1/*
2 *  arch/ppc/kernel/except_8xx.S
3 *
4 *  PowerPC version
5 *    Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
6 *  Rewritten by Cort Dougan (cort@cs.nmt.edu) for PReP
7 *    Copyright (C) 1996 Cort Dougan <cort@cs.nmt.edu>
8 *  Low-level exception handlers and MMU support
9 *  rewritten by Paul Mackerras.
10 *    Copyright (C) 1996 Paul Mackerras.
11 *  MPC8xx modifications by Dan Malek
12 *    Copyright (C) 1997 Dan Malek (dmalek@jlc.net).
13 *
14 *  This file contains low-level support and setup for PowerPC 8xx
15 *  embedded processors, including trap and interrupt dispatch.
16 *
17 *  This program is free software; you can redistribute it and/or
18 *  modify it under the terms of the GNU General Public License
19 *  as published by the Free Software Foundation; either version
20 *  2 of the License, or (at your option) any later version.
21 *
22 */
23
24#include <linux/config.h>
25#include <asm/processor.h>
26#include <asm/page.h>
27#include <asm/mmu.h>
28#include <asm/cache.h>
29#include <asm/pgtable.h>
30#include <asm/cputable.h>
31#include <asm/ppc_asm.h>
32#include "ppc_defs.h"
33
34	.text
35	.globl	_stext
36_stext:
37
38/*
39 * _start is defined this way because the XCOFF loader in the OpenFirmware
40 * on the powermac expects the entry point to be a procedure descriptor.
41 */
42	.text
43	.globl	_start
44_start:
45
46/* MPC8xx
47 * This port was done on an MBX board with an 860.  Right now I only
48 * support an ELF compressed (zImage) boot from EPPC-Bug because the
49 * code there loads up some registers before calling us:
50 *   r3: ptr to board info data
51 *   r4: initrd_start or if no initrd then 0
52 *   r5: initrd_end - unused if r4 is 0
53 *   r6: Start of command line string
54 *   r7: End of command line string
55 *
56 * I decided to use conditional compilation instead of checking PVR and
57 * adding more processor specific branches around code I don't need.
58 * Since this is an embedded processor, I also appreciate any memory
59 * savings I can get.
60 *
61 * The MPC8xx does not have any BATs, but it supports large page sizes.
62 * We first initialize the MMU to support 8M byte pages, then load one
63 * entry into each of the instruction and data TLBs to map the first
64 * 8M 1:1.  I also mapped an additional I/O space 1:1 so we can get to
65 * the "internal" processor registers before MMU_init is called.
66 *
67 * The TLB code currently contains a major hack.  Since I use the condition
68 * code register, I have to save and restore it.  I am out of registers, so
69 * I just store it in memory location 0 (the TLB handlers are not reentrant).
70 * To avoid making any decisions, I need to use the "segment" valid bit
71 * in the first level table, but that would require many changes to the
72 * Linux page directory/table functions that I don't want to do right now.
73 *
74 * I used to use SPRG2 for a temporary register in the TLB handler, but it
75 * has since been put to other uses.  I now use a hack to save a register
76 * and the CCR at memory location 0.....Someday I'll fix this.....
77 *
78 * With regard to resetting the CPM. The UART console has a number of subtle
79 * assumptions built around the initialization to support kgdb/xmon debugging.
80 * The quick answer is we don't want to reset the CPM so we can proper support
81 * this debugging.
82 *
83 * When the kernel is first booted, kgdb/xmon use the CPM as it was set up by
84 * the boot rom.  There is a second initialization of the UART driver, but
85 * before the console is initialized.  This changes the BDs, but the UART
86 * still operates for kgdb/xmon.  The final stage initialization occurs when
87 * the console is initialized, and all of the "normal path" debugging and
88 * messages can occur after this point.  So the only time we want to do a CPM
89 * is in the case of a microcode patch.
