Archipelago » qemu

/*

 *  PowerPC MMU, TLB, SLB and BAT emulation helpers for QEMU.

 *

 *  Copyright (c) 2003-2007 Jocelyn Mayer

 *

 * This library is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public

 * License as published by the Free Software Foundation; either

 * version 2 of the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public

 * License along with this library; if not, see <http://www.gnu.org/licenses/>.

 */

#include "cpu.h"

#include "helper.h"

#include "sysemu/kvm.h"

#include "kvm_ppc.h"

#include "mmu-hash64.h"

#include "mmu-hash32.h"

//#define DEBUG_MMU

//#define DEBUG_BATS

//#define DEBUG_SOFTWARE_TLB

//#define DUMP_PAGE_TABLES

//#define DEBUG_SOFTWARE_TLB

//#define FLUSH_ALL_TLBS

#ifdef DEBUG_MMU

#  define LOG_MMU(...) qemu_log(__VA_ARGS__)

#  define LOG_MMU_STATE(env) log_cpu_state((env), 0)

#else

#  define LOG_MMU(...) do { } while (0)

#  define LOG_MMU_STATE(...) do { } while (0)

#endif

#ifdef DEBUG_SOFTWARE_TLB

#  define LOG_SWTLB(...) qemu_log(__VA_ARGS__)

#else

#  define LOG_SWTLB(...) do { } while (0)

#endif

#ifdef DEBUG_BATS

#  define LOG_BATS(...) qemu_log(__VA_ARGS__)

#else

#  define LOG_BATS(...) do { } while (0)

#endif

/*****************************************************************************/

/* PowerPC MMU emulation */

/* Context used internally during MMU translations */

typedef struct mmu_ctx_t mmu_ctx_t;

struct mmu_ctx_t {

    hwaddr raddr;      /* Real address              */

    hwaddr eaddr;      /* Effective address         */

    int prot;                      /* Protection bits           */

    hwaddr hash[2];    /* Pagetable hash values     */

    target_ulong ptem;             /* Virtual segment ID | API  */

    int key;                       /* Access key                */

    int nx;                        /* Non-execute area          */

};

/* Common routines used by software and hardware TLBs emulation */

static inline int pte_is_valid(target_ulong pte0)

{

    return pte0 & 0x80000000 ? 1 : 0;

}

static inline void pte_invalidate(target_ulong *pte0)

{

    *pte0 &= ~0x80000000;

}

#define PTE_PTEM_MASK 0x7FFFFFBF

#define PTE_CHECK_MASK (TARGET_PAGE_MASK | 0x7B)

static int pp_check(int key, int pp, int nx)

{

    int access;

    /* Compute access rights */

    access = 0;

    if (key == 0) {

        switch (pp) {

        case 0x0:

        case 0x1:

        case 0x2:

            access |= PAGE_WRITE;

            /* No break here */

        case 0x3:

            access |= PAGE_READ;

            break;

        }

    } else {

        switch (pp) {

        case 0x0:

            access = 0;

            break;

        case 0x1:

        case 0x3:

            access = PAGE_READ;

            break;

        case 0x2:

            access = PAGE_READ | PAGE_WRITE;

            break;

        }

    }

    if (nx == 0) {

        access |= PAGE_EXEC;

    }

    return access;

}

static int check_prot(int prot, int rw, int access_type)

{

    int ret;

    if (access_type == ACCESS_CODE) {

        if (prot & PAGE_EXEC) {

            ret = 0;

        } else {

            ret = -2;

        }

    } else if (rw) {

        if (prot & PAGE_WRITE) {

            ret = 0;

        } else {

            ret = -2;

        }

    } else {

        if (prot & PAGE_READ) {

            ret = 0;

        } else {

            ret = -2;

        }

    }

    return ret;

}

static inline int ppc6xx_tlb_pte_check(mmu_ctx_t *ctx, target_ulong pte0,

                                       target_ulong pte1, int h, int rw, int type)

{

    target_ulong ptem, mmask;

    int access, ret, pteh, ptev, pp;

    ret = -1;

