2017-05-02 09:37:17 +03:00
|
|
|
/*
|
|
|
|
* PowerPC Radix MMU mulation helpers for QEMU.
|
|
|
|
*
|
|
|
|
* Copyright (c) 2016 Suraj Jitindar Singh, IBM Corporation
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2020-10-19 09:11:26 +03:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
2017-05-02 09:37:17 +03:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "qemu/osdep.h"
|
|
|
|
#include "cpu.h"
|
|
|
|
#include "exec/exec-all.h"
|
|
|
|
#include "qemu/error-report.h"
|
|
|
|
#include "sysemu/kvm.h"
|
|
|
|
#include "kvm_ppc.h"
|
|
|
|
#include "exec/log.h"
|
2021-05-18 23:11:23 +03:00
|
|
|
#include "internal.h"
|
2017-05-02 09:37:17 +03:00
|
|
|
#include "mmu-radix64.h"
|
|
|
|
#include "mmu-book3s-v3.h"
|
|
|
|
|
2020-05-14 01:56:54 +03:00
|
|
|
static bool ppc_radix64_get_fully_qualified_addr(const CPUPPCState *env,
|
|
|
|
vaddr eaddr,
|
2017-05-02 09:37:17 +03:00
|
|
|
uint64_t *lpid, uint64_t *pid)
|
|
|
|
{
|
2022-01-04 09:55:34 +03:00
|
|
|
/* When EA(2:11) are nonzero, raise a segment interrupt */
|
|
|
|
if (eaddr & ~R_EADDR_VALID_MASK) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2022-05-05 00:05:38 +03:00
|
|
|
if (FIELD_EX64(env->msr, MSR, HV)) { /* MSR[HV] -> Hypervisor/bare metal */
|
2019-02-15 20:00:29 +03:00
|
|
|
switch (eaddr & R_EADDR_QUADRANT) {
|
|
|
|
case R_EADDR_QUADRANT0:
|
|
|
|
*lpid = 0;
|
|
|
|
*pid = env->spr[SPR_BOOKS_PID];
|
|
|
|
break;
|
|
|
|
case R_EADDR_QUADRANT1:
|
|
|
|
*lpid = env->spr[SPR_LPIDR];
|
|
|
|
*pid = env->spr[SPR_BOOKS_PID];
|
|
|
|
break;
|
|
|
|
case R_EADDR_QUADRANT2:
|
|
|
|
*lpid = env->spr[SPR_LPIDR];
|
|
|
|
*pid = 0;
|
|
|
|
break;
|
|
|
|
case R_EADDR_QUADRANT3:
|
|
|
|
*lpid = 0;
|
|
|
|
*pid = 0;
|
|
|
|
break;
|
2020-05-14 01:57:00 +03:00
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2019-02-15 20:00:29 +03:00
|
|
|
}
|
|
|
|
} else { /* !MSR[HV] -> Guest */
|
2017-05-02 09:37:17 +03:00
|
|
|
switch (eaddr & R_EADDR_QUADRANT) {
|
|
|
|
case R_EADDR_QUADRANT0: /* Guest application */
|
|
|
|
*lpid = env->spr[SPR_LPIDR];
|
|
|
|
*pid = env->spr[SPR_BOOKS_PID];
|
|
|
|
break;
|
|
|
|
case R_EADDR_QUADRANT1: /* Illegal */
|
|
|
|
case R_EADDR_QUADRANT2:
|
|
|
|
return false;
|
|
|
|
case R_EADDR_QUADRANT3: /* Guest OS */
|
|
|
|
*lpid = env->spr[SPR_LPIDR];
|
|
|
|
*pid = 0; /* pid set to 0 -> addresses guest operating system */
|
|
|
|
break;
|
2020-05-14 01:57:00 +03:00
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2017-05-02 09:37:17 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static void ppc_radix64_raise_segi(PowerPCCPU *cpu, MMUAccessType access_type,
|
|
|
|
vaddr eaddr)
|
2017-05-02 09:37:17 +03:00
|
|
|
{
|
|
|
|
CPUState *cs = CPU(cpu);
|
|
|
|
CPUPPCState *env = &cpu->env;
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
switch (access_type) {
|
|
|
|
case MMU_INST_FETCH:
|
|
|
|
/* Instruction Segment Interrupt */
|
2017-05-02 09:37:17 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_ISEG;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
case MMU_DATA_STORE:
|
|
|
|
case MMU_DATA_LOAD:
|
|
|
|
/* Data Segment Interrupt */
|
2017-05-02 09:37:17 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_DSEG;
|
|
|
|
env->spr[SPR_DAR] = eaddr;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2017-05-02 09:37:17 +03:00
|
|
|
}
|
|
|
|
env->error_code = 0;
|
|
|
|
}
|
|
|
|
|
2022-01-04 09:55:34 +03:00
|
|
|
static inline const char *access_str(MMUAccessType access_type)
|
|
|
|
{
|
|
|
|
return access_type == MMU_DATA_LOAD ? "reading" :
|
|
|
|
(access_type == MMU_DATA_STORE ? "writing" : "execute");
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static void ppc_radix64_raise_si(PowerPCCPU *cpu, MMUAccessType access_type,
|
|
|
|
vaddr eaddr, uint32_t cause)
|
2017-05-02 09:37:17 +03:00
|
|
|
{
|
|
|
|
CPUState *cs = CPU(cpu);
|
