xref: /linux/arch/powerpc/mm/nohash/tlb_low_64e.S (revision 46e6acfe3501fa938af9c5bd730f0020235b08a2) 
1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/*
3 *  Low level TLB miss handlers for Book3E
4 *
5 *  Copyright (C) 2008-2009
6 *      Ben. Herrenschmidt (benh@kernel.crashing.org), IBM Corp.
7 */
8
9#include <linux/pgtable.h>
10#include <asm/processor.h>
11#include <asm/reg.h>
12#include <asm/page.h>
13#include <asm/mmu.h>
14#include <asm/ppc_asm.h>
15#include <asm/asm-offsets.h>
16#include <asm/cputable.h>
17#include <asm/exception-64e.h>
18#include <asm/ppc-opcode.h>
19#include <asm/kvm_asm.h>
20#include <asm/kvm_booke_hv_asm.h>
21#include <asm/feature-fixups.h>
22
23#define VPTE_PMD_SHIFT	(PTE_INDEX_SIZE)
24#define VPTE_PUD_SHIFT	(VPTE_PMD_SHIFT + PMD_INDEX_SIZE)
25#define VPTE_PGD_SHIFT	(VPTE_PUD_SHIFT + PUD_INDEX_SIZE)
26#define VPTE_INDEX_SIZE (VPTE_PGD_SHIFT + PGD_INDEX_SIZE)
27
28/**********************************************************************
29 *                                                                    *
30 * TLB miss handling for Book3E with a bolted linear mapping          *
31 * No virtual page table, no nested TLB misses                        *
32 *                                                                    *
33 **********************************************************************/
34
35/*
36 * Note that, unlike non-bolted handlers, TLB_EXFRAME is not
37 * modified by the TLB miss handlers themselves, since the TLB miss
38 * handler code will not itself cause a recursive TLB miss.
39 *
40 * TLB_EXFRAME will be modified when crit/mc/debug exceptions are
41 * entered/exited.
42 */
43.macro tlb_prolog_bolted intnum addr
44	mtspr	SPRN_SPRG_GEN_SCRATCH,r12
45	mfspr	r12,SPRN_SPRG_TLB_EXFRAME
46	std	r13,EX_TLB_R13(r12)
47	std	r10,EX_TLB_R10(r12)
48	mfspr	r13,SPRN_SPRG_PACA
49
50	mfcr	r10
51	std	r11,EX_TLB_R11(r12)
52#ifdef CONFIG_KVM_BOOKE_HV
53BEGIN_FTR_SECTION
54	mfspr	r11, SPRN_SRR1
55END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
56#endif
57	DO_KVM	\intnum, SPRN_SRR1
58	std	r16,EX_TLB_R16(r12)
59	mfspr	r16,\addr		/* get faulting address */
60	std	r14,EX_TLB_R14(r12)
61	ld	r14,PACAPGD(r13)
62	std	r15,EX_TLB_R15(r12)
63	std	r10,EX_TLB_CR(r12)
64START_BTB_FLUSH_SECTION
65	mfspr r11, SPRN_SRR1
66	andi. r10,r11,MSR_PR
67	beq 1f
68	BTB_FLUSH(r10)
691:
70END_BTB_FLUSH_SECTION
71	std	r7,EX_TLB_R7(r12)
72.endm
73
74.macro tlb_epilog_bolted
75	ld	r14,EX_TLB_CR(r12)
76	ld	r7,EX_TLB_R7(r12)
77	ld	r10,EX_TLB_R10(r12)
78	ld	r11,EX_TLB_R11(r12)
79	ld	r13,EX_TLB_R13(r12)
80	mtcr	r14
81	ld	r14,EX_TLB_R14(r12)
82	ld	r15,EX_TLB_R15(r12)
83	ld	r16,EX_TLB_R16(r12)
84	mfspr	r12,SPRN_SPRG_GEN_SCRATCH
85.endm
86
87/* Data TLB miss */
88	START_EXCEPTION(data_tlb_miss_bolted)
89	tlb_prolog_bolted BOOKE_INTERRUPT_DTLB_MISS SPRN_DEAR
90
91	/* We need _PAGE_PRESENT and  _PAGE_ACCESSED set */
92
93	/* We do the user/kernel test for the PID here along with the RW test
94	 */
95	/* We pre-test some combination of permissions to avoid double
96	 * faults:
97	 *
98	 * We move the ESR:ST bit into the position of _PAGE_BAP_SW in the PTE
99	 * ESR_ST   is 0x00800000
100	 * _PAGE_BAP_SW is 0x00000010
101	 * So the shift is >> 19. This tests for supervisor writeability.
