[mirror_qemu.git] / target-ppc / mmu-hash32.c

/*
 *  PowerPC MMU, TLB and BAT emulation helpers for QEMU.
 *
 *  Copyright (c) 2003-2007 Jocelyn Mayer
 *  Copyright (c) 2013 David Gibson, IBM Corporation
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */

#include "cpu.h"
#include "helper.h"
#include "sysemu/kvm.h"
#include "kvm_ppc.h"
#include "mmu-hash32.h"

//#define DEBUG_MMU
//#define DEBUG_BAT

#ifdef DEBUG_MMU
#  define LOG_MMU(...) qemu_log(__VA_ARGS__)
#  define LOG_MMU_STATE(env) log_cpu_state((env), 0)
#else
#  define LOG_MMU(...) do { } while (0)
#  define LOG_MMU_STATE(...) do { } while (0)
#endif

#ifdef DEBUG_BATS
#  define LOG_BATS(...) qemu_log(__VA_ARGS__)
#else
#  define LOG_BATS(...) do { } while (0)
#endif

struct mmu_ctx_hash32 {
    hwaddr raddr;      /* Real address              */
    int prot;                      /* Protection bits           */
    int key;                       /* Access key                */
};

static int ppc_hash32_pp_prot(int key, int pp, int nx)
{
    int prot;

    if (key == 0) {
        switch (pp) {
        case 0x0:
        case 0x1:
        case 0x2:
            prot = PAGE_READ | PAGE_WRITE;
            break;

        case 0x3:
            prot = PAGE_READ;
            break;

        default:
            abort();
        }
    } else {
        switch (pp) {
        case 0x0:
            prot = 0;
            break;

        case 0x1:
        case 0x3:
            prot = PAGE_READ;
            break;

        case 0x2:
            prot = PAGE_READ | PAGE_WRITE;
            break;

        default:
            abort();
        }
    }
    if (nx == 0) {
        prot |= PAGE_EXEC;
    }

    return prot;
}

static int ppc_hash32_pte_prot(CPUPPCState *env,
                               target_ulong sr, ppc_hash_pte32_t pte)
{
    unsigned pp, key;

    key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));
    pp = pte.pte1 & HPTE32_R_PP;

    return ppc_hash32_pp_prot(key, pp, !!(sr & SR32_NX));
}

static target_ulong hash32_bat_size(CPUPPCState *env,
                                    target_ulong batu, target_ulong batl)
{
    if ((msr_pr && !(batu & BATU32_VP))
        || (!msr_pr && !(batu & BATU32_VS))) {
        return 0;
    }

    return BATU32_BEPI & ~((batu & BATU32_BL) << 15);
}

static int hash32_bat_prot(CPUPPCState *env,
                           target_ulong batu, target_ulong batl)
{
    int pp, prot;

    prot = 0;
    pp = batl & BATL32_PP;
    if (pp != 0) {
        prot = PAGE_READ | PAGE_EXEC;
        if (pp == 0x2) {
            prot |= PAGE_WRITE;
        }
    }
    return prot;
}

static target_ulong hash32_bat_601_size(CPUPPCState *env,
                                target_ulong batu, target_ulong batl)
{
    if (!(batl & BATL32_601_V)) {
        return 0;
    }

    return BATU32_BEPI & ~((batl & BATL32_601_BL) << 17);
}

static int hash32_bat_601_prot(CPUPPCState *env,
                               target_ulong batu, target_ulong batl)
{
    int key, pp;

    pp = batu & BATU32_601_PP;
    if (msr_pr == 0) {
        key = !!(batu & BATU32_601_KS);
    } else {
        key = !!(batu & BATU32_601_KP);
    }
    return ppc_hash32_pp_prot(key, pp, 0);
}

static hwaddr ppc_hash32_bat_lookup(CPUPPCState *env, target_ulong ea, int rwx,
                                    int *prot)
{
    target_ulong *BATlt, *BATut;
    int i;

    LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,
             rwx == 2 ? 'I' : 'D', ea);
    if (rwx == 2) {
        BATlt = env->IBAT[1];
        BATut = env->IBAT[0];
    } else {
        BATlt = env->DBAT[1];
        BATut = env->DBAT[0];
    }
    for (i = 0; i < env->nb_BATs; i++) {
        target_ulong batu = BATut[i];
        target_ulong batl = BATlt[i];
        target_ulong mask;

        if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
            mask = hash32_bat_601_size(env, batu, batl);
        } else {
            mask = hash32_bat_size(env, batu, batl);
        }
        LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
                 " BATl " TARGET_FMT_lx "\n", __func__,
                 type == ACCESS_CODE ? 'I' : 'D', i, ea, batu, batl);

        if (mask && ((ea & mask) == (batu & BATU32_BEPI))) {
            hwaddr raddr = (batl & mask) | (ea & ~mask);