|
|
|
CPUPPCState *env = &cpu->env;
|
|
|
|
|
2022-01-04 09:55:34 +03:00
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx" cause %08x\n",
|
|
|
|
__func__, access_str(access_type),
|
|
|
|
eaddr, cause);
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
switch (access_type) {
|
|
|
|
case MMU_INST_FETCH:
|
|
|
|
/* Instruction Storage Interrupt */
|
2017-05-02 09:37:17 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_ISI;
|
|
|
|
env->error_code = cause;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
case MMU_DATA_STORE:
|
|
|
|
cause |= DSISR_ISSTORE;
|
|
|
|
/* fall through */
|
|
|
|
case MMU_DATA_LOAD:
|
|
|
|
/* Data Storage Interrupt */
|
2017-05-02 09:37:17 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_DSI;
|
|
|
|
env->spr[SPR_DSISR] = cause;
|
|
|
|
env->spr[SPR_DAR] = eaddr;
|
|
|
|
env->error_code = 0;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2017-05-02 09:37:17 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static void ppc_radix64_raise_hsi(PowerPCCPU *cpu, MMUAccessType access_type,
|
|
|
|
vaddr eaddr, hwaddr g_raddr, uint32_t cause)
|
2020-04-03 17:00:56 +03:00
|
|
|
{
|
|
|
|
CPUState *cs = CPU(cpu);
|
|
|
|
CPUPPCState *env = &cpu->env;
|
|
|
|
|
2023-06-20 16:10:43 +03:00
|
|
|
env->error_code = 0;
|
|
|
|
if (cause & DSISR_PRTABLE_FAULT) {
|
|
|
|
/* HDSI PRTABLE_FAULT gets the originating access type in error_code */
|
|
|
|
env->error_code = access_type;
|
|
|
|
access_type = MMU_DATA_LOAD;
|
|
|
|
}
|
|
|
|
|
2022-01-04 09:55:34 +03:00
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx" 0x%"
|
|
|
|
HWADDR_PRIx" cause %08x\n",
|
|
|
|
__func__, access_str(access_type),
|
|
|
|
eaddr, g_raddr, cause);
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
switch (access_type) {
|
|
|
|
case MMU_INST_FETCH:
|
|
|
|
/* H Instruction Storage Interrupt */
|
2020-04-03 17:00:56 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_HISI;
|
|
|
|
env->spr[SPR_ASDR] = g_raddr;
|
|
|
|
env->error_code = cause;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
case MMU_DATA_STORE:
|
|
|
|
cause |= DSISR_ISSTORE;
|
|
|
|
/* fall through */
|
|
|
|
case MMU_DATA_LOAD:
|
|
|
|
/* H Data Storage Interrupt */
|
2020-04-03 17:00:56 +03:00
|
|
|
cs->exception_index = POWERPC_EXCP_HDSI;
|
|
|
|
env->spr[SPR_HDSISR] = cause;
|
|
|
|
env->spr[SPR_HDAR] = eaddr;
|
|
|
|
env->spr[SPR_ASDR] = g_raddr;
|
2021-05-18 23:11:24 +03:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2020-04-03 17:00:56 +03:00
|
|
|
}
|
|
|
|
}
|
2017-05-02 09:37:17 +03:00
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static bool ppc_radix64_check_prot(PowerPCCPU *cpu, MMUAccessType access_type,
|
|
|
|
uint64_t pte, int *fault_cause, int *prot,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
int mmu_idx, bool partition_scoped)
|
2017-05-02 09:37:17 +03:00
|
|
|
{
|
|
|
|
CPUPPCState *env = &cpu->env;
|
2021-05-18 23:11:23 +03:00
|
|
|
int need_prot;
|
2017-05-02 09:37:17 +03:00
|
|
|
|
|
|
|
/* Check Page Attributes (pte58:59) */
|
2021-05-18 23:11:24 +03:00
|
|
|
if ((pte & R_PTE_ATT) == R_PTE_ATT_NI_IO && access_type == MMU_INST_FETCH) {
|
2017-05-02 09:37:17 +03:00
|
|
|
/*
|
|
|
|
* Radix PTE entries with the non-idempotent I/O attribute are treated
|
|
|
|
* as guarded storage
|
|
|
|
*/
|
|
|
|
*fault_cause |= SRR1_NOEXEC_GUARD;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Determine permissions allowed by Encoded Access Authority */
|
2022-05-05 00:05:22 +03:00
|
|
|
if (!partition_scoped && (pte & R_PTE_EAA_PRIV) &&
|
|
|
|
FIELD_EX64(env->msr, MSR, PR)) {
|
2017-05-02 09:37:17 +03:00
|
|
|
*prot = 0;
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
} else if (mmuidx_pr(mmu_idx) || (pte & R_PTE_EAA_PRIV) ||
|
|
|
|
partition_scoped) {
|
2017-05-02 09:37:17 +03:00
|
|
|
*prot = ppc_radix64_get_prot_eaa(pte);