    /* Check validity and table match */

    ptev = pte_is_valid(pte0);

    pteh = (pte0 >> 6) & 1;

    if (ptev && h == pteh) {

        /* Check vsid & api */

        ptem = pte0 & PTE_PTEM_MASK;

        mmask = PTE_CHECK_MASK;

        pp = pte1 & 0x00000003;

        if (ptem == ctx->ptem) {

            if (ctx->raddr != (hwaddr)-1ULL) {

                /* all matches should have equal RPN, WIMG & PP */

                if ((ctx->raddr & mmask) != (pte1 & mmask)) {

                    qemu_log("Bad RPN/WIMG/PP\n");

                    return -3;

                }

            }

            /* Compute access rights */

            access = pp_check(ctx->key, pp, ctx->nx);

            /* Keep the matching PTE informations */

            ctx->raddr = pte1;

            ctx->prot = access;

            ret = check_prot(ctx->prot, rw, type);

            if (ret == 0) {

                /* Access granted */

                LOG_MMU("PTE access granted !\n");

            } else {

                /* Access right violation */

                LOG_MMU("PTE access rejected\n");

            }

        }

    }

    return ret;

}

static int pte_update_flags(mmu_ctx_t *ctx, target_ulong *pte1p,

                            int ret, int rw)

{

    int store = 0;

    /* Update page flags */

    if (!(*pte1p & 0x00000100)) {

        /* Update accessed flag */

        *pte1p |= 0x00000100;

        store = 1;

    }

    if (!(*pte1p & 0x00000080)) {

        if (rw == 1 && ret == 0) {

            /* Update changed flag */

            *pte1p |= 0x00000080;

            store = 1;

        } else {

            /* Force page fault for first write access */

            ctx->prot &= ~PAGE_WRITE;

        }

    }

    return store;

}

/* Software driven TLB helpers */

static inline int ppc6xx_tlb_getnum(CPUPPCState *env, target_ulong eaddr,

                                    int way, int is_code)

{

    int nr;

    /* Select TLB num in a way from address */

    nr = (eaddr >> TARGET_PAGE_BITS) & (env->tlb_per_way - 1);

    /* Select TLB way */

    nr += env->tlb_per_way * way;

    /* 6xx have separate TLBs for instructions and data */

    if (is_code && env->id_tlbs == 1) {

        nr += env->nb_tlb;

    }

    return nr;

}

static inline void ppc6xx_tlb_invalidate_all(CPUPPCState *env)

{

    ppc6xx_tlb_t *tlb;

    int nr, max;

    /* LOG_SWTLB("Invalidate all TLBs\n"); */

    /* Invalidate all defined software TLB */

    max = env->nb_tlb;

    if (env->id_tlbs == 1) {

        max *= 2;

    }

    for (nr = 0; nr < max; nr++) {

        tlb = &env->tlb.tlb6[nr];

        pte_invalidate(&tlb->pte0);

    }

    tlb_flush(env, 1);

}

static inline void ppc6xx_tlb_invalidate_virt2(CPUPPCState *env,

                                               target_ulong eaddr,

                                               int is_code, int match_epn)

{

#if !defined(FLUSH_ALL_TLBS)

    ppc6xx_tlb_t *tlb;

    int way, nr;

    /* Invalidate ITLB + DTLB, all ways */

    for (way = 0; way < env->nb_ways; way++) {

        nr = ppc6xx_tlb_getnum(env, eaddr, way, is_code);

        tlb = &env->tlb.tlb6[nr];

        if (pte_is_valid(tlb->pte0) && (match_epn == 0 || eaddr == tlb->EPN)) {

            LOG_SWTLB("TLB invalidate %d/%d " TARGET_FMT_lx "\n", nr,

                      env->nb_tlb, eaddr);

            pte_invalidate(&tlb->pte0);

            tlb_flush_page(env, tlb->EPN);

        }

    }

#else

    /* XXX: PowerPC specification say this is valid as well */

    ppc6xx_tlb_invalidate_all(env);

#endif

}

static inline void ppc6xx_tlb_invalidate_virt(CPUPPCState *env,

                                              target_ulong eaddr, int is_code)