            if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
                *prot = hash32_bat_601_prot(env, batu, batl);
            } else {
                *prot = hash32_bat_prot(env, batu, batl);
            }

            return raddr & TARGET_PAGE_MASK;
        }
    }

    /* No hit */
#if defined(DEBUG_BATS)
    if (qemu_log_enabled()) {
        LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", ea);
        for (i = 0; i < 4; i++) {
            BATu = &BATut[i];
            BATl = &BATlt[i];
            BEPIu = *BATu & BATU32_BEPIU;
            BEPIl = *BATu & BATU32_BEPIL;
            bl = (*BATu & 0x00001FFC) << 15;
            LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
                     " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
                     TARGET_FMT_lx " " TARGET_FMT_lx "\n",
                     __func__, type == ACCESS_CODE ? 'I' : 'D', i, ea,
                     *BATu, *BATl, BEPIu, BEPIl, bl);
        }
    }
#endif

    return -1;
}

static int ppc_hash32_direct_store(CPUPPCState *env, target_ulong sr,
                                   target_ulong eaddr, int rwx,
                                   hwaddr *raddr, int *prot)
{
    int key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));

    LOG_MMU("direct store...\n");

    if ((sr & 0x1FF00000) >> 20 == 0x07f) {
        /* Memory-forced I/O controller interface access */
        /* If T=1 and BUID=x'07F', the 601 performs a memory access
         * to SR[28-31] LA[4-31], bypassing all protection mechanisms.
         */
        *raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);
        *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
        return 0;
    }

    if (rwx == 2) {
        /* No code fetch is allowed in direct-store areas */
        return -4;
    }

    switch (env->access_type) {
    case ACCESS_INT:
        /* Integer load/store : only access allowed */
        break;
    case ACCESS_FLOAT:
        /* Floating point load/store */
        return -4;
    case ACCESS_RES:
        /* lwarx, ldarx or srwcx. */
        return -4;
    case ACCESS_CACHE:
        /* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */
        /* Should make the instruction do no-op.
         * As it already do no-op, it's quite easy :-)
         */
        *raddr = eaddr;
        return 0;
    case ACCESS_EXT:
        /* eciwx or ecowx */
        return -4;
    default:
        qemu_log("ERROR: instruction should not need "
                 "address translation\n");
        return -4;
    }
    if ((rwx == 1 || key != 1) && (rwx == 0 || key != 0)) {
        *raddr = eaddr;
        return 2;
    } else {
        return -2;
    }
}

hwaddr get_pteg_offset32(CPUPPCState *env, hwaddr hash)
{
    return (hash * HASH_PTEG_SIZE_32) & env->htab_mask;
}

static hwaddr ppc_hash32_pteg_search(CPUPPCState *env, hwaddr pteg_off,
                                     bool secondary, target_ulong ptem,
                                     ppc_hash_pte32_t *pte)
{
    hwaddr pte_offset = pteg_off;
    target_ulong pte0, pte1;
    int i;

    for (i = 0; i < HPTES_PER_GROUP; i++) {
        pte0 = ppc_hash32_load_hpte0(env, pte_offset);
        pte1 = ppc_hash32_load_hpte1(env, pte_offset);

        if ((pte0 & HPTE32_V_VALID)
            && (secondary == !!(pte0 & HPTE32_V_SECONDARY))
            && HPTE32_V_COMPARE(pte0, ptem)) {
            pte->pte0 = pte0;
            pte->pte1 = pte1;
            return pte_offset;
        }

        pte_offset += HASH_PTE_SIZE_32;
    }

    return -1;
}

static hwaddr ppc_hash32_htab_lookup(CPUPPCState *env,
                                     target_ulong sr, target_ulong eaddr,
                                     ppc_hash_pte32_t *pte)
{
    hwaddr pteg_off, pte_offset;
    hwaddr hash;
    uint32_t vsid, pgidx, ptem;

    vsid = sr & SR32_VSID;
    pgidx = (eaddr & ~SEGMENT_MASK_256M) >> TARGET_PAGE_BITS;
    hash = vsid ^ pgidx;
    ptem = (vsid << 7) | (pgidx >> 10);

    /* Page address translation */
    LOG_MMU("htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx
            " hash " TARGET_FMT_plx "\n",
            env->htab_base, env->htab_mask, hash);

