : '-', (int)tlb->PID);
2514 }
2515 
2516 target_ulong helper_4xx_tlbsx(CPUPPCState *env, target_ulong address)
2517 {
2518     return ppcemb_tlb_search(env, address, env->spr[SPR_40x_PID]);
2519 }
2520 
2521 /* PowerPC 440 TLB management */
2522 void helper_440_tlbwe(CPUPPCState *env, uint32_t word, target_ulong entry,
2523                       target_ulong value)
2524 {
2525     ppcemb_tlb_t *tlb;
2526     target_ulong EPN, RPN, size;
2527     int do_flush_tlbs;
2528 
2529     LOG_SWTLB("%s word %d entry %d value " TARGET_FMT_lx "\n",
2530               __func__, word, (int)entry, value);
2531     do_flush_tlbs = 0;
2532     entry &= 0x3F;
2533     tlb = &env->tlb.tlbe[entry];
2534     switch (word) {
2535     default:
2536         /* Just here to please gcc */
2537     case 0:
2538         EPN = value & 0xFFFFFC00;
2539         if ((tlb->prot & PAGE_VALID) && EPN != tlb->EPN) {
2540             do_flush_tlbs = 1;
2541         }
2542         tlb->EPN = EPN;
2543         size = booke_tlb_to_page_size((value >> 4) & 0xF);
2544         if ((tlb->prot & PAGE_VALID) && tlb->size < size) {
2545             do_flush_tlbs = 1;
2546         }
2547         tlb->size = size;
2548         tlb->attr &= ~0x1;
2549         tlb->attr |= (value >> 8) & 1;
2550         if (value & 0x200) {
2551             tlb->prot |= PAGE_VALID;
2552         } else {
2553             if (tlb->prot & PAGE_VALID) {
2554                 tlb->prot &= ~PAGE_VALID;
2555                 do_flush_tlbs = 1;
2556             }
2557         }
2558         tlb->PID = env->spr[SPR_440_MMUCR] & 0x000000FF;
2559         if (do_flush_tlbs) {
2560             tlb_flush(env_cpu(env));
2561         }
2562         break;
2563     case 1:
2564         RPN = value & 0xFFFFFC0F;
2565         if ((tlb->prot & PAGE_VALID) && tlb->RPN != RPN) {
2566             tlb_flush(env_cpu(env));
2567         }
2568         tlb->RPN = RPN;
2569         break;
2570     case 2:
2571         tlb->attr = (tlb->attr & 0x1) | (value & 0x0000FF00);
2572         tlb->prot = tlb->prot & PAGE_VALID;
2573         if (value & 0x1) {
2574             tlb->prot |= PAGE_READ << 4;
2575         }
2576         if (value & 0x2) {
2577             tlb->prot |= PAGE_WRITE << 4;
2578         }
2579         if (value & 0x4) {
2580             tlb->prot |= PAGE_EXEC << 4;
2581         }
2582         if (value & 0x8) {
2583             tlb->prot |= PAGE_READ;
2584         }
2585         if (value & 0x10) {
2586             tlb->prot |= PAGE_WRITE;
2587         }
2588         if (value & 0x20) {
2589             tlb->prot |= PAGE_EXEC;
2590         }
2591         break;
2592     }
2593 }
2594 
2595 target_ulong helper_440_tlbre(CPUPPCState *env, uint32_t word,
2596                               target_ulong entry)
2597 {
2598     ppcemb_tlb_t *tlb;
2599     target_ulong ret;
2600     int size;
2601 
2602     entry &= 0x3F;
2603     tlb = &env->tlb.tlbe[entry];
2604     switch (word) {
2605     default:
2606         /* Just here to please gcc */
2607     case 0:
2608         ret = tlb->EPN;
2609         size = booke_page_size_to_tlb(tlb->size);
2610         if (size < 0 || size > 0xF) {
2611             size = 1;
2612         }
2613         ret |= size << 4;
2614         if (tlb->attr & 0x1) {
2615             ret |= 0x100;
2616         }
2617         if (tlb->prot & PAGE_VALID) {