{

    ppc6xx_tlb_invalidate_virt2(env, eaddr, is_code, 0);

}

static void ppc6xx_tlb_store(CPUPPCState *env, target_ulong EPN, int way,

                             int is_code, target_ulong pte0, target_ulong pte1)

{

    ppc6xx_tlb_t *tlb;

    int nr;

    nr = ppc6xx_tlb_getnum(env, EPN, way, is_code);

    tlb = &env->tlb.tlb6[nr];

    LOG_SWTLB("Set TLB %d/%d EPN " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx

              " PTE1 " TARGET_FMT_lx "\n", nr, env->nb_tlb, EPN, pte0, pte1);

    /* Invalidate any pending reference in QEMU for this virtual address */

    ppc6xx_tlb_invalidate_virt2(env, EPN, is_code, 1);

    tlb->pte0 = pte0;

    tlb->pte1 = pte1;

    tlb->EPN = EPN;

    /* Store last way for LRU mechanism */

    env->last_way = way;

}

static inline int ppc6xx_tlb_check(CPUPPCState *env, mmu_ctx_t *ctx,

                                   target_ulong eaddr, int rw, int access_type)

{

    ppc6xx_tlb_t *tlb;

    int nr, best, way;

    int ret;

    best = -1;

    ret = -1; /* No TLB found */

    for (way = 0; way < env->nb_ways; way++) {

        nr = ppc6xx_tlb_getnum(env, eaddr, way,

                               access_type == ACCESS_CODE ? 1 : 0);

        tlb = &env->tlb.tlb6[nr];

        /* This test "emulates" the PTE index match for hardware TLBs */

        if ((eaddr & TARGET_PAGE_MASK) != tlb->EPN) {

            LOG_SWTLB("TLB %d/%d %s [" TARGET_FMT_lx " " TARGET_FMT_lx

                      "] <> " TARGET_FMT_lx "\n", nr, env->nb_tlb,

                      pte_is_valid(tlb->pte0) ? "valid" : "inval",

                      tlb->EPN, tlb->EPN + TARGET_PAGE_SIZE, eaddr);

            continue;

        }

        LOG_SWTLB("TLB %d/%d %s " TARGET_FMT_lx " <> " TARGET_FMT_lx " "

                  TARGET_FMT_lx " %c %c\n", nr, env->nb_tlb,

                  pte_is_valid(tlb->pte0) ? "valid" : "inval",

                  tlb->EPN, eaddr, tlb->pte1,

                  rw ? 'S' : 'L', access_type == ACCESS_CODE ? 'I' : 'D');

        switch (ppc6xx_tlb_pte_check(ctx, tlb->pte0, tlb->pte1, 0, rw, access_type)) {

        case -3:

            /* TLB inconsistency */

            return -1;

        case -2:

            /* Access violation */

            ret = -2;

            best = nr;

            break;

        case -1:

        default:

            /* No match */

            break;

        case 0:

            /* access granted */

            /* XXX: we should go on looping to check all TLBs consistency

             *      but we can speed-up the whole thing as the

             *      result would be undefined if TLBs are not consistent.

             */

            ret = 0;

            best = nr;

            goto done;

        }

    }

    if (best != -1) {

    done:

        LOG_SWTLB("found TLB at addr " TARGET_FMT_plx " prot=%01x ret=%d\n",

                  ctx->raddr & TARGET_PAGE_MASK, ctx->prot, ret);

        /* Update page flags */

        pte_update_flags(ctx, &env->tlb.tlb6[best].pte1, ret, rw);

    }

    return ret;

}

/* Perform BAT hit & translation */

static inline void bat_size_prot(CPUPPCState *env, target_ulong *blp,

                                 int *validp, int *protp, target_ulong *BATu,

                                 target_ulong *BATl)

{

    target_ulong bl;

    int pp, valid, prot;

    bl = (*BATu & 0x00001FFC) << 15;

    valid = 0;

    prot = 0;

    if (((msr_pr == 0) && (*BATu & 0x00000002)) ||

        ((msr_pr != 0) && (*BATu & 0x00000001))) {

        valid = 1;

        pp = *BATl & 0x00000003;

        if (pp != 0) {

            prot = PAGE_READ | PAGE_EXEC;

            if (pp == 0x2) {

                prot |= PAGE_WRITE;