|
2022-05-05 00:05:22 +03:00
|
|
|
} else { /* !MSR_PR && !(pte & R_PTE_EAA_PRIV) && !partition_scoped */
|
2017-05-02 09:37:17 +03:00
|
|
|
*prot = ppc_radix64_get_prot_eaa(pte);
|
|
|
|
*prot &= ppc_radix64_get_prot_amr(cpu); /* Least combined permissions */
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check if requested access type is allowed */
|
2021-05-18 23:11:24 +03:00
|
|
|
need_prot = prot_for_access_type(access_type);
|
2021-05-18 23:11:23 +03:00
|
|
|
if (need_prot & ~*prot) { /* Page Protected for that Access */
|
2022-03-14 17:57:17 +03:00
|
|
|
*fault_cause |= access_type == MMU_INST_FETCH ? SRR1_NOEXEC_GUARD :
|
|
|
|
DSISR_PROTFAULT;
|
2017-05-02 09:37:17 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static void ppc_radix64_set_rc(PowerPCCPU *cpu, MMUAccessType access_type,
|
|
|
|
uint64_t pte, hwaddr pte_addr, int *prot)
|
2017-05-02 09:37:17 +03:00
|
|
|
{
|
|
|
|
CPUState *cs = CPU(cpu);
|
|
|
|
uint64_t npte;
|
|
|
|
|
|
|
|
npte = pte | R_PTE_R; /* Always set reference bit */
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
if (access_type == MMU_DATA_STORE) { /* Store/Write */
|
2017-05-02 09:37:17 +03:00
|
|
|
npte |= R_PTE_C; /* Set change bit */
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Treat the page as read-only for now, so that a later write
|
|
|
|
* will pass through this function again to set the C bit.
|
|
|
|
*/
|
|
|
|
*prot &= ~PAGE_WRITE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pte ^ npte) { /* If pte has changed then write it back */
|
|
|
|
stq_phys(cs->as, pte_addr, npte);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-06-28 16:39:58 +03:00
|
|
|
static bool ppc_radix64_is_valid_level(int level, int psize, uint64_t nls)
|
|
|
|
{
|
2022-10-28 21:36:17 +03:00
|
|
|
bool ret;
|
|
|
|
|
2022-06-28 16:39:58 +03:00
|
|
|
/*
|
|
|
|
* Check if this is a valid level, according to POWER9 and POWER10
|
|
|
|
* Processor User's Manuals, sections 4.10.4.1 and 5.10.6.1, respectively:
|
|
|
|
* Supported Radix Tree Configurations and Resulting Page Sizes.
|
|
|
|
*
|
|
|
|
* Note: these checks are specific to POWER9 and POWER10 CPUs. Any future
|
|
|
|
* CPUs that supports a different Radix MMU configuration will need their
|
|
|
|
* own implementation.
|
|
|
|
*/
|
|
|
|
switch (level) {
|
|
|
|
case 0: /* Root Page Dir */
|
2022-10-28 21:36:17 +03:00
|
|
|
ret = psize == 52 && nls == 13;
|
|
|
|
break;
|
2022-06-28 16:39:58 +03:00
|
|
|
case 1:
|
|
|
|
case 2:
|
2022-10-28 21:36:17 +03:00
|
|
|
ret = nls == 9;
|
|
|
|
break;
|
2022-06-28 16:39:58 +03:00
|
|
|
case 3:
|
2022-10-28 21:36:17 +03:00
|
|
|
ret = nls == 9 || nls == 5;
|
|
|
|
break;
|
2022-06-28 16:39:58 +03:00
|
|
|
default:
|
2022-10-28 21:36:17 +03:00
|
|
|
ret = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlikely(!ret)) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "invalid radix configuration: "
|
|
|
|
"level %d size %d nls %"PRIu64"\n",
|
|
|
|
level, psize, nls);
|
2022-06-28 16:39:58 +03:00
|
|
|
}
|
2022-10-28 21:36:17 +03:00
|
|
|
return ret;
|
2022-06-28 16:39:58 +03:00
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
static int ppc_radix64_next_level(AddressSpace *as, vaddr eaddr,
|
|
|
|
uint64_t *pte_addr, uint64_t *nls,
|
|
|
|
int *psize, uint64_t *pte, int *fault_cause)
|
2017-05-02 09:37:17 +03:00
|
|
|
{
|
2022-06-28 16:39:59 +03:00
|
|
|
uint64_t index, mask, nlb, pde;
|
2017-05-02 09:37:17 +03:00
|
|
|
|
|
|
|
/* Read page <directory/table> entry from guest address space */
|
2020-04-03 17:00:55 +03:00
|
|
|
pde = ldq_phys(as, *pte_addr);
|
|
|
|
if (!(pde & R_PTE_VALID)) { /* Invalid Entry */
|
2017-05-02 09:37:17 +03:00
|
|
|
*fault_cause |= DSISR_NOPTE;
|
2020-04-03 17:00:55 +03:00
|
|
|
return 1;
|
2017-05-02 09:37:17 +03:00
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