90 *
91 *	-- Dan
92 */
93
94	.globl	__start
95__start:
96	/* To accomodate some SMP systems that overwrite the first few
97	 * locations before cpu 0 starts, the bootloader starts us at 0xc.
98	 */
99	nop
100	nop
101	nop
102	mr	r31,r3			/* save parameters */
103	mr	r30,r4
104	mr	r29,r5
105	mr	r28,r6
106	mr	r27,r7
107	li	r24,0			/* cpu # */
108
109	/* We have to turn on the MMU right away so we get cache modes
110	 * set correctly.
111	 */
112	bl	initial_mmu
113
114/* We now have the lower 8 Meg mapped into TLB entries, and the caches
115 * ready to work.
116 */
117
118turn_on_mmu:
119	mfmsr	r0
120	ori	r0,r0,MSR_DR|MSR_IR
121	mtspr	SRR1,r0
122	lis	r0,start_here@h
123	ori	r0,r0,start_here@l
124	mtspr	SRR0,r0
125	SYNC
126	rfi				/* enables MMU */
127
128/*
129 * Exception entry code.  This code runs with address translation
130 * turned off, i.e. using physical addresses.
131 * We assume sprg3 has the physical address of the current
132 * task's thread_struct.
133 */
134#define EXCEPTION_PROLOG	\
135	mtspr	SPRG0,r20;	\
136	mtspr	SPRG1,r21;	\
137	mfcr	r20;		\
138	mfspr	r21,SPRG2;		/* exception stack to use from */ \
139	cmpwi	0,r21,0;		/* user mode or RTAS */ \
140	bne	1f;		\
141	tophys(r21,r1);			/* use tophys(kernel sp) otherwise */ \
142	subi	r21,r21,INT_FRAME_SIZE;	/* alloc exc. frame */\
1431:	stw	r20,_CCR(r21);		/* save registers */ \
144	stw	r22,GPR22(r21);	\
145	stw	r23,GPR23(r21);	\
146	mfspr	r20,SPRG0;	\
147	stw	r20,GPR20(r21);	\
148	mfspr	r22,SPRG1;	\
149	stw	r22,GPR21(r21);	\
150	mflr	r20;		\
151	stw	r20,_LINK(r21);	\
152	mfctr	r22;		\
153	stw	r22,_CTR(r21);	\
154	mfspr	r20,XER;	\
155	stw	r20,_XER(r21);	\
156	mfspr	r22,SRR0;	\
157	mfspr	r23,SRR1;	\
158	stw	r0,GPR0(r21);	\
159	stw	r1,GPR1(r21);	\
160	stw	r2,GPR2(r21);	\
161	stw	r1,0(r21);	\
162	tovirt(r1,r21);			/* set new kernel sp */	\
163	SAVE_4GPRS(3, r21);	\
164	SAVE_GPR(7, r21);
165/*
166 * Note: code which follows this uses cr0.eq (set if from kernel),
167 * r21, r22 (SRR0), and r23 (SRR1).
168 */
169
170/*
171 * Exception vectors.
172 */
173
174#define FINISH_EXCEPTION(func)			\
175	bl	transfer_to_handler;		\
176	.long	func;				\
177	.long	ret_from_except
178
179#define STD_EXCEPTION(n, label, hdlr)		\
180	. = n;					\
181label:						\
182	EXCEPTION_PROLOG;			\
183	addi	r3,r1,STACK_FRAME_OVERHEAD;	\
184	li	r20,MSR_KERNEL;			\
185	FINISH_EXCEPTION(hdlr)
186
187/* System reset */
188	STD_EXCEPTION(0x100, Reset, UnknownException)
189
190/* Machine check */
191	STD_EXCEPTION(0x200, MachineCheck, MachineCheckException)
192
193/* Data access exception.
194 * This is "never generated" by the MPC8xx.  We jump to it for other
195 * translation errors.