            }

        }

    }

    *blp = bl;

    *validp = valid;

    *protp = prot;

}

static int get_bat_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,

                           target_ulong virtual, int rw, int type)

{

    target_ulong *BATlt, *BATut, *BATu, *BATl;

    target_ulong BEPIl, BEPIu, bl;

    int i, valid, prot;

    int ret = -1;

    LOG_BATS("%s: %cBAT v " TARGET_FMT_lx "\n", __func__,

             type == ACCESS_CODE ? 'I' : 'D', virtual);

    switch (type) {

    case ACCESS_CODE:

        BATlt = env->IBAT[1];

        BATut = env->IBAT[0];

        break;

    default:

        BATlt = env->DBAT[1];

        BATut = env->DBAT[0];

        break;

    }

    for (i = 0; i < env->nb_BATs; i++) {

        BATu = &BATut[i];

        BATl = &BATlt[i];

        BEPIu = *BATu & 0xF0000000;

        BEPIl = *BATu & 0x0FFE0000;

        bat_size_prot(env, &bl, &valid, &prot, BATu, BATl);

        LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx

                 " BATl " TARGET_FMT_lx "\n", __func__,

                 type == ACCESS_CODE ? 'I' : 'D', i, virtual, *BATu, *BATl);

        if ((virtual & 0xF0000000) == BEPIu &&

            ((virtual & 0x0FFE0000) & ~bl) == BEPIl) {

            /* BAT matches */

            if (valid != 0) {

                /* Get physical address */

                ctx->raddr = (*BATl & 0xF0000000) |

                    ((virtual & 0x0FFE0000 & bl) | (*BATl & 0x0FFE0000)) |

                    (virtual & 0x0001F000);

                /* Compute access rights */

                ctx->prot = prot;

                ret = check_prot(ctx->prot, rw, type);

                if (ret == 0) {

                    LOG_BATS("BAT %d match: r " TARGET_FMT_plx " prot=%c%c\n",

                             i, ctx->raddr, ctx->prot & PAGE_READ ? 'R' : '-',

                             ctx->prot & PAGE_WRITE ? 'W' : '-');

                }

                break;

            }

        }

    }

    if (ret < 0) {

#if defined(DEBUG_BATS)

        if (qemu_log_enabled()) {

            LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", virtual);

            for (i = 0; i < 4; i++) {

                BATu = &BATut[i];

                BATl = &BATlt[i];

                BEPIu = *BATu & 0xF0000000;

                BEPIl = *BATu & 0x0FFE0000;

                bl = (*BATu & 0x00001FFC) << 15;

                LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx

                         " BATl " TARGET_FMT_lx "\n\t" TARGET_FMT_lx " "

                         TARGET_FMT_lx " " TARGET_FMT_lx "\n",

                         __func__, type == ACCESS_CODE ? 'I' : 'D', i, virtual,

                         *BATu, *BATl, BEPIu, BEPIl, bl);

            }

        }

#endif

    }

    /* No hit */

    return ret;

}

/* Perform segment based translation */

static inline int get_segment_6xx_tlb(CPUPPCState *env, mmu_ctx_t *ctx,

                                      target_ulong eaddr, int rw, int type)

{

    hwaddr hash;

    target_ulong vsid;

    int ds, pr, target_page_bits;

    int ret;

    target_ulong sr, pgidx;

    pr = msr_pr;

    ctx->eaddr = eaddr;

    sr = env->sr[eaddr >> 28];

    ctx->key = (((sr & 0x20000000) && (pr != 0)) ||

                ((sr & 0x40000000) && (pr == 0))) ? 1 : 0;

    ds = sr & 0x80000000 ? 1 : 0;

    ctx->nx = sr & 0x10000000 ? 1 : 0;

    vsid = sr & 0x00FFFFFF;

    target_page_bits = TARGET_PAGE_BITS;

    LOG_MMU("Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx " nip="