102	 * If the page happens to be supervisor writeable and not user
103	 * writeable, we will take a new fault later, but that should be
104	 * a rare enough case.
105	 *
106	 * We also move ESR_ST in _PAGE_DIRTY position
107	 * _PAGE_DIRTY is 0x00001000 so the shift is >> 11
108	 *
109	 * MAS1 is preset for all we need except for TID that needs to
110	 * be cleared for kernel translations
111	 */
112
113	mfspr	r11,SPRN_ESR
114
115	srdi	r15,r16,60		/* get region */
116	rldicl.	r10,r16,64-PGTABLE_EADDR_SIZE,PGTABLE_EADDR_SIZE+4
117	bne-	dtlb_miss_fault_bolted	/* Bail if fault addr is invalid */
118
119	rlwinm	r10,r11,32-19,27,27
120	rlwimi	r10,r11,32-16,19,19
121	cmpwi	r15,0			/* user vs kernel check */
122	ori	r10,r10,_PAGE_PRESENT
123	oris	r11,r10,_PAGE_ACCESSED@h
124
125	bne	tlb_miss_kernel_bolted
126
127tlb_miss_user_bolted:
128#ifdef CONFIG_PPC_KUAP
129	mfspr	r10,SPRN_MAS1
130	rlwinm.	r10,r10,0,0x3fff0000
131	beq-	tlb_miss_fault_bolted /* KUAP fault */
132#endif
133
134tlb_miss_common_bolted:
135/*
136 * This is the guts of the TLB miss handler for bolted-linear.
137 * We are entered with:
138 *
139 * r16 = faulting address
140 * r15 = crap (free to use)
141 * r14 = page table base
142 * r13 = PACA
143 * r11 = PTE permission mask
144 * r10 = crap (free to use)
145 */
146	rldicl	r15,r16,64-PGDIR_SHIFT+3,64-PGD_INDEX_SIZE-3
147	cmpldi	cr0,r14,0
148	clrrdi	r15,r15,3
149	beq	tlb_miss_fault_bolted	/* No PGDIR, bail */
150
151	ldx	r14,r14,r15		/* grab pgd entry */
152
153	rldicl	r15,r16,64-PUD_SHIFT+3,64-PUD_INDEX_SIZE-3
154	clrrdi	r15,r15,3
155	cmpdi	cr0,r14,0
156	bge	tlb_miss_fault_bolted	/* Bad pgd entry or hugepage; bail */
157	ldx	r14,r14,r15		/* grab pud entry */
158
159	rldicl	r15,r16,64-PMD_SHIFT+3,64-PMD_INDEX_SIZE-3
160	clrrdi	r15,r15,3
161	cmpdi	cr0,r14,0
162	bge	tlb_miss_fault_bolted
163	ldx	r14,r14,r15		/* Grab pmd entry */
164
165	rldicl	r15,r16,64-PAGE_SHIFT+3,64-PTE_INDEX_SIZE-3
166	clrrdi	r15,r15,3
167	cmpdi	cr0,r14,0
168	bge	tlb_miss_fault_bolted
169	ldx	r14,r14,r15		/* Grab PTE, normal (!huge) page */
170
171	/* Check if required permissions are met */
172	andc.	r15,r11,r14
173	rldicr	r15,r14,64-(PTE_RPN_SHIFT-PAGE_SHIFT),63-PAGE_SHIFT
174	bne-	tlb_miss_fault_bolted
175
176	/* Now we build the MAS:
177	 *
178	 * MAS 0   :	Fully setup with defaults in MAS4 and TLBnCFG
179	 * MAS 1   :	Almost fully setup
180	 *               - PID already updated by caller if necessary
181	 *               - TSIZE need change if !base page size, not
182	 *                 yet implemented for now
183	 * MAS 2   :	Defaults not useful, need to be redone
184	 * MAS 3+7 :	Needs to be done
185	 */
186	clrrdi	r11,r16,12		/* Clear low crap in EA */
187	clrldi	r15,r15,12		/* Clear crap at the top */
188	rlwimi	r11,r14,32-19,27,31	/* Insert WIMGE */