2618             ret |= 0x200;
2619         }
2620         env->spr[SPR_440_MMUCR] &= ~0x000000FF;
2621         env->spr[SPR_440_MMUCR] |= tlb->PID;
2622         break;
2623     case 1:
2624         ret = tlb->RPN;
2625         break;
2626     case 2:
2627         ret = tlb->attr & ~0x1;
2628         if (tlb->prot & (PAGE_READ << 4)) {
2629             ret |= 0x1;
2630         }
2631         if (tlb->prot & (PAGE_WRITE << 4)) {
2632             ret |= 0x2;
2633         }
2634         if (tlb->prot & (PAGE_EXEC << 4)) {
2635             ret |= 0x4;
2636         }
2637         if (tlb->prot & PAGE_READ) {
2638             ret |= 0x8;
2639         }
2640         if (tlb->prot & PAGE_WRITE) {
2641             ret |= 0x10;
2642         }
2643         if (tlb->prot & PAGE_EXEC) {
2644             ret |= 0x20;
2645         }
2646         break;
2647     }
2648     return ret;
2649 }
2650 
2651 target_ulong helper_440_tlbsx(CPUPPCState *env, target_ulong address)
2652 {
2653     return ppcemb_tlb_search(env, address, env->spr[SPR_440_MMUCR] & 0xFF);
2654 }
2655 
2656 /* PowerPC BookE 2.06 TLB management */
2657 
2658 static ppcmas_tlb_t *booke206_cur_tlb(CPUPPCState *env)
2659 {
2660     uint32_t tlbncfg = 0;
2661     int esel = (env->spr[SPR_BOOKE_MAS0] & MAS0_ESEL_MASK) >> MAS0_ESEL_SHIFT;
2662     int ea = (env->spr[SPR_BOOKE_MAS2] & MAS2_EPN_MASK);
2663     int tlb;
2664 
2665     tlb = (env->spr[SPR_BOOKE_MAS0] & MAS0_TLBSEL_MASK) >> MAS0_TLBSEL_SHIFT;
2666     tlbncfg = env->spr[SPR_BOOKE_TLB0CFG + tlb];
2667 
2668     if ((tlbncfg & TLBnCFG_HES) && (env->spr[SPR_BOOKE_MAS0] & MAS0_HES)) {
2669         cpu_abort(env_cpu(env), "we don't support HES yet\n");
2670     }
2671 
2672     return booke206_get_tlbm(env, tlb, ea, esel);
2673 }
2674 
2675 void helper_booke_setpid(CPUPPCState *env, uint32_t pidn, target_ulong pid)
2676 {
2677     env->spr[pidn] = pid;
2678     /* changing PIDs mean we're in a different address space now */
2679     tlb_flush(env_cpu(env));
2680 }
2681 
2682 void helper_booke_set_eplc(CPUPPCState *env, target_ulong val)
2683 {
2684     env->spr[SPR_BOOKE_EPLC] = val & EPID_MASK;
2685     tlb_flush_by_mmuidx(env_cpu(env), 1 << PPC_TLB_EPID_LOAD);
2686 }
2687 void helper_booke_set_epsc(CPUPPCState *env, target_ulong val)
2688 {
2689     env->spr[SPR_BOOKE_EPSC] = val & EPID_MASK;
2690     tlb_flush_by_mmuidx(env_cpu(env), 1 << PPC_TLB_EPID_STORE);
2691 }
2692 
2693 static inline void flush_page(CPUPPCState *env, ppcmas_tlb_t *tlb)
2694 {
2695     if (booke206_tlb_to_page_size(env, tlb) == TARGET_PAGE_SIZE) {
2696         tlb_flush_page(env_cpu(env), tlb->mas2 & MAS2_EPN_MASK);
2697     } else {
2698         tlb_flush(env_cpu(env));
2699     }
2700 }
2701 
2702 void helper_booke206_tlbwe(CPUPPCState *env)
2703 {
2704     uint32_t tlbncfg, tlbn;
2705     ppcmas_tlb_t *tlb;
2706     uint32_t size_tlb, size_ps;
2707     target_ulong mask;
2708 
2709 
2710     switch (env->spr[SPR_BOOKE_MAS0] & MAS0_WQ_MASK) {
2711     case MAS0_WQ_ALWAYS:
2712         /* good to go, write that entry */
2713         break;
2714     case MAS0_WQ_COND:
2715         /* XXX check if reserved */
2716         if (0) {
2717             return;
2718         }
2719         break;
2720     case MAS0_WQ_CLR_RSRV:
2721         /* XXX clear entry */
2722         return;