196 */
197	. = 0x300
198DataAccess:
199	EXCEPTION_PROLOG
200	mfspr	r20,DSISR
201	stw	r20,_DSISR(r21)
202	mr	r5,r20
203	mfspr	r4,DAR
204	stw	r4,_DAR(r21)
205	addi	r3,r1,STACK_FRAME_OVERHEAD
206	li	r20,MSR_KERNEL
207	rlwimi	r20,r23,0,16,16		/* copy EE bit from saved MSR */
208	FINISH_EXCEPTION(do_page_fault)
209
210/* Instruction access exception.
211 * This is "never generated" by the MPC8xx.  We jump to it for other
212 * translation errors.
213 */
214	. = 0x400
215InstructionAccess:
216	EXCEPTION_PROLOG
217	addi	r3,r1,STACK_FRAME_OVERHEAD
218	mr	r4,r22
219	mr	r5,r23
220	li	r20,MSR_KERNEL
221	rlwimi	r20,r23,0,16,16		/* copy EE bit from saved MSR */
222	FINISH_EXCEPTION(do_page_fault)
223
224/* External interrupt */
225	. = 0x500;
226HardwareInterrupt:
227	EXCEPTION_PROLOG;
228	addi	r3,r1,STACK_FRAME_OVERHEAD
229	li	r20,MSR_KERNEL
230	li	r4,0
231	bl	transfer_to_handler
232	.globl	do_IRQ_intercept
233do_IRQ_intercept:
234	.long	do_IRQ;
235	.long	ret_from_intercept
236
237/* Alignment exception */
238	. = 0x600
239Alignment:
240	EXCEPTION_PROLOG
241	mfspr	r4,DAR
242	stw	r4,_DAR(r21)
243	mfspr	r5,DSISR
244	stw	r5,_DSISR(r21)
245	addi	r3,r1,STACK_FRAME_OVERHEAD
246	li	r20,MSR_KERNEL
247	rlwimi	r20,r23,0,16,16		/* copy EE bit from saved MSR */
248	FINISH_EXCEPTION(AlignmentException)
249
250/* Program check exception */
251	. = 0x700
252ProgramCheck:
253	EXCEPTION_PROLOG
254	addi	r3,r1,STACK_FRAME_OVERHEAD
255	li	r20,MSR_KERNEL
256	rlwimi	r20,r23,0,16,16		/* copy EE bit from saved MSR */
257	FINISH_EXCEPTION(ProgramCheckException)
258
259/* No FPU on MPC8xx.  This exception is not supposed to happen.
260*/
261	STD_EXCEPTION(0x800, FPUnavailable, UnknownException)
262
263	. = 0x900
264Decrementer:
265	EXCEPTION_PROLOG
266	addi	r3,r1,STACK_FRAME_OVERHEAD
267	li	r20,MSR_KERNEL
268	bl	transfer_to_handler
269	.globl	timer_interrupt_intercept
270timer_interrupt_intercept:
271	.long	timer_interrupt
272	.long	ret_from_intercept
273
274	STD_EXCEPTION(0xa00, Trap_0a, UnknownException)
275	STD_EXCEPTION(0xb00, Trap_0b, UnknownException)
276
277/* System call */
278	. = 0xc00
279SystemCall:
280	EXCEPTION_PROLOG
281	stw	r3,ORIG_GPR3(r21)
282	li	r20,MSR_KERNEL
283	rlwimi	r20,r23,0,16,16		/* copy EE bit from saved MSR */
284	FINISH_EXCEPTION(DoSyscall)
285
286/* Single step - not used on 601 */
287	STD_EXCEPTION(0xd00, SingleStep, SingleStepException)
288
289	STD_EXCEPTION(0xe00, Trap_0e, UnknownException)
290	STD_EXCEPTION(0xf00, Trap_0f, UnknownException)
291
292/* On the MPC8xx, this is a software emulation interrupt.  It occurs
293 * for all unimplemented and illegal instructions.