            TARGET_FMT_lx " lr=" TARGET_FMT_lx

            " ir=%d dr=%d pr=%d %d t=%d\n",

            eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, (int)msr_ir,

            (int)msr_dr, pr != 0 ? 1 : 0, rw, type);

    pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits;

    hash = vsid ^ pgidx;

    ctx->ptem = (vsid << 7) | (pgidx >> 10);

    LOG_MMU("pte segment: key=%d ds %d nx %d vsid " TARGET_FMT_lx "\n",

            ctx->key, ds, ctx->nx, vsid);

    ret = -1;

    if (!ds) {

        /* Check if instruction fetch is allowed, if needed */

        if (type != ACCESS_CODE || ctx->nx == 0) {

            /* Page address translation */

            LOG_MMU("htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx

                    " hash " TARGET_FMT_plx "\n",

                    env->htab_base, env->htab_mask, hash);

            ctx->hash[0] = hash;

            ctx->hash[1] = ~hash;

            /* Initialize real address with an invalid value */

            ctx->raddr = (hwaddr)-1ULL;

            /* Software TLB search */

            ret = ppc6xx_tlb_check(env, ctx, eaddr, rw, type);

#if defined(DUMP_PAGE_TABLES)

            if (qemu_log_enabled()) {

                hwaddr curaddr;

                uint32_t a0, a1, a2, a3;

                qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx

                         "\n", sdr, mask + 0x80);

                for (curaddr = sdr; curaddr < (sdr + mask + 0x80);

                     curaddr += 16) {

                    a0 = ldl_phys(curaddr);

                    a1 = ldl_phys(curaddr + 4);

                    a2 = ldl_phys(curaddr + 8);

                    a3 = ldl_phys(curaddr + 12);

                    if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) {

                        qemu_log(TARGET_FMT_plx ": %08x %08x %08x %08x\n",

                                 curaddr, a0, a1, a2, a3);

                    }

                }

            }

#endif

        } else {

            LOG_MMU("No access allowed\n");

            ret = -3;

        }

    } else {

        target_ulong sr;

        LOG_MMU("direct store...\n");

        /* Direct-store segment : absolutely *BUGGY* for now */

        /* Direct-store implies a 32-bit MMU.

         * Check the Segment Register's bus unit ID (BUID).

         */

        sr = env->sr[eaddr >> 28];

        if ((sr & 0x1FF00000) >> 20 == 0x07f) {

            /* Memory-forced I/O controller interface access */

            /* If T=1 and BUID=x'07F', the 601 performs a memory access

             * to SR[28-31] LA[4-31], bypassing all protection mechanisms.

             */

            ctx->raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);

            ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;

            return 0;

        }

        switch (type) {

        case ACCESS_INT:

            /* Integer load/store : only access allowed */

            break;

        case ACCESS_CODE:

            /* No code fetch is allowed in direct-store areas */

            return -4;

        case ACCESS_FLOAT:

            /* Floating point load/store */

            return -4;

        case ACCESS_RES:

            /* lwarx, ldarx or srwcx. */

            return -4;

        case ACCESS_CACHE:

            /* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */

            /* Should make the instruction do no-op.

             * As it already do no-op, it's quite easy :-)

             */

            ctx->raddr = eaddr;

            return 0;

        case ACCESS_EXT:

            /* eciwx or ecowx */

            return -4;

        default:

            qemu_log("ERROR: instruction should not need "

                        "address translation\n");

            return -4;

        }

        if ((rw == 1 || ctx->key != 1) && (rw == 0 || ctx->key != 0)) {

            ctx->raddr = eaddr;

            ret = 2;

        } else {

            ret = -2;

        }

    }

    return ret;

}

/* Generic TLB check function for embedded PowerPC implementations */

static int ppcemb_tlb_check(CPUPPCState *env, ppcemb_tlb_t *tlb,

                            hwaddr *raddrp,

                            target_ulong address, uint32_t pid, int ext,

                            int i)

{

    target_ulong mask;

    /* Check valid flag */

    if (!(tlb->prot & PAGE_VALID)) {

        return -1;

    }

    mask = ~(tlb->size - 1);