189	rlwimi	r15,r14,32-8,22,25	/* Move in U bits */
190	mtspr	SPRN_MAS2,r11
191	andi.	r11,r14,_PAGE_DIRTY
192	rlwimi	r15,r14,32-2,26,31	/* Move in BAP bits */
193
194	/* Mask out SW and UW if !DIRTY (XXX optimize this !) */
195	bne	1f
196	li	r11,MAS3_SW|MAS3_UW
197	andc	r15,r15,r11
1981:
199	mtspr	SPRN_MAS7_MAS3,r15
200	tlbwe
201
202tlb_miss_done_bolted:
203	tlb_epilog_bolted
204	rfi
205
206itlb_miss_kernel_bolted:
207	li	r11,_PAGE_PRESENT|_PAGE_BAP_SX	/* Base perm */
208	oris	r11,r11,_PAGE_ACCESSED@h
209tlb_miss_kernel_bolted:
210	mfspr	r10,SPRN_MAS1
211	ld	r14,PACA_KERNELPGD(r13)
212	srdi	r15,r16,44		/* get kernel region */
213	andi.	r15,r15,1		/* Check for vmalloc region */
214	rlwinm	r10,r10,0,16,1		/* Clear TID */
215	mtspr	SPRN_MAS1,r10
216	bne+	tlb_miss_common_bolted
217
218tlb_miss_fault_bolted:
219	/* We need to check if it was an instruction miss */
220	andi.	r10,r11,_PAGE_BAP_UX|_PAGE_BAP_SX
221	bne	itlb_miss_fault_bolted
222dtlb_miss_fault_bolted:
223	tlb_epilog_bolted
224	b	exc_data_storage_book3e
225itlb_miss_fault_bolted:
226	tlb_epilog_bolted
227	b	exc_instruction_storage_book3e
228
229/* Instruction TLB miss */
230	START_EXCEPTION(instruction_tlb_miss_bolted)
231	tlb_prolog_bolted BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR0
232
233	rldicl.	r10,r16,64-PGTABLE_EADDR_SIZE,PGTABLE_EADDR_SIZE+4
234	srdi	r15,r16,60		/* get region */
235	bne-	itlb_miss_fault_bolted
236
237	li	r11,_PAGE_PRESENT|_PAGE_BAP_UX	/* Base perm */
238
239	/* We do the user/kernel test for the PID here along with the RW test
240	 */
241
242	cmpldi	cr0,r15,0			/* Check for user region */
243	oris	r11,r11,_PAGE_ACCESSED@h
244	beq	tlb_miss_user_bolted
245	b	itlb_miss_kernel_bolted
246
247/*
248 * TLB miss handling for e6500 and derivatives, using hardware tablewalk.
249 *
250 * Linear mapping is bolted: no virtual page table or nested TLB misses
251 * Indirect entries in TLB1, hardware loads resulting direct entries
252 *    into TLB0
253 * No HES or NV hint on TLB1, so we need to do software round-robin
254 * No tlbsrx. so we need a spinlock, and we have to deal
255 *    with MAS-damage caused by tlbsx
256 * 4K pages only
257 */
258
259	START_EXCEPTION(instruction_tlb_miss_e6500)
260	tlb_prolog_bolted BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR0
261
262	ld	r11,PACA_TCD_PTR(r13)
263	srdi.	r15,r16,60		/* get region */
264	ori	r16,r16,1
265
266	bne	tlb_miss_kernel_e6500	/* user/kernel test */
267
268	b	tlb_miss_common_e6500
269
270	START_EXCEPTION(data_tlb_miss_e6500)
271	tlb_prolog_bolted BOOKE_INTERRUPT_DTLB_MISS SPRN_DEAR
272
273	ld	r11,PACA_TCD_PTR(r13)
274	srdi.	r15,r16,60		/* get region */
275	rldicr	r16,r16,0,62
276
277	bne	tlb_miss_kernel_e6500	/* user vs kernel check */
278
279/*
280 * This is the guts of the TLB miss handler for e6500 and derivatives.