    /* Primary PTEG lookup */
    LOG_MMU("0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
            " vsid=%" PRIx32 " ptem=%" PRIx32
            " hash=" TARGET_FMT_plx "\n",
            env->htab_base, env->htab_mask, vsid, ptem, hash);
    pteg_off = get_pteg_offset32(env, hash);
    pte_offset = ppc_hash32_pteg_search(env, pteg_off, 0, ptem, pte);
    if (pte_offset == -1) {
        /* Secondary PTEG lookup */
        LOG_MMU("1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
                " vsid=%" PRIx32 " api=%" PRIx32
                " hash=" TARGET_FMT_plx "\n", env->htab_base,
                env->htab_mask, vsid, ptem, ~hash);
        pteg_off = get_pteg_offset32(env, ~hash);
        pte_offset = ppc_hash32_pteg_search(env, pteg_off, 1, ptem, pte);
    }

    return pte_offset;
}

static hwaddr ppc_hash32_pte_raddr(target_ulong sr, ppc_hash_pte32_t pte,
                                   target_ulong eaddr)
{
    hwaddr rpn = pte.pte1;
    hwaddr mask = ~TARGET_PAGE_MASK;

    return (rpn & ~mask) | (eaddr & mask);
}

static int ppc_hash32_translate(CPUPPCState *env, struct mmu_ctx_hash32 *ctx,
                                target_ulong eaddr, int rwx)
{
    target_ulong sr;
    hwaddr pte_offset;
    ppc_hash_pte32_t pte;
    uint32_t new_pte1;
    const int need_prot[] = {PAGE_READ, PAGE_WRITE, PAGE_EXEC};

    assert((rwx == 0) || (rwx == 1) || (rwx == 2));

    /* 1. Handle real mode accesses */
    if (((rwx == 2) && (msr_ir == 0)) || ((rwx != 2) && (msr_dr == 0))) {
        /* Translation is off */
        ctx->raddr = eaddr;
        ctx->prot = PAGE_READ | PAGE_EXEC | PAGE_WRITE;
        return 0;
    }

    /* 2. Check Block Address Translation entries (BATs) */
    if (env->nb_BATs != 0) {
        ctx->raddr = ppc_hash32_bat_lookup(env, eaddr, rwx, &ctx->prot);
        if (ctx->raddr != -1) {
            if (need_prot[rwx] & ~ctx->prot) {
                return -2;
            }
            return 0;
        }
    }

    /* 3. Look up the Segment Register */
    sr = env->sr[eaddr >> 28];

    /* 4. Handle direct store segments */
    if (sr & SR32_T) {
        return ppc_hash32_direct_store(env, sr, eaddr, rwx,
                                       &ctx->raddr, &ctx->prot);
    }

    /* 5. Check for segment level no-execute violation */
    if ((rwx == 2) && (sr & SR32_NX)) {
        return -3;
    }

    /* 6. Locate the PTE in the hash table */
    pte_offset = ppc_hash32_htab_lookup(env, sr, eaddr, &pte);
    if (pte_offset == -1) {
        return -1;
    }
    LOG_MMU("found PTE at offset %08" HWADDR_PRIx "\n", pte_offset);

    /* 7. Check access permissions */

    ctx->prot = ppc_hash32_pte_prot(env, sr, pte);

    if (need_prot[rwx] & ~ctx->prot) {
        /* Access right violation */
        LOG_MMU("PTE access rejected\n");
        return -2;
    }

    LOG_MMU("PTE access granted !\n");

    /* 8. Update PTE referenced and changed bits if necessary */

    new_pte1 = pte.pte1 | HPTE32_R_R; /* set referenced bit */
    if (rwx == 1) {
        new_pte1 |= HPTE32_R_C; /* set changed (dirty) bit */
    } else {
        /* Treat the page as read-only for now, so that a later write
         * will pass through this function again to set the C bit */
        ctx->prot &= ~PAGE_WRITE;
    }

    if (new_pte1 != pte.pte1) {
        ppc_hash32_store_hpte1(env, pte_offset, new_pte1);
    }

    /* 9. Determine the real address from the PTE */

    ctx->raddr = ppc_hash32_pte_raddr(sr, pte, eaddr);

    return 0;
}

hwaddr ppc_hash32_get_phys_page_debug(CPUPPCState *env, target_ulong addr)
{
    struct mmu_ctx_hash32 ctx;

    /* FIXME: Will not behave sanely for direct store segments, but
     * they're almost never used */
    if (unlikely(ppc_hash32_translate(env, &ctx, addr, 0)
                 != 0)) {
        return -1;
    }

    return ctx.raddr & TARGET_PAGE_MASK;
}

int ppc_hash32_handle_mmu_fault(CPUPPCState *env, target_ulong address, int rwx,
                                int mmu_idx)
{
    struct mmu_ctx_hash32 ctx;
    int ret = 0;