2723     default:
2724         /* no idea what to do */
2725         return;
2726     }
2727 
2728     if (((env->spr[SPR_BOOKE_MAS0] & MAS0_ATSEL) == MAS0_ATSEL_LRAT) &&
2729         !msr_gs) {
2730         /* XXX we don't support direct LRAT setting yet */
2731         fprintf(stderr, "cpu: don't support LRAT setting yet\n");
2732         return;
2733     }
2734 
2735     tlbn = (env->spr[SPR_BOOKE_MAS0] & MAS0_TLBSEL_MASK) >> MAS0_TLBSEL_SHIFT;
2736     tlbncfg = env->spr[SPR_BOOKE_TLB0CFG + tlbn];
2737 
2738     tlb = booke206_cur_tlb(env);
2739 
2740     if (!tlb) {
2741         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
2742                                POWERPC_EXCP_INVAL |
2743                                POWERPC_EXCP_INVAL_INVAL, GETPC());
2744     }
2745 
2746     /* check that we support the targeted size */
2747     size_tlb = (env->spr[SPR_BOOKE_MAS1] & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
2748     size_ps = booke206_tlbnps(env, tlbn);
2749     if ((env->spr[SPR_BOOKE_MAS1] & MAS1_VALID) && (tlbncfg & TLBnCFG_AVAIL) &&
2750         !(size_ps & (1 << size_tlb))) {
2751         raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
2752                                POWERPC_EXCP_INVAL |
2753                                POWERPC_EXCP_INVAL_INVAL, GETPC());
2754     }
2755 
2756     if (msr_gs) {
2757         cpu_abort(env_cpu(env), "missing HV implementation\n");
2758     }
2759 
2760     if (tlb->mas1 & MAS1_VALID) {
2761         /*
2762          * Invalidate the page in QEMU TLB if it was a valid entry.
2763          *
2764          * In "PowerPC e500 Core Family Reference Manual, Rev. 1",
2765          * Section "12.4.2 TLB Write Entry (tlbwe) Instruction":
2766          * (https://www.nxp.com/docs/en/reference-manual/E500CORERM.pdf)
2767          *
2768          * "Note that when an L2 TLB entry is written, it may be displacing an
2769          * already valid entry in the same L2 TLB location (a victim). If a
2770          * valid L1 TLB entry corresponds to the L2 MMU victim entry, that L1
2771          * TLB entry is automatically invalidated."
2772          */
2773         flush_page(env, tlb);
2774     }
2775 
2776     tlb->mas7_3 = ((uint64_t)env->spr[SPR_BOOKE_MAS7] << 32) |
2777         env->spr[SPR_BOOKE_MAS3];
2778     tlb->mas1 = env->spr[SPR_BOOKE_MAS1];
2779 
2780     if ((env->spr[SPR_MMUCFG] & MMUCFG_MAVN) == MMUCFG_MAVN_V2) {
2781         /* For TLB which has a fixed size TSIZE is ignored with MAV2 */
2782         booke206_fixed_size_tlbn(env, tlbn, tlb);
2783     } else {
2784         if (!(tlbncfg & TLBnCFG_AVAIL)) {
2785             /* force !AVAIL TLB entries to correct page size */
2786             tlb->mas1 &= ~MAS1_TSIZE_MASK;
2787             /* XXX can be configured in MMUCSR0 */
2788             tlb->mas1 |= (tlbncfg & TLBnCFG_MINSIZE) >> 12;
2789         }
2790     }
2791 
2792     /* Make a mask from TLB size to discard invalid bits in EPN field */
2793     mask = ~(booke206_tlb_to_page_size(env, tlb) - 1);
2794     /* Add a mask for page attributes */
2795     mask |= MAS2_ACM | MAS2_VLE | MAS2_W | MAS2_I | MAS2_M | MAS2_G | MAS2_E;
2796 
2797     if (!msr_cm) {
2798         /*
2799          * Executing a tlbwe instruction in 32-bit mode will set bits
2800          * 0:31 of the TLB EPN field to zero.