281 * We are entered with:
282 *
283 * r16 = page of faulting address (low bit 0 if data, 1 if instruction)
284 * r15 = crap (free to use)
285 * r14 = page table base
286 * r13 = PACA
287 * r11 = tlb_per_core ptr
288 * r10 = crap (free to use)
289 * r7  = esel_next
290 */
291tlb_miss_common_e6500:
292	crmove	cr2*4+2,cr0*4+2		/* cr2.eq != 0 if kernel address */
293
294BEGIN_FTR_SECTION		/* CPU_FTR_SMT */
295	/*
296	 * Search if we already have an indirect entry for that virtual
297	 * address, and if we do, bail out.
298	 *
299	 * MAS6:IND should be already set based on MAS4
300	 */
301	lhz	r10,PACAPACAINDEX(r13)
302	addi	r10,r10,1
303	crclr	cr1*4+eq	/* set cr1.eq = 0 for non-recursive */
3041:	lbarx	r15,0,r11
305	cmpdi	r15,0
306	bne	2f
307	stbcx.	r10,0,r11
308	bne	1b
3093:
310	.subsection 1
3112:	cmpd	cr1,r15,r10	/* recursive lock due to mcheck/crit/etc? */
312	beq	cr1,3b		/* unlock will happen if cr1.eq = 0 */
31310:	lbz	r15,0(r11)
314	cmpdi	r15,0
315	bne	10b
316	b	1b
317	.previous
318END_FTR_SECTION_IFSET(CPU_FTR_SMT)
319
320	lbz	r7,TCD_ESEL_NEXT(r11)
321
322BEGIN_FTR_SECTION		/* CPU_FTR_SMT */
323	/*
324	 * Erratum A-008139 says that we can't use tlbwe to change
325	 * an indirect entry in any way (including replacing or
326	 * invalidating) if the other thread could be in the process
327	 * of a lookup.  The workaround is to invalidate the entry
328	 * with tlbilx before overwriting.
329	 */
330
331	rlwinm	r10,r7,16,0xff0000
332	oris	r10,r10,MAS0_TLBSEL(1)@h
333	mtspr	SPRN_MAS0,r10
334	isync
335	tlbre
336	mfspr	r15,SPRN_MAS1
337	andis.	r15,r15,MAS1_VALID@h
338	beq	5f
339
340BEGIN_FTR_SECTION_NESTED(532)
341	mfspr	r10,SPRN_MAS8
342	rlwinm	r10,r10,0,0x80000fff  /* tgs,tlpid -> sgs,slpid */
343	mtspr	SPRN_MAS5,r10
344END_FTR_SECTION_NESTED(CPU_FTR_EMB_HV,CPU_FTR_EMB_HV,532)
345
346	mfspr	r10,SPRN_MAS1
347	rlwinm	r15,r10,0,0x3fff0000  /* tid -> spid */
348	rlwimi	r15,r10,20,0x00000003 /* ind,ts -> sind,sas */
349	mfspr	r10,SPRN_MAS6
350	mtspr	SPRN_MAS6,r15
351
352	mfspr	r15,SPRN_MAS2
353	isync
354	PPC_TLBILX_VA(0,R15)
355	isync
356
357	mtspr	SPRN_MAS6,r10
358
3595:
360BEGIN_FTR_SECTION_NESTED(532)
361	li	r10,0
362	mtspr	SPRN_MAS8,r10
363	mtspr	SPRN_MAS5,r10
364END_FTR_SECTION_NESTED(CPU_FTR_EMB_HV,CPU_FTR_EMB_HV,532)
365
366	tlbsx	0,r16
367	mfspr	r10,SPRN_MAS1
368	andis.	r15,r10,MAS1_VALID@h
369	bne	tlb_miss_done_e6500
370FTR_SECTION_ELSE
371	mfspr	r10,SPRN_MAS1
372ALT_FTR_SECTION_END_IFSET(CPU_FTR_SMT)
373
374	oris	r10,r10,MAS1_VALID@h
375	beq	cr2,4f
376	rlwinm	r10,r10,0,16,1		/* Clear TID */
3774:	mtspr	SPRN_MAS1,r10
378
379	/* Now, we need to walk the page tables. First check if we are in
380	 * range.