    ret = ppc_hash32_translate(env, &ctx, address, rwx);
    if (ret == 0) {
        tlb_set_page(env, address & TARGET_PAGE_MASK,
                     ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
                     mmu_idx, TARGET_PAGE_SIZE);
        ret = 0;
    } else if (ret < 0) {
        LOG_MMU_STATE(env);
        if (rwx == 2) {
            switch (ret) {
            case -1:
                /* No matches in page tables or TLB */
                env->exception_index = POWERPC_EXCP_ISI;
                env->error_code = 0x40000000;
                break;
            case -2:
                /* Access rights violation */
                env->exception_index = POWERPC_EXCP_ISI;
                env->error_code = 0x08000000;
                break;
            case -3:
                /* No execute protection violation */
                env->exception_index = POWERPC_EXCP_ISI;
                env->error_code = 0x10000000;
                break;
            case -4:
                /* Direct store exception */
                /* No code fetch is allowed in direct-store areas */
                env->exception_index = POWERPC_EXCP_ISI;
                env->error_code = 0x10000000;
                break;
            }
        } else {
            switch (ret) {
            case -1:
                /* No matches in page tables or TLB */
                env->exception_index = POWERPC_EXCP_DSI;
                env->error_code = 0;
                env->spr[SPR_DAR] = address;
                if (rwx == 1) {
                    env->spr[SPR_DSISR] = 0x42000000;
                } else {
                    env->spr[SPR_DSISR] = 0x40000000;
                }
                break;
            case -2:
                /* Access rights violation */
                env->exception_index = POWERPC_EXCP_DSI;
                env->error_code = 0;
                env->spr[SPR_DAR] = address;
                if (rwx == 1) {
                    env->spr[SPR_DSISR] = 0x0A000000;
                } else {
                    env->spr[SPR_DSISR] = 0x08000000;
                }
                break;
            case -4:
                /* Direct store exception */
                switch (env->access_type) {
                case ACCESS_FLOAT:
                    /* Floating point load/store */
                    env->exception_index = POWERPC_EXCP_ALIGN;
                    env->error_code = POWERPC_EXCP_ALIGN_FP;
                    env->spr[SPR_DAR] = address;
                    break;
                case ACCESS_RES:
                    /* lwarx, ldarx or stwcx. */
                    env->exception_index = POWERPC_EXCP_DSI;
                    env->error_code = 0;
                    env->spr[SPR_DAR] = address;
                    if (rwx == 1) {
                        env->spr[SPR_DSISR] = 0x06000000;
                    } else {
                        env->spr[SPR_DSISR] = 0x04000000;
                    }
                    break;
                case ACCESS_EXT:
                    /* eciwx or ecowx */
                    env->exception_index = POWERPC_EXCP_DSI;
                    env->error_code = 0;
                    env->spr[SPR_DAR] = address;
                    if (rwx == 1) {
                        env->spr[SPR_DSISR] = 0x06100000;
                    } else {
                        env->spr[SPR_DSISR] = 0x04100000;
                    }
                    break;
                default:
                    printf("DSI: invalid exception (%d)\n", ret);
                    env->exception_index = POWERPC_EXCP_PROGRAM;
                    env->error_code =
                        POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL;
                    env->spr[SPR_DAR] = address;
                    break;
                }
                break;
            }
        }
#if 0
        printf("%s: set exception to %d %02x\n", __func__,
               env->exception, env->error_code);
#endif
        ret = 1;
    }

