1
/*
2
 *  Low level TLB miss handlers for Book3E
3
 *
4
 *  Copyright (C) 2008-2009
5
 *      Ben. Herrenschmidt ([email protected]), IBM Corp.
6
 *
7
 *  This program is free software; you can redistribute it and/or
8
 *  modify it under the terms of the GNU General Public License
9
 *  as published by the Free Software Foundation; either version
10
 *  2 of the License, or (at your option) any later version.
11
 */
12

13
#include <asm/processor.h>
14
#include <asm/reg.h>
15
#include <asm/page.h>
16
#include <asm/mmu.h>
17
#include <asm/ppc_asm.h>
18
#include <asm/asm-offsets.h>
19
#include <asm/cputable.h>
20
#include <asm/pgtable.h>
21
#include <asm/exception-64e.h>
22
#include <asm/ppc-opcode.h>
23

24
#ifdef CONFIG_PPC_64K_PAGES
25
#define VPTE_PMD_SHIFT	(PTE_INDEX_SIZE+1)
26
#else
27
#define VPTE_PMD_SHIFT	(PTE_INDEX_SIZE)
28
#endif
29
#define VPTE_PUD_SHIFT	(VPTE_PMD_SHIFT + PMD_INDEX_SIZE)
30
#define VPTE_PGD_SHIFT	(VPTE_PUD_SHIFT + PUD_INDEX_SIZE)
31
#define VPTE_INDEX_SIZE (VPTE_PGD_SHIFT + PGD_INDEX_SIZE)
32

33

34
/**********************************************************************
35
 *                                                                    *
36
 * TLB miss handling for Book3E with TLB reservation and HES support  *
37
 *                                                                    *
38
 **********************************************************************/
39

40

41
/* Data TLB miss */
42
	START_EXCEPTION(data_tlb_miss)
43
	TLB_MISS_PROLOG
44

45
	/* Now we handle the fault proper. We only save DEAR in normal
46
	 * fault case since that's the only interesting values here.
47
	 * We could probably also optimize by not saving SRR0/1 in the
48
	 * linear mapping case but I'll leave that for later
49
	 */
50
	mfspr	r14,SPRN_ESR
51
	mfspr	r16,SPRN_DEAR		/* get faulting address */
52
	srdi	r15,r16,60		/* get region */
53
	cmpldi	cr0,r15,0xc		/* linear mapping ? */
54
	TLB_MISS_STATS_SAVE_INFO
55
	beq	tlb_load_linear		/* yes -> go to linear map load */
56

57
	/* The page tables are mapped virtually linear. At this point, though,
58
	 * we don't know whether we are trying to fault in a first level
59
	 * virtual address or a virtual page table address. We can get that
60
	 * from bit 0x1 of the region ID which we have set for a page table
61
	 */
62
	andi.	r10,r15,0x1
63
	bne-	virt_page_table_tlb_miss
64

65
	std	r14,EX_TLB_ESR(r12);	/* save ESR */
66
	std	r16,EX_TLB_DEAR(r12);	/* save DEAR */
67

68
	 /* We need _PAGE_PRESENT and  _PAGE_ACCESSED set */
69
	li	r11,_PAGE_PRESENT
70
	oris	r11,r11,_PAGE_ACCESSED@h
71

72
	/* We do the user/kernel test for the PID here along with the RW test
73
	 */
74
	cmpldi	cr0,r15,0		/* Check for user region */
75

76
	/* We pre-test some combination of permissions to avoid double
77
	 * faults:
78
	 *
79
	 * We move the ESR:ST bit into the position of _PAGE_BAP_SW in the PTE
80
	 * ESR_ST   is 0x00800000
81
	 * _PAGE_BAP_SW is 0x00000010
82
	 * So the shift is >> 19. This tests for supervisor writeability.
83
	 * If the page happens to be supervisor writeable and not user
84
	 * writeable, we will take a new fault later, but that should be
85
	 * a rare enough case.
86
	 *
87
	 * We also move ESR_ST in _PAGE_DIRTY position
88
	 * _PAGE_DIRTY is 0x00001000 so the shift is >> 11
89
	 *
90
	 * MAS1 is preset for all we need except for TID that needs to
91
	 * be cleared for kernel translations
92
	 */
93
	rlwimi	r11,r14,32-19,27,27
94
	rlwimi	r11,r14,32-16,19,19
95
	beq	normal_tlb_miss
96
	/* XXX replace the RMW cycles with immediate loads + writes */
97
1:	mfspr	r10,SPRN_MAS1
98
	cmpldi	cr0,r15,8		/* Check for vmalloc region */
99
	rlwinm	r10,r10,0,16,1		/* Clear TID */
100
	mtspr	SPRN_MAS1,r10
101
	beq+	normal_tlb_miss
102

