[PATCH 0/8] Fix 8xx MMU/TLB

[PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Now updated with Scott's remarks.
There is still(probably) a trivial conflict in pte-8xx.h

Joakim Tjernlund (8):
  8xx: invalidate non present TLBs
  8xx: Update TLB asm so it behaves as linux mm expects.
  8xx: Tag DAR with 0x00f0 to catch buggy instructions.
  8xx: Fixup DAR from buggy dcbX instructions.
  8xx: Add missing Guarded setting in DTLB Error.
  8xx: Restore _PAGE_WRITETHRU
  8xx: start using dcbX instructions in various copy routines
  8xx: Remove DIRTY pte handling in DTLB Error.

 arch/powerpc/include/asm/pte-8xx.h |   14 +-
 arch/powerpc/kernel/head_8xx.S     |  341 +++++++++++++++++++++++------------
 arch/powerpc/kernel/misc_32.S      |   18 --
 arch/powerpc/lib/copy_32.S         |   24 ---
 arch/powerpc/mm/fault.c            |    8 +-
 5 files changed, 238 insertions(+), 167 deletions(-)

[PATCH 1/8] 8xx: invalidate non present TLBs

[Joakim Tjernlund]

8xx sometimes need to load a invalid/non-present TLBs in
it DTLB asm handler.
These must be invalidated separaly as linux mm don't.
---
 arch/powerpc/mm/fault.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 7699394..071e0ca 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -39,7 +39,7 @@
 #include <asm/uaccess.h>
 #include <asm/tlbflush.h>
 #include <asm/siginfo.h>
-
+#include <mm/mmu_decl.h>
 
 #ifdef CONFIG_KPROBES
 static inline int notify_page_fault(struct pt_regs *regs)
@@ -243,6 +243,12 @@ good_area:
 		goto bad_area;
 #endif /* CONFIG_6xx */
 #if defined(CONFIG_8xx)
+	/* 8xx sometimes need to load a invalid/non-present TLBs.
+	 * These must be invalidated separately as linux mm don't.
+	 */
+	if (error_code & 0x40000000) /* no translation? */
+		_tlbil_va(address, 0, 0, 0);
+
         /* The MPC8xx seems to always set 0x80000000, which is
          * "undefined".  Of those that can be set, this is the only
          * one which seems bad.
-- 
1.6.4.4

[PATCH 2/8] 8xx: Update TLB asm so it behaves as linux mm expects.

[Joakim Tjernlund]

Update the TLB asm to make proper use of _PAGE_DIRY and _PAGE_ACCESSED.
Get rid of _PAGE_HWWRITE too.
Pros:
 - I/D TLB Miss never needs to write to the linux pte.
 - _PAGE_ACCESSED is only set on TLB Error fixing accounting
 - _PAGE_DIRTY is mapped to 0x100, the changed bit, and is set directly
    when a page has been made dirty.
 - Proper RO/RW mapping of user space.
 - Free up 2 SW TLB bits in the linux pte(add back _PAGE_WRITETHRU ?)
 - kernel RO/user NA support.
Cons:
 - A few more instructions in the TLB Miss routines.
---
 arch/powerpc/include/asm/pte-8xx.h |   13 ++---
 arch/powerpc/kernel/head_8xx.S     |   99 ++++++++++++++++++-----------------
 2 files changed, 57 insertions(+), 55 deletions(-)

diff --git a/arch/powerpc/include/asm/pte-8xx.h b/arch/powerpc/include/asm/pte-8xx.h
index 8c6e312..f23cd15 100644
--- a/arch/powerpc/include/asm/pte-8xx.h
+++ b/arch/powerpc/include/asm/pte-8xx.h
@@ -32,22 +32,21 @@
 #define _PAGE_FILE	0x0002	/* when !present: nonlinear file mapping */
 #define _PAGE_NO_CACHE	0x0002	/* I: cache inhibit */
 #define _PAGE_SHARED	0x0004	/* No ASID (context) compare */
+#define _PAGE_DIRTY	0x0100	/* C: page changed */
 
-/* These five software bits must be masked out when the entry is loaded
- * into the TLB.
+/* These 3 software bits must be masked out when the entry is loaded
+ * into the TLB, 2 SW bits left.
  */
 #define _PAGE_EXEC	0x0008	/* software: i-cache coherency required */
 #define _PAGE_GUARDED	0x0010	/* software: guarded access */
-#define _PAGE_DIRTY	0x0020	/* software: page changed */
-#define _PAGE_RW	0x0040	/* software: user write access allowed */
-#define _PAGE_ACCESSED	0x0080	/* software: page referenced */
+#define _PAGE_ACCESSED	0x0020	/* software: page referenced */
 
 /* Setting any bits in the nibble with the follow two controls will
  * require a TLB exception handler change.  It is assumed unused bits
  * are always zero.
  */
-#define _PAGE_HWWRITE	0x0100	/* h/w write enable: never set in Linux PTE */
-#define _PAGE_USER	0x0800	/* One of the PP bits, the other is USER&~RW */
+#define _PAGE_RW	0x0400	/* lsb PP bits, inverted in HW */
+#define _PAGE_USER	0x0800	/* msb PP bits */
 
 #define _PMD_PRESENT	0x0001
 #define _PMD_BAD	0x0ff0
diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 52ff8c5..2011230 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -333,26 +333,20 @@ InstructionTLBMiss:
 	mfspr	r11, SPRN_MD_TWC	/* ....and get the pte address */
 	lwz	r10, 0(r11)	/* Get the pte */
 
-#ifdef CONFIG_SWAP
-	/* do not set the _PAGE_ACCESSED bit of a non-present page */
-	andi.	r11, r10, _PAGE_PRESENT
-	beq	4f
-	ori	r10, r10, _PAGE_ACCESSED
-	mfspr	r11, SPRN_MD_TWC	/* get the pte address again */
-	stw	r10, 0(r11)
-4:
-#else
-	ori	r10, r10, _PAGE_ACCESSED
-	stw	r10, 0(r11)
-#endif
+	andi.	r11, r10, _PAGE_ACCESSED | _PAGE_PRESENT
+	cmpwi	cr0, r11, _PAGE_ACCESSED | _PAGE_PRESENT
+	bne-	cr0, 2f
+
+	/* Clear PP lsb, 0x400 */
+	rlwinm 	r10, r10, 0, 22, 20
 
 	/* The Linux PTE won't go exactly into the MMU TLB.
-	 * Software indicator bits 21, 22 and 28 must be clear.
+	 * Software indicator bits 22 and 28 must be clear.
 	 * Software indicator bits 24, 25, 26, and 27 must be
 	 * set.  All other Linux PTE bits control the behavior
 	 * of the MMU.
 	 */
-2:	li	r11, 0x00f0
+	li	r11, 0x00f0
 	rlwimi	r10, r11, 0, 24, 28	/* Set 24-27, clear 28 */
 	DO_8xx_CPU6(0x2d80, r3)
 	mtspr	SPRN_MI_RPN, r10	/* Update TLB entry */
@@ -365,6 +359,22 @@ InstructionTLBMiss:
 	lwz	r3, 8(r0)
 #endif
 	rfi
+2:
+	mfspr	r11, SPRN_SRR1
+	/* clear all error bits as TLB Miss
+	 * sets a few unconditionally
+	*/
+	rlwinm	r11, r11, 0, 0xffff
+	mtspr	SPRN_SRR1, r11
+
+	mfspr	r10, SPRN_M_TW	/* Restore registers */
+	lwz	r11, 0(r0)
+	mtcr	r11
+	lwz	r11, 4(r0)
+#ifdef CONFIG_8xx_CPU6
+	lwz	r3, 8(r0)
+#endif
+	b	InstructionAccess
 
 	. = 0x1200
 DataStoreTLBMiss:
@@ -409,21 +419,27 @@ DataStoreTLBMiss:
 	DO_8xx_CPU6(0x3b80, r3)
 	mtspr	SPRN_MD_TWC, r11
 
-#ifdef CONFIG_SWAP
-	/* do not set the _PAGE_ACCESSED bit of a non-present page */
-	andi.	r11, r10, _PAGE_PRESENT
-	beq	4f
-	ori	r10, r10, _PAGE_ACCESSED
-4:
-	/* and update pte in table */
-#else
-	ori	r10, r10, _PAGE_ACCESSED
-#endif
-	mfspr	r11, SPRN_MD_TWC	/* get the pte address again */
-	stw	r10, 0(r11)
+	/* Both _PAGE_ACCESSED and _PAGE_PRESENT has to be set.
+	 * We also need to know if the insn is a load/store, so:
+	 * Clear _PAGE_PRESENT and load that which will
+	 * trap into DTLB Error with store bit set accordinly.
+	 */
+	/* PRESENT=0x1, ACCESSED=0x20
+	 * r11 = ((r10 & PRESENT) & ((r10 & ACCESSED) >> 5));
+	 * r10 = (r10 & ~PRESENT) | r11;
+	 */
+	rlwinm	r11, r10, 32-5, 31, 31
+	and	r11, r11, r10
+	rlwimi	r10, r11, 0, 31, 31
+
+	/* Honour kernel RO, User NA */
+	andi.	r11, r10, _PAGE_USER | _PAGE_RW
+	bne-	cr0, 5f
+	ori	r10,r10, 0x200 /* Extended encoding, bit 22 */
+5:	xori	r10, r10, _PAGE_RW  /* invert RW bit */
 
 	/* The Linux PTE won't go exactly into the MMU TLB.
-	 * Software indicator bits 21, 22 and 28 must be clear.
+	 * Software indicator bits 22 and 28 must be clear.
 	 * Software indicator bits 24, 25, 26, and 27 must be
 	 * set.  All other Linux PTE bits control the behavior
 	 * of the MMU.
@@ -469,11 +485,12 @@ DataTLBError:
 	stw	r10, 0(r0)
 	stw	r11, 4(r0)
 
-	/* First, make sure this was a store operation.
+	mfspr	r11, SPRN_DSISR
+	andis.	r11, r11, 0x4800	/* !translation or protection */
+	bne	2f	/* branch if either is set */
+	/* Only Change bit left now, do it here as it is faster
+	 * than trapping to the C fault handler.
 	*/
-	mfspr	r10, SPRN_DSISR
-	andis.	r11, r10, 0x0200	/* If set, indicates store op */
-	beq	2f
 