*pte = pde;
|
|
|
|
*psize -= *nls;
|
|
|
|
if (!(pde & R_PTE_LEAF)) { /* Prepare for next iteration */
|
|
|
|
*nls = pde & R_PDE_NLS;
|
|
|
|
index = eaddr >> (*psize - *nls); /* Shift */
|
|
|
|
index &= ((1UL << *nls) - 1); /* Mask */
|
2022-06-28 16:39:59 +03:00
|
|
|
nlb = pde & R_PDE_NLB;
|
|
|
|
mask = MAKE_64BIT_MASK(0, *nls + 3);
|
|
|
|
|
|
|
|
if (nlb & mask) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
|
|
|
"%s: misaligned page dir/table base: 0x"TARGET_FMT_lx
|
|
|
|
" page dir size: 0x"TARGET_FMT_lx"\n",
|
|
|
|
__func__, nlb, mask + 1);
|
|
|
|
nlb &= ~mask;
|
|
|
|
}
|
|
|
|
*pte_addr = nlb + index * sizeof(pde);
|
2020-04-03 17:00:55 +03:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
2017-05-02 09:37:17 +03:00
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
static int ppc_radix64_walk_tree(AddressSpace *as, vaddr eaddr,
|
|
|
|
uint64_t base_addr, uint64_t nls,
|
|
|
|
hwaddr *raddr, int *psize, uint64_t *pte,
|
|
|
|
int *fault_cause, hwaddr *pte_addr)
|
|
|
|
{
|
2022-06-28 16:39:58 +03:00
|
|
|
uint64_t index, pde, rpn, mask;
|
|
|
|
int level = 0;
|
2017-05-02 09:37:17 +03:00
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
index = eaddr >> (*psize - nls); /* Shift */
|
2022-06-28 16:39:59 +03:00
|
|
|
index &= ((1UL << nls) - 1); /* Mask */
|
|
|
|
mask = MAKE_64BIT_MASK(0, nls + 3);
|
|
|
|
|
|
|
|
if (base_addr & mask) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
|
|
|
"%s: misaligned page dir base: 0x"TARGET_FMT_lx
|
|
|
|
" page dir size: 0x"TARGET_FMT_lx"\n",
|
|
|
|
__func__, base_addr, mask + 1);
|
|
|
|
base_addr &= ~mask;
|
|
|
|
}
|
|
|
|
*pte_addr = base_addr + index * sizeof(pde);
|
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
do {
|
|
|
|
int ret;
|
|
|
|
|
2022-06-28 16:39:58 +03:00
|
|
|
if (!ppc_radix64_is_valid_level(level++, *psize, nls)) {
|
|
|
|
*fault_cause |= DSISR_R_BADCONFIG;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:55 +03:00
|
|
|
ret = ppc_radix64_next_level(as, eaddr, pte_addr, &nls, psize, &pde,
|
|
|
|
fault_cause);
|
|
|
|
if (ret) {
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
} while (!(pde & R_PTE_LEAF));
|
|
|
|
|
|
|
|
*pte = pde;
|
|
|
|
rpn = pde & R_PTE_RPN;
|
|
|
|
mask = (1UL << *psize) - 1;
|
|
|
|
|
|
|
|
/* Or high bits of rpn and low bits to ea to form whole real addr */
|
|
|
|
*raddr = (rpn & ~mask) | (eaddr & mask);
|
|
|
|
return 0;
|
2017-05-02 09:37:17 +03:00
|
|
|
}
|
|
|
|
|
2019-02-15 20:00:29 +03:00
|
|
|
static bool validate_pate(PowerPCCPU *cpu, uint64_t lpid, ppc_v3_pate_t *pate)
|
|
|
|
{
|
|
|
|
CPUPPCState *env = &cpu->env;
|
|
|
|
|
|
|
|
if (!(pate->dw0 & PATE0_HR)) {
|
|
|
|
return false;
|
|
|
|
}
|
2022-05-05 00:05:38 +03:00
|
|
|
if (lpid == 0 && !FIELD_EX64(env->msr, MSR, HV)) {
|
2019-02-15 20:00:29 +03:00
|
|
|
return false;
|
|
|
|
}
|
2020-03-30 12:49:40 +03:00
|
|
|
if ((pate->dw0 & PATE1_R_PRTS) < 5) {
|
|
|
|
return false;
|
|
|
|
}
|
2019-02-15 20:00:29 +03:00
|
|
|
/* More checks ... */
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static int ppc_radix64_partition_scoped_xlate(PowerPCCPU *cpu,
|
2023-06-20 16:10:43 +03:00
|
|
|
MMUAccessType orig_access_type,
|
2020-04-03 17:00:56 +03:00
|
|
|
vaddr eaddr, hwaddr g_raddr,
|
|
|
|
ppc_v3_pate_t pate,
|
|
|
|
hwaddr *h_raddr, int *h_prot,
|
|
|
|
int *h_page_size, bool pde_addr,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
int mmu_idx, bool guest_visible)
|
2020-04-03 17:00:56 +03:00
|
|
|
{
|
2023-06-20 16:10:43 +03:00
|
|
|
MMUAccessType access_type = orig_access_type;
|
2020-04-03 17:00:56 +03:00
|
|
|
int fault_cause = 0;
|
|
|
|
hwaddr pte_addr;
|
|
|
|
uint64_t pte;
|
|
|
|
|
2023-06-20 16:10:42 +03:00
|
|
|
if (pde_addr) {
|
|
|
|
/*
|
|
|
|
* Translation of process-scoped tables/directories is performed as
|
|
|
|
* a read-access.