103
	/* We got a crappy address, just fault with whatever DEAR and ESR
104
	 * are here
105
	 */
106
	TLB_MISS_STATS_D(MMSTAT_TLB_MISS_NORM_FAULT)
107
	TLB_MISS_EPILOG_ERROR
108
	b	exc_data_storage_book3e
109

110
/* Instruction TLB miss */
111
	START_EXCEPTION(instruction_tlb_miss)
112
	TLB_MISS_PROLOG
113

114
	/* If we take a recursive fault, the second level handler may need
115
	 * to know whether we are handling a data or instruction fault in
116
	 * order to get to the right store fault handler. We provide that
117
	 * info by writing a crazy value in ESR in our exception frame
118
	 */
119
	li	r14,-1	/* store to exception frame is done later */
120

121
	/* Now we handle the fault proper. We only save DEAR in the non
122
	 * linear mapping case since we know the linear mapping case will
123
	 * not re-enter. We could indeed optimize and also not save SRR0/1
124
	 * in the linear mapping case but I'll leave that for later
125
	 *
126
	 * Faulting address is SRR0 which is already in r16
127
	 */
128
	srdi	r15,r16,60		/* get region */
129
	cmpldi	cr0,r15,0xc		/* linear mapping ? */
130
	TLB_MISS_STATS_SAVE_INFO
131
	beq	tlb_load_linear		/* yes -> go to linear map load */
132

133
	/* We do the user/kernel test for the PID here along with the RW test
134
	 */
135
	li	r11,_PAGE_PRESENT|_PAGE_EXEC	/* Base perm */
136
	oris	r11,r11,_PAGE_ACCESSED@h
137

138
	cmpldi	cr0,r15,0			/* Check for user region */
139
	std	r14,EX_TLB_ESR(r12)		/* write crazy -1 to frame */
140
	beq	normal_tlb_miss
141

142
	li	r11,_PAGE_PRESENT|_PAGE_BAP_SX	/* Base perm */
143
	oris	r11,r11,_PAGE_ACCESSED@h
144
	/* XXX replace the RMW cycles with immediate loads + writes */
145
	mfspr	r10,SPRN_MAS1
146
	cmpldi	cr0,r15,8			/* Check for vmalloc region */
147
	rlwinm	r10,r10,0,16,1			/* Clear TID */
148
	mtspr	SPRN_MAS1,r10
149
	beq+	normal_tlb_miss
150

151
	/* We got a crappy address, just fault */
152
	TLB_MISS_STATS_I(MMSTAT_TLB_MISS_NORM_FAULT)
153
	TLB_MISS_EPILOG_ERROR
154
	b	exc_instruction_storage_book3e
155

156
/*
157
 * This is the guts of the first-level TLB miss handler for direct
158
 * misses. We are entered with:
159
 *
160
 * r16 = faulting address
161
 * r15 = region ID
162
 * r14 = crap (free to use)
163
 * r13 = PACA
164
 * r12 = TLB exception frame in PACA
165
 * r11 = PTE permission mask
166
 * r10 = crap (free to use)
167
 */
168
normal_tlb_miss:
169
	/* So we first construct the page table address. We do that by
170
	 * shifting the bottom of the address (not the region ID) by
171
	 * PAGE_SHIFT-3, clearing the bottom 3 bits (get a PTE ptr) and
172
	 * or'ing the fourth high bit.
173
	 *
174
	 * NOTE: For 64K pages, we do things slightly differently in
175
	 * order to handle the weird page table format used by linux
176
	 */
177
	ori	r10,r15,0x1
178
#ifdef CONFIG_PPC_64K_PAGES
179
	/* For the top bits, 16 bytes per PTE */
180
	rldicl	r14,r16,64-(PAGE_SHIFT-4),PAGE_SHIFT-4+4
181
	/* Now create the bottom bits as 0 in position 0x8000 and
182
	 * the rest calculated for 8 bytes per PTE
183
	 */
184
	rldicl	r15,r16,64-(PAGE_SHIFT-3),64-15
185
	/* Insert the bottom bits in */
186
	rlwimi	r14,r15,0,16,31
187
#else
188
	rldicl	r14,r16,64-(PAGE_SHIFT-3),PAGE_SHIFT-3+4
189
#endif
190
	sldi	r15,r10,60
191
	clrrdi	r14,r14,3
192
	or	r10,r15,r14
193