2801          */
2802         mask &= 0xffffffff;
2803     }
2804 
2805     tlb->mas2 = env->spr[SPR_BOOKE_MAS2] & mask;
2806 
2807     if (!(tlbncfg & TLBnCFG_IPROT)) {
2808         /* no IPROT supported by TLB */
2809         tlb->mas1 &= ~MAS1_IPROT;
2810     }
2811 
2812     flush_page(env, tlb);
2813 }
2814 
2815 static inline void booke206_tlb_to_mas(CPUPPCState *env, ppcmas_tlb_t *tlb)
2816 {
2817     int tlbn = booke206_tlbm_to_tlbn(env, tlb);
2818     int way = booke206_tlbm_to_way(env, tlb);
2819 
2820     env->spr[SPR_BOOKE_MAS0] = tlbn << MAS0_TLBSEL_SHIFT;
2821     env->spr[SPR_BOOKE_MAS0] |= way << MAS0_ESEL_SHIFT;
2822     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_NV_SHIFT;
2823 
2824     env->spr[SPR_BOOKE_MAS1] = tlb->mas1;
2825     env->spr[SPR_BOOKE_MAS2] = tlb->mas2;
2826     env->spr[SPR_BOOKE_MAS3] = tlb->mas7_3;
2827     env->spr[SPR_BOOKE_MAS7] = tlb->mas7_3 >> 32;
2828 }
2829 
2830 void helper_booke206_tlbre(CPUPPCState *env)
2831 {
2832     ppcmas_tlb_t *tlb = NULL;
2833 
2834     tlb = booke206_cur_tlb(env);
2835     if (!tlb) {
2836         env->spr[SPR_BOOKE_MAS1] = 0;
2837     } else {
2838         booke206_tlb_to_mas(env, tlb);
2839     }
2840 }
2841 
2842 void helper_booke206_tlbsx(CPUPPCState *env, target_ulong address)
2843 {
2844     ppcmas_tlb_t *tlb = NULL;
2845     int i, j;
2846     hwaddr raddr;
2847     uint32_t spid, sas;
2848 
2849     spid = (env->spr[SPR_BOOKE_MAS6] & MAS6_SPID_MASK) >> MAS6_SPID_SHIFT;
2850     sas = env->spr[SPR_BOOKE_MAS6] & MAS6_SAS;
2851 
2852     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
2853         int ways = booke206_tlb_ways(env, i);
2854 
2855         for (j = 0; j < ways; j++) {
2856             tlb = booke206_get_tlbm(env, i, address, j);
2857 
2858             if (!tlb) {
2859                 continue;
2860             }
2861 
2862             if (ppcmas_tlb_check(env, tlb, &raddr, address, spid)) {
2863                 continue;
2864             }
2865 
2866             if (sas != ((tlb->mas1 & MAS1_TS) >> MAS1_TS_SHIFT)) {
2867                 continue;
2868             }
2869 
2870             booke206_tlb_to_mas(env, tlb);
2871             return;
2872         }
2873     }
2874 
2875     /* no entry found, fill with defaults */
2876     env->spr[SPR_BOOKE_MAS0] = env->spr[SPR_BOOKE_MAS4] & MAS4_TLBSELD_MASK;
2877     env->spr[SPR_BOOKE_MAS1] = env->spr[SPR_BOOKE_MAS4] & MAS4_TSIZED_MASK;
2878     env->spr[SPR_BOOKE_MAS2] = env->spr[SPR_BOOKE_MAS4] & MAS4_WIMGED_MASK;
2879     env->spr[SPR_BOOKE_MAS3] = 0;
2880     env->spr[SPR_BOOKE_MAS7] = 0;
2881 
2882     if (env->spr[SPR_BOOKE_MAS6] & MAS6_SAS) {
2883         env->spr[SPR_BOOKE_MAS1] |= MAS1_TS;
2884     }
2885 
2886     env->spr[SPR_BOOKE_MAS1] |= (env->spr[SPR_BOOKE_MAS6] >> 16)
2887         << MAS1_TID_SHIFT;
2888 
2889     /* next victim logic */
2890     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_ESEL_SHIFT;