 	/* The EA of a data TLB miss is automatically stored in the MD_EPN
 	 * register.  The EA of a data TLB error is automatically stored in
@@ -522,26 +539,12 @@ DataTLBError:
 	mfspr	r11, SPRN_MD_TWC		/* ....and get the pte address */
 	lwz	r10, 0(r11)		/* Get the pte */
 
-	andi.	r11, r10, _PAGE_RW	/* Is it writeable? */
-	beq	2f			/* Bail out if not */
-
-	/* Update 'changed', among others.
-	*/
-#ifdef CONFIG_SWAP
-	ori	r10, r10, _PAGE_DIRTY|_PAGE_HWWRITE
-	/* do not set the _PAGE_ACCESSED bit of a non-present page */
-	andi.	r11, r10, _PAGE_PRESENT
-	beq	4f
-	ori	r10, r10, _PAGE_ACCESSED
-4:
-#else
-	ori	r10, r10, _PAGE_DIRTY|_PAGE_ACCESSED|_PAGE_HWWRITE
-#endif
-	mfspr	r11, SPRN_MD_TWC		/* Get pte address again */
+	ori	r10, r10, _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_HWWRITE
 	stw	r10, 0(r11)		/* and update pte in table */
+	xori	r10, r10, _PAGE_RW	/* RW bit is inverted */
 
 	/* The Linux PTE won't go exactly into the MMU TLB.
-	 * Software indicator bits 21, 22 and 28 must be clear.
+	 * Software indicator bits 22 and 28 must be clear.
 	 * Software indicator bits 24, 25, 26, and 27 must be
 	 * set.  All other Linux PTE bits control the behavior
 	 * of the MMU.
-- 
1.6.4.4

[PATCH 3/8] 8xx: Tag DAR with 0x00f0 to catch buggy instructions.

[Joakim Tjernlund]

dcbz, dcbf, dcbi, dcbst and icbi do not set DAR when they
cause a DTLB Error. Dectect this by tagging DAR with 0x00f0
at every exception exit that modifies DAR.
Test for DAR=0x00f0 in DataTLBError and bail
to handle_page_fault().
---
 arch/powerpc/kernel/head_8xx.S |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 2011230..bca22fa 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -206,6 +206,8 @@ MachineCheck:
 	EXCEPTION_PROLOG
 	mfspr r4,SPRN_DAR
 	stw r4,_DAR(r11)
+	li r5,0x00f0
+	mtspr SPRN_DAR,r5	/* Tag DAR, to be used in DTLB Error */
 	mfspr r5,SPRN_DSISR
 	stw r5,_DSISR(r11)
 	addi r3,r1,STACK_FRAME_OVERHEAD
@@ -222,6 +224,8 @@ DataAccess:
 	stw	r10,_DSISR(r11)
 	mr	r5,r10
 	mfspr	r4,SPRN_DAR
+	li	r10,0x00f0
+	mtspr	SPRN_DAR,r10	/* Tag DAR, to be used in DTLB Error */
 	EXC_XFER_EE_LITE(0x300, handle_page_fault)
 
 /* Instruction access exception.
@@ -244,6 +248,8 @@ Alignment:
 	EXCEPTION_PROLOG
 	mfspr	r4,SPRN_DAR
 	stw	r4,_DAR(r11)
+	li	r5,0x00f0
+	mtspr	SPRN_DAR,r5	/* Tag DAR, to be used in DTLB Error */
 	mfspr	r5,SPRN_DSISR
 	stw	r5,_DSISR(r11)
 	addi	r3,r1,STACK_FRAME_OVERHEAD
@@ -445,6 +451,7 @@ DataStoreTLBMiss:
 	 * of the MMU.
 	 */
 2:	li	r11, 0x00f0
+	mtspr	SPRN_DAR,r11	/* Tag DAR */
 	rlwimi	r10, r11, 0, 24, 28	/* Set 24-27, clear 28 */
 	DO_8xx_CPU6(0x3d80, r3)
 	mtspr	SPRN_MD_RPN, r10	/* Update TLB entry */
@@ -485,6 +492,10 @@ DataTLBError:
 	stw	r10, 0(r0)
 	stw	r11, 4(r0)
 
+	mfspr	r10, SPRN_DAR
+	cmpwi	cr0, r10, 0x00f0
+	beq-	2f	/* must be a buggy dcbX, icbi insn. */
+
 	mfspr	r11, SPRN_DSISR
 	andis.	r11, r11, 0x4800	/* !translation or protection */
 	bne	2f	/* branch if either is set */
@@ -508,7 +519,8 @@ DataTLBError:
 	 * are initialized in mapin_ram().  This will avoid the problem,
 	 * assuming we only use the dcbi instruction on kernel addresses.
 	 */
-	mfspr	r10, SPRN_DAR
+
+	/* DAR is in r10 already */
 	rlwinm	r11, r10, 0, 0, 19
 	ori	r11, r11, MD_EVALID
 	mfspr	r10, SPRN_M_CASID
@@ -550,6 +562,7 @@ DataTLBError:
 	 * of the MMU.
 	 */
 	li	r11, 0x00f0
+	mtspr	SPRN_DAR,r11	/* Tag DAR */
 	rlwimi	r10, r11, 0, 24, 28	/* Set 24-27, clear 28 */
 	DO_8xx_CPU6(0x3d80, r3)
 	mtspr	SPRN_MD_RPN, r10	/* Update TLB entry */
-- 
1.6.4.4

[PATCH 4/8] 8xx: Fixup DAR from buggy dcbX instructions.

[Joakim Tjernlund]

This is an assembler version to fixup DAR not being set
by dcbX, icbi instructions. There are two versions, one
uses selfmodifing code, the other uses a
jump table but is much bigger(default).
---
 arch/powerpc/kernel/head_8xx.S |  180 +++++++++++++++++++++++++++++++++++++++-
 1 files changed, 176 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index bca22fa..320f333 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -494,11 +494,16 @@ DataTLBError:
 
 	mfspr	r10, SPRN_DAR
 	cmpwi	cr0, r10, 0x00f0
-	beq-	2f	/* must be a buggy dcbX, icbi insn. */
-
+	beq-	FixupDAR	/* must be a buggy dcbX, icbi insn. */
+DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR */
 	mfspr	r11, SPRN_DSISR
-	andis.	r11, r11, 0x4800	/* !translation or protection */
-	bne	2f	/* branch if either is set */
+	/* As the DAR fixup may clear store we may have all 3 states zero.
+	 * Make sure only 0x0200(store) falls down into DIRTY handling
+	 */
+	andis.	r11, r11, 0x4a00	/* !translation, protection or store */
+	srwi	r11, r11, 16
+	cmpwi	cr0, r11, 0x0200	/* just store ? */
+	bne	2f
 	/* Only Change bit left now, do it here as it is faster
 	 * than trapping to the C fault handler.
 	*/
@@ -604,6 +609,173 @@ DataTLBError:
 