|
|
|
|
*/
|
|
|
|
access_type = MMU_DATA_LOAD;
|
|
|
|
}
|
|
|
|
|
2022-01-04 09:55:34 +03:00
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx
|
2022-02-09 11:08:55 +03:00
|
|
|
" mmu_idx %u 0x%"HWADDR_PRIx"\n",
|
2022-01-04 09:55:34 +03:00
|
|
|
__func__, access_str(access_type),
|
2022-02-09 11:08:55 +03:00
|
|
|
eaddr, mmu_idx, g_raddr);
|
2022-01-04 09:55:34 +03:00
|
|
|
|
2020-04-03 17:00:56 +03:00
|
|
|
*h_page_size = PRTBE_R_GET_RTS(pate.dw0);
|
|
|
|
/* No valid pte or access denied due to protection */
|
|
|
|
if (ppc_radix64_walk_tree(CPU(cpu)->as, g_raddr, pate.dw0 & PRTBE_R_RPDB,
|
|
|
|
pate.dw0 & PRTBE_R_RPDS, h_raddr, h_page_size,
|
|
|
|
&pte, &fault_cause, &pte_addr) ||
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
ppc_radix64_check_prot(cpu, access_type, pte,
|
|
|
|
&fault_cause, h_prot, mmu_idx, true)) {
|
2020-05-14 01:57:07 +03:00
|
|
|
if (pde_addr) { /* address being translated was that of a guest pde */
|
2020-04-03 17:00:56 +03:00
|
|
|
fault_cause |= DSISR_PRTABLE_FAULT;
|
2020-05-14 01:57:07 +03:00
|
|
|
}
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2023-06-20 16:10:43 +03:00
|
|
|
ppc_radix64_raise_hsi(cpu, orig_access_type,
|
|
|
|
eaddr, g_raddr, fault_cause);
|
2020-04-03 17:00:56 +03:00
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_set_rc(cpu, access_type, pte, pte_addr, h_prot);
|
2020-05-14 01:57:19 +03:00
|
|
|
}
|
2020-04-03 17:00:56 +03:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2022-02-18 10:34:14 +03:00
|
|
|
/*
|
2022-02-18 10:34:14 +03:00
|
|
|
* The spapr vhc has a flat partition scope provided by qemu memory when
|
|
|
|
* not nested.
|
|
|
|
*
|
|
|
|
* When running a nested guest, the addressing is 2-level radix on top of the
|
|
|
|
* vhc memory, so it works practically identically to the bare metal 2-level
|
|
|
|
* radix. So that code is selected directly. A cleaner and more flexible nested
|
|
|
|
* hypervisor implementation would allow the vhc to provide a ->nested_xlate()
|
|
|
|
* function but that is not required for the moment.
|
2022-02-18 10:34:14 +03:00
|
|
|
*/
|
|
|
|
static bool vhyp_flat_addressing(PowerPCCPU *cpu)
|
|
|
|
{
|
|
|
|
if (cpu->vhyp) {
|
2022-02-18 10:34:14 +03:00
|
|
|
return !vhyp_cpu_in_nested(cpu);
|
2022-02-18 10:34:14 +03:00
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
static int ppc_radix64_process_scoped_xlate(PowerPCCPU *cpu,
|
|
|
|
MMUAccessType access_type,
|
2020-04-03 17:00:53 +03:00
|
|
|
vaddr eaddr, uint64_t pid,
|
|
|
|
ppc_v3_pate_t pate, hwaddr *g_raddr,
|
|
|
|
int *g_prot, int *g_page_size,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
int mmu_idx, bool guest_visible)
|
2020-04-03 17:00:53 +03:00
|
|
|
{
|
|
|
|
CPUState *cs = CPU(cpu);
|
2020-04-03 17:00:56 +03:00
|
|
|
CPUPPCState *env = &cpu->env;
|
2022-06-28 16:39:57 +03:00
|
|
|
uint64_t offset, size, prtb, prtbe_addr, prtbe0, base_addr, nls, index, pte;
|
2020-04-03 17:00:56 +03:00
|
|
|
int fault_cause = 0, h_page_size, h_prot;
|
|
|
|
hwaddr h_raddr, pte_addr;
|
2020-04-03 17:00:55 +03:00
|
|
|
int ret;
|
2020-04-03 17:00:53 +03:00
|
|
|
|
2022-01-04 09:55:34 +03:00
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx
|
|
|
|
" mmu_idx %u pid %"PRIu64"\n",
|
|
|
|
__func__, access_str(access_type),
|
|
|
|
eaddr, mmu_idx, pid);
|
|
|
|
|
2022-06-28 16:39:57 +03:00
|
|
|
prtb = (pate.dw1 & PATE1_R_PRTB);
|
|
|
|
size = 1ULL << ((pate.dw1 & PATE1_R_PRTS) + 12);
|
|
|
|
if (prtb & (size - 1)) {
|
|
|
|
/* Process Table not properly aligned */
|
|
|
|
if (guest_visible) {
|
|
|
|
ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_R_BADCONFIG);
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:53 +03:00
|
|
|
/* Index Process Table by PID to Find Corresponding Process Table Entry */
|
|
|
|
offset = pid * sizeof(struct prtb_entry);
|
|
|
|
if (offset >= size) {
|
|
|
|
/* offset exceeds size of the process table */
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_NOPTE);
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
2022-06-28 16:39:57 +03:00
|
|
|
prtbe_addr = prtb + offset;
|
2020-04-03 17:00:56 +03:00
|
|
|
|
2022-02-18 10:34:14 +03:00
|
|
|
if (vhyp_flat_addressing(cpu)) {
|
2020-04-03 17:00:56 +03:00
|
|
|
prtbe0 = ldq_phys(cs->as, prtbe_addr);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Process table addresses are subject to partition-scoped
|
|
|
|
* translation
|
|
|
|
*
|
|
|
|
* On a Radix host, the partition-scoped page table for LPID=0
|
|
|
|
* is only used to translate the effective addresses of the
|
|
|
|
* process table entries.