    return ret;
}
Commit	Line	Data
	1	/*
	2	* PowerPC MMU, TLB and BAT emulation helpers for QEMU.
	3	*
	4	* Copyright (c) 2003-2007 Jocelyn Mayer
	5	* Copyright (c) 2013 David Gibson, IBM Corporation
	6	*
	7	* This library is free software; you can redistribute it and/or
	8	* modify it under the terms of the GNU Lesser General Public
	9	* License as published by the Free Software Foundation; either
	10	* version 2 of the License, or (at your option) any later version.
	11	*
	12	* This library is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	* Lesser General Public License for more details.
	16	*
	17	* You should have received a copy of the GNU Lesser General Public
	18	* License along with this library; if not, see <http://www.gnu.org/licenses/>.
	19	*/
	20
	21	#include "cpu.h"
	22	#include "helper.h"
	23	#include "sysemu/kvm.h"
	24	#include "kvm_ppc.h"
	25	#include "mmu-hash32.h"
	26
	27	//#define DEBUG_MMU
	28	//#define DEBUG_BAT
	29
	30	#ifdef DEBUG_MMU
	31	# define LOG_MMU(...) qemu_log(__VA_ARGS__)
	32	# define LOG_MMU_STATE(env) log_cpu_state((env), 0)
	33	#else
	34	# define LOG_MMU(...) do { } while (0)
	35	# define LOG_MMU_STATE(...) do { } while (0)
	36	#endif
	37
	38	#ifdef DEBUG_BATS
	39	# define LOG_BATS(...) qemu_log(__VA_ARGS__)
	40	#else
	41	# define LOG_BATS(...) do { } while (0)
	42	#endif
	43
	44	struct mmu_ctx_hash32 {
	45	hwaddr raddr; /* Real address */
	46	int prot; /* Protection bits */
	47	int key; /* Access key */
	48	};
	49
	50	static int ppc_hash32_pp_prot(int key, int pp, int nx)
	51	{
	52	int prot;
	53
	54	if (key == 0) {
	55	switch (pp) {
	56	case 0x0:
	57	case 0x1:
	58	case 0x2:
	59	prot = PAGE_READ \| PAGE_WRITE;
	60	break;
	61
	62	case 0x3:
	63	prot = PAGE_READ;
	64	break;
	65
	66	default:
	67	abort();
	68	}
	69	} else {
	70	switch (pp) {
	71	case 0x0:
	72	prot = 0;
	73	break;
	74
	75	case 0x1:
	76	case 0x3:
	77	prot = PAGE_READ;
	78	break;
	79
	80	case 0x2:
	81	prot = PAGE_READ \| PAGE_WRITE;
	82	break;
	83
	84	default:
	85	abort();
	86	}
	87	}
	88	if (nx == 0) {
	89	prot \|= PAGE_EXEC;
	90	}
	91
	92	return prot;
	93	}
	94
	95	static int ppc_hash32_pte_prot(CPUPPCState *env,
	96	target_ulong sr, ppc_hash_pte32_t pte)
	97	{
	98	unsigned pp, key;
	99
	100	key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));
	101	pp = pte.pte1 & HPTE32_R_PP;
	102
	103	return ppc_hash32_pp_prot(key, pp, !!(sr & SR32_NX));
	104	}
	105
	106	static target_ulong hash32_bat_size(CPUPPCState *env,
	107	target_ulong batu, target_ulong batl)
	108	{
	109	if ((msr_pr && !(batu & BATU32_VP))
	110	\|\| (!msr_pr && !(batu & BATU32_VS))) {
	111	return 0;
	112	}
	113
	114	return BATU32_BEPI & ~((batu & BATU32_BL) << 15);
	115	}
	116
	117	static int hash32_bat_prot(CPUPPCState *env,
	118	target_ulong batu, target_ulong batl)
	119	{
	120	int pp, prot;
	121
	122	prot = 0;
	123	pp = batl & BATL32_PP;
	124	if (pp != 0) {
	125	prot = PAGE_READ \| PAGE_EXEC;
	126	if (pp == 0x2) {
	127	prot \|= PAGE_WRITE;
	128	}
	129	}
	130	return prot;
	131	}
	132
	133	static target_ulong hash32_bat_601_size(CPUPPCState *env,
	134	target_ulong batu, target_ulong batl)
	135	{
	136	if (!(batl & BATL32_601_V)) {
	137	return 0;
	138	}
	139
	140	return BATU32_BEPI & ~((batl & BATL32_601_BL) << 17);
	141	}
	142
	143	static int hash32_bat_601_prot(CPUPPCState *env,
	144	target_ulong batu, target_ulong batl)
	145	{
	146	int key, pp;
	147
	148	pp = batu & BATU32_601_PP;
	149	if (msr_pr == 0) {
	150	key = !!(batu & BATU32_601_KS);
	151	} else {
	152	key = !!(batu & BATU32_601_KP);
	153	}
	154	return ppc_hash32_pp_prot(key, pp, 0);
	155	}
	156
	157	static hwaddr ppc_hash32_bat_lookup(CPUPPCState *env, target_ulong ea, int rwx,
	158	int *prot)
	159	{
	160	target_ulong BATlt, BATut;
	161	int i;
	162
	163	LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,
	164	rwx == 2 ? 'I' : 'D', ea);