 	. = 0x2000
 
+/* This is the procedure to calculate the data EA for buggy dcbx,dcbi instructions
+ * by decoding the registers used by the dcbx instruction and adding them.
+ * DAR is set to the calculated address and r10 also holds the EA on exit.
+ */
+#define NO_SELF_MODIFYING_CODE /* define if you don't want to use self modifying code */
+	nop	/* A few nops to make the modified_instr: space below cache line aligned */
+	nop
+139:	/* fetch instruction from userspace memory */
+	DO_8xx_CPU6(0x3780, r3)
+	mtspr	SPRN_MD_EPN, r10
+	mfspr	r11, SPRN_M_TWB	/* Get level 1 table entry address */
+	lwz	r11, 0(r11)	/* Get the level 1 entry */
+	tophys  (r11, r11)
+	DO_8xx_CPU6(0x3b80, r3)
+	mtspr	SPRN_MD_TWC, r11	/* Load pte table base address */
+	mfspr	r11, SPRN_MD_TWC	/* ....and get the pte address */
+	lwz	r11, 0(r11)	/* Get the pte */
+	/* concat physical page address(r11) and page offset(r10) */
+	rlwimi	r11, r10, 0, 20, 31
+	b	140f
+FixupDAR:	/* Entry point for dcbx workaround. */
+	/* fetch instruction from memory. */
+	mfspr	r10, SPRN_SRR0
+	andis.	r11, r10, 0x8000
+	tophys  (r11, r10)
+	beq-	139b		/* Branch if user space address */
+140:	lwz	r11,0(r11)
+/* Check if it really is a dcbx instruction. */
+/* dcbt and dcbtst does not generate DTLB Misses/Errors,
+ * no need to include them here */
+	srwi	r10, r11, 26	/* check if major OP code is 31 */
+	cmpwi	cr0, r10, 31
+	bne-	141f
+	rlwinm	r10, r11, 0, 21, 30
+	cmpwi	cr0, r10, 2028	/* Is dcbz? */
+	beq+	142f
+	cmpwi	cr0, r10, 940	/* Is dcbi? */
+	beq+	142f
+	cmpwi	cr0, r10, 108	/* Is dcbst? */
+	beq+	144f		/* Fix up store bit! */
+	cmpwi	cr0, r10, 172	/* Is dcbf? */
+	beq+	142f
+	cmpwi	cr0, r10, 1964	/* Is icbi? */
+	beq+	142f
+141:	mfspr	r10, SPRN_DAR	/* r10 must hold DAR at exit */
+	b	DARfix		/* Nope, go back to normal TLB processing */
+
+144:	mfspr	r10, SPRN_DSISR
+	rlwinm	r10, r10,0,7,5	/* Clear store bit for buggy dcbst insn */
+	mtspr	SPRN_DSISR, r10
+142:	/* continue, it was a dcbx, dcbi instruction. */
+#ifdef CONFIG_8xx_CPU6
+	lwz	r3, 8(r0)	/* restore r3 from memory */
+#endif
+#ifndef NO_SELF_MODIFYING_CODE
+	andis.	r10,r11,0x1f	/* test if reg RA is r0 */
+	li	r10,modified_instr@l
+	dcbtst	r0,r10		/* touch for store */
+	rlwinm	r11,r11,0,0,20	/* Zero lower 10 bits */
+	oris	r11,r11,640	/* Transform instr. to a "add r10,RA,RB" */
+	ori	r11,r11,532
+	stw	r11,0(r10)	/* store add/and instruction */
+	dcbf	0,r10		/* flush new instr. to memory. */
+	icbi	0,r10		/* invalidate instr. cache line */
+	lwz	r11, 4(r0)	/* restore r11 from memory */
+	mfspr	r10, SPRN_M_TW	/* restore r10 from M_TW */
+	isync			/* Wait until new instr is loaded from memory */
+modified_instr:
+	.space	4		/* this is where the add/and instr. is stored */
+	bne+	143f
+	subf	r10,r0,r10	/* r10=r10-r0, only if reg RA is r0 */
+143:	mtdar	r10		/* store faulting EA in DAR */
+	b	DARFixed	/* Go back to normal TLB handling */
+#else
+	mfctr	r10
+	mtdar	r10			/* save ctr reg in DAR */
+	rlwinm	r10, r11, 24, 24, 28	/* offset into jump table for reg RB */
+	addi	r10, r10, 150f@l	/* add start of table */
+	mtctr	r10			/* load ctr with jump address */
+	xor	r10, r10, r10		/* sum starts at zero */
+	bctr				/* jump into table */
+150:
+	add	r10, r10, r0
+	b	151f
+	add	r10, r10, r1
+	b	151f
+	add	r10, r10, r2
+	b	151f
+	add	r10, r10, r3
+	b	151f
+	add	r10, r10, r4
+	b	151f
+	add	r10, r10, r5
+	b	151f
+	add	r10, r10, r6
+	b	151f
+	add	r10, r10, r7
+	b	151f
+	add	r10, r10, r8
+	b	151f
+	add	r10, r10, r9
+	b	151f
+	add	r10, r10, r10
+	b	151f
+	add	r10, r10, r11
+	b	151f
+	add	r10, r10, r12
+	b	151f
+	add	r10, r10, r13
+	b	151f
+	add	r10, r10, r14
+	b	151f
+	add	r10, r10, r15
+	b	151f
+	add	r10, r10, r16
+	b	151f
+	add	r10, r10, r17
+	b	151f
+	add	r10, r10, r18
+	b	151f
+	add	r10, r10, r19
+	b	151f
+	mtctr	r11	/* r10 needs special handling */
+	b	154f
+	mtctr	r11	/* r11 needs special handling */
+	b	153f
+	add	r10, r10, r22
+	b	151f
+	add	r10, r10, r23
+	b	151f
+	add	r10, r10, r24
+	b	151f
+	add	r10, r10, r25
+	b	151f
+	add	r10, r10, r25
+	b	151f
+	add	r10, r10, r27
+	b	151f
+	add	r10, r10, r28
+	b	151f
+	add	r10, r10, r29
+	b	151f
+	add	r10, r10, r30
+	b	151f
+	add	r10, r10, r31
+151:
+	rlwinm. r11,r11,19,24,28	/* offset into jump table for reg RA */
+	beq	152f			/* if reg RA is zero, don't add it */ 
+	addi	r11, r11, 150b@l	/* add start of table */
+	mtctr	r11			/* load ctr with jump address */
+	rlwinm	r11,r11,0,16,10		/* make sure we don't execute this more than once */
+	bctr				/* jump into table */
+152:
+	mfdar	r11
+	mtctr	r11			/* restore ctr reg from DAR */
+	mtdar	r10			/* save fault EA to DAR */
+	b	DARFixed		/* Go back to normal TLB handling */
+
+	/* special handling for r10,r11 since these are modified already */
+153:	lwz	r11, 4(r0)	/* load r11 from memory */
+	b	155f
+154:	mfspr	r11, SPRN_M_TW	/* load r10 from M_TW */
+155:	add	r10, r10, r11	/* add it */
+	mfctr	r11		/* restore r11 */
+	b	151b
+#endif
+
 	.globl	giveup_fpu
 giveup_fpu:
 	blr
-- 
1.6.4.4

[PATCH 5/8] 8xx: Add missing Guarded setting in DTLB Error.

[Joakim Tjernlund]

only DTLB Miss did set this bit, DTLB Error needs too otherwise
the setting is lost when the page becomes dirty.
---
 arch/powerpc/kernel/head_8xx.S |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 320f333..a1512e9 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -552,9 +552,16 @@ DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR
 	 */
 	ori	r11, r11, 1		/* Set valid bit in physical L2 page */
 	DO_8xx_CPU6(0x3b80, r3)
-	mtspr	SPRN_MD_TWC, r11		/* Load pte table base address */
-	mfspr	r11, SPRN_MD_TWC		/* ....and get the pte address */
-	lwz	r10, 0(r11)		/* Get the pte */
+	mtspr	SPRN_MD_TWC, r11	/* Load pte table base address */
+	mfspr	r10, SPRN_MD_TWC	/* ....and get the pte address */
+	lwz	r10, 0(r10)		/* Get the pte */
+	/* Insert the Guarded flag into the TWC from the Linux PTE.
+	 * It is bit 27 of both the Linux PTE and the TWC
+	 */
+	rlwimi	r11, r10, 0, 27, 27
+	DO_8xx_CPU6(0x3b80, r3)
+	mtspr	SPRN_MD_TWC, r11
+	mfspr	r11, SPRN_MD_TWC	/* get the pte address again */
 
 	ori	r10, r10, _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_HWWRITE
 	stw	r10, 0(r11)		/* and update pte in table */
-- 
1.6.4.4

[PATCH 6/8] 8xx: Restore _PAGE_WRITETHRU

[Joakim Tjernlund]

8xx has not had WRITETHRU due to lack of bits in the pte.
After the recent rewrite of the 8xx TLB code, there are
two bits left. Use one of them to WRITETHRU.

Perhaps use the last SW bit to PAGE_SPECIAL or PAGE_FILE?
---
 arch/powerpc/include/asm/pte-8xx.h |    5 +++--
 arch/powerpc/kernel/head_8xx.S     |    8 ++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/include/asm/pte-8xx.h b/arch/powerpc/include/asm/pte-8xx.h
index f23cd15..9349d83 100644
--- a/arch/powerpc/include/asm/pte-8xx.h
+++ b/arch/powerpc/include/asm/pte-8xx.h
@@ -34,12 +34,13 @@
 #define _PAGE_SHARED	0x0004	/* No ASID (context) compare */
 #define _PAGE_DIRTY	0x0100	/* C: page changed */
 
-/* These 3 software bits must be masked out when the entry is loaded
- * into the TLB, 2 SW bits left.
+/* These 4 software bits must be masked out when the entry is loaded
+ * into the TLB, 1 SW bit left(0x0080).
  */
 #define _PAGE_EXEC	0x0008	/* software: i-cache coherency required */
 #define _PAGE_GUARDED	0x0010	/* software: guarded access */
 #define _PAGE_ACCESSED	0x0020	/* software: page referenced */
+#define _PAGE_WRITETHRU	0x0040	/* software: caching is write through */
 
 /* Setting any bits in the nibble with the follow two controls will
  * require a TLB exception handler change.  It is assumed unused bits
diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index a1512e9..6fadc44 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -422,6 +422,10 @@ DataStoreTLBMiss:
 	 * above.
 	 */
 	rlwimi	r11, r10, 0, 27, 27
+	/* Insert the WriteThru flag into the TWC from the Linux PTE.
+	 * It is bit 25 in the Linux PTE and bit 30 in the TWC
+	 */
+	rlwimi	r11, r10, 32-5, 30, 30
 	DO_8xx_CPU6(0x3b80, r3)
 	mtspr	SPRN_MD_TWC, r11
 
@@ -559,6 +563,10 @@ DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR
 	 * It is bit 27 of both the Linux PTE and the TWC
 	 */
 	rlwimi	r11, r10, 0, 27, 27
+	/* Insert the WriteThru flag into the TWC from the Linux PTE.
+	 * It is bit 25 in the Linux PTE and bit 30 in the TWC
+	 */
+	rlwimi	r11, r10, 32-5, 30, 30
 	DO_8xx_CPU6(0x3b80, r3)
 	mtspr	SPRN_MD_TWC, r11
 	mfspr	r11, SPRN_MD_TWC	/* get the pte address again */
-- 
1.6.4.4

[PATCH 7/8] 8xx: start using dcbX instructions in various copy routines

[Joakim Tjernlund]

Now that 8xx can fixup dcbX instructions, start using them
where possible like every other PowerPc arch do.
---
 arch/powerpc/kernel/misc_32.S |   18 ------------------
 arch/powerpc/lib/copy_32.S    |   24 ------------------------
 2 files changed, 0 insertions(+), 42 deletions(-)

diff --git a/arch/powerpc/kernel/misc_32.S b/arch/powerpc/kernel/misc_32.S
index 15f28e0..b92095e 100644
--- a/arch/powerpc/kernel/misc_32.S
+++ b/arch/powerpc/kernel/misc_32.S
@@ -495,15 +495,7 @@ _GLOBAL(clear_pages)
 	li	r0,PAGE_SIZE/L1_CACHE_BYTES
 	slw	r0,r0,r4
 	mtctr	r0
-#ifdef CONFIG_8xx
-	li	r4, 0
-1:	stw	r4, 0(r3)
-	stw	r4, 4(r3)
-	stw	r4, 8(r3)
-	stw	r4, 12(r3)
-#else
 1:	dcbz	0,r3
-#endif
 	addi	r3,r3,L1_CACHE_BYTES
 	bdnz	1b
 	blr
@@ -528,15 +520,6 @@ _GLOBAL(copy_page)
 	addi	r3,r3,-4
 	addi	r4,r4,-4
 
-#ifdef CONFIG_8xx
-	/* don't use prefetch on 8xx */
-    	li	r0,4096/L1_CACHE_BYTES
-	mtctr	r0
-1:	COPY_16_BYTES
-	bdnz	1b
-	blr
-
-#else	/* not 8xx, we can prefetch */
 	li	r5,4
 
 #if MAX_COPY_PREFETCH > 1
@@ -577,7 +560,6 @@ _GLOBAL(copy_page)
 	li	r0,MAX_COPY_PREFETCH
 	li	r11,4
 	b	2b
-#endif	/* CONFIG_8xx */
 