381	 */
382	rldicl.	r10,r16,64-PGTABLE_EADDR_SIZE,PGTABLE_EADDR_SIZE+4
383	bne-	tlb_miss_fault_e6500
384
385	rldicl	r15,r16,64-PGDIR_SHIFT+3,64-PGD_INDEX_SIZE-3
386	cmpldi	cr0,r14,0
387	clrrdi	r15,r15,3
388	beq-	tlb_miss_fault_e6500 /* No PGDIR, bail */
389	ldx	r14,r14,r15		/* grab pgd entry */
390
391	rldicl	r15,r16,64-PUD_SHIFT+3,64-PUD_INDEX_SIZE-3
392	clrrdi	r15,r15,3
393	cmpdi	cr0,r14,0
394	bge	tlb_miss_huge_e6500	/* Bad pgd entry or hugepage; bail */
395	ldx	r14,r14,r15		/* grab pud entry */
396
397	rldicl	r15,r16,64-PMD_SHIFT+3,64-PMD_INDEX_SIZE-3
398	clrrdi	r15,r15,3
399	cmpdi	cr0,r14,0
400	bge	tlb_miss_huge_e6500
401	ldx	r14,r14,r15		/* Grab pmd entry */
402
403	mfspr	r10,SPRN_MAS0
404	cmpdi	cr0,r14,0
405	bge	tlb_miss_huge_e6500
406
407	/* Now we build the MAS for a 2M indirect page:
408	 *
409	 * MAS 0   :	ESEL needs to be filled by software round-robin
410	 * MAS 1   :	Fully set up
411	 *               - PID already updated by caller if necessary
412	 *               - TSIZE for now is base ind page size always
413	 *               - TID already cleared if necessary
414	 * MAS 2   :	Default not 2M-aligned, need to be redone
415	 * MAS 3+7 :	Needs to be done
416	 */
417
418	ori	r14,r14,(BOOK3E_PAGESZ_4K << MAS3_SPSIZE_SHIFT)
419	mtspr	SPRN_MAS7_MAS3,r14
420
421	clrrdi	r15,r16,21		/* make EA 2M-aligned */
422	mtspr	SPRN_MAS2,r15
423
424tlb_miss_huge_done_e6500:
425	lbz	r16,TCD_ESEL_MAX(r11)
426	lbz	r14,TCD_ESEL_FIRST(r11)
427	rlwimi	r10,r7,16,0x00ff0000	/* insert esel_next into MAS0 */
428	addi	r7,r7,1			/* increment esel_next */
429	mtspr	SPRN_MAS0,r10
430	cmpw	r7,r16
431	iseleq	r7,r14,r7		/* if next == last use first */
432	stb	r7,TCD_ESEL_NEXT(r11)
433
434	tlbwe
435
436tlb_miss_done_e6500:
437	.macro	tlb_unlock_e6500
438BEGIN_FTR_SECTION
439	beq	cr1,1f		/* no unlock if lock was recursively grabbed */
440	li	r15,0
441	isync
442	stb	r15,0(r11)
4431:
444END_FTR_SECTION_IFSET(CPU_FTR_SMT)
445	.endm
446
447	tlb_unlock_e6500
448	tlb_epilog_bolted
449	rfi
450
451tlb_miss_huge_e6500:
452	beq	tlb_miss_fault_e6500
453	rlwinm	r15,r14,32-_PAGE_PSIZE_SHIFT,0x1e
454
455	/*
456	 * Now we build the MAS for a huge page.