194
BEGIN_MMU_FTR_SECTION
195
	/* Set the TLB reservation and search for existing entry. Then load
196
	 * the entry.
197
	 */
198
	PPC_TLBSRX_DOT(0,r16)
199
	ld	r14,0(r10)
200
	beq	normal_tlb_miss_done
201
MMU_FTR_SECTION_ELSE
202
	ld	r14,0(r10)
203
ALT_MMU_FTR_SECTION_END_IFSET(MMU_FTR_USE_TLBRSRV)
204

205
finish_normal_tlb_miss:
206
	/* Check if required permissions are met */
207
	andc.	r15,r11,r14
208
	bne-	normal_tlb_miss_access_fault
209

210
	/* Now we build the MAS:
211
	 *
212
	 * MAS 0   :	Fully setup with defaults in MAS4 and TLBnCFG
213
	 * MAS 1   :	Almost fully setup
214
	 *               - PID already updated by caller if necessary
215
	 *               - TSIZE need change if !base page size, not
216
	 *                 yet implemented for now
217
	 * MAS 2   :	Defaults not useful, need to be redone
218
	 * MAS 3+7 :	Needs to be done
219
	 *
220
	 * TODO: mix up code below for better scheduling
221
	 */
222
	clrrdi	r11,r16,12		/* Clear low crap in EA */
223
	rlwimi	r11,r14,32-19,27,31	/* Insert WIMGE */
224
	mtspr	SPRN_MAS2,r11
225

226
	/* Check page size, if not standard, update MAS1 */
227
	rldicl	r11,r14,64-8,64-8
228
#ifdef CONFIG_PPC_64K_PAGES
229
	cmpldi	cr0,r11,BOOK3E_PAGESZ_64K
230
#else
231
	cmpldi	cr0,r11,BOOK3E_PAGESZ_4K
232
#endif
233
	beq-	1f
234
	mfspr	r11,SPRN_MAS1
235
	rlwimi	r11,r14,31,21,24
236
	rlwinm	r11,r11,0,21,19
237
	mtspr	SPRN_MAS1,r11
238
1:
239
	/* Move RPN in position */
240
	rldicr	r11,r14,64-(PTE_RPN_SHIFT-PAGE_SHIFT),63-PAGE_SHIFT
241
	clrldi	r15,r11,12		/* Clear crap at the top */
242
	rlwimi	r15,r14,32-8,22,25	/* Move in U bits */
243
	rlwimi	r15,r14,32-2,26,31	/* Move in BAP bits */
244

245
	/* Mask out SW and UW if !DIRTY (XXX optimize this !) */
246
	andi.	r11,r14,_PAGE_DIRTY
247
	bne	1f
248
	li	r11,MAS3_SW|MAS3_UW
249
	andc	r15,r15,r11
250
1:
251
BEGIN_MMU_FTR_SECTION
252
	srdi	r16,r15,32
253
	mtspr	SPRN_MAS3,r15
254
	mtspr	SPRN_MAS7,r16
255
MMU_FTR_SECTION_ELSE
256
	mtspr	SPRN_MAS7_MAS3,r15
257
ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_PAIRED_MAS)
258

259
	tlbwe
260

261
normal_tlb_miss_done:
262
	/* We don't bother with restoring DEAR or ESR since we know we are
263
	 * level 0 and just going back to userland. They are only needed
264
	 * if you are going to take an access fault
265
	 */
266
	TLB_MISS_STATS_X(MMSTAT_TLB_MISS_NORM_OK)
267
	TLB_MISS_EPILOG_SUCCESS
268
	rfi
269

270
normal_tlb_miss_access_fault:
271
	/* We need to check if it was an instruction miss */
272
	andi.	r10,r11,_PAGE_EXEC
273
	bne	1f
274
	ld	r14,EX_TLB_DEAR(r12)
275
	ld	r15,EX_TLB_ESR(r12)
276
	mtspr	SPRN_DEAR,r14
277
	mtspr	SPRN_ESR,r15
278
	TLB_MISS_STATS_D(MMSTAT_TLB_MISS_NORM_FAULT)
279
	TLB_MISS_EPILOG_ERROR
280
	b	exc_data_storage_book3e
281
1:	TLB_MISS_STATS_I(MMSTAT_TLB_MISS_NORM_FAULT)
282
	TLB_MISS_EPILOG_ERROR
283
	b	exc_instruction_storage_book3e
284

