2 * arch/ppc/kernel/except_8xx.S
5 * Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
6 * Rewritten by Cort Dougan (cort@cs.nmt.edu) for PReP
7 * Copyright (C) 1996 Cort Dougan <cort@cs.nmt.edu>
8 * Low-level exception handlers and MMU support
9 * rewritten by Paul Mackerras.
10 * Copyright (C) 1996 Paul Mackerras.
11 * MPC8xx modifications by Dan Malek
12 * Copyright (C) 1997 Dan Malek (dmalek@jlc.net).
14 * This file contains low-level support and setup for PowerPC 8xx
15 * embedded processors, including trap and interrupt dispatch.
17 * This program is free software; you can redistribute it and/or
18 * modify it under the terms of the GNU General Public License
19 * as published by the Free Software Foundation; either version
20 * 2 of the License, or (at your option) any later version.
24 #include <linux/config.h>
25 #include <asm/processor.h>
28 #include <asm/cache.h>
29 #include <asm/pgtable.h>
30 #include <asm/cputable.h>
31 #include <asm/thread_info.h>
32 #include <asm/ppc_asm.h>
33 #include <asm/offsets.h>
40 * _start is defined this way because the XCOFF loader in the OpenFirmware
41 * on the powermac expects the entry point to be a procedure descriptor.
48 * This port was done on an MBX board with an 860. Right now I only
49 * support an ELF compressed (zImage) boot from EPPC-Bug because the
50 * code there loads up some registers before calling us:
51 * r3: ptr to board info data
52 * r4: initrd_start or if no initrd then 0
53 * r5: initrd_end - unused if r4 is 0
54 * r6: Start of command line string
55 * r7: End of command line string
57 * I decided to use conditional compilation instead of checking PVR and
58 * adding more processor specific branches around code I don't need.
59 * Since this is an embedded processor, I also appreciate any memory
62 * The MPC8xx does not have any BATs, but it supports large page sizes.
63 * We first initialize the MMU to support 8M byte pages, then load one
64 * entry into each of the instruction and data TLBs to map the first
65 * 8M 1:1. I also mapped an additional I/O space 1:1 so we can get to
66 * the "internal" processor registers before MMU_init is called.
68 * The TLB code currently contains a major hack. Since I use the condition
69 * code register, I have to save and restore it. I am out of registers, so
70 * I just store it in memory location 0 (the TLB handlers are not reentrant).
71 * To avoid making any decisions, I need to use the "segment" valid bit
72 * in the first level table, but that would require many changes to the
73 * Linux page directory/table functions that I don't want to do right now.
75 * I used to use SPRG2 for a temporary register in the TLB handler, but it
76 * has since been put to other uses. I now use a hack to save a register
77 * and the CCR at memory location 0.....Someday I'll fix this.....
83 mr r31,r3 /* save parameters */
90 /* We have to turn on the MMU right away so we get cache modes
95 /* We now have the lower 8 Meg mapped into TLB entries, and the caches
101 ori r0,r0,MSR_DR|MSR_IR
104 ori r0,r0,start_here@l
107 rfi /* enables MMU */
110 * Exception entry code. This code runs with address translation
111 * turned off, i.e. using physical addresses.
112 * We assume sprg3 has the physical address of the current
113 * task's thread_struct.
115 #define EXCEPTION_PROLOG \
119 mfspr r21,SPRG2; /* exception stack to use from */ \
120 cmpwi 0,r21,0; /* user mode or RTAS */ \
122 tophys(r21,r1); /* use tophys(kernel sp) otherwise */ \
123 subi r21,r21,INT_FRAME_SIZE; /* alloc exc. frame */\
124 1: stw r20,_CCR(r21); /* save registers */ \
125 stw r22,GPR22(r21); \
126 stw r23,GPR23(r21); \
128 stw r20,GPR20(r21); \
130 stw r22,GPR21(r21); \
132 stw r20,_LINK(r21); \
143 tovirt(r1,r21); /* set new kernel sp */ \
144 SAVE_4GPRS(3, r21); \
147 * Note: code which follows this uses cr0.eq (set if from kernel),
148 * r21, r22 (SRR0), and r23 (SRR1).