 /*
  * void atomic_clear_mask(atomic_t mask, atomic_t *addr)
diff --git a/arch/powerpc/lib/copy_32.S b/arch/powerpc/lib/copy_32.S
index c657de5..74a7f41 100644
--- a/arch/powerpc/lib/copy_32.S
+++ b/arch/powerpc/lib/copy_32.S
@@ -98,20 +98,7 @@ _GLOBAL(cacheable_memzero)
 	bdnz	4b
 3:	mtctr	r9
 	li	r7,4
-#if !defined(CONFIG_8xx)
 10:	dcbz	r7,r6
-#else
-10:	stw	r4, 4(r6)
-	stw	r4, 8(r6)
-	stw	r4, 12(r6)
-	stw	r4, 16(r6)
-#if CACHE_LINE_SIZE >= 32
-	stw	r4, 20(r6)
-	stw	r4, 24(r6)
-	stw	r4, 28(r6)
-	stw	r4, 32(r6)
-#endif /* CACHE_LINE_SIZE */
-#endif
 	addi	r6,r6,CACHELINE_BYTES
 	bdnz	10b
 	clrlwi	r5,r8,32-LG_CACHELINE_BYTES
@@ -200,9 +187,7 @@ _GLOBAL(cacheable_memcpy)
 	mtctr	r0
 	beq	63f
 53:
-#if !defined(CONFIG_8xx)
 	dcbz	r11,r6
-#endif
 	COPY_16_BYTES
 #if L1_CACHE_BYTES >= 32
 	COPY_16_BYTES
@@ -356,14 +341,6 @@ _GLOBAL(__copy_tofrom_user)
 	li	r11,4
 	beq	63f
 
-#ifdef CONFIG_8xx
-	/* Don't use prefetch on 8xx */
-	mtctr	r0
-	li	r0,0
-53:	COPY_16_BYTES_WITHEX(0)
-	bdnz	53b
-
-#else /* not CONFIG_8xx */
 	/* Here we decide how far ahead to prefetch the source */
 	li	r3,4
 	cmpwi	r0,1
@@ -416,7 +393,6 @@ _GLOBAL(__copy_tofrom_user)
 	li	r3,4
 	li	r7,0
 	bne	114b
-#endif /* CONFIG_8xx */
 
 63:	srwi.	r0,r5,2
 	mtctr	r0
-- 
1.6.4.4

[PATCH 8/8] 8xx: Remove DIRTY pte handling in DTLB Error.

[Joakim Tjernlund]

There is no need to do set the DIRTY bit directly in DTLB Error.
Trap to do_page_fault() and let the generic MM code do the work.
---
 arch/powerpc/kernel/head_8xx.S |   96 ----------------------------------------
 1 files changed, 0 insertions(+), 96 deletions(-)

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 6fadc44..c60636e 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -500,102 +500,6 @@ DataTLBError:
 	cmpwi	cr0, r10, 0x00f0
 	beq-	FixupDAR	/* must be a buggy dcbX, icbi insn. */
 DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR */
-	mfspr	r11, SPRN_DSISR
-	/* As the DAR fixup may clear store we may have all 3 states zero.
-	 * Make sure only 0x0200(store) falls down into DIRTY handling
-	 */
-	andis.	r11, r11, 0x4a00	/* !translation, protection or store */
-	srwi	r11, r11, 16
-	cmpwi	cr0, r11, 0x0200	/* just store ? */
-	bne	2f
-	/* Only Change bit left now, do it here as it is faster
-	 * than trapping to the C fault handler.
-	*/
-
-	/* The EA of a data TLB miss is automatically stored in the MD_EPN
-	 * register.  The EA of a data TLB error is automatically stored in
-	 * the DAR, but not the MD_EPN register.  We must copy the 20 most
-	 * significant bits of the EA from the DAR to MD_EPN before we
-	 * start walking the page tables.  We also need to copy the CASID
-	 * value from the M_CASID register.
-	 * Addendum:  The EA of a data TLB error is _supposed_ to be stored
-	 * in DAR, but it seems that this doesn't happen in some cases, such
-	 * as when the error is due to a dcbi instruction to a page with a
-	 * TLB that doesn't have the changed bit set.  In such cases, there
-	 * does not appear to be any way  to recover the EA of the error
-	 * since it is neither in DAR nor MD_EPN.  As a workaround, the
-	 * _PAGE_HWWRITE bit is set for all kernel data pages when the PTEs
-	 * are initialized in mapin_ram().  This will avoid the problem,
-	 * assuming we only use the dcbi instruction on kernel addresses.
-	 */
-
-	/* DAR is in r10 already */
-	rlwinm	r11, r10, 0, 0, 19
-	ori	r11, r11, MD_EVALID
-	mfspr	r10, SPRN_M_CASID
-	rlwimi	r11, r10, 0, 28, 31
-	DO_8xx_CPU6(0x3780, r3)
-	mtspr	SPRN_MD_EPN, r11
-
-	mfspr	r10, SPRN_M_TWB	/* Get level 1 table entry address */
-
-	/* If we are faulting a kernel address, we have to use the
-	 * kernel page tables.
-	 */
-	andi.	r11, r10, 0x0800
-	beq	3f
-	lis	r11, swapper_pg_dir@h
-	ori	r11, r11, swapper_pg_dir@l
-	rlwimi	r10, r11, 0, 2, 19
-3:
-	lwz	r11, 0(r10)	/* Get the level 1 entry */
-	rlwinm.	r10, r11,0,0,19	/* Extract page descriptor page address */
-	beq	2f		/* If zero, bail */
-
-	/* We have a pte table, so fetch the pte from the table.
-	 */
-	ori	r11, r11, 1		/* Set valid bit in physical L2 page */
-	DO_8xx_CPU6(0x3b80, r3)
-	mtspr	SPRN_MD_TWC, r11	/* Load pte table base address */
-	mfspr	r10, SPRN_MD_TWC	/* ....and get the pte address */
-	lwz	r10, 0(r10)		/* Get the pte */
-	/* Insert the Guarded flag into the TWC from the Linux PTE.
-	 * It is bit 27 of both the Linux PTE and the TWC
-	 */
-	rlwimi	r11, r10, 0, 27, 27
-	/* Insert the WriteThru flag into the TWC from the Linux PTE.
-	 * It is bit 25 in the Linux PTE and bit 30 in the TWC
-	 */
-	rlwimi	r11, r10, 32-5, 30, 30
-	DO_8xx_CPU6(0x3b80, r3)
-	mtspr	SPRN_MD_TWC, r11
-	mfspr	r11, SPRN_MD_TWC	/* get the pte address again */
-
-	ori	r10, r10, _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_HWWRITE
-	stw	r10, 0(r11)		/* and update pte in table */
-	xori	r10, r10, _PAGE_RW	/* RW bit is inverted */
-
-	/* The Linux PTE won't go exactly into the MMU TLB.
-	 * Software indicator bits 22 and 28 must be clear.
-	 * Software indicator bits 24, 25, 26, and 27 must be
-	 * set.  All other Linux PTE bits control the behavior
-	 * of the MMU.
-	 */
-	li	r11, 0x00f0
-	mtspr	SPRN_DAR,r11	/* Tag DAR */
-	rlwimi	r10, r11, 0, 24, 28	/* Set 24-27, clear 28 */
-	DO_8xx_CPU6(0x3d80, r3)
-	mtspr	SPRN_MD_RPN, r10	/* Update TLB entry */
-
-	mfspr	r10, SPRN_M_TW	/* Restore registers */
-	lwz	r11, 0(r0)
-	mtcr	r11
-	lwz	r11, 4(r0)
-#ifdef CONFIG_8xx_CPU6
-	lwz	r3, 8(r0)
-#endif
-	rfi
-2:
 	mfspr	r10, SPRN_M_TW	/* Restore registers */
 	lwz	r11, 0(r0)
 	mtcr	r11
-- 
1.6.4.4

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Rex Feany]

arch/powerpc/kernel/head_8xx.o: In function `FixupDAR':
/home/rfeany/src/lnxnm/linux-dev/arch/powerpc/kernel/head_8xx.S:576: undefined reference to `DARfix'

With all of your patches applied I have this problem:

open("/proc/mounts", O_RDONLY)          = 3
fstat64(0x3, 0x7fc6ad58)                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3001f000
read(3, 0x3001f000, 1024)               = -1 EFAULT (Bad address)
exit_group(0)                           = ?

but it works fine with /dev/zero:

open("/dev/zero", O_RDONLY)             = 3
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30001000
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024

If I revert "8xx: start using dcbX instructions in various copy
routines" then it works again. I think it is the cache instructions
added to __copy_tofrom_user: reading from /dev/zero is OK (it uses
__clear_user, no dcbX), but copy_to_user() fails.

It seems stable with all but the dcbX patch applied. I haven't been able
to crash it yet, anyway :)

take care!
/rex.

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

Joakim Tjernlund wrote:
> Now updated with Scott's remarks.
> There is still(probably) a trivial conflict in pte-8xx.h
> 
> Joakim Tjernlund (8):
>   8xx: invalidate non present TLBs
>   8xx: Update TLB asm so it behaves as linux mm expects.
>   8xx: Tag DAR with 0x00f0 to catch buggy instructions.
>   8xx: Fixup DAR from buggy dcbX instructions.
>   8xx: Add missing Guarded setting in DTLB Error.
>   8xx: Restore _PAGE_WRITETHRU
>   8xx: start using dcbX instructions in various copy routines
>   8xx: Remove DIRTY pte handling in DTLB Error.
> 
>  arch/powerpc/include/asm/pte-8xx.h |   14 +-
>  arch/powerpc/kernel/head_8xx.S     |  341 +++++++++++++++++++++++------------
>  arch/powerpc/kernel/misc_32.S      |   18 --
>  arch/powerpc/lib/copy_32.S         |   24 ---
>  arch/powerpc/mm/fault.c            |    8 +-
>  5 files changed, 238 insertions(+), 167 deletions(-)

I still see the lockup with the dcbX patch.  Reverting that (and with 
Rex's patch) things look OK.