|
|
|
|
*/
|
2023-06-20 16:10:42 +03:00
|
|
|
/* mmu_idx is 5 because we're translating from hypervisor scope */
|
|
|
|
ret = ppc_radix64_partition_scoped_xlate(cpu, access_type, eaddr,
|
|
|
|
prtbe_addr, pate, &h_raddr,
|
|
|
|
&h_prot, &h_page_size, true,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
5, guest_visible);
|
2020-04-03 17:00:56 +03:00
|
|
|
if (ret) {
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
prtbe0 = ldq_phys(cs->as, h_raddr);
|
|
|
|
}
|
2020-04-03 17:00:53 +03:00
|
|
|
|
|
|
|
/* Walk Radix Tree from Process Table Entry to Convert EA to RA */
|
|
|
|
*g_page_size = PRTBE_R_GET_RTS(prtbe0);
|
2020-04-03 17:00:56 +03:00
|
|
|
base_addr = prtbe0 & PRTBE_R_RPDB;
|
|
|
|
nls = prtbe0 & PRTBE_R_RPDS;
|
2022-05-05 00:05:38 +03:00
|
|
|
if (FIELD_EX64(env->msr, MSR, HV) || vhyp_flat_addressing(cpu)) {
|
2020-04-03 17:00:56 +03:00
|
|
|
/*
|
|
|
|
* Can treat process table addresses as real addresses
|
|
|
|
*/
|
|
|
|
ret = ppc_radix64_walk_tree(cs->as, eaddr & R_EADDR_MASK, base_addr,
|
|
|
|
nls, g_raddr, g_page_size, &pte,
|
|
|
|
&fault_cause, &pte_addr);
|
|
|
|
if (ret) {
|
|
|
|
/* No valid PTE */
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause);
|
2020-04-03 17:00:56 +03:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
uint64_t rpn, mask;
|
2022-06-28 16:39:58 +03:00
|
|
|
int level = 0;
|
2020-04-03 17:00:56 +03:00
|
|
|
|
|
|
|
index = (eaddr & R_EADDR_MASK) >> (*g_page_size - nls); /* Shift */
|
|
|
|
index &= ((1UL << nls) - 1); /* Mask */
|
|
|
|
pte_addr = base_addr + (index * sizeof(pte));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Each process table address is subject to a partition-scoped
|
|
|
|
* translation
|
|
|
|
*/
|
|
|
|
do {
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
/* mmu_idx is 5 because we're translating from hypervisor scope */
|
2023-06-20 16:10:42 +03:00
|
|
|
ret = ppc_radix64_partition_scoped_xlate(cpu, access_type, eaddr,
|
|
|
|
pte_addr, pate, &h_raddr,
|
|
|
|
&h_prot, &h_page_size,
|
|
|
|
true, 5, guest_visible);
|
2020-04-03 17:00:56 +03:00
|
|
|
if (ret) {
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2022-06-28 16:39:58 +03:00
|
|
|
if (!ppc_radix64_is_valid_level(level++, *g_page_size, nls)) {
|
|
|
|
fault_cause |= DSISR_R_BADCONFIG;
|
2022-10-28 21:36:17 +03:00
|
|
|
ret = 1;
|
|
|
|
} else {
|
|
|
|
ret = ppc_radix64_next_level(cs->as, eaddr & R_EADDR_MASK,
|
|
|
|
&h_raddr, &nls, g_page_size,
|
|
|
|
&pte, &fault_cause);
|
2022-06-28 16:39:58 +03:00
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:56 +03:00
|
|
|
if (ret) {
|
|
|
|
/* No valid pte */
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause);
|
2020-04-03 17:00:56 +03:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
pte_addr = h_raddr;
|
|
|
|
} while (!(pte & R_PTE_LEAF));
|
|
|
|
|
|
|
|
rpn = pte & R_PTE_RPN;
|
|
|
|
mask = (1UL << *g_page_size) - 1;
|
|
|
|
|
|
|
|
/* Or high bits of rpn and low bits to ea to form whole real addr */
|
|
|
|
*g_raddr = (rpn & ~mask) | (eaddr & mask);