154 #define STD_EXCEPTION(n, label, hdlr) \
158 addi r3,r1,STACK_FRAME_OVERHEAD; \
160 bl transfer_to_handler; \
162 .long ret_from_except
165 #ifdef CONFIG_SMP /* MVME/MTX start the secondary here */
166 STD_EXCEPTION(0x100, Reset, __secondary_start_psurge)
168 STD_EXCEPTION(0x100, Reset, UnknownException)
172 STD_EXCEPTION(0x200, MachineCheck, MachineCheckException)
174 /* Data access exception.
175 * This is "never generated" by the MPC8xx. We jump to it for other
176 * translation errors.
186 addi r3,r1,STACK_FRAME_OVERHEAD
188 rlwimi r20,r23,0,16,16 /* copy EE bit from saved MSR */
189 bl transfer_to_handler
191 .long ret_from_except
193 /* Instruction access exception.
194 * This is "never generated" by the MPC8xx. We jump to it for other
195 * translation errors.
200 addi r3,r1,STACK_FRAME_OVERHEAD
204 rlwimi r20,r23,0,16,16 /* copy EE bit from saved MSR */
205 bl transfer_to_handler
207 .long ret_from_except
209 /* External interrupt */
213 addi r3,r1,STACK_FRAME_OVERHEAD
216 bl transfer_to_handler
217 .globl do_IRQ_intercept
220 .long ret_from_intercept
223 /* Alignment exception */
231 addi r3,r1,STACK_FRAME_OVERHEAD
233 rlwimi r20,r23,0,16,16 /* copy EE bit from saved MSR */
234 bl transfer_to_handler
235 .long AlignmentException
236 .long ret_from_except
238 /* Program check exception */
242 addi r3,r1,STACK_FRAME_OVERHEAD
244 rlwimi r20,r23,0,16,16 /* copy EE bit from saved MSR */
245 bl transfer_to_handler
246 .long ProgramCheckException
247 .long ret_from_except
249 /* No FPU on MPC8xx. This exception is not supposed to happen.
251 STD_EXCEPTION(0x800, FPUnavailable, UnknownException)
256 addi r3,r1,STACK_FRAME_OVERHEAD
258 bl transfer_to_handler
259 .globl timer_interrupt_intercept
260 timer_interrupt_intercept:
261 .long timer_interrupt
262 .long ret_from_intercept
264 STD_EXCEPTION(0xa00, Trap_0a, UnknownException)
265 STD_EXCEPTION(0xb00, Trap_0b, UnknownException)
271 stw r3,ORIG_GPR3(r21)
273 rlwimi r20,r23,0,16,16 /* copy EE bit from saved MSR */
274 bl transfer_to_handler
276 .long ret_from_except
278 /* Single step - not used on 601 */
279 STD_EXCEPTION(0xd00, SingleStep, SingleStepException)
281 STD_EXCEPTION(0xe00, Trap_0e, UnknownException)
282 STD_EXCEPTION(0xf00, Trap_0f, UnknownException)
284 /* On the MPC8xx, this is a software emulation interrupt. It occurs
285 * for all unimplemented and illegal instructions.
287 STD_EXCEPTION(0x1000, SoftEmu, SoftwareEmulation)
291 * For the MPC8xx, this is a software tablewalk to load the instruction
292 * TLB. It is modelled after the example in the Motorola manual. The task
293 * switch loads the M_TWB register with the pointer to the first level table.
294 * If we discover there is no second level table (the value is zero), the
295 * plan was to load that into the TLB, which causes another fault into the
296 * TLB Error interrupt where we can handle such problems. However, that did
297 * not work, so if we discover there is no second level table, we restore
298 * registers and branch to the error exception. We have to use the MD_xxx
299 * registers for the tablewalk because the equivalent MI_xxx registers
300 * only perform the attribute functions.
303 #ifdef CONFIG_8xx_CPU6
309 mtspr M_TW, r20 /* Save a couple of working registers */
313 mfspr r20, SRR0 /* Get effective address of fault */
314 #ifdef CONFIG_8xx_CPU6
319 mtspr MD_EPN, r20 /* Have to use MD_EPN for walk, MI_EPN can't */
320 mfspr r20, M_TWB /* Get level 1 table entry address */
322 /* If we are faulting a kernel address, we have to use the
323 * kernel page tables.
325 andi. r21, r20, 0x0800 /* Address >= 0x80000000 */
327 lis r21, swapper_pg_dir@h
328 ori r21, r21, swapper_pg_dir@l
329 rlwimi r20, r21, 0, 2, 19
331 lwz r21, 0(r20) /* Get the level 1 entry */
332 rlwinm. r20, r21,0,0,19 /* Extract page descriptor page address */
333 beq 2f /* If zero, don't try to find a pte */
335 /* We have a pte table, so load the MI_TWC with the attributes
336 * for this "segment."
339 ori r21,r21,1 /* Set valid bit */
340 #ifdef CONFIG_8xx_CPU6
345 mtspr MI_TWC, r21 /* Set segment attributes */
346 #ifdef CONFIG_8xx_CPU6
351 mtspr MD_TWC, r21 /* Load pte table base address */
352 mfspr r21, MD_TWC /* ....and get the pte address */
353 lwz r20, 0(r21) /* Get the pte */
355 ori r20, r20, _PAGE_ACCESSED
358 /* The Linux PTE won't go exactly into the MMU TLB.
359 * Software indicator bits 21, 22 and 28 must be clear.
360 * Software indicator bits 24, 25, 26, and 27 must be
361 * set. All other Linux PTE bits control the behavior
365 rlwimi r20, r21, 0, 24, 28 /* Set 24-27, clear 28 */
367 #ifdef CONFIG_8xx_CPU6
372 mtspr MI_RPN, r20 /* Update TLB entry */
374 mfspr r20, M_TW /* Restore registers */
378 #ifdef CONFIG_8xx_CPU6
383 2: mfspr r20, M_TW /* Restore registers */
387 #ifdef CONFIG_8xx_CPU6
394 #ifdef CONFIG_8xx_CPU6
400 mtspr M_TW, r20 /* Save a couple of working registers */
404 mfspr r20, M_TWB /* Get level 1 table entry address */
406 /* If we are faulting a kernel address, we have to use the
407 * kernel page tables.
409 andi. r21, r20, 0x0800
411 lis r21, swapper_pg_dir@h
412 ori r21, r21, swapper_pg_dir@l
413 rlwimi r20, r21, 0, 2, 19
415 lwz r21, 0(r20) /* Get the level 1 entry */
416 rlwinm. r20, r21,0,0,19 /* Extract page descriptor page address */
417 beq 2f /* If zero, don't try to find a pte */
419 /* We have a pte table, so load fetch the pte from the table.
422 ori r21, r21, 1 /* Set valid bit in physical L2 page */
423 #ifdef CONFIG_8xx_CPU6
428 mtspr MD_TWC, r21 /* Load pte table base address */
429 mfspr r20, MD_TWC /* ....and get the pte address */
430 lwz r20, 0(r20) /* Get the pte */
432 /* Insert the Guarded flag into the TWC from the Linux PTE.
433 * It is bit 27 of both the Linux PTE and the TWC (at least
434 * I got that right :-). It will be better when we can put
435 * this into the Linux pgd/pmd and load it in the operation
438 rlwimi r21, r20, 0, 27, 27
439 #ifdef CONFIG_8xx_CPU6
446 mfspr r21, MD_TWC /* get the pte address again */
447 ori r20, r20, _PAGE_ACCESSED
450 /* The Linux PTE won't go exactly into the MMU TLB.
451 * Software indicator bits 21, 22 and 28 must be clear.
452 * Software indicator bits 24, 25, 26, and 27 must be
453 * set. All other Linux PTE bits control the behavior
457 rlwimi r20, r21, 0, 24, 28 /* Set 24-27, clear 28 */
459 #ifdef CONFIG_8xx_CPU6
464 mtspr MD_RPN, r20 /* Update TLB entry */
466 mfspr r20, M_TW /* Restore registers */
470 #ifdef CONFIG_8xx_CPU6
475 2: mfspr r20, M_TW /* Restore registers */
479 #ifdef CONFIG_8xx_CPU6
484 /* This is an instruction TLB error on the MPC8xx. This could be due
485 * to many reasons, such as executing guarded memory or illegal instruction
486 * addresses. There is nothing to do but handle a big time error fault.
492 /* This is the data TLB error on the MPC8xx. This could be due to
493 * many reasons, including a dirty update to a pte. We can catch that
494 * one here, but anything else is an error. First, we track down the
495 * Linux pte. If it is valid, write access is allowed, but the
496 * page dirty bit is not set, we will set it and reload the TLB. For
497 * any other case, we bail out to a higher level function that can
502 #ifdef CONFIG_8xx_CPU6
508 mtspr M_TW, r20 /* Save a couple of working registers */
513 /* First, make sure this was a store operation.
516 andis. r21, r20, 0x0200 /* If set, indicates store op */
519 /* The EA of a data TLB miss is automatically stored in the MD_EPN
520 * register. The EA of a data TLB error is automatically stored in
521 * the DAR, but not the MD_EPN register. We must copy the 20 most
522 * significant bits of the EA from the DAR to MD_EPN before we
523 * start walking the page tables. We also need to copy the CASID
524 * value from the M_CASID register.
525 * Addendum: The EA of a data TLB error is _supposed_ to be stored
526 * in DAR, but it seems that this doesn't happen in some cases, such
527 * as when the error is due to a dcbi instruction to a page with a
528 * TLB that doesn't have the changed bit set. In such cases, there
529 * does not appear to be any way to recover the EA of the error
530 * since it is neither in DAR nor MD_EPN. As a workaround, the
531 * _PAGE_HWWRITE bit is set for all kernel data pages when the PTEs
532 * are initialized in mapin_ram(). This will avoid the problem,
533 * assuming we only use the dcbi instruction on kernel addresses.
536 rlwinm r21, r20, 0, 0, 19
537 ori r21, r21, MD_EVALID
539 rlwimi r21, r20, 0, 28, 31
540 #ifdef CONFIG_8xx_CPU6
547 mfspr r20, M_TWB /* Get level 1 table entry address */
549 /* If we are faulting a kernel address, we have to use the
550 * kernel page tables.
552 andi. r21, r20, 0x0800
554 lis r21, swapper_pg_dir@h
555 ori r21, r21, swapper_pg_dir@l
556 rlwimi r20, r21, 0, 2, 19
558 lwz r21, 0(r20) /* Get the level 1 entry */
559 rlwinm. r20, r21,0,0,19 /* Extract page descriptor page address */
560 beq 2f /* If zero, bail */
562 /* We have a pte table, so fetch the pte from the table.
565 ori r21, r21, 1 /* Set valid bit in physical L2 page */
566 #ifdef CONFIG_8xx_CPU6
571 mtspr MD_TWC, r21 /* Load pte table base address */
572 mfspr r21, MD_TWC /* ....and get the pte address */
573 lwz r20, 0(r21) /* Get the pte */
575 andi. r21, r20, _PAGE_RW /* Is it writeable? */
576 beq 2f /* Bail out if not */
578 /* Update 'changed', among others.
580 ori r20, r20, _PAGE_DIRTY|_PAGE_ACCESSED|_PAGE_HWWRITE
581 mfspr r21, MD_TWC /* Get pte address again */
582 stw r20, 0(r21) /* and update pte in table */
584 /* The Linux PTE won't go exactly into the MMU TLB.
585 * Software indicator bits 21, 22 and 28 must be clear.
586 * Software indicator bits 24, 25, 26, and 27 must be
587 * set. All other Linux PTE bits control the behavior
591 rlwimi r20, r21, 0, 24, 28 /* Set 24-27, clear 28 */
593 #ifdef CONFIG_8xx_CPU6
598 mtspr MD_RPN, r20 /* Update TLB entry */
600 mfspr r20, M_TW /* Restore registers */
604 #ifdef CONFIG_8xx_CPU6
609 mfspr r20, M_TW /* Restore registers */
613 #ifdef CONFIG_8xx_CPU6
618 STD_EXCEPTION(0x1500, Trap_15, UnknownException)
619 STD_EXCEPTION(0x1600, Trap_16, UnknownException)
620 STD_EXCEPTION(0x1700, Trap_17, TAUException)
621 STD_EXCEPTION(0x1800, Trap_18, UnknownException)
622 STD_EXCEPTION(0x1900, Trap_19, UnknownException)
623 STD_EXCEPTION(0x1a00, Trap_1a, UnknownException)
624 STD_EXCEPTION(0x1b00, Trap_1b, UnknownException)
626 /* On the MPC8xx, these next four traps are used for development
627 * support of breakpoints and such. Someday I will get around to
630 STD_EXCEPTION(0x1c00, Trap_1c, UnknownException)
631 STD_EXCEPTION(0x1d00, Trap_1d, UnknownException)
632 STD_EXCEPTION(0x1e00, Trap_1e, UnknownException)
633 STD_EXCEPTION(0x1f00, Trap_1f, UnknownException)
641 /* Maybe someday.......
643 _GLOBAL(__setup_cpu_8xx)
647 * This is where the main kernel code starts.
652 ori r2,r2,init_task@l
654 /* ptr to phys current thread */
656 addi r4,r4,THREAD /* init task's THREAD */
659 mtspr SPRG2,r3 /* 0 => r1 has kernel sp */
662 lis r1,init_thread_union@ha
663 addi r1,r1,init_thread_union@l
665 stwu r0,THREAD_SIZE-STACK_FRAME_OVERHEAD(r1)
667 bl early_init /* We have to do this with MMU on */
670 * Decide what sort of machine this is and initialize the MMU.
681 * Go back to running unmapped so we can load up new values
682 * and change to using our exception vectors.
683 * On the 8xx, all we have to do is invalidate the TLB to clear
684 * the old 8M byte TLB mappings and load the page table base register.
686 /* The right way to do this would be to track it down through
687 * init's THREAD like the context switch code does, but this is
688 * easier......until someone changes init's static structures.
690 lis r6, swapper_pg_dir@h
691 ori r6, r6, swapper_pg_dir@l
693 #ifdef CONFIG_8xx_CPU6
694 lis r4, cpu6_errata_word@h
695 ori r4, r4, cpu6_errata_word@l
704 li r3,MSR_KERNEL & ~(MSR_IR|MSR_DR)
708 /* Load up the kernel context */
710 SYNC /* Force all PTE updates to finish */
711 tlbia /* Clear all TLB entries */
712 sync /* wait for tlbia/tlbie to finish */
713 TLBSYNC /* ... on all CPUs */
715 /* set up the PTE pointers for the Abatron bdiGDB.
718 lis r5, abatron_pteptrs@h
719 ori r5, r5, abatron_pteptrs@l
720 stw r5, 0xf0(r0) /* Must match your Abatron config file */
724 /* Now turn on the MMU for real! */
726 lis r3,start_kernel@h
727 ori r3,r3,start_kernel@l
730 rfi /* enable MMU and jump to start_kernel */
732 /* Set up the initial MMU state so we can do the first level of
733 * kernel initialization. This maps the first 8 MBytes of memory 1:1
734 * virtual to physical. Also, set the cache mode since that is defined
735 * by TLB entries and perform any additional mapping (like of the IMMR).
736 * If configured to pin some TLBs, we pin the first 8 Mbytes of kernel,
737 * 24 Mbytes of data, and the 8M IMMR space. Anything not covered by
738 * these mappings is mapped by page tables.
741 tlbia /* Invalidate all TLB entries */
742 #ifdef CONFIG_PIN_TLB
748 mtspr MI_CTR, r8 /* Set instruction MMU control */
750 #ifdef CONFIG_PIN_TLB
751 lis r10, (MD_RSV4I | MD_RESETVAL)@h
755 lis r10, MD_RESETVAL@h
757 #ifndef CONFIG_8xx_COPYBACK
758 oris r10, r10, MD_WTDEF@h
760 mtspr MD_CTR, r10 /* Set data TLB control */
762 /* Now map the lower 8 Meg into the TLBs. For this quick hack,
763 * we can load the instruction and data TLB registers with the
766 lis r8, KERNELBASE@h /* Create vaddr for TLB */
767 ori r8, r8, MI_EVALID /* Mark it valid */
770 li r8, MI_PS8MEG /* Set 8M byte page */
771 ori r8, r8, MI_SVALID /* Make it valid */
774 li r8, MI_BOOTINIT /* Create RPN for address 0 */
775 mtspr MI_RPN, r8 /* Store TLB entry */
777 lis r8, MI_Kp@h /* Set the protection mode */
781 /* Map another 8 MByte at the IMMR to get the processor
782 * internal registers (among other things).
784 #ifdef CONFIG_PIN_TLB
785 addi r10, r10, 0x0100
788 mfspr r9, 638 /* Get current IMMR */
789 andis. r9, r9, 0xff80 /* Get 8Mbyte boundary */
791 mr r8, r9 /* Create vaddr for TLB */
792 ori r8, r8, MD_EVALID /* Mark it valid */
794 li r8, MD_PS8MEG /* Set 8M byte page */
795 ori r8, r8, MD_SVALID /* Make it valid */
797 mr r8, r9 /* Create paddr for TLB */
798 ori r8, r8, MI_BOOTINIT|0x2 /* Inhibit cache -- Cort */
801 #ifdef CONFIG_PIN_TLB
802 /* Map two more 8M kernel data pages.
804 addi r10, r10, 0x0100
807 lis r8, KERNELBASE@h /* Create vaddr for TLB */
808 addis r8, r8, 0x0080 /* Add 8M */
809 ori r8, r8, MI_EVALID /* Mark it valid */
811 li r9, MI_PS8MEG /* Set 8M byte page */
812 ori r9, r9, MI_SVALID /* Make it valid */
814 li r11, MI_BOOTINIT /* Create RPN for address 0 */
815 addis r11, r11, 0x0080 /* Add 8M */
818 addis r8, r8, 0x0080 /* Add 8M */
821 addis r11, r11, 0x0080 /* Add 8M */
825 /* Since the cache is enabled according to the information we
826 * just loaded into the TLB, invalidate and enable the caches here.
827 * We should probably check/set other modes....later.
834 #ifdef CONFIG_8xx_COPYBACK
837 /* For a debug option, I left this here to easily enable
838 * the write through cache mode
849 * Set up to use a given MMU context.
850 * r3 is context number, r4 is PGD pointer.
852 * We place the physical address of the new task page directory loaded
853 * into the MMU base register, and set the ASID compare register with
858 #ifdef CONFIG_BDI_SWITCH
859 /* Context switch the PTE pointer for the Abatron BDI2000.
860 * The PGDIR is passed as second argument.
867 #ifdef CONFIG_8xx_CPU6
868 lis r6, cpu6_errata_word@h
869 ori r6, r6, cpu6_errata_word@l
874 mtspr M_TWB, r4 /* Update MMU base address */
878 mtspr M_CASID, r3 /* Update context */
880 mtspr M_CASID,r3 /* Update context */
882 mtspr M_TWB, r4 /* and pgd */
887 #ifdef CONFIG_8xx_CPU6
888 /* It's here because it is unique to the 8xx.
889 * It is important we get called with interrupts disabled. I used to
890 * do that, but it appears that all code that calls this already had
891 * interrupt disabled.
895 lis r7, cpu6_errata_word@h
896 ori r7, r7, cpu6_errata_word@l
900 mtspr 22, r3 /* Update Decrementer */
906 * We put a few things here that have to be page-aligned.
907 * This stuff goes at the beginning of the data segment,
908 * which is page-aligned.
913 .globl empty_zero_page
917 .globl swapper_pg_dir
922 * This space gets a copy of optional info passed to us by the bootstrap
923 * Used to pass parameters into the kernel like root=/dev/sda1, etc.
929 /* Room for two PTE table poiners, usually the kernel and current user
930 * pointer to their respective root page table (pgdir).
935 #ifdef CONFIG_8xx_CPU6
936 .globl cpu6_errata_word