285

286
/*
287
 * This is the guts of the second-level TLB miss handler for direct
288
 * misses. We are entered with:
289
 *
290
 * r16 = virtual page table faulting address
291
 * r15 = region (top 4 bits of address)
292
 * r14 = crap (free to use)
293
 * r13 = PACA
294
 * r12 = TLB exception frame in PACA
295
 * r11 = crap (free to use)
296
 * r10 = crap (free to use)
297
 *
298
 * Note that this should only ever be called as a second level handler
299
 * with the current scheme when using SW load.
300
 * That means we can always get the original fault DEAR at
301
 * EX_TLB_DEAR-EX_TLB_SIZE(r12)
302
 *
303
 * It can be re-entered by the linear mapping miss handler. However, to
304
 * avoid too much complication, it will restart the whole fault at level
305
 * 0 so we don't care too much about clobbers
306
 *
307
 * XXX That code was written back when we couldn't clobber r14. We can now,
308
 * so we could probably optimize things a bit
309
 */
310
virt_page_table_tlb_miss:
311
	/* Are we hitting a kernel page table ? */
312
	andi.	r10,r15,0x8
313

314
	/* The cool thing now is that r10 contains 0 for user and 8 for kernel,
315
	 * and we happen to have the swapper_pg_dir at offset 8 from the user
316
	 * pgdir in the PACA :-).
317
	 */
318
	add	r11,r10,r13
319

320
	/* If kernel, we need to clear MAS1 TID */
321
	beq	1f
322
	/* XXX replace the RMW cycles with immediate loads + writes */
323
	mfspr	r10,SPRN_MAS1
324
	rlwinm	r10,r10,0,16,1			/* Clear TID */
325
	mtspr	SPRN_MAS1,r10
326
1:
327
BEGIN_MMU_FTR_SECTION
328
	/* Search if we already have a TLB entry for that virtual address, and
329
	 * if we do, bail out.
330
	 */
331
	PPC_TLBSRX_DOT(0,r16)
332
	beq	virt_page_table_tlb_miss_done
333
END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_TLBRSRV)
334

335
	/* Now, we need to walk the page tables. First check if we are in
336
	 * range.
337
	 */
338
	rldicl.	r10,r16,64-(VPTE_INDEX_SIZE+3),VPTE_INDEX_SIZE+3+4
339
	bne-	virt_page_table_tlb_miss_fault
340

341
	/* Get the PGD pointer */
342
	ld	r15,PACAPGD(r11)
343
	cmpldi	cr0,r15,0
344
	beq-	virt_page_table_tlb_miss_fault
345

346
	/* Get to PGD entry */
347
	rldicl	r11,r16,64-VPTE_PGD_SHIFT,64-PGD_INDEX_SIZE-3
348
	clrrdi	r10,r11,3
349
	ldx	r15,r10,r15
350
	cmpldi	cr0,r15,0
351
	beq	virt_page_table_tlb_miss_fault
352

353
#ifndef CONFIG_PPC_64K_PAGES
354
	/* Get to PUD entry */
355
	rldicl	r11,r16,64-VPTE_PUD_SHIFT,64-PUD_INDEX_SIZE-3
356
	clrrdi	r10,r11,3
357
	ldx	r15,r10,r15
358
	cmpldi	cr0,r15,0
359
	beq	virt_page_table_tlb_miss_fault
360
#endif /* CONFIG_PPC_64K_PAGES */
361

362
	/* Get to PMD entry */
363
	rldicl	r11,r16,64-VPTE_PMD_SHIFT,64-PMD_INDEX_SIZE-3
364
	clrrdi	r10,r11,3
365
	ldx	r15,r10,r15
366
	cmpldi	cr0,r15,0
367
	beq	virt_page_table_tlb_miss_fault
368

369
	/* Ok, we're all right, we can now create a kernel translation for
370
	 * a 4K or 64K page from r16 -> r15.
371
	 */
372
	/* Now we build the MAS:
373
	 *
374
	 * MAS 0   :	Fully setup with defaults in MAS4 and TLBnCFG
375
	 * MAS 1   :	Almost fully setup
376
	 *               - PID already updated by caller if necessary
377
	 *               - TSIZE for now is base page size always
378
	 * MAS 2   :	Use defaults
379
	 * MAS 3+7 :	Needs to be done
380
	 *
381
	 * So we only do MAS 2 and 3 for now...
382
	 */
383
	clrldi	r11,r15,4		/* remove region ID from RPN */
384
	ori	r10,r11,1		/* Or-in SR */
385