457	 *
458	 * MAS 0   :	ESEL needs to be filled by software round-robin
459	 *		 - can be handled by indirect code
460	 * MAS 1   :	Need to clear IND and set TSIZE
461	 * MAS 2,3+7:	Needs to be redone similar to non-tablewalk handler
462	 */
463
464	mfspr	r10,SPRN_MAS1
465	rlwinm	r10,r10,0,~MAS1_IND
466	rlwimi	r10,r15,MAS1_TSIZE_SHIFT,MAS1_TSIZE_MASK
467	mtspr	SPRN_MAS1,r10
468
469	li	r10,-0x400
470	sld	r15,r10,r15		/* Generate mask based on size */
471	and	r10,r16,r15
472	rldicr	r15,r14,64-(PTE_RPN_SHIFT-PAGE_SHIFT),63-PAGE_SHIFT
473	rlwimi	r10,r14,32-19,27,31	/* Insert WIMGE */
474	clrldi	r15,r15,PAGE_SHIFT	/* Clear crap at the top */
475	rlwimi	r15,r14,32-8,22,25	/* Move in U bits */
476	mtspr	SPRN_MAS2,r10
477	andi.	r10,r14,_PAGE_DIRTY
478	rlwimi	r15,r14,32-2,26,31	/* Move in BAP bits */
479
480	/* Mask out SW and UW if !DIRTY (XXX optimize this !) */
481	bne	1f
482	li	r10,MAS3_SW|MAS3_UW
483	andc	r15,r15,r10
4841:
485	mtspr	SPRN_MAS7_MAS3,r15
486
487	mfspr	r10,SPRN_MAS0
488	b	tlb_miss_huge_done_e6500
489
490tlb_miss_kernel_e6500:
491	ld	r14,PACA_KERNELPGD(r13)
492	srdi	r15,r16,44		/* get kernel region */
493	xoris	r15,r15,0xc		/* Check for vmalloc region */
494	cmplwi	cr1,r15,1
495	beq+	cr1,tlb_miss_common_e6500
496
497tlb_miss_fault_e6500:
498	tlb_unlock_e6500
499	/* We need to check if it was an instruction miss */
500	andi.	r16,r16,1
501	bne	itlb_miss_fault_e6500
502dtlb_miss_fault_e6500:
503	tlb_epilog_bolted
504	b	exc_data_storage_book3e
505itlb_miss_fault_e6500:
506	tlb_epilog_bolted
507	b	exc_instruction_storage_book3e
508
509/*
510 * This is the guts of the second-level TLB miss handler for direct
511 * misses. We are entered with:
512 *
513 * r16 = virtual page table faulting address
514 * r15 = region (top 4 bits of address)
515 * r14 = crap (free to use)
516 * r13 = PACA
517 * r12 = TLB exception frame in PACA
518 * r11 = crap (free to use)
519 * r10 = crap (free to use)
520 *
521 * Note that this should only ever be called as a second level handler
522 * with the current scheme when using SW load.
523 * That means we can always get the original fault DEAR at
524 * EX_TLB_DEAR-EX_TLB_SIZE(r12)
525 *
526 * It can be re-entered by the linear mapping miss handler. However, to
527 * avoid too much complication, it will restart the whole fault at level
528 * 0 so we don't care too much about clobbers
529 *
530 * XXX That code was written back when we couldn't clobber r14. We can now,
531 * so we could probably optimize things a bit
532 */
533virt_page_table_tlb_miss:
534	/* Are we hitting a kernel page table ? */
535	srdi	r15,r16,60
536	andi.	r10,r15,0x8
537
538	/* The cool thing now is that r10 contains 0 for user and 8 for kernel,
539	 * and we happen to have the swapper_pg_dir at offset 8 from the user
540	 * pgdir in the PACA :-).
541	 */
542	add	r11,r10,r13
543
544	/* If kernel, we need to clear MAS1 TID */
545	beq	1f
546	/* XXX replace the RMW cycles with immediate loads + writes */
547	mfspr	r10,SPRN_MAS1
548	rlwinm	r10,r10,0,16,1			/* Clear TID */
549	mtspr	SPRN_MAS1,r10
550#ifdef CONFIG_PPC_KUAP
551	b	2f
5521:
553	mfspr	r10,SPRN_MAS1
554	rlwinm.	r10,r10,0,0x3fff0000
555	beq-	virt_page_table_tlb_miss_fault /* KUAP fault */
5562:
557#else
5581:
559#endif
560
561	/* Now, we need to walk the page tables. First check if we are in
562	 * range.