    LOG_SWTLB("%s: TLB %d address " TARGET_FMT_lx " PID %u <=> " TARGET_FMT_lx

              " " TARGET_FMT_lx " %u %x\n", __func__, i, address, pid, tlb->EPN,

              mask, (uint32_t)tlb->PID, tlb->prot);

    /* Check PID */

    if (tlb->PID != 0 && tlb->PID != pid) {

        return -1;

    }

    /* Check effective address */

    if ((address & mask) != tlb->EPN) {

        return -1;

    }

    *raddrp = (tlb->RPN & mask) | (address & ~mask);

    if (ext) {

        /* Extend the physical address to 36 bits */

        *raddrp |= (uint64_t)(tlb->RPN & 0xF) << 32;

    }

    return 0;

}

/* Generic TLB search function for PowerPC embedded implementations */

static int ppcemb_tlb_search(CPUPPCState *env, target_ulong address,

                             uint32_t pid)

{

    ppcemb_tlb_t *tlb;

    hwaddr raddr;

    int i, ret;

    /* Default return value is no match */

    ret = -1;

    for (i = 0; i < env->nb_tlb; i++) {

        tlb = &env->tlb.tlbe[i];

        if (ppcemb_tlb_check(env, tlb, &raddr, address, pid, 0, i) == 0) {

            ret = i;

            break;

        }

    }

    return ret;

}

/* Helpers specific to PowerPC 40x implementations */

static inline void ppc4xx_tlb_invalidate_all(CPUPPCState *env)

{

    ppcemb_tlb_t *tlb;

    int i;

    for (i = 0; i < env->nb_tlb; i++) {

        tlb = &env->tlb.tlbe[i];

        tlb->prot &= ~PAGE_VALID;

    }

    tlb_flush(env, 1);

}

static inline void ppc4xx_tlb_invalidate_virt(CPUPPCState *env,

                                              target_ulong eaddr, uint32_t pid)

{

#if !defined(FLUSH_ALL_TLBS)

    ppcemb_tlb_t *tlb;

    hwaddr raddr;

    target_ulong page, end;

    int i;

    for (i = 0; i < env->nb_tlb; i++) {

        tlb = &env->tlb.tlbe[i];

        if (ppcemb_tlb_check(env, tlb, &raddr, eaddr, pid, 0, i) == 0) {

            end = tlb->EPN + tlb->size;

            for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE) {

                tlb_flush_page(env, page);

            }

            tlb->prot &= ~PAGE_VALID;

            break;

        }

    }

#else

    ppc4xx_tlb_invalidate_all(env);

#endif

}

static int mmu40x_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,

                                       target_ulong address, int rw,

                                       int access_type)

{

    ppcemb_tlb_t *tlb;

    hwaddr raddr;

    int i, ret, zsel, zpr, pr;

    ret = -1;

    raddr = (hwaddr)-1ULL;

    pr = msr_pr;

    for (i = 0; i < env->nb_tlb; i++) {

        tlb = &env->tlb.tlbe[i];

        if (ppcemb_tlb_check(env, tlb, &raddr, address,

                             env->spr[SPR_40x_PID], 0, i) < 0) {

            continue;

        }

        zsel = (tlb->attr >> 4) & 0xF;

        zpr = (env->spr[SPR_40x_ZPR] >> (30 - (2 * zsel))) & 0x3;

        LOG_SWTLB("%s: TLB %d zsel %d zpr %d rw %d attr %08x\n",

                    __func__, i, zsel, zpr, rw, tlb->attr);

        /* Check execute enable bit */

        switch (zpr) {

        case 0x2:

            if (pr != 0) {

                goto check_perms;

            }

            /* No break here */

        case 0x3:

            /* All accesses granted */

            ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;

            ret = 0;

            break;

        case 0x0:

            if (pr != 0) {

                /* Raise Zone protection fault.  */

                env->spr[SPR_40x_ESR] = 1 << 22;

                ctx->prot = 0;

                ret = -2;

                break;

            }

            /* No break here */

        case 0x1:

        check_perms:

            /* Check from TLB entry */

            ctx->prot = tlb->prot;

            ret = check_prot(ctx->prot, rw, access_type);

            if (ret == -2) {

                env->spr[SPR_40x_ESR] = 0;