386
BEGIN_MMU_FTR_SECTION
387
	srdi	r16,r10,32
388
	mtspr	SPRN_MAS3,r10
389
	mtspr	SPRN_MAS7,r16
390
MMU_FTR_SECTION_ELSE
391
	mtspr	SPRN_MAS7_MAS3,r10
392
ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_PAIRED_MAS)
393

394
	tlbwe
395

396
BEGIN_MMU_FTR_SECTION
397
virt_page_table_tlb_miss_done:
398

399
	/* We have overriden MAS2:EPN but currently our primary TLB miss
400
	 * handler will always restore it so that should not be an issue,
401
	 * if we ever optimize the primary handler to not write MAS2 on
402
	 * some cases, we'll have to restore MAS2:EPN here based on the
403
	 * original fault's DEAR. If we do that we have to modify the
404
	 * ITLB miss handler to also store SRR0 in the exception frame
405
	 * as DEAR.
406
	 *
407
	 * However, one nasty thing we did is we cleared the reservation
408
	 * (well, potentially we did). We do a trick here thus if we
409
	 * are not a level 0 exception (we interrupted the TLB miss) we
410
	 * offset the return address by -4 in order to replay the tlbsrx
411
	 * instruction there
412
	 */
413
	subf	r10,r13,r12
414
	cmpldi	cr0,r10,PACA_EXTLB+EX_TLB_SIZE
415
	bne-	1f
416
	ld	r11,PACA_EXTLB+EX_TLB_SIZE+EX_TLB_SRR0(r13)
417
	addi	r10,r11,-4
418
	std	r10,PACA_EXTLB+EX_TLB_SIZE+EX_TLB_SRR0(r13)
419
1:
420
END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_TLBRSRV)
421
	/* Return to caller, normal case */
422
	TLB_MISS_STATS_X(MMSTAT_TLB_MISS_PT_OK);
423
	TLB_MISS_EPILOG_SUCCESS
424
	rfi
425

426
virt_page_table_tlb_miss_fault:
427
	/* If we fault here, things are a little bit tricky. We need to call
428
	 * either data or instruction store fault, and we need to retrieve
429
	 * the original fault address and ESR (for data).
430
	 *
431
	 * The thing is, we know that in normal circumstances, this is
432
	 * always called as a second level tlb miss for SW load or as a first
433
	 * level TLB miss for HW load, so we should be able to peek at the
434
	 * relevant information in the first exception frame in the PACA.
435
	 *
436
	 * However, we do need to double check that, because we may just hit
437
	 * a stray kernel pointer or a userland attack trying to hit those
438
	 * areas. If that is the case, we do a data fault. (We can't get here
439
	 * from an instruction tlb miss anyway).
440
	 *
441
	 * Note also that when going to a fault, we must unwind the previous
442
	 * level as well. Since we are doing that, we don't need to clear or
443
	 * restore the TLB reservation neither.
444
	 */
445
	subf	r10,r13,r12
446
	cmpldi	cr0,r10,PACA_EXTLB+EX_TLB_SIZE
447
	bne-	virt_page_table_tlb_miss_whacko_fault
448

449
	/* We dig the original DEAR and ESR from slot 0 */
450
	ld	r15,EX_TLB_DEAR+PACA_EXTLB(r13)
451
	ld	r16,EX_TLB_ESR+PACA_EXTLB(r13)
452

453
	/* We check for the "special" ESR value for instruction faults */
454
	cmpdi	cr0,r16,-1
455
	beq	1f
456
	mtspr	SPRN_DEAR,r15
457
	mtspr	SPRN_ESR,r16
458
	TLB_MISS_STATS_D(MMSTAT_TLB_MISS_PT_FAULT);
459
	TLB_MISS_EPILOG_ERROR
460
	b	exc_data_storage_book3e
461
1:	TLB_MISS_STATS_I(MMSTAT_TLB_MISS_PT_FAULT);
462
	TLB_MISS_EPILOG_ERROR
463
	b	exc_instruction_storage_book3e
464

465
virt_page_table_tlb_miss_whacko_fault:
466
	/* The linear fault will restart everything so ESR and DEAR will
467
	 * not have been clobbered, let's just fault with what we have
468
	 */
469
	TLB_MISS_STATS_X(MMSTAT_TLB_MISS_PT_FAULT);
470
	TLB_MISS_EPILOG_ERROR
471
	b	exc_data_storage_book3e
472

473

474
/**************************************************************
475
 *                                                            *
476
 * TLB miss handling for Book3E with hw page table support    *
477
 *                                                            *
478
 **************************************************************/
479