	165	if (rwx == 2) {
	166	BATlt = env->IBAT[1];
	167	BATut = env->IBAT[0];
	168	} else {
	169	BATlt = env->DBAT[1];
	170	BATut = env->DBAT[0];
	171	}
	172	for (i = 0; i < env->nb_BATs; i++) {
	173	target_ulong batu = BATut[i];
	174	target_ulong batl = BATlt[i];
	175	target_ulong mask;
	176
	177	if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
	178	mask = hash32_bat_601_size(env, batu, batl);
	179	} else {
	180	mask = hash32_bat_size(env, batu, batl);
	181	}
	182	LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
	183	" BATl " TARGET_FMT_lx "\n", __func__,
	184	type == ACCESS_CODE ? 'I' : 'D', i, ea, batu, batl);
	185
	186	if (mask && ((ea & mask) == (batu & BATU32_BEPI))) {
	187	hwaddr raddr = (batl & mask) \| (ea & ~mask);
	188
	189	if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
	190	*prot = hash32_bat_601_prot(env, batu, batl);
	191	} else {
	192	*prot = hash32_bat_prot(env, batu, batl);
	193	}
	194
	195	return raddr & TARGET_PAGE_MASK;
	196	}
	197	}
	198
	199	/* No hit */
	200	#if defined(DEBUG_BATS)
	201	if (qemu_log_enabled()) {
	202	LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", ea);
	203	for (i = 0; i < 4; i++) {
	204	BATu = &BATut[i];
	205	BATl = &BATlt[i];
	206	BEPIu = *BATu & BATU32_BEPIU;
	207	BEPIl = *BATu & BATU32_BEPIL;
	208	bl = (*BATu & 0x00001FFC) << 15;
	209	LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
	210	" BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "
	211	TARGET_FMT_lx " " TARGET_FMT_lx "\n",
	212	__func__, type == ACCESS_CODE ? 'I' : 'D', i, ea,
	213	BATu, BATl, BEPIu, BEPIl, bl);
	214	}
	215	}
	216	#endif
	217
	218	return -1;
	219	}
	220
	221	static int ppc_hash32_direct_store(CPUPPCState *env, target_ulong sr,
	222	target_ulong eaddr, int rwx,
	223	hwaddr raddr, int prot)
	224	{
	225	int key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));
	226
	227	LOG_MMU("direct store...\n");
	228
	229	if ((sr & 0x1FF00000) >> 20 == 0x07f) {
	230	/* Memory-forced I/O controller interface access */
	231	/* If T=1 and BUID=x'07F', the 601 performs a memory access
	232	* to SR[28-31] LA[4-31], bypassing all protection mechanisms.
	233	*/
	234	*raddr = ((sr & 0xF) << 28) \| (eaddr & 0x0FFFFFFF);
	235	*prot = PAGE_READ \| PAGE_WRITE \| PAGE_EXEC;
	236	return 0;
	237	}
	238
	239	if (rwx == 2) {
	240	/* No code fetch is allowed in direct-store areas */
	241	return -4;
	242	}
	243
	244	switch (env->access_type) {
	245	case ACCESS_INT:
	246	/* Integer load/store : only access allowed */
	247	break;
	248	case ACCESS_FLOAT:
	249	/* Floating point load/store */
	250	return -4;
	251	case ACCESS_RES:
	252	/* lwarx, ldarx or srwcx. */
	253	return -4;
	254	case ACCESS_CACHE:
	255	/* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */
	256	/* Should make the instruction do no-op.
	257	* As it already do no-op, it's quite easy :-)
	258	*/
	259	*raddr = eaddr;
	260	return 0;
	261	case ACCESS_EXT:
	262	/* eciwx or ecowx */
	263	return -4;
	264	default:
	265	qemu_log("ERROR: instruction should not need "
	266	"address translation\n");
	267	return -4;
	268	}
	269	if ((rwx == 1 \|\| key != 1) && (rwx == 0 \|\| key != 0)) {
	270	*raddr = eaddr;
	271	return 2;
	272	} else {
	273	return -2;
	274	}
	275	}
	276
	277	hwaddr get_pteg_offset32(CPUPPCState *env, hwaddr hash)
	278	{
	279	return (hash * HASH_PTEG_SIZE_32) & env->htab_mask;
	280	}
	281
	282	static hwaddr ppc_hash32_pteg_search(CPUPPCState *env, hwaddr pteg_off,
	283	bool secondary, target_ulong ptem,
	284	ppc_hash_pte32_t *pte)
	285	{
	286	hwaddr pte_offset = pteg_off;
	287	target_ulong pte0, pte1;
	288	int i;
	289
	290	for (i = 0; i < HPTES_PER_GROUP; i++) {
	291	pte0 = ppc_hash32_load_hpte0(env, pte_offset);
	292	pte1 = ppc_hash32_load_hpte1(env, pte_offset);
	293
	294	if ((pte0 & HPTE32_V_VALID)
	295	&& (secondary == !!(pte0 & HPTE32_V_SECONDARY))