|
|
|
|
}
|
|
|
|
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
if (ppc_radix64_check_prot(cpu, access_type, pte, &fault_cause,
|
|
|
|
g_prot, mmu_idx, false)) {
|
2020-04-03 17:00:56 +03:00
|
|
|
/* Access denied due to protection */
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_raise_si(cpu, access_type, eaddr, fault_cause);
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_set_rc(cpu, access_type, pte, pte_addr, g_prot);
|
2020-05-14 01:57:19 +03:00
|
|
|
}
|
2020-04-03 17:00:53 +03:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-04-03 17:00:56 +03:00
|
|
|
/*
|
|
|
|
* Radix tree translation is a 2 steps translation process:
|
|
|
|
*
|
|
|
|
* 1. Process-scoped translation: Guest Eff Addr -> Guest Real Addr
|
|
|
|
* 2. Partition-scoped translation: Guest Real Addr -> Host Real Addr
|
|
|
|
*
|
|
|
|
* MSR[HV]
|
|
|
|
* +-------------+----------------+---------------+
|
|
|
|
* | | HV = 0 | HV = 1 |
|
|
|
|
* +-------------+----------------+---------------+
|
|
|
|
* | Relocation | Partition | No |
|
|
|
|
* | = Off | Scoped | Translation |
|
|
|
|
* Relocation +-------------+----------------+---------------+
|
|
|
|
* | Relocation | Partition & | Process |
|
|
|
|
* | = On | Process Scoped | Scoped |
|
|
|
|
* +-------------+----------------+---------------+
|
|
|
|
*/
|
2022-01-04 09:55:34 +03:00
|
|
|
static bool ppc_radix64_xlate_impl(PowerPCCPU *cpu, vaddr eaddr,
|
|
|
|
MMUAccessType access_type, hwaddr *raddr,
|
|
|
|
int *psizep, int *protp, int mmu_idx,
|
|
|
|
bool guest_visible)
|
2020-04-03 17:00:53 +03:00
|
|
|
{
|
2020-04-03 17:00:56 +03:00
|
|
|
CPUPPCState *env = &cpu->env;
|
2020-05-14 01:57:00 +03:00
|
|
|
uint64_t lpid, pid;
|
2020-04-03 17:00:53 +03:00
|
|
|
ppc_v3_pate_t pate;
|
|
|
|
int psize, prot;
|
|
|
|
hwaddr g_raddr;
|
2021-06-21 15:51:08 +03:00
|
|
|
bool relocation;
|
|
|
|
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
assert(!(mmuidx_hv(mmu_idx) && cpu->vhyp));
|
2021-06-21 15:51:08 +03:00
|
|
|
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
relocation = !mmuidx_real(mmu_idx);
|
2021-06-21 15:51:08 +03:00
|
|
|
|
|
|
|
/* HV or virtual hypervisor Real Mode Access */
|
2022-02-18 10:34:14 +03:00
|
|
|
if (!relocation && (mmuidx_hv(mmu_idx) || vhyp_flat_addressing(cpu))) {
|
2021-06-21 15:51:08 +03:00
|
|
|
/* In real mode top 4 effective addr bits (mostly) ignored */
|
|
|
|
*raddr = eaddr & 0x0FFFFFFFFFFFFFFFULL;
|
|
|
|
|
|
|
|
/* In HV mode, add HRMOR if top EA bit is clear */
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
if (mmuidx_hv(mmu_idx) || !env->has_hv_mode) {
|
2021-06-21 15:51:08 +03:00
|
|
|
if (!(eaddr >> 63)) {
|
|
|
|
*raddr |= env->spr[SPR_HRMOR];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
|
|
|
|
*psizep = TARGET_PAGE_BITS;
|
2021-06-21 15:51:09 +03:00
|
|
|
return true;
|
2021-06-21 15:51:08 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check UPRT (we avoid the check in real mode to deal with
|
|
|
|
* transitional states during kexec.