480

481
/* Data TLB miss */
482
	START_EXCEPTION(data_tlb_miss_htw)
483
	TLB_MISS_PROLOG
484

485
	/* Now we handle the fault proper. We only save DEAR in normal
486
	 * fault case since that's the only interesting values here.
487
	 * We could probably also optimize by not saving SRR0/1 in the
488
	 * linear mapping case but I'll leave that for later
489
	 */
490
	mfspr	r14,SPRN_ESR
491
	mfspr	r16,SPRN_DEAR		/* get faulting address */
492
	srdi	r11,r16,60		/* get region */
493
	cmpldi	cr0,r11,0xc		/* linear mapping ? */
494
	TLB_MISS_STATS_SAVE_INFO
495
	beq	tlb_load_linear		/* yes -> go to linear map load */
496

497
	/* We do the user/kernel test for the PID here along with the RW test
498
	 */
499
	cmpldi	cr0,r11,0		/* Check for user region */
500
	ld	r15,PACAPGD(r13)	/* Load user pgdir */
501
	beq	htw_tlb_miss
502

503
	/* XXX replace the RMW cycles with immediate loads + writes */
504
1:	mfspr	r10,SPRN_MAS1
505
	cmpldi	cr0,r11,8		/* Check for vmalloc region */
506
	rlwinm	r10,r10,0,16,1		/* Clear TID */
507
	mtspr	SPRN_MAS1,r10
508
	ld	r15,PACA_KERNELPGD(r13)	/* Load kernel pgdir */
509
	beq+	htw_tlb_miss
510

511
	/* We got a crappy address, just fault with whatever DEAR and ESR
512
	 * are here
513
	 */
514
	TLB_MISS_STATS_D(MMSTAT_TLB_MISS_NORM_FAULT)
515
	TLB_MISS_EPILOG_ERROR
516
	b	exc_data_storage_book3e
517

518
/* Instruction TLB miss */
519
	START_EXCEPTION(instruction_tlb_miss_htw)
520
	TLB_MISS_PROLOG
521

522
	/* If we take a recursive fault, the second level handler may need
523
	 * to know whether we are handling a data or instruction fault in
524
	 * order to get to the right store fault handler. We provide that
525
	 * info by keeping a crazy value for ESR in r14
526
	 */
527
	li	r14,-1	/* store to exception frame is done later */
528

529
	/* Now we handle the fault proper. We only save DEAR in the non
530
	 * linear mapping case since we know the linear mapping case will
531
	 * not re-enter. We could indeed optimize and also not save SRR0/1
532
	 * in the linear mapping case but I'll leave that for later
533
	 *
534
	 * Faulting address is SRR0 which is already in r16
535
	 */
536
	srdi	r11,r16,60		/* get region */
537
	cmpldi	cr0,r11,0xc		/* linear mapping ? */
538
	TLB_MISS_STATS_SAVE_INFO
539
	beq	tlb_load_linear		/* yes -> go to linear map load */
540

541
	/* We do the user/kernel test for the PID here along with the RW test
542
	 */
543
	cmpldi	cr0,r11,0			/* Check for user region */
544
	ld	r15,PACAPGD(r13)		/* Load user pgdir */
545
	beq	htw_tlb_miss
546

547
	/* XXX replace the RMW cycles with immediate loads + writes */
548
1:	mfspr	r10,SPRN_MAS1
549
	cmpldi	cr0,r11,8			/* Check for vmalloc region */
550
	rlwinm	r10,r10,0,16,1			/* Clear TID */
551
	mtspr	SPRN_MAS1,r10
552
	ld	r15,PACA_KERNELPGD(r13)		/* Load kernel pgdir */
553
	beq+	htw_tlb_miss
554

555
	/* We got a crappy address, just fault */
556
	TLB_MISS_STATS_I(MMSTAT_TLB_MISS_NORM_FAULT)
557
	TLB_MISS_EPILOG_ERROR
558
	b	exc_instruction_storage_book3e
559

560

561
/*
562
 * This is the guts of the second-level TLB miss handler for direct
563
 * misses. We are entered with:
564
 *
565
 * r16 = virtual page table faulting address
566
 * r15 = PGD pointer
567
 * r14 = ESR
568
 * r13 = PACA
569
 * r12 = TLB exception frame in PACA
570
 * r11 = crap (free to use)
571
 * r10 = crap (free to use)
572
 *
573
 * It can be re-entered by the linear mapping miss handler. However, to
574
 * avoid too much complication, it will save/restore things for us
575
 */
576
htw_tlb_miss:
577
	/* Search if we already have a TLB entry for that virtual address, and
578
	 * if we do, bail out.
579
	 *
580
	 * MAS1:IND should be already set based on MAS4
581
	 */
582
	PPC_TLBSRX_DOT(0,r16)
583
	beq	htw_tlb_miss_done
584