2891     env->last_way++;
2892     env->last_way &= booke206_tlb_ways(env, 0) - 1;
2893     env->spr[SPR_BOOKE_MAS0] |= env->last_way << MAS0_NV_SHIFT;
2894 }
2895 
2896 static inline void booke206_invalidate_ea_tlb(CPUPPCState *env, int tlbn,
2897                                               uint32_t ea)
2898 {
2899     int i;
2900     int ways = booke206_tlb_ways(env, tlbn);
2901     target_ulong mask;
2902 
2903     for (i = 0; i < ways; i++) {
2904         ppcmas_tlb_t *tlb = booke206_get_tlbm(env, tlbn, ea, i);
2905         if (!tlb) {
2906             continue;
2907         }
2908         mask = ~(booke206_tlb_to_page_size(env, tlb) - 1);
2909         if (((tlb->mas2 & MAS2_EPN_MASK) == (ea & mask)) &&
2910             !(tlb->mas1 & MAS1_IPROT)) {
2911             tlb->mas1 &= ~MAS1_VALID;
2912         }
2913     }
2914 }
2915 
2916 void helper_booke206_tlbivax(CPUPPCState *env, target_ulong address)
2917 {
2918     CPUState *cs;
2919 
2920     if (address & 0x4) {
2921         /* flush all entries */
2922         if (address & 0x8) {
2923             /* flush all of TLB1 */
2924             booke206_flush_tlb(env, BOOKE206_FLUSH_TLB1, 1);
2925         } else {
2926             /* flush all of TLB0 */
2927             booke206_flush_tlb(env, BOOKE206_FLUSH_TLB0, 0);
2928         }
2929         return;
2930     }
2931 
2932     if (address & 0x8) {
2933         /* flush TLB1 entries */
2934         booke206_invalidate_ea_tlb(env, 1, address);
2935         CPU_FOREACH(cs) {
2936             tlb_flush(cs);
2937         }
2938     } else {
2939         /* flush TLB0 entries */
2940         booke206_invalidate_ea_tlb(env, 0, address);
2941         CPU_FOREACH(cs) {
2942             tlb_flush_page(cs, address & MAS2_EPN_MASK);
2943         }
2944     }
2945 }
2946 
2947 void helper_booke206_tlbilx0(CPUPPCState *env, target_ulong address)
2948 {
2949     /* XXX missing LPID handling */
2950     booke206_flush_tlb(env, -1, 1);
2951 }
2952 
2953 void helper_booke206_tlbilx1(CPUPPCState *env, target_ulong address)
2954 {
2955     int i, j;
2956     int tid = (env->spr[SPR_BOOKE_MAS6] & MAS6_SPID);
2957     ppcmas_tlb_t *tlb = env->tlb.tlbm;
2958     int tlb_size;
2959 
2960     /* XXX missing LPID handling */
2961     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
2962         tlb_size = booke206_tlb_size(env, i);
2963         for (j = 0; j < tlb_size; j++) {
2964             if (!(tlb[j].mas1 & MAS1_IPROT) &&
2965                 ((tlb[j].mas1 & MAS1_TID_MASK) == tid)) {
2966                 tlb[j].mas1 &= ~MAS1_VALID;
2967             }
2968         }
2969         tlb += booke206_tlb_size(env, i);
2970     }
2971     tlb_flush(env_cpu(env));
2972 }
2973 
2974 void helper_booke206_tlbilx3(CPUPPCState *env, target_ulong address)
2975 {
2976     int i, j;
2977     ppcmas_tlb_t *tlb;
2978     int tid = (env->spr[SPR_BOOKE_MAS6] & MAS6_SPID);
2979     int pid = tid >> MAS6_SPID_SHIFT;