563	 */
564	rldicl	r10,r16,64-(VPTE_INDEX_SIZE+3),VPTE_INDEX_SIZE+3+4
565	cmpldi	r10,0x80
566	bne-	virt_page_table_tlb_miss_fault
567
568	/* Get the PGD pointer */
569	ld	r15,PACAPGD(r11)
570	cmpldi	cr0,r15,0
571	beq-	virt_page_table_tlb_miss_fault
572
573	/* Get to PGD entry */
574	rldicl	r11,r16,64-VPTE_PGD_SHIFT,64-PGD_INDEX_SIZE-3
575	clrrdi	r10,r11,3
576	ldx	r15,r10,r15
577	cmpdi	cr0,r15,0
578	bge	virt_page_table_tlb_miss_fault
579
580	/* Get to PUD entry */
581	rldicl	r11,r16,64-VPTE_PUD_SHIFT,64-PUD_INDEX_SIZE-3
582	clrrdi	r10,r11,3
583	ldx	r15,r10,r15
584	cmpdi	cr0,r15,0
585	bge	virt_page_table_tlb_miss_fault
586
587	/* Get to PMD entry */
588	rldicl	r11,r16,64-VPTE_PMD_SHIFT,64-PMD_INDEX_SIZE-3
589	clrrdi	r10,r11,3
590	ldx	r15,r10,r15
591	cmpdi	cr0,r15,0
592	bge	virt_page_table_tlb_miss_fault
593
594	/* Ok, we're all right, we can now create a kernel translation for
595	 * a 4K or 64K page from r16 -> r15.
596	 */
597	/* Now we build the MAS:
598	 *
599	 * MAS 0   :	Fully setup with defaults in MAS4 and TLBnCFG
600	 * MAS 1   :	Almost fully setup
601	 *               - PID already updated by caller if necessary
602	 *               - TSIZE for now is base page size always
603	 * MAS 2   :	Use defaults
604	 * MAS 3+7 :	Needs to be done
605	 *
606	 * So we only do MAS 2 and 3 for now...
607	 */
608	clrldi	r11,r15,4		/* remove region ID from RPN */
609	ori	r10,r11,1		/* Or-in SR */
610
611	srdi	r16,r10,32
612	mtspr	SPRN_MAS3,r10
613	mtspr	SPRN_MAS7,r16
614
615	tlbwe
616
617	/* Return to caller, normal case */
618	TLB_MISS_EPILOG_SUCCESS
619	rfi
620
621virt_page_table_tlb_miss_fault:
622	/* If we fault here, things are a little bit tricky. We need to call
623	 * either data or instruction store fault, and we need to retrieve
624	 * the original fault address and ESR (for data).
625	 *
626	 * The thing is, we know that in normal circumstances, this is
627	 * always called as a second level tlb miss for SW load or as a first
628	 * level TLB miss for HW load, so we should be able to peek at the
629	 * relevant information in the first exception frame in the PACA.
630	 *
631	 * However, we do need to double check that, because we may just hit
632	 * a stray kernel pointer or a userland attack trying to hit those
633	 * areas. If that is the case, we do a data fault. (We can't get here
634	 * from an instruction tlb miss anyway).
635	 *
636	 * Note also that when going to a fault, we must unwind the previous
637	 * level as well. Since we are doing that, we don't need to clear or
638	 * restore the TLB reservation neither.