585
	/* Now, we need to walk the page tables. First check if we are in
586
	 * range.
587
	 */
588
	rldicl.	r10,r16,64-PGTABLE_EADDR_SIZE,PGTABLE_EADDR_SIZE+4
589
	bne-	htw_tlb_miss_fault
590

591
	/* Get the PGD pointer */
592
	cmpldi	cr0,r15,0
593
	beq-	htw_tlb_miss_fault
594

595
	/* Get to PGD entry */
596
	rldicl	r11,r16,64-(PGDIR_SHIFT-3),64-PGD_INDEX_SIZE-3
597
	clrrdi	r10,r11,3
598
	ldx	r15,r10,r15
599
	cmpldi	cr0,r15,0
600
	beq	htw_tlb_miss_fault
601

602
#ifndef CONFIG_PPC_64K_PAGES
603
	/* Get to PUD entry */
604
	rldicl	r11,r16,64-(PUD_SHIFT-3),64-PUD_INDEX_SIZE-3
605
	clrrdi	r10,r11,3
606
	ldx	r15,r10,r15
607
	cmpldi	cr0,r15,0
608
	beq	htw_tlb_miss_fault
609
#endif /* CONFIG_PPC_64K_PAGES */
610

611
	/* Get to PMD entry */
612
	rldicl	r11,r16,64-(PMD_SHIFT-3),64-PMD_INDEX_SIZE-3
613
	clrrdi	r10,r11,3
614
	ldx	r15,r10,r15
615
	cmpldi	cr0,r15,0
616
	beq	htw_tlb_miss_fault
617

618
	/* Ok, we're all right, we can now create an indirect entry for
619
	 * a 1M or 256M page.
620
	 *
621
	 * The last trick is now that because we use "half" pages for
622
	 * the HTW (1M IND is 2K and 256M IND is 32K) we need to account
623
	 * for an added LSB bit to the RPN. For 64K pages, there is no
624
	 * problem as we already use 32K arrays (half PTE pages), but for
625
	 * 4K page we need to extract a bit from the virtual address and
626
	 * insert it into the "PA52" bit of the RPN.
627
	 */
628
#ifndef CONFIG_PPC_64K_PAGES
629
	rlwimi	r15,r16,32-9,20,20
630
#endif
631
	/* Now we build the MAS:
632
	 *
633
	 * MAS 0   :	Fully setup with defaults in MAS4 and TLBnCFG
634
	 * MAS 1   :	Almost fully setup
635
	 *               - PID already updated by caller if necessary
636
	 *               - TSIZE for now is base ind page size always
637
	 * MAS 2   :	Use defaults
638
	 * MAS 3+7 :	Needs to be done
639
	 */
640
#ifdef CONFIG_PPC_64K_PAGES
641
	ori	r10,r15,(BOOK3E_PAGESZ_64K << MAS3_SPSIZE_SHIFT)
642
#else
643
	ori	r10,r15,(BOOK3E_PAGESZ_4K << MAS3_SPSIZE_SHIFT)
644
#endif
645

646
BEGIN_MMU_FTR_SECTION
647
	srdi	r16,r10,32
648
	mtspr	SPRN_MAS3,r10
649
	mtspr	SPRN_MAS7,r16
650
MMU_FTR_SECTION_ELSE
651
	mtspr	SPRN_MAS7_MAS3,r10
652
ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_PAIRED_MAS)
653

654
	tlbwe
655

656
htw_tlb_miss_done:
657
	/* We don't bother with restoring DEAR or ESR since we know we are
658
	 * level 0 and just going back to userland. They are only needed
659
	 * if you are going to take an access fault
660
	 */
661
	TLB_MISS_STATS_X(MMSTAT_TLB_MISS_PT_OK)
662
	TLB_MISS_EPILOG_SUCCESS
663
	rfi
664