294 */
295	STD_EXCEPTION(0x1000, SoftEmu, SoftwareEmulation)
296
297	. = 0x1100
298/*
299 * For the MPC8xx, this is a software tablewalk to load the instruction
300 * TLB.  It is modelled after the example in the Motorola manual.  The task
301 * switch loads the M_TWB register with the pointer to the first level table.
302 * If we discover there is no second level table (the value is zero), the
303 * plan was to load that into the TLB, which causes another fault into the
304 * TLB Error interrupt where we can handle such problems.  However, that did
305 * not work, so if we discover there is no second level table, we restore
306 * registers and branch to the error exception.  We have to use the MD_xxx
307 * registers for the tablewalk because the equivalent MI_xxx registers
308 * only perform the attribute functions.
309 */
310InstructionTLBMiss:
311#ifdef CONFIG_8xx_CPU6
312	stw	r3, 8(r0)
313	li	r3, 0x3f80
314	stw	r3, 12(r0)
315	lwz	r3, 12(r0)
316#endif
317	mtspr	M_TW, r20	/* Save a couple of working registers */
318	mfcr	r20
319	stw	r20, 0(r0)
320	stw	r21, 4(r0)
321	mfspr	r20, SRR0	/* Get effective address of fault */
322#ifdef CONFIG_8xx_CPU6
323	li	r3, 0x3780
324	stw	r3, 12(r0)
325	lwz	r3, 12(r0)
326#endif
327	mtspr	MD_EPN, r20	/* Have to use MD_EPN for walk, MI_EPN can't */
328	mfspr	r20, M_TWB	/* Get level 1 table entry address */
329
330	/* If we are faulting a kernel address, we have to use the
331	 * kernel page tables.
332	 */
333	andi.	r21, r20, 0x0800	/* Address >= 0x80000000 */
334	beq	3f
335	lis	r21, swapper_pg_dir@h
336	ori	r21, r21, swapper_pg_dir@l
337	rlwimi	r20, r21, 0, 2, 19
3383:
339	lwz	r21, 0(r20)	/* Get the level 1 entry */
340	rlwinm.	r20, r21,0,0,19	/* Extract page descriptor page address */
341
342	/* We have a pte table, so load the MI_TWC with the attributes
343	 * for this "segment."
344	 */
345	tophys(r21,r21)
346	ori	r21,r21,1		/* Set valid bit */
347	beq-	2f			/* If zero, don't try to find a pte */
348#ifdef CONFIG_8xx_CPU6
349	li	r3, 0x2b80
350	stw	r3, 12(r0)
351	lwz	r3, 12(r0)
352#endif
353	mtspr	MI_TWC, r21	/* Set segment attributes */
354#ifdef CONFIG_8xx_CPU6
355	li	r3, 0x3b80
356	stw	r3, 12(r0)
357	lwz	r3, 12(r0)
358#endif
359	mtspr	MD_TWC, r21	/* Load pte table base address */
360	mfspr	r21, MD_TWC	/* ....and get the pte address */
361	lwz	r20, 0(r21)	/* Get the pte */
362
363	ori	r20, r20, _PAGE_ACCESSED
364	stw	r20, 0(r21)
365
366	/* The Linux PTE won't go exactly into the MMU TLB.
367	 * Software indicator bits 21, 22 and 28 must be clear.
368	 * Software indicator bits 24, 25, 26, and 27 must be
369	 * set.  All other Linux PTE bits control the behavior
370	 * of the MMU.