|
|
|
|
*/
|
|
|
|
if (guest_visible && !ppc64_use_proc_tbl(cpu)) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
|
|
|
"LPCR:UPRT not set in radix mode ! LPCR="
|
|
|
|
TARGET_FMT_lx "\n", env->spr[SPR_LPCR]);
|
|
|
|
}
|
2020-04-03 17:00:53 +03:00
|
|
|
|
|
|
|
/* Virtual Mode Access - get the fully qualified address */
|
|
|
|
if (!ppc_radix64_get_fully_qualified_addr(&cpu->env, eaddr, &lpid, &pid)) {
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2021-05-18 23:11:24 +03:00
|
|
|
ppc_radix64_raise_segi(cpu, access_type, eaddr);
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
2021-06-21 15:51:09 +03:00
|
|
|
return false;
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
|
2022-06-28 16:39:57 +03:00
|
|
|
/* Get Partition Table */
|
2020-04-03 17:00:53 +03:00
|
|
|
if (cpu->vhyp) {
|
|
|
|
PPCVirtualHypervisorClass *vhc;
|
|
|
|
vhc = PPC_VIRTUAL_HYPERVISOR_GET_CLASS(cpu->vhyp);
|
2022-02-18 10:34:14 +03:00
|
|
|
if (!vhc->get_pate(cpu->vhyp, cpu, lpid, &pate)) {
|
|
|
|
if (guest_visible) {
|
|
|
|
ppc_radix64_raise_hsi(cpu, access_type, eaddr, eaddr,
|
|
|
|
DSISR_R_BADCONFIG);
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2020-04-03 17:00:53 +03:00
|
|
|
} else {
|
|
|
|
if (!ppc64_v3_get_pate(cpu, lpid, &pate)) {
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2022-02-18 10:34:14 +03:00
|
|
|
ppc_radix64_raise_hsi(cpu, access_type, eaddr, eaddr,
|
|
|
|
DSISR_R_BADCONFIG);
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
2021-06-21 15:51:09 +03:00
|
|
|
return false;
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
if (!validate_pate(cpu, lpid, &pate)) {
|
2020-05-14 01:57:19 +03:00
|
|
|
if (guest_visible) {
|
2022-02-18 10:34:14 +03:00
|
|
|
ppc_radix64_raise_hsi(cpu, access_type, eaddr, eaddr,
|
|
|
|
DSISR_R_BADCONFIG);
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
2021-06-21 15:51:09 +03:00
|
|
|
return false;
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
*psizep = INT_MAX;
|
|
|
|
*protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Perform process-scoped translation if relocation enabled.
|
|
|
|
*
|
|
|
|
* - Translates an effective address to a host real address in
|
|
|
|
* quadrants 0 and 3 when HV=1.
|
2020-04-03 17:00:56 +03:00
|
|
|
*
|
|
|
|
* - Translates an effective address to a guest real address.
|
2020-04-03 17:00:53 +03:00
|
|
|
*/
|
|
|
|
if (relocation) {
|
2021-05-18 23:11:24 +03:00
|
|
|
int ret = ppc_radix64_process_scoped_xlate(cpu, access_type, eaddr, pid,
|
2020-04-03 17:00:53 +03:00
|
|
|
pate, &g_raddr, &prot,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
&psize, mmu_idx, guest_visible);
|
2020-04-03 17:00:53 +03:00
|
|
|
if (ret) {
|
2021-06-21 15:51:09 +03:00
|
|
|
return false;
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
|
|
|
*psizep = MIN(*psizep, psize);
|
|
|
|
*protp &= prot;
|
|
|
|
} else {
|
|
|
|
g_raddr = eaddr & R_EADDR_MASK;
|
|
|
|
}
|
|
|
|
|
2022-02-18 10:34:14 +03:00
|
|
|
if (vhyp_flat_addressing(cpu)) {
|
2020-04-03 17:00:56 +03:00
|
|
|
*raddr = g_raddr;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Perform partition-scoped translation if !HV or HV access to
|
|
|
|
* quadrants 1 or 2. Translates a guest real address to a host
|
|
|
|
* real address.
|
|
|
|
*/
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
if (lpid || !mmuidx_hv(mmu_idx)) {
|
2020-04-03 17:00:56 +03:00
|
|
|
int ret;
|
|
|
|
|
2021-05-18 23:11:24 +03:00
|
|
|
ret = ppc_radix64_partition_scoped_xlate(cpu, access_type, eaddr,
|
|
|
|
g_raddr, pate, raddr,
|
|
|
|
&prot, &psize, false,
|
target/ppc: fix address translation bug for radix mmus
This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html
To sumarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.
This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.
The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.
As part of this cleanup, we now need to send the correct mmmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20210628133610.1143-2-bruno.larsen@eldorado.org.br>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-06-28 16:36:08 +03:00
|
|
|
mmu_idx, guest_visible);
|
2020-04-03 17:00:56 +03:00
|
|
|
if (ret) {
|
2021-06-21 15:51:09 +03:00
|
|
|
return false;
|
2020-04-03 17:00:56 +03:00
|
|
|
}
|
|
|
|
*psizep = MIN(*psizep, psize);
|
|
|
|
*protp &= prot;
|
|
|
|
} else {
|
|
|
|
*raddr = g_raddr;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-21 15:51:09 +03:00
|
|
|
return true;
|
2020-04-03 17:00:53 +03:00
|
|
|
}
|
2022-01-04 09:55:34 +03:00
|
|
|
|
|
|
|
bool ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
|
|
|
|
hwaddr *raddrp, int *psizep, int *protp, int mmu_idx,
|
|
|
|
bool guest_visible)
|
|
|
|
{
|
|
|
|
bool ret = ppc_radix64_xlate_impl(cpu, eaddr, access_type, raddrp,
|
|
|
|
psizep, protp, mmu_idx, guest_visible);
|
|
|
|
|
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s for %s @0x%"VADDR_PRIx
|
|
|
|
" mmu_idx %u (prot %c%c%c) -> 0x%"HWADDR_PRIx"\n",
|
|
|
|
__func__, access_str(access_type),
|
|
|
|
eaddr, mmu_idx,
|
|
|
|
*protp & PAGE_READ ? 'r' : '-',
|
|
|
|
*protp & PAGE_WRITE ? 'w' : '-',
|
|
|
|
*protp & PAGE_EXEC ? 'x' : '-',
|
|
|
|
*raddrp);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|