            }

            break;

        }

        if (ret >= 0) {

            ctx->raddr = raddr;

            LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx

                      " %d %d\n", __func__, address, ctx->raddr, ctx->prot,

                      ret);

            return 0;

        }

    }

    LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx

              " %d %d\n", __func__, address, raddr, ctx->prot, ret);

    return ret;

}

void store_40x_sler(CPUPPCState *env, uint32_t val)

{

    /* XXX: TO BE FIXED */

    if (val != 0x00000000) {

        cpu_abort(env, "Little-endian regions are not supported by now\n");

    }

    env->spr[SPR_405_SLER] = val;

}

static inline int mmubooke_check_tlb(CPUPPCState *env, ppcemb_tlb_t *tlb,

                                     hwaddr *raddr, int *prot,

                                     target_ulong address, int rw,

                                     int access_type, int i)

{

    int ret, prot2;

    if (ppcemb_tlb_check(env, tlb, raddr, address,

                         env->spr[SPR_BOOKE_PID],

                         !env->nb_pids, i) >= 0) {

        goto found_tlb;

    }

    if (env->spr[SPR_BOOKE_PID1] &&

        ppcemb_tlb_check(env, tlb, raddr, address,

                         env->spr[SPR_BOOKE_PID1], 0, i) >= 0) {

        goto found_tlb;

    }

    if (env->spr[SPR_BOOKE_PID2] &&

        ppcemb_tlb_check(env, tlb, raddr, address,

                         env->spr[SPR_BOOKE_PID2], 0, i) >= 0) {

        goto found_tlb;

    }

    LOG_SWTLB("%s: TLB entry not found\n", __func__);

    return -1;

found_tlb:

    if (msr_pr != 0) {

        prot2 = tlb->prot & 0xF;

    } else {

        prot2 = (tlb->prot >> 4) & 0xF;

    }

    /* Check the address space */

    if (access_type == ACCESS_CODE) {

        if (msr_ir != (tlb->attr & 1)) {

            LOG_SWTLB("%s: AS doesn't match\n", __func__);

            return -1;

        }

        *prot = prot2;

        if (prot2 & PAGE_EXEC) {

            LOG_SWTLB("%s: good TLB!\n", __func__);

            return 0;

        }

        LOG_SWTLB("%s: no PAGE_EXEC: %x\n", __func__, prot2);

        ret = -3;

    } else {

        if (msr_dr != (tlb->attr & 1)) {

            LOG_SWTLB("%s: AS doesn't match\n", __func__);

            return -1;

        }

        *prot = prot2;

        if ((!rw && prot2 & PAGE_READ) || (rw && (prot2 & PAGE_WRITE))) {

            LOG_SWTLB("%s: found TLB!\n", __func__);

            return 0;

        }

        LOG_SWTLB("%s: PAGE_READ/WRITE doesn't match: %x\n", __func__, prot2);

        ret = -2;

    }

    return ret;

}

static int mmubooke_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,

                                         target_ulong address, int rw,

                                         int access_type)

{

    ppcemb_tlb_t *tlb;

    hwaddr raddr;

    int i, ret;

    ret = -1;

    raddr = (hwaddr)-1ULL;

    for (i = 0; i < env->nb_tlb; i++) {

        tlb = &env->tlb.tlbe[i];

        ret = mmubooke_check_tlb(env, tlb, &raddr, &ctx->prot, address, rw,

                                 access_type, i);

        if (!ret) {

            break;

        }

    }

    if (ret >= 0) {

        ctx->raddr = raddr;

        LOG_SWTLB("%s: access granted " TARGET_FMT_lx " => " TARGET_FMT_plx

                  " %d %d\n", __func__, address, ctx->raddr, ctx->prot,

                  ret);

    } else {

        LOG_SWTLB("%s: access refused " TARGET_FMT_lx " => " TARGET_FMT_plx

                  " %d %d\n", __func__, address, raddr, ctx->prot, ret);

    }

    return ret;

}

static void booke206_flush_tlb(CPUPPCState *env, int flags,