371	 */
3722:	li	r21, 0x00f0
373	rlwimi	r20, r21, 0, 24, 28	/* Set 24-27, clear 28 */
374
375#ifdef CONFIG_8xx_CPU6
376	li	r3, 0x2d80
377	stw	r3, 12(r0)
378	lwz	r3, 12(r0)
379#endif
380	mtspr	MI_RPN, r20	/* Update TLB entry */
381
382	mfspr	r20, M_TW	/* Restore registers */
383	lwz	r21, 0(r0)
384	mtcr	r21
385	lwz	r21, 4(r0)
386#ifdef CONFIG_8xx_CPU6
387	lwz	r3, 8(r0)
388#endif
389	rfi
390
391	. = 0x1200
392DataStoreTLBMiss:
393#ifdef CONFIG_8xx_CPU6
394	stw	r3, 8(r0)
395	li	r3, 0x3f80
396	stw	r3, 12(r0)
397	lwz	r3, 12(r0)
398#endif
399	mtspr	M_TW, r20	/* Save a couple of working registers */
400	mfcr	r20
401	stw	r20, 0(r0)
402	stw	r21, 4(r0)
403	mfspr	r20, M_TWB	/* Get level 1 table entry address */
404
405	/* If we are faulting a kernel address, we have to use the
406	 * kernel page tables.
407	 */
408	andi.	r21, r20, 0x0800
409	beq	3f
410	lis	r21, swapper_pg_dir@h
411	ori	r21, r21, swapper_pg_dir@l
412	rlwimi r20, r21, 0, 2, 19
4133:
414	lwz	r21, 0(r20)	/* Get the level 1 entry */
415	rlwinm.	r20, r21,0,0,19	/* Extract page descriptor page address */
416
417	/* We have a pte table, so load fetch the pte from the table.
418	 */
419	tophys(r21, r21)
420	ori	r21, r21, 1	/* Set valid bit in physical L2 page */
421	beq-	2f		/* If zero, don't try to find a pte */
422#ifdef CONFIG_8xx_CPU6
423	li	r3, 0x3b80
424	stw	r3, 12(r0)
425	lwz	r3, 12(r0)
426#endif
427	mtspr	MD_TWC, r21	/* Load pte table base address */
428	mfspr	r20, MD_TWC	/* ....and get the pte address */
429	lwz	r20, 0(r20)	/* Get the pte */
430
431	/* Insert the Guarded flag into the TWC from the Linux PTE.
432	 * It is bit 27 of both the Linux PTE and the TWC (at least
433	 * I got that right :-).  It will be better when we can put
434	 * this into the Linux pgd/pmd and load it in the operation
435	 * above.
436	 */
437	rlwimi	r21, r20, 0, 27, 27
438#ifdef CONFIG_8xx_CPU6
439	li	r3, 0x3b80
440	stw	r3, 12(r0)
441	lwz	r3, 12(r0)
442#endif
443	mtspr	MD_TWC, r21
444
445	mfspr	r21, MD_TWC	/* get the pte address again */
446	ori	r20, r20, _PAGE_ACCESSED
447	stw	r20, 0(r21)
448
449	/* The Linux PTE won't go exactly into the MMU TLB.
450	 * Software indicator bits 21, 22 and 28 must be clear.
451	 * Software indicator bits 24, 25, 26, and 27 must be
452	 * set.  All other Linux PTE bits control the behavior
453	 * of the MMU.
454	 */
4552:	li	r21, 0x00f0
456	rlwimi	r20, r21, 0, 24, 28	/* Set 24-27, clear 28 */
457
458#ifdef CONFIG_8xx_CPU6
459	li	r3, 0x3d80
460	stw	r3, 12(r0)
461	lwz	r3, 12(r0)
462#endif
463	mtspr	MD_RPN, r20	/* Update TLB entry */
464
465	mfspr	r20, M_TW	/* Restore registers */
466	lwz	r21, 0(r0)
467	mtcr	r21
468	lwz	r21, 4(r0)
469#ifdef CONFIG_8xx_CPU6
470	lwz	r3, 8(r0)
471#endif
472	rfi
473
474/* This is an instruction TLB error on the MPC8xx.  This could be due
475 * to many reasons, such as executing guarded memory or illegal