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Rex Feany <RFeany@mrv.com> wrote on 15/10/2009 18:56:50:
>
> arch/powerpc/kernel/head_8xx.o: In function `FixupDAR':
> /home/rfeany/src/lnxnm/linux-dev/arch/powerpc/kernel/head_8xx.S:576: undefined
> reference to `DARfix'
>
> With all of your patches applied I have this problem:
>
> open("/proc/mounts", O_RDONLY)          = 3
> fstat64(0x3, 0x7fc6ad58)                = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3001f000
> read(3, 0x3001f000, 1024)               = -1 EFAULT (Bad address)
> exit_group(0)                           = ?
>
> but it works fine with /dev/zero:
>
> open("/dev/zero", O_RDONLY)             = 3
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30001000
> read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
> \0"..., 1024) = 1024
>
> If I revert "8xx: start using dcbX instructions in various copy
> routines" then it works again. I think it is the cache instructions
> added to __copy_tofrom_user: reading from /dev/zero is OK (it uses
> __clear_user, no dcbX), but copy_to_user() fails.

Yes, only copy_tofrom_user will actually case a TLBError with
the dcbX insn.

>
> It seems stable with all but the dcbX patch applied. I haven't been able
> to crash it yet, anyway :)

Right, it is the pte table walk that is blowing up.
I just noted that 2.6 lacks a tophys() call in its table walk
so I removed that one(there is one more tophys call but I don't think
it should be removed).
Try this addon patch:

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 3df4a17..0e91da4 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -540,7 +540,6 @@ DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR
      mtspr SPRN_MD_EPN, r10
      mfspr r11, SPRN_M_TWB	/* Get level 1 table entry address */
      lwz   r11, 0(r11)	/* Get the level 1 entry */
-     tophys  (r11, r11)
      DO_8xx_CPU6(0x3b80, r3)
      mtspr SPRN_MD_TWC, r11	/* Load pte table base address */
      mfspr r11, SPRN_MD_TWC	/* ....and get the pte address */

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Rex Feany]

Thus spake Joakim Tjernlund (joakim.tjernlund@transmode.se):

> Right, it is the pte table walk that is blowing up.
> I just noted that 2.6 lacks a tophys() call in its table walk
> so I removed that one(there is one more tophys call but I don't think
> it should be removed).
> Try this addon patch:

no difference

take care!
/rex.

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Rex Feany <RFeany@mrv.com> wrote on 16/10/2009 22:25:41:
>
> Thus spake Joakim Tjernlund (joakim.tjernlund@transmode.se):
>
> > Right, it is the pte table walk that is blowing up.
> > I just noted that 2.6 lacks a tophys() call in its table walk
> > so I removed that one(there is one more tophys call but I don't think
> > it should be removed).
> > Try this addon patch:
>
> no difference

OK, thinking a bit more, this part should not be executed as
copy_tofrom_user executes in kernel space.

Any chance you can stick a HW breakpoint on FixupDAR?
Perhaps there is something different with kernel
virtual address to phys address?
A simple topys() works in 2.4, but perhaps not in 2.6?
this is the part of interest:
FixupDAR:	/* Entry point for dcbx workaround. */
      /* fetch instruction from memory. */
      mfspr r10, SPRN_SRR0
      andis.      r11, r10, 0x8000
      tophys  (r11, r10)
      beq-  139b		/* Branch if user space address */
140:  lwz   r11,0(r11)

If not kernel dcbX works, you could see if user space does.
Here is a start:

#include <errno.h>
#include <sys/mman.h>
#include <stdio.h>

dcbz(void const *ptr)
{
      __asm__ ("dcbz 0, %0" : : "r" (ptr) : "memory");
}

dcbf(void const *ptr)
{
      __asm__ ("dcbf 0, %0" : : "r" (ptr) : "memory");
}

dcbi(void const *ptr)
{
      __asm__ ("dcbi 0, %0" : : "r" (ptr) : "memory");
}

dcbst(void const *ptr)
{
      __asm__ ("dcbst 0, %0" : : "r" (ptr) : "memory");
}

icbi(void const *ptr)
{
      __asm__ ("icbi 0, %0" : : "r" (ptr) : "memory");
}

dcbt(void const *ptr) /* no TLB Miss */
{
      __asm__ ("dcbt 0, %0" : : "r" (ptr) : "memory");
}

dcbtst(void const *ptr) /* no TLB Miss */
{
      __asm__ ("dcbtst 0, %0" : : "r" (ptr) : "memory");
}

static const unsigned long const a[16*4094] ;
main()
{
      volatile unsigned long b, *ptr = &a[10*4096], *mptr;
      b = *ptr;

      mptr = mmap(NULL, 16*4094, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
      if (mptr == MAP_FAILED)
            printf("mmap failed:%s\n", strerror(errno));

      ptr = mptr;
#if 0
      dcbst(&a[2*4096]);
      b = *ptr;
      dcbf(&a[6*4096]);
      b = *ptr;
      dcbz(&a[4*4096]);
      b = *ptr;
      dcbst(&a[8*4096]);
      dcbst(&a[8*4096]);
#endif
      *ptr = 17;
      printf("dcbst(ptr)\n"); fflush(stdout);
      dcbst(ptr);
      *(ptr+3+1024) = 18;

      printf("dcbst(ptr+3*1024)\n"); fflush(stdout);
      dcbst(ptr+3*1024);

      printf("dcbt(ptr+5*1024)\n"); fflush(stdout);
      dcbt(ptr+5*1024);

      printf("dcbz(ptr+2*1024)\n"); fflush(stdout);
      dcbf(&a[6*4096]);

      printf("dcbz(&a[4*4096])\n"); fflush(stdout);
      dcbz(&a[4*4096]); fflush(stdout);

      printf("dcbf(&a[6*4096])\n"); fflush(stdout);
      dcbf(&a[6*4096]);

      //dcbz(ptr+2*1024);
      //dcbi(&a[6*4096]);
      //icbi(&a[8*4096]);
}

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Joakim Tjernlund/Transmode wrote on 17/10/2009 13:24:18:
>
> Rex Feany <RFeany@mrv.com> wrote on 16/10/2009 22:25:41:
> >
> > Thus spake Joakim Tjernlund (joakim.tjernlund@transmode.se):
> >
> > > Right, it is the pte table walk that is blowing up.
> > > I just noted that 2.6 lacks a tophys() call in its table walk
> > > so I removed that one(there is one more tophys call but I don't think
> > > it should be removed).
> > > Try this addon patch:
> >
> > no difference

> OK, thinking a bit more, this part should not be executed as
> copy_tofrom_user executes in kernel space.
>
> Any chance you can stick a HW breakpoint on FixupDAR?
> Perhaps there is something different with kernel
> virtual address to phys address?
> A simple topys() works in 2.4, but perhaps not in 2.6?
> this is the part of interest:
> FixupDAR: /* Entry point for dcbx workaround. */
>  /* fetch instruction from memory. */
>  mfspr r10, SPRN_SRR0
>  andis. r11, r10, 0x8000
>  tophys  (r11, r10)
>  beq- 139b  /* Branch if user space address */
> 140: lwz r11,0(r11)

Probably better to walk the kernel page table too. Does this
make a difference(needs the tophys() patch I posted earlier):


>From 862dda30c3d3d3bedcc605e8520626408a26891c Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Date: Sat, 17 Oct 2009 13:54:03 +0200
Subject: [PATCH] 8xx: Walk the page table for kernel addresses too.

---
 arch/powerpc/kernel/head_8xx.S |   25 ++++++++++++-------------
 1 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 0e91da4..edc9e9b 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -532,28 +532,27 @@ DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR
  * by decoding the registers used by the dcbx instruction and adding them.
  * DAR is set to the calculated address and r10 also holds the EA on exit.
  */
-#define NO_SELF_MODIFYING_CODE /* define if you don't want to use self modifying code */
-     nop	/* A few nops to make the modified_instr: space below cache line aligned */
-     nop
-139:	/* fetch instruction from userspace memory */
+ /* define if you don't want to use self modifying code */
+#define NO_SELF_MODIFYING_CODE
+FixupDAR:/* Entry point for dcbx workaround. */
+	/* fetch instruction from memory. */
+     mfspr r10, SPRN_SRR0
      DO_8xx_CPU6(0x3780, r3)
      mtspr SPRN_MD_EPN, r10
      mfspr r11, SPRN_M_TWB	/* Get level 1 table entry address */
-     lwz   r11, 0(r11)	/* Get the level 1 entry */
+     cmplwi      cr0, r11, 0x0800
+     blt-  3f		/* Branch if user space */
+     lis   r11, swapper_pg_dir@h
+     ori   r11, r11, swapper_pg_dir@l
+     rlwimi      r11, r11, 0, 2, 19
+3:   lwz   r11, 0(r11)	/* Get the level 1 entry */
      DO_8xx_CPU6(0x3b80, r3)
      mtspr SPRN_MD_TWC, r11	/* Load pte table base address */
      mfspr r11, SPRN_MD_TWC	/* ....and get the pte address */
      lwz   r11, 0(r11)	/* Get the pte */
      /* concat physical page address(r11) and page offset(r10) */
      rlwimi      r11, r10, 0, 20, 31
-     b     140f
-FixupDAR:	/* Entry point for dcbx workaround. */
-	/* fetch instruction from memory. */
-     mfspr r10, SPRN_SRR0
-     andis.      r11, r10, 0x8000
-     tophys  (r11, r10)
-     beq-  139b		/* Branch if user space address */
-140: lwz   r11,0(r11)
+     lwz   r11,0(r11)
 /* Check if it really is a dcbx instruction. */
 /* dcbt and dcbtst does not generate DTLB Misses/Errors,
  * no need to include them here */
--
1.6.4.4

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Benjamin Herrenschmidt]

> Probably better to walk the kernel page table too. Does this
> make a difference(needs the tophys() patch I posted earlier):

This whole thing would be a -lot- easier to do from C code. Why ? Simply
because you could just use get_user() to load the instruction rather
than doing this page table walking in asm, which is simpler, faster, and
more fool proof (ok, you do pay the price of a kernel entry/exit
instead, but I still believe that code simplicity and maintainability
wins here).

Ben.