2980     int sgs = env->spr[SPR_BOOKE_MAS5] & MAS5_SGS;
2981     int ind = (env->spr[SPR_BOOKE_MAS6] & MAS6_SIND) ? MAS1_IND : 0;
2982     /* XXX check for unsupported isize and raise an invalid opcode then */
2983     int size = env->spr[SPR_BOOKE_MAS6] & MAS6_ISIZE_MASK;
2984     /* XXX implement MAV2 handling */
2985     bool mav2 = false;
2986 
2987     /* XXX missing LPID handling */
2988     /* flush by pid and ea */
2989     for (i = 0; i < BOOKE206_MAX_TLBN; i++) {
2990         int ways = booke206_tlb_ways(env, i);
2991 
2992         for (j = 0; j < ways; j++) {
2993             tlb = booke206_get_tlbm(env, i, address, j);
2994             if (!tlb) {
2995                 continue;
2996             }
2997             if ((ppcmas_tlb_check(env, tlb, NULL, address, pid) != 0) ||
2998                 (tlb->mas1 & MAS1_IPROT) ||
2999                 ((tlb->mas1 & MAS1_IND) != ind) ||
3000                 ((tlb->mas8 & MAS8_TGS) != sgs)) {
3001                 continue;
3002             }
3003             if (mav2 && ((tlb->mas1 & MAS1_TSIZE_MASK) != size)) {
3004                 /* XXX only check when MMUCFG[TWC] || TLBnCFG[HES] */
3005                 continue;
3006             }
3007             /* XXX e500mc doesn't match SAS, but other cores might */
3008             tlb->mas1 &= ~MAS1_VALID;
3009         }
3010     }
3011     tlb_flush(env_cpu(env));
3012 }
3013 
3014 void helper_booke206_tlbflush(CPUPPCState *env, target_ulong type)
3015 {
3016     int flags = 0;
3017 
3018     if (type & 2) {
3019         flags |= BOOKE206_FLUSH_TLB1;
3020     }
3021 
3022     if (type & 4) {
3023         flags |= BOOKE206_FLUSH_TLB0;
3024     }
3025 
3026     booke206_flush_tlb(env, flags, 1);
3027 }
3028 
3029 
3030 void helper_check_tlb_flush_local(CPUPPCState *env)
3031 {
3032     check_tlb_flush(env, false);
3033 }
3034 
3035 void helper_check_tlb_flush_global(CPUPPCState *env)
3036 {
3037     check_tlb_flush(env, true);
3038 }
3039 
3040 /*****************************************************************************/
3041 
3042 bool ppc_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
3043                       MMUAccessType access_type, int mmu_idx,
3044                       bool probe, uintptr_t retaddr)
3045 {
3046     PowerPCCPU *cpu = POWERPC_CPU(cs);
3047     PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cs);
3048     CPUPPCState *env = &cpu->env;
3049     int ret;
3050 
3051     if (pcc->handle_mmu_fault) {
3052         ret = pcc->handle_mmu_fault(cpu, addr, access_type, mmu_idx);
3053     } else {
3054         ret = cpu_ppc_handle_mmu_fault(env, addr, access_type, mmu_idx);
3055     }
3056     if (unlikely(ret != 0)) {
3057         if (probe) {
3058             return false;
3059         }
3060         raise_exception_err_ra(env, cs->exception_index, env->error_code,
3061                                retaddr);
3062     }
3063     return true;
3064 }
3065