665
htw_tlb_miss_fault:
666
	/* We need to check if it was an instruction miss. We know this
667
	 * though because r14 would contain -1
668
	 */
669
	cmpdi	cr0,r14,-1
670
	beq	1f
671
	mtspr	SPRN_DEAR,r16
672
	mtspr	SPRN_ESR,r14
673
	TLB_MISS_STATS_D(MMSTAT_TLB_MISS_PT_FAULT)
674
	TLB_MISS_EPILOG_ERROR
675
	b	exc_data_storage_book3e
676
1:	TLB_MISS_STATS_I(MMSTAT_TLB_MISS_PT_FAULT)
677
	TLB_MISS_EPILOG_ERROR
678
	b	exc_instruction_storage_book3e
679

680
/*
681
 * This is the guts of "any" level TLB miss handler for kernel linear
682
 * mapping misses. We are entered with:
683
 *
684
 *
685
 * r16 = faulting address
686
 * r15 = crap (free to use)
687
 * r14 = ESR (data) or -1 (instruction)
688
 * r13 = PACA
689
 * r12 = TLB exception frame in PACA
690
 * r11 = crap (free to use)
691
 * r10 = crap (free to use)
692
 *
693
 * In addition we know that we will not re-enter, so in theory, we could
694
 * use a simpler epilog not restoring SRR0/1 etc.. but we'll do that later.
695
 *
696
 * We also need to be careful about MAS registers here & TLB reservation,
697
 * as we know we'll have clobbered them if we interrupt the main TLB miss
698
 * handlers in which case we probably want to do a full restart at level
699
 * 0 rather than saving / restoring the MAS.
700
 *
701
 * Note: If we care about performance of that core, we can easily shuffle
702
 *       a few things around
703
 */
704
tlb_load_linear:
705
	/* For now, we assume the linear mapping is contiguous and stops at
706
	 * linear_map_top. We also assume the size is a multiple of 1G, thus
707
	 * we only use 1G pages for now. That might have to be changed in a
708
	 * final implementation, especially when dealing with hypervisors
709
	 */
710
	ld	r11,PACATOC(r13)
711
	ld	r11,linear_map_top@got(r11)
712
	ld	r10,0(r11)
713
	cmpld	cr0,r10,r16
714
	bge	tlb_load_linear_fault
715

716
	/* MAS1 need whole new setup. */
717
	li	r15,(BOOK3E_PAGESZ_1GB<<MAS1_TSIZE_SHIFT)
718
	oris	r15,r15,MAS1_VALID@h	/* MAS1 needs V and TSIZE */
719
	mtspr	SPRN_MAS1,r15
720

721
	/* Already somebody there ? */
722
	PPC_TLBSRX_DOT(0,r16)
723
	beq	tlb_load_linear_done
724

725
	/* Now we build the remaining MAS. MAS0 and 2 should be fine
726
	 * with their defaults, which leaves us with MAS 3 and 7. The
727
	 * mapping is linear, so we just take the address, clear the
728
	 * region bits, and or in the permission bits which are currently
729
	 * hard wired
730
	 */
731
	clrrdi	r10,r16,30		/* 1G page index */
732
	clrldi	r10,r10,4		/* clear region bits */
733
	ori	r10,r10,MAS3_SR|MAS3_SW|MAS3_SX
734

735
BEGIN_MMU_FTR_SECTION
736
	srdi	r16,r10,32
737
	mtspr	SPRN_MAS3,r10
738
	mtspr	SPRN_MAS7,r16
739
MMU_FTR_SECTION_ELSE
740
	mtspr	SPRN_MAS7_MAS3,r10
741
ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_PAIRED_MAS)
742

743
	tlbwe
744

745
tlb_load_linear_done:
746
	/* We use the "error" epilog for success as we do want to
747
	 * restore to the initial faulting context, whatever it was.
748
	 * We do that because we can't resume a fault within a TLB
749
	 * miss handler, due to MAS and TLB reservation being clobbered.
750
	 */
751
	TLB_MISS_STATS_X(MMSTAT_TLB_MISS_LINEAR)
752
	TLB_MISS_EPILOG_ERROR
753
	rfi
754

755
tlb_load_linear_fault:
756
	/* We keep the DEAR and ESR around, this shouldn't have happened */
757
	cmpdi	cr0,r14,-1
758
	beq	1f
759
	TLB_MISS_EPILOG_ERROR_SPECIAL
760
	b	exc_data_storage_book3e
761
1:	TLB_MISS_EPILOG_ERROR_SPECIAL
762
	b	exc_instruction_storage_book3e
763

764

765
#ifdef CONFIG_BOOK3E_MMU_TLB_STATS
766
.tlb_stat_inc:
767
1:	ldarx	r8,0,r9
768
	addi	r8,r8,1
769
	stdcx.	r8,0,r9
770
	bne-	1b
771
	blr
772
#endif
773

774