	296	&& HPTE32_V_COMPARE(pte0, ptem)) {
	297	pte->pte0 = pte0;
	298	pte->pte1 = pte1;
	299	return pte_offset;
	300	}
	301
	302	pte_offset += HASH_PTE_SIZE_32;
	303	}
	304
	305	return -1;
	306	}
	307
	308	static hwaddr ppc_hash32_htab_lookup(CPUPPCState *env,
	309	target_ulong sr, target_ulong eaddr,
	310	ppc_hash_pte32_t *pte)
	311	{
	312	hwaddr pteg_off, pte_offset;
	313	hwaddr hash;
	314	uint32_t vsid, pgidx, ptem;
	315
	316	vsid = sr & SR32_VSID;
	317	pgidx = (eaddr & ~SEGMENT_MASK_256M) >> TARGET_PAGE_BITS;
	318	hash = vsid ^ pgidx;
	319	ptem = (vsid << 7) \| (pgidx >> 10);
	320
	321	/* Page address translation */
	322	LOG_MMU("htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx
	323	" hash " TARGET_FMT_plx "\n",
	324	env->htab_base, env->htab_mask, hash);
	325
	326	/* Primary PTEG lookup */
	327	LOG_MMU("0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
	328	" vsid=%" PRIx32 " ptem=%" PRIx32
	329	" hash=" TARGET_FMT_plx "\n",
	330	env->htab_base, env->htab_mask, vsid, ptem, hash);
	331	pteg_off = get_pteg_offset32(env, hash);
	332	pte_offset = ppc_hash32_pteg_search(env, pteg_off, 0, ptem, pte);
	333	if (pte_offset == -1) {
	334	/* Secondary PTEG lookup */
	335	LOG_MMU("1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
	336	" vsid=%" PRIx32 " api=%" PRIx32
	337	" hash=" TARGET_FMT_plx "\n", env->htab_base,
	338	env->htab_mask, vsid, ptem, ~hash);
	339	pteg_off = get_pteg_offset32(env, ~hash);
	340	pte_offset = ppc_hash32_pteg_search(env, pteg_off, 1, ptem, pte);
	341	}
	342
	343	return pte_offset;
	344	}
	345
	346	static hwaddr ppc_hash32_pte_raddr(target_ulong sr, ppc_hash_pte32_t pte,
	347	target_ulong eaddr)
	348	{
	349	hwaddr rpn = pte.pte1;
	350	hwaddr mask = ~TARGET_PAGE_MASK;
	351
	352	return (rpn & ~mask) \| (eaddr & mask);
	353	}
	354
	355	static int ppc_hash32_translate(CPUPPCState env, struct mmu_ctx_hash32 ctx,
	356	target_ulong eaddr, int rwx)
	357	{
	358	target_ulong sr;
	359	hwaddr pte_offset;
	360	ppc_hash_pte32_t pte;
	361	uint32_t new_pte1;
	362	const int need_prot[] = {PAGE_READ, PAGE_WRITE, PAGE_EXEC};
	363
	364	assert((rwx == 0) \|\| (rwx == 1) \|\| (rwx == 2));
	365
	366	/* 1. Handle real mode accesses */
	367	if (((rwx == 2) && (msr_ir == 0)) \|\| ((rwx != 2) && (msr_dr == 0))) {
	368	/* Translation is off */
	369	ctx->raddr = eaddr;
	370	ctx->prot = PAGE_READ \| PAGE_EXEC \| PAGE_WRITE;
	371	return 0;
	372	}
	373
	374	/* 2. Check Block Address Translation entries (BATs) */
	375	if (env->nb_BATs != 0) {
	376	ctx->raddr = ppc_hash32_bat_lookup(env, eaddr, rwx, &ctx->prot);
	377	if (ctx->raddr != -1) {
	378	if (need_prot[rwx] & ~ctx->prot) {
	379	return -2;
	380	}
	381	return 0;
	382	}
	383	}
	384
	385	/* 3. Look up the Segment Register */
	386	sr = env->sr[eaddr >> 28];
	387
	388	/* 4. Handle direct store segments */
	389	if (sr & SR32_T) {
	390	return ppc_hash32_direct_store(env, sr, eaddr, rwx,
	391	&ctx->raddr, &ctx->prot);
	392	}
	393
	394	/* 5. Check for segment level no-execute violation */
	395	if ((rwx == 2) && (sr & SR32_NX)) {
	396	return -3;
	397	}
	398
	399	/* 6. Locate the PTE in the hash table */
	400	pte_offset = ppc_hash32_htab_lookup(env, sr, eaddr, &pte);
	401	if (pte_offset == -1) {
	402	return -1;
	403	}
	404	LOG_MMU("found PTE at offset %08" HWADDR_PRIx "\n", pte_offset);
	405
	406	/* 7. Check access permissions */
	407
	408	ctx->prot = ppc_hash32_pte_prot(env, sr, pte);
	409
	410	if (need_prot[rwx] & ~ctx->prot) {
	411	/* Access right violation */
	412	LOG_MMU("PTE access rejected\n");
	413	return -2;
	414	}
	415
	416	LOG_MMU("PTE access granted !\n");
	417
	418	/* 8. Update PTE referenced and changed bits if necessary */
	419
	420	new_pte1 = pte.pte1 \| HPTE32_R_R; /* set referenced bit */
	421	if (rwx == 1) {
	422	new_pte1 \|= HPTE32_R_C; /* set changed (dirty) bit */
	423	} else {