> >From 862dda30c3d3d3bedcc605e8520626408a26891c Mon Sep 17 00:00:00 2001
> From: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
> Date: Sat, 17 Oct 2009 13:54:03 +0200
> Subject: [PATCH] 8xx: Walk the page table for kernel addresses too.
> 
> ---
>  arch/powerpc/kernel/head_8xx.S |   25 ++++++++++++-------------
>  1 files changed, 12 insertions(+), 13 deletions(-)
> 
> diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
> index 0e91da4..edc9e9b 100644
> --- a/arch/powerpc/kernel/head_8xx.S
> +++ b/arch/powerpc/kernel/head_8xx.S
> @@ -532,28 +532,27 @@ DARFixed:/* Return from dcbx instruction bug workaround, r10 holds value of DAR
>   * by decoding the registers used by the dcbx instruction and adding them.
>   * DAR is set to the calculated address and r10 also holds the EA on exit.
>   */
> -#define NO_SELF_MODIFYING_CODE /* define if you don't want to use self modifying code */
> -     nop	/* A few nops to make the modified_instr: space below cache line aligned */
> -     nop
> -139:	/* fetch instruction from userspace memory */
> + /* define if you don't want to use self modifying code */
> +#define NO_SELF_MODIFYING_CODE
> +FixupDAR:/* Entry point for dcbx workaround. */
> +	/* fetch instruction from memory. */
> +     mfspr r10, SPRN_SRR0
>       DO_8xx_CPU6(0x3780, r3)
>       mtspr SPRN_MD_EPN, r10
>       mfspr r11, SPRN_M_TWB	/* Get level 1 table entry address */
> -     lwz   r11, 0(r11)	/* Get the level 1 entry */
> +     cmplwi      cr0, r11, 0x0800
> +     blt-  3f		/* Branch if user space */
> +     lis   r11, swapper_pg_dir@h
> +     ori   r11, r11, swapper_pg_dir@l
> +     rlwimi      r11, r11, 0, 2, 19
> +3:   lwz   r11, 0(r11)	/* Get the level 1 entry */
>       DO_8xx_CPU6(0x3b80, r3)
>       mtspr SPRN_MD_TWC, r11	/* Load pte table base address */
>       mfspr r11, SPRN_MD_TWC	/* ....and get the pte address */
>       lwz   r11, 0(r11)	/* Get the pte */
>       /* concat physical page address(r11) and page offset(r10) */
>       rlwimi      r11, r10, 0, 20, 31
> -     b     140f
> -FixupDAR:	/* Entry point for dcbx workaround. */
> -	/* fetch instruction from memory. */
> -     mfspr r10, SPRN_SRR0
> -     andis.      r11, r10, 0x8000
> -     tophys  (r11, r10)
> -     beq-  139b		/* Branch if user space address */
> -140: lwz   r11,0(r11)
> +     lwz   r11,0(r11)
>  /* Check if it really is a dcbx instruction. */
>  /* dcbt and dcbtst does not generate DTLB Misses/Errors,
>   * no need to include them here */
> --
> 1.6.4.4

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Dan Malek]

On Oct 26, 2009, at 3:47 PM, Benjamin Herrenschmidt wrote:

> This whole thing would be a -lot- easier to do from C code. Why ?  
> Simply
> because you could just use get_user() to load the instruction rather
> than doing this page table walking in asm,

Just be careful the get_user() doesn't regenerate the same
translation error you are trying to fix by being here......
It is nice doing things in C code, but you have to be aware
of the environment and the side effects when in this kind
of exception state.

Thanks.

	-- Dan

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Benjamin Herrenschmidt]

On Mon, 2009-10-26 at 16:26 -0700, Dan Malek wrote:
> Just be careful the get_user() doesn't regenerate the same
> translation error you are trying to fix by being here......

It shouldn't since it will always come up with a proper DAR but
you may want to double check before hand that your instruction
address you are loading from is -not- your marker value for bad DAR.

> It is nice doing things in C code, but you have to be aware
> of the environment and the side effects when in this kind 

Yup.

Cheers,
Ben.

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Benjamin Herrenschmidt <benh@kernel.crashing.org> wrote on 27/10/2009 01:00:53:
>
> On Mon, 2009-10-26 at 16:26 -0700, Dan Malek wrote:
> > Just be careful the get_user() doesn't regenerate the same
> > translation error you are trying to fix by being here......

yes, I had some problems with this initially but managed to work around that.
I noticed another problem though, I got multiple TLB errors for the same
address when I did it in C. Noticed by just printk:ing every hit
for a dcbX insn in do_page_fault. I can't explain it, but it seems
like when moving to C you have to execute a rfi insn and that might somehow
restart the dcbX insn before moving on to the page fault routine(or something
totally different)

>
> It shouldn't since it will always come up with a proper DAR but
> you may want to double check before hand that your instruction
> address you are loading from is -not- your marker value for bad DAR.

hmm, I check that the insn really is a dcbX insn, but not that the address is
!= 0x00f0. Don't see how it could be as if something is wrong with
the insn address you get ITLB error instead of a DTLB error.

Anyhow, things seems stalled as I haven't heard from Scott or Rex for a while.
If this isn't working now, I really don't know what is wrong and need
some debugging help.

>
> > It is nice doing things in C code, but you have to be aware
> > of the environment and the side effects when in this kind
>
> Yup.
>
> Cheers,
> Ben.
>
>
>

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

On Tue, Oct 27, 2009 at 10:16:17AM +0100, Joakim Tjernlund wrote:
> Benjamin Herrenschmidt <benh@kernel.crashing.org> wrote on 27/10/2009 01:00:53:
> >
> > On Mon, 2009-10-26 at 16:26 -0700, Dan Malek wrote:
> > > Just be careful the get_user() doesn't regenerate the same
> > > translation error you are trying to fix by being here......
> 
> yes, I had some problems with this initially but managed to work around
> that. I noticed another problem though, I got multiple TLB errors for the
> same address when I did it in C. Noticed by just printk:ing every hit for
> a dcbX insn in do_page_fault. I can't explain it, but it seems like when
> moving to C you have to execute a rfi insn and that might somehow restart
> the dcbX insn before moving on to the page fault routine(or something
> totally different)

The rfi should be to other kernel code -- there is no way that it should be
restarting the dcbX (other than when trying to turn a TLB miss into a TLB
error).  Can you post the C version, maybe we can see what's going wrong? 
Is the empty TLB entry from the miss getting invalidated in the dcbX fixup
case?

> > It shouldn't since it will always come up with a proper DAR but
> > you may want to double check before hand that your instruction
> > address you are loading from is -not- your marker value for bad DAR.
> 
> hmm, I check that the insn really is a dcbX insn, but not that the address is
> != 0x00f0. Don't see how it could be as if something is wrong with
> the insn address you get ITLB error instead of a DTLB error.

I'm guessing he meant the data address you're loading.

> Anyhow, things seems stalled as I haven't heard from Scott or Rex for a
> while. If this isn't working now, I really don't know what is wrong and
> need some debugging help.

I'll test the latest version, but I have some scheduling latency. :-)

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 27/10/2009 16:58:41:
>
> On Tue, Oct 27, 2009 at 10:16:17AM +0100, Joakim Tjernlund wrote:
> > Benjamin Herrenschmidt <benh@kernel.crashing.org> wrote on 27/10/2009 01:00:53:
> > >
> > > On Mon, 2009-10-26 at 16:26 -0700, Dan Malek wrote:
> > > > Just be careful the get_user() doesn't regenerate the same
> > > > translation error you are trying to fix by being here......
> >
> > yes, I had some problems with this initially but managed to work around
> > that. I noticed another problem though, I got multiple TLB errors for the
> > same address when I did it in C. Noticed by just printk:ing every hit for
> > a dcbX insn in do_page_fault. I can't explain it, but it seems like when
> > moving to C you have to execute a rfi insn and that might somehow restart
> > the dcbX insn before moving on to the page fault routine(or something
> > totally different)
>
> The rfi should be to other kernel code -- there is no way that it should be
> restarting the dcbX (other than when trying to turn a TLB miss into a TLB
> error).  Can you post the C version, maybe we can see what's going wrong?

I don't have it for 2.6 and I never did cleanup up my 2.4 version.
Your best bet is to look at one of the earlier patches such
as:
  Add some debug code to do_page_fault
and fix the remaining bits.

> Is the empty TLB entry from the miss getting invalidated in the dcbX fixup
> case?

Yes, in all cases it was invalidated.

>
> > > It shouldn't since it will always come up with a proper DAR but
> > > you may want to double check before hand that your instruction
> > > address you are loading from is -not- your marker value for bad DAR.
> >
> > hmm, I check that the insn really is a dcbX insn, but not that the address is
> > != 0x00f0. Don't see how it could be as if something is wrong with
> > the insn address you get ITLB error instead of a DTLB error.
>
> I'm guessing he meant the data address you're loading.

Hopefully and I am already looking at the OP code to make sure it is
a dcbX insn.

>
> > Anyhow, things seems stalled as I haven't heard from Scott or Rex for a
> > while. If this isn't working now, I really don't know what is wrong and
> > need some debugging help.
>
> I'll test the latest version, but I have some scheduling latency. :-)

Get yourself a new scheduler :)

   Jocke

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> Joakim Tjernlund/Transmode wrote on 17/10/2009 13:24:18:
> >
> > Rex Feany <RFeany@mrv.com> wrote on 16/10/2009 22:25:41:
> > >
> > > Thus spake Joakim Tjernlund (joakim.tjernlund@transmode.se):
> > >
> > > > Right, it is the pte table walk that is blowing up.
> > > > I just noted that 2.6 lacks a tophys() call in its table walk
> > > > so I removed that one(there is one more tophys call but I don't think
> > > > it should be removed).
> > > > Try this addon patch:
> > >
> > > no difference
> 
> > OK, thinking a bit more, this part should not be executed as
> > copy_tofrom_user executes in kernel space.
> >
> > Any chance you can stick a HW breakpoint on FixupDAR?
> > Perhaps there is something different with kernel
> > virtual address to phys address?
> > A simple topys() works in 2.4, but perhaps not in 2.6?
> > this is the part of interest:
> > FixupDAR: /* Entry point for dcbx workaround. */
> >  /* fetch instruction from memory. */
> >  mfspr r10, SPRN_SRR0
> >  andis. r11, r10, 0x8000
> >  tophys  (r11, r10)
> >  beq- 139b  /* Branch if user space address */
> > 140: lwz r11,0(r11)
> 
> Probably better to walk the kernel page table too. Does this
> make a difference(needs the tophys() patch I posted earlier):

After applying by hand (whitespace damage), I get this and a bunch more:

VFS: Mounted root (nfs filesystem) readonly on device 0:12.                     
Freeing unused kernel memory: 96k init                                          
INIT: version 2.85 booting                                                      
Mounting /proc and /sys                                                         
Oops: Machine check, sig: 7 [#1]                                                
Embedded Planet EP88xC                                                          
NIP: 00002020 LR: c0089c58 CTR: 00000038                                        
REGS: c38d7de0 TRAP: 0200   Not tainted  (2.6.32-rc4-00971-g2edbf13-dirty)      
MSR: 00001000 <ME>  CR: 44002428  XER: 00000000                                 
TASK = c383b7a0[173] 'udev' THREAD: c38d6000                                    
GPR00: 00000001 c38d7e90 c383b7a0 00000014 c380bffc 0000000c 3001fffc 00000001  
GPR08: 00000038 0000039b c001137c c021c000 00000000 100c7368 c01f59f4 c01f59d0  
GPR16: c0240000 100982dc 100c0aac 10095ccc 00000047 c38a5868 c38d7f20 00000000  
GPR24: c38dd880 00000400 30020000 00000000 c38d7ea0 00000000 0000039c c38a5840  
NIP [00002020] 0x2020                                                           
LR [c0089c58] seq_read+0x488/0x558                                              
Call Trace:                                                                     
[c38d7e90] [c0089a74] seq_read+0x2a4/0x558 (unreliable)                         
[c38d7ee0] [c00ac264] proc_reg_read+0x4c/0x70                                   
[c38d7ef0] [c006f7f4] vfs_read+0xb4/0x158                                       
[c38d7f10] [c006fb04] sys_read+0x4c/0x90                                        
[c38d7f40] [c000dfb8] ret_from_syscall+0x0/0x38                                 
Instruction dump:                                                               
00000000 XXXXXXXX XXXXXXXX XXXXXXXX 7d5a02a6 XXXXXXXX XXXXXXXX XXXXXXXX         
41800010 XXXXXXXX XXXXXXXX XXXXXXXX 816b0000 XXXXXXXX XXXXXXXX XXXXXXXX         
---[ end trace fab819d28e265675 ]---                                            
/etc/rc.d/rcS: line 24:   173 Bus error               /etc/rc.d/init.d/$i $mode 

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 30/10/2009 01:12:28:
>
> On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> > Joakim Tjernlund/Transmode wrote on 17/10/2009 13:24:18:
> > >
> > > Rex Feany <RFeany@mrv.com> wrote on 16/10/2009 22:25:41:
> > > >
> > > > Thus spake Joakim Tjernlund (joakim.tjernlund@transmode.se):
> > > >
> > > > > Right, it is the pte table walk that is blowing up.
> > > > > I just noted that 2.6 lacks a tophys() call in its table walk
> > > > > so I removed that one(there is one more tophys call but I don't think
> > > > > it should be removed).
> > > > > Try this addon patch:
> > > >
> > > > no difference
> >
> > > OK, thinking a bit more, this part should not be executed as
> > > copy_tofrom_user executes in kernel space.
> > >
> > > Any chance you can stick a HW breakpoint on FixupDAR?
> > > Perhaps there is something different with kernel
> > > virtual address to phys address?
> > > A simple topys() works in 2.4, but perhaps not in 2.6?
> > > this is the part of interest:
> > > FixupDAR: /* Entry point for dcbx workaround. */
> > >  /* fetch instruction from memory. */
> > >  mfspr r10, SPRN_SRR0
> > >  andis. r11, r10, 0x8000
> > >  tophys  (r11, r10)
> > >  beq- 139b  /* Branch if user space address */
> > > 140: lwz r11,0(r11)
> >
> > Probably better to walk the kernel page table too. Does this
> > make a difference(needs the tophys() patch I posted earlier):
>
> After applying by hand (whitespace damage), I get this and a bunch more:

OK, please send your diff to head_8xx.S. Maybe I can spot an
error, otherwise you will have to set a hw BP on fixDAR and step
through it.

 Jocke

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> +     mfspr r10, SPRN_SRR0
>       DO_8xx_CPU6(0x3780, r3)
>       mtspr SPRN_MD_EPN, r10
>       mfspr r11, SPRN_M_TWB	/* Get level 1 table entry address */
> -     lwz   r11, 0(r11)	/* Get the level 1 entry */
> +     cmplwi      cr0, r11, 0x0800
> +     blt-  3f		/* Branch if user space */
> +     lis   r11, swapper_pg_dir@h
> +     ori   r11, r11, swapper_pg_dir@l
> +     rlwimi      r11, r11, 0, 2, 19

That rlwimi is a no-op -- I think you meant to use a different register
here?

> +3:   lwz   r11, 0(r11)	/* Get the level 1 entry */
>       DO_8xx_CPU6(0x3b80, r3)
>       mtspr SPRN_MD_TWC, r11	/* Load pte table base address */
>       mfspr r11, SPRN_MD_TWC	/* ....and get the pte address */
>       lwz   r11, 0(r11)	/* Get the pte */
>       /* concat physical page address(r11) and page offset(r10) */
>       rlwimi      r11, r10, 0, 20, 31

But r10 here contains SRR0 from above, and this is a data TLB error.

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

On Fri, Oct 30, 2009 at 12:16:07PM -0500, Scott Wood wrote:
> On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> > +     mfspr r10, SPRN_SRR0
> >       DO_8xx_CPU6(0x3780, r3)
> >       mtspr SPRN_MD_EPN, r10
> >       mfspr r11, SPRN_M_TWB	/* Get level 1 table entry address */
> > -     lwz   r11, 0(r11)	/* Get the level 1 entry */
> > +     cmplwi      cr0, r11, 0x0800
> > +     blt-  3f		/* Branch if user space */
> > +     lis   r11, swapper_pg_dir@h
> > +     ori   r11, r11, swapper_pg_dir@l
> > +     rlwimi      r11, r11, 0, 2, 19
> 
> That rlwimi is a no-op -- I think you meant to use a different register
> here?
> 
> > +3:   lwz   r11, 0(r11)	/* Get the level 1 entry */
> >       DO_8xx_CPU6(0x3b80, r3)
> >       mtspr SPRN_MD_TWC, r11	/* Load pte table base address */
> >       mfspr r11, SPRN_MD_TWC	/* ....and get the pte address */
> >       lwz   r11, 0(r11)	/* Get the pte */
> >       /* concat physical page address(r11) and page offset(r10) */
> >       rlwimi      r11, r10, 0, 20, 31
> 
> But r10 here contains SRR0 from above, and this is a data TLB error.

Never mind that last one, forgot that you'd be wanting to load the
instruction. :-P

But the rlwimi is what's causing the machine checks.  I replaced it with:
rlwinm	r11, r11, 0, 0x3ffff000
rlwimi	r11, r10, 22, 0xffc

and things seem to work.  You could probably replace the rlwinm by
subtracting PAGE_OFFSET from swapper_pg_dir instead.

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 30/10/2009 18:37:49:
>
> On Fri, Oct 30, 2009 at 12:16:07PM -0500, Scott Wood wrote:
> > On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> > > +     mfspr r10, SPRN_SRR0
> > >       DO_8xx_CPU6(0x3780, r3)
> > >       mtspr SPRN_MD_EPN, r10
> > >       mfspr r11, SPRN_M_TWB   /* Get level 1 table entry address */
> > > -     lwz   r11, 0(r11)   /* Get the level 1 entry */
> > > +     cmplwi      cr0, r11, 0x0800
> > > +     blt-  3f      /* Branch if user space */
> > > +     lis   r11, swapper_pg_dir@h
> > > +     ori   r11, r11, swapper_pg_dir@l
> > > +     rlwimi      r11, r11, 0, 2, 19
> >
> > That rlwimi is a no-op -- I think you meant to use a different register
> > here?
> >
> > > +3:   lwz   r11, 0(r11)   /* Get the level 1 entry */
> > >       DO_8xx_CPU6(0x3b80, r3)
> > >       mtspr SPRN_MD_TWC, r11   /* Load pte table base address */
> > >       mfspr r11, SPRN_MD_TWC   /* ....and get the pte address */
> > >       lwz   r11, 0(r11)   /* Get the pte */
> > >       /* concat physical page address(r11) and page offset(r10) */
> > >       rlwimi      r11, r10, 0, 20, 31
> >
> > But r10 here contains SRR0 from above, and this is a data TLB error.
>
> Never mind that last one, forgot that you'd be wanting to load the
> instruction. :-P
>
> But the rlwimi is what's causing the machine checks.  I replaced it with:

Yes, I see now that it is wrong.

> rlwinm   r11, r11, 0, 0x3ffff000
> rlwimi   r11, r10, 22, 0xffc
>
> and things seem to work.  You could probably replace the rlwinm by
> subtracting PAGE_OFFSET from swapper_pg_dir instead.

Would you mind produce a proper path on top of my series? I am blind
here so I can only guess what will work or not.
Then Rex can give it some beating and we can push this to Ben

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 30/10/2009 18:37:49:
>
> On Fri, Oct 30, 2009 at 12:16:07PM -0500, Scott Wood wrote:
> > On Sat, Oct 17, 2009 at 02:01:38PM +0200, Joakim Tjernlund wrote:
> > > +     mfspr r10, SPRN_SRR0
> > >       DO_8xx_CPU6(0x3780, r3)
> > >       mtspr SPRN_MD_EPN, r10
> > >       mfspr r11, SPRN_M_TWB   /* Get level 1 table entry address */
> > > -     lwz   r11, 0(r11)   /* Get the level 1 entry */
> > > +     cmplwi      cr0, r11, 0x0800
> > > +     blt-  3f      /* Branch if user space */
> > > +     lis   r11, swapper_pg_dir@h
> > > +     ori   r11, r11, swapper_pg_dir@l
> > > +     rlwimi      r11, r11, 0, 2, 19
> >
> > That rlwimi is a no-op -- I think you meant to use a different register
> > here?
> >
> > > +3:   lwz   r11, 0(r11)   /* Get the level 1 entry */
> > >       DO_8xx_CPU6(0x3b80, r3)
> > >       mtspr SPRN_MD_TWC, r11   /* Load pte table base address */
> > >       mfspr r11, SPRN_MD_TWC   /* ....and get the pte address */
> > >       lwz   r11, 0(r11)   /* Get the pte */
> > >       /* concat physical page address(r11) and page offset(r10) */
> > >       rlwimi      r11, r10, 0, 20, 31
> >
> > But r10 here contains SRR0 from above, and this is a data TLB error.
>
> Never mind that last one, forgot that you'd be wanting to load the
> instruction. :-P
>
> But the rlwimi is what's causing the machine checks.  I replaced it with:
> rlwinm   r11, r11, 0, 0x3ffff000
> rlwimi   r11, r10, 22, 0xffc
>
> and things seem to work.  You could probably replace the rlwinm by
> subtracting PAGE_OFFSET from swapper_pg_dir instead.