639	 */
640	subf	r10,r13,r12
641	cmpldi	cr0,r10,PACA_EXTLB+EX_TLB_SIZE
642	bne-	virt_page_table_tlb_miss_whacko_fault
643
644	/* We dig the original DEAR and ESR from slot 0 */
645	ld	r15,EX_TLB_DEAR+PACA_EXTLB(r13)
646	ld	r16,EX_TLB_ESR+PACA_EXTLB(r13)
647
648	/* We check for the "special" ESR value for instruction faults */
649	cmpdi	cr0,r16,-1
650	beq	1f
651	mtspr	SPRN_DEAR,r15
652	mtspr	SPRN_ESR,r16
653	TLB_MISS_EPILOG_ERROR
654	b	exc_data_storage_book3e
6551:	TLB_MISS_EPILOG_ERROR
656	b	exc_instruction_storage_book3e
657
658virt_page_table_tlb_miss_whacko_fault:
659	/* The linear fault will restart everything so ESR and DEAR will
660	 * not have been clobbered, let's just fault with what we have
661	 */
662	TLB_MISS_EPILOG_ERROR
663	b	exc_data_storage_book3e
664
665/*
666 * This is the guts of "any" level TLB miss handler for kernel linear
667 * mapping misses. We are entered with:
668 *
669 *
670 * r16 = faulting address
671 * r15 = crap (free to use)
672 * r14 = ESR (data) or -1 (instruction)
673 * r13 = PACA
674 * r12 = TLB exception frame in PACA
675 * r11 = crap (free to use)
676 * r10 = crap (free to use)
677 *
678 * In addition we know that we will not re-enter, so in theory, we could
679 * use a simpler epilog not restoring SRR0/1 etc.. but we'll do that later.
680 *
681 * We also need to be careful about MAS registers here & TLB reservation,
682 * as we know we'll have clobbered them if we interrupt the main TLB miss
683 * handlers in which case we probably want to do a full restart at level
684 * 0 rather than saving / restoring the MAS.
685 *
686 * Note: If we care about performance of that core, we can easily shuffle
687 *       a few things around
688 */
689tlb_load_linear:
690	/* For now, we assume the linear mapping is contiguous and stops at
691	 * linear_map_top. We also assume the size is a multiple of 1G, thus
692	 * we only use 1G pages for now. That might have to be changed in a
693	 * final implementation, especially when dealing with hypervisors
694	 */
695	__LOAD_PACA_TOC(r11)
696	LOAD_REG_ADDR_ALTTOC(r11, r11, linear_map_top)
697	ld	r10,0(r11)
698	tovirt(10,10)
699	cmpld	cr0,r16,r10
700	bge	tlb_load_linear_fault
701
702	/* MAS1 need whole new setup. */
703	li	r15,(BOOK3E_PAGESZ_1GB<<MAS1_TSIZE_SHIFT)
704	oris	r15,r15,MAS1_VALID@h	/* MAS1 needs V and TSIZE */
705	mtspr	SPRN_MAS1,r15
706
707	/* Already somebody there ? */
708	PPC_TLBSRX_DOT(0,R16)
709	beq	tlb_load_linear_done
710
711	/* Now we build the remaining MAS. MAS0 and 2 should be fine
712	 * with their defaults, which leaves us with MAS 3 and 7. The
713	 * mapping is linear, so we just take the address, clear the
714	 * region bits, and or in the permission bits which are currently
715	 * hard wired
716	 */
717	clrrdi	r10,r16,30		/* 1G page index */
718	clrldi	r10,r10,4		/* clear region bits */
719	ori	r10,r10,MAS3_SR|MAS3_SW|MAS3_SX
720
721	srdi	r16,r10,32
722	mtspr	SPRN_MAS3,r10
723	mtspr	SPRN_MAS7,r16
724
725	tlbwe
726
727tlb_load_linear_done:
728	/* We use the "error" epilog for success as we do want to
729	 * restore to the initial faulting context, whatever it was.
730	 * We do that because we can't resume a fault within a TLB
731	 * miss handler, due to MAS and TLB reservation being clobbered.
732	 */
733	TLB_MISS_EPILOG_ERROR
734	rfi
735
736tlb_load_linear_fault:
737	/* We keep the DEAR and ESR around, this shouldn't have happened */
738	cmpdi	cr0,r14,-1
739	beq	1f
740	TLB_MISS_EPILOG_ERROR_SPECIAL
741	b	exc_data_storage_book3e
7421:	TLB_MISS_EPILOG_ERROR_SPECIAL
743	b	exc_instruction_storage_book3e
744