	424	/* Treat the page as read-only for now, so that a later write
	425	* will pass through this function again to set the C bit */
	426	ctx->prot &= ~PAGE_WRITE;
	427	}
	428
	429	if (new_pte1 != pte.pte1) {
	430	ppc_hash32_store_hpte1(env, pte_offset, new_pte1);
	431	}
	432
	433	/* 9. Determine the real address from the PTE */
	434
	435	ctx->raddr = ppc_hash32_pte_raddr(sr, pte, eaddr);
	436
	437	return 0;
	438	}
	439
	440	hwaddr ppc_hash32_get_phys_page_debug(CPUPPCState *env, target_ulong addr)
	441	{
	442	struct mmu_ctx_hash32 ctx;
	443
	444	/* FIXME: Will not behave sanely for direct store segments, but
	445	* they're almost never used */
	446	if (unlikely(ppc_hash32_translate(env, &ctx, addr, 0)
	447	!= 0)) {
	448	return -1;
	449	}
	450
	451	return ctx.raddr & TARGET_PAGE_MASK;
	452	}
	453
	454	int ppc_hash32_handle_mmu_fault(CPUPPCState *env, target_ulong address, int rwx,
	455	int mmu_idx)
	456	{
	457	struct mmu_ctx_hash32 ctx;
	458	int ret = 0;
	459
	460	ret = ppc_hash32_translate(env, &ctx, address, rwx);
	461	if (ret == 0) {
	462	tlb_set_page(env, address & TARGET_PAGE_MASK,
	463	ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
	464	mmu_idx, TARGET_PAGE_SIZE);
	465	ret = 0;
	466	} else if (ret < 0) {
	467	LOG_MMU_STATE(env);
	468	if (rwx == 2) {
	469	switch (ret) {
	470	case -1:
	471	/* No matches in page tables or TLB */
	472	env->exception_index = POWERPC_EXCP_ISI;
	473	env->error_code = 0x40000000;
	474	break;
	475	case -2:
	476	/* Access rights violation */
	477	env->exception_index = POWERPC_EXCP_ISI;
	478	env->error_code = 0x08000000;
	479	break;
	480	case -3:
	481	/* No execute protection violation */
	482	env->exception_index = POWERPC_EXCP_ISI;
	483	env->error_code = 0x10000000;
	484	break;
	485	case -4:
	486	/* Direct store exception */
	487	/* No code fetch is allowed in direct-store areas */
	488	env->exception_index = POWERPC_EXCP_ISI;
	489	env->error_code = 0x10000000;
	490	break;
	491	}
	492	} else {
	493	switch (ret) {
	494	case -1:
	495	/* No matches in page tables or TLB */
	496	env->exception_index = POWERPC_EXCP_DSI;
	497	env->error_code = 0;
	498	env->spr[SPR_DAR] = address;
	499	if (rwx == 1) {
	500	env->spr[SPR_DSISR] = 0x42000000;
	501	} else {
	502	env->spr[SPR_DSISR] = 0x40000000;
	503	}
	504	break;
	505	case -2:
	506	/* Access rights violation */
	507	env->exception_index = POWERPC_EXCP_DSI;
	508	env->error_code = 0;
	509	env->spr[SPR_DAR] = address;
	510	if (rwx == 1) {
	511	env->spr[SPR_DSISR] = 0x0A000000;
	512	} else {
	513	env->spr[SPR_DSISR] = 0x08000000;
	514	}
	515	break;
	516	case -4:
	517	/* Direct store exception */
	518	switch (env->access_type) {
	519	case ACCESS_FLOAT:
	520	/* Floating point load/store */
	521	env->exception_index = POWERPC_EXCP_ALIGN;
	522	env->error_code = POWERPC_EXCP_ALIGN_FP;
	523	env->spr[SPR_DAR] = address;
	524	break;
	525	case ACCESS_RES:
	526	/* lwarx, ldarx or stwcx. */
	527	env->exception_index = POWERPC_EXCP_DSI;
	528	env->error_code = 0;
	529	env->spr[SPR_DAR] = address;
	530	if (rwx == 1) {
	531	env->spr[SPR_DSISR] = 0x06000000;
	532	} else {
	533	env->spr[SPR_DSISR] = 0x04000000;
	534	}
	535	break;
	536	case ACCESS_EXT:
	537	/* eciwx or ecowx */
	538	env->exception_index = POWERPC_EXCP_DSI;
	539	env->error_code = 0;
	540	env->spr[SPR_DAR] = address;
	541	if (rwx == 1) {
	542	env->spr[SPR_DSISR] = 0x06100000;
	543	} else {
	544	env->spr[SPR_DSISR] = 0x04100000;
	545	}
	546	break;
	547	default:
	548	printf("DSI: invalid exception (%d)\n", ret);
	549	env->exception_index = POWERPC_EXCP_PROGRAM;
	550	env->error_code =
	551	POWERPC_EXCP_INVAL \| POWERPC_EXCP_INVAL_INVAL;
	552	env->spr[SPR_DAR] = address;
	553	break;
	554	}
	555	break;
	556	}
	557	}
	558	#if 0
	559	printf("%s: set exception to %d %02x\n", __func__,
	560	env->exception, env->error_code);
	561	#endif
	562	ret = 1;
	563	}
	564
	565	return ret;
	566	}