Just guessing here, do you mean:
	lis	r11, (swapper_pg_dir-PAGE_OFFSET)@h
	ori	r11, r11, (swapper_pg_dir-PAGE_OFFSET)@l
	rlwimi	r11, r10, 22, 0xffc
or
	lis	r11, swapper_pg_dir@h
	ori	r11, r11, swapper_pg_dir@l
	subis	r11, r11 PAGE_OFFSET
	rlwimi	r11, r10, 22, 0xffc

 Jocke

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Scott Wood]

Joakim Tjernlund wrote:
>> and things seem to work.  You could probably replace the rlwinm by
>> subtracting PAGE_OFFSET from swapper_pg_dir instead.
> 
> Just guessing here, do you mean:
> 	lis	r11, (swapper_pg_dir-PAGE_OFFSET)@h
> 	ori	r11, r11, (swapper_pg_dir-PAGE_OFFSET)@l
> 	rlwimi	r11, r10, 22, 0xffc
> or
> 	lis	r11, swapper_pg_dir@h
> 	ori	r11, r11, swapper_pg_dir@l
> 	subis	r11, r11 PAGE_OFFSET
> 	rlwimi	r11, r10, 22, 0xffc

The former.

-Scott

Re: [PATCH 0/8] Fix 8xx MMU/TLB

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 03/11/2009 17:59:30:
>
> Joakim Tjernlund wrote:
> >> and things seem to work.  You could probably replace the rlwinm by
> >> subtracting PAGE_OFFSET from swapper_pg_dir instead.
> >
> > Just guessing here, do you mean:
> >    lis   r11, (swapper_pg_dir-PAGE_OFFSET)@h
> >    ori   r11, r11, (swapper_pg_dir-PAGE_OFFSET)@l
> >    rlwimi   r11, r10, 22, 0xffc
> > or
> >    lis   r11, swapper_pg_dir@h
> >    ori   r11, r11, swapper_pg_dir@l
> >    subis   r11, r11 PAGE_OFFSET
> >    rlwimi   r11, r10, 22, 0xffc
>
> The former.

OK, I will regenerate the patch series with the
 lis   r11, (swapper_pg_dir-PAGE_OFFSET)@h
 ori   r11, r11, (swapper_pg_dir-PAGE_OFFSET)@l
 rlwimi   r11, r10, 22, 0xffc
fix.
Have you already confirmed that this works too?

 Jocke

Re: [PATCH 0/8] Fix 8xx MMU/TLB.

[Joakim Tjernlund]

Scott Wood <scottwood@freescale.com> wrote on 14/10/2009 19:23:51:
>
> On Sun, Oct 11, 2009 at 06:35:04PM +0200, Joakim Tjernlund wrote:
> > This is the latest batch of mu 8xx MMU/TLB rework.
> > I think this is complete now and will relax with
> > other work the next few days. I hope I can get some
> > testing from Scott and Rex during this time.
>
> I applied this stack plus "Remove DIRTY pte handling in DTLB Error" (fixing
> up conflicts again, as well as the noted build errors), and got this:

Sorry about the build problems, will fixup.

Don't know what is causing the error though, works just fine on 2.4 :(

Assuming you fixup this error:
 arch/powerpc/kernel/head_8xx.S:577: undefined reference to `DARfix'
with a "b DARFix" I can only guess and I don't have a good guess even :(

You could back out
8xx: start using dcbX instructions in various copy routines
to see if it is the dcbX insn that is causing the error.


>
> INIT: version 2.85 booting
> Mounting /proc and /sys
> Starting the hotplug events dispatcher udevd
> udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:4
> udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:10
> udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:14
> Synthesizing initial hotplug events
> /etc/rc.d/init.d/udev: line 41:   187 Segmentation fault      udevsettle --timeout=300

This looks like the first error?

> Setting the hostname to 8xx
> Running depmod
> WARNING: Couldn't open directory /lib/modules/2.6.31-08384-g2cb4b47-dirty: No
> such file or directory
> FATAL: Could not open /lib/modules/2.6.31-08384-g2cb4b47-dirty/
> modules.dep.tempfor writing: No such file or directory
> Mounting filesystems
> BUG: soft lockup - CPU#0 stuck for 61s! [cat:265]

Perhaps it is looping on the same TLB Error, caused by dcbX insn?

> NIP: c000f160 LR: c000f160 CTR: 00000007
> REGS: c3919c70 TRAP: 0901   Not tainted  (2.6.31-08384-g2cb4b47-dirty)
> MSR: 00009032 <EE,ME,IR,DR>  CR: 88008424  XER: 00000000
> TASK = c3944bd0[265] 'cat' THREAD: c3918000
> GPR00: c000f160 c3919d20 c3944bd0 00000000 100180fc 00000000 00000000 00000001
> GPR08: c393e700 00000000 03ca9d21 00000001 48000428
> NIP [c000f160] do_page_fault+0x188/0x49c
> LR [c000f160] do_page_fault+0x188/0x49c
> Call Trace:
> [c3919d20] [c000f160] do_page_fault+0x188/0x49c (unreliable)
> [c3919dd0] [c000e3f0] handle_page_fault+0xc/0x80
> [c3919e90] [c008910c] seq_read+0x2a4/0x558
> [c3919ee0] [c00ab7c0] proc_reg_read+0x4c/0x70
> [c3919ef0] [c006f47c] vfs_read+0xb4/0x158
> [c3919f10] [c006f78c] sys_read+0x4c/0x90
> [c3919f40] [c000dfc0] ret_from_syscall+0x0/0x38
> Instruction dump:
> 2f990000 419e01f0 801f0014 700a0002 418201f8 7c1900d0 541e0ffe 7fe4fb78
> 7f85e378 7fc6f378 7f63db78 4804c31d <70690003> 7c601b78 40820230 70690004
>
> -Scott
>
>

Re: [PATCH 0/8] Fix 8xx MMU/TLB.

[Scott Wood]

On Sun, Oct 11, 2009 at 06:35:04PM +0200, Joakim Tjernlund wrote:
> This is the latest batch of mu 8xx MMU/TLB rework.
> I think this is complete now and will relax with
> other work the next few days. I hope I can get some
> testing from Scott and Rex during this time.

I applied this stack plus "Remove DIRTY pte handling in DTLB Error" (fixing
up conflicts again, as well as the noted build errors), and got this:

INIT: version 2.85 booting
Mounting /proc and /sys
Starting the hotplug events dispatcher udevd
udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:4
udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:10
udevd[177]: add_to_rules: unknown key 'MODALIAS' in /etc/udev/rules.d/60-pcmcia.rules:14
Synthesizing initial hotplug events
/etc/rc.d/init.d/udev: line 41:   187 Segmentation fault      udevsettle --timeout=300
Setting the hostname to 8xx
Running depmod
WARNING: Couldn't open directory /lib/modules/2.6.31-08384-g2cb4b47-dirty: No such file or directory
FATAL: Could not open /lib/modules/2.6.31-08384-g2cb4b47-dirty/modules.dep.tempfor writing: No such file or directory
Mounting filesystems
BUG: soft lockup - CPU#0 stuck for 61s! [cat:265]
NIP: c000f160 LR: c000f160 CTR: 00000007
REGS: c3919c70 TRAP: 0901   Not tainted  (2.6.31-08384-g2cb4b47-dirty)
MSR: 00009032 <EE,ME,IR,DR>  CR: 88008424  XER: 00000000
TASK = c3944bd0[265] 'cat' THREAD: c3918000
GPR00: c000f160 c3919d20 c3944bd0 00000000 100180fc 00000000 00000000 00000001
GPR08: c393e700 00000000 03ca9d21 00000001 48000428
NIP [c000f160] do_page_fault+0x188/0x49c
LR [c000f160] do_page_fault+0x188/0x49c
Call Trace:
[c3919d20] [c000f160] do_page_fault+0x188/0x49c (unreliable)
[c3919dd0] [c000e3f0] handle_page_fault+0xc/0x80
[c3919e90] [c008910c] seq_read+0x2a4/0x558
[c3919ee0] [c00ab7c0] proc_reg_read+0x4c/0x70
[c3919ef0] [c006f47c] vfs_read+0xb4/0x158
[c3919f10] [c006f78c] sys_read+0x4c/0x90
[c3919f40] [c000dfc0] ret_from_syscall+0x0/0x38
Instruction dump:
2f990000 419e01f0 801f0014 700a0002 418201f8 7c1900d0 541e0ffe 7fe4fb78
7f85e378 7fc6f378 7f63db78 4804c31d <70690003> 7c601b78 40820230 70690004

-Scott

[PATCH 0/8] Fix 8xx MMU/TLB.

[Joakim Tjernlund]

This is the latest batch of mu 8xx MMU/TLB rework.
I think this is complete now and will relax with
other work the next few days. I hope I can get some
testing from Scott and Rex during this time.

Joakim Tjernlund (8):
  8xx: invalidate non present TLBs
  8xx: Update TLB asm so it behaves as linux mm expects.
  8xx: Tag DAR with 0x00f0 to catch buggy instructions.
  8xx: Fixup DAR from buggy dcbX instructions.
  8xx: dcbst sets store bit in DTLB error, workaround.
  8xx: Add missing Guarded setting in DTLB Error.
  8xx: Restore _PAGE_WRITETHRU
  8xx: start using dcbX instructions in various copy routines

 arch/powerpc/include/asm/pte-8xx.h |   14 +-
 arch/powerpc/kernel/head_8xx.S     |  307 ++++++++++++++++++++++++++++++------
 arch/powerpc/kernel/misc_32.S      |   18 --
 arch/powerpc/lib/copy_32.S         |   24 ---
 arch/powerpc/mm/fault.c            |    8 +-
 5 files changed, 269 insertions(+), 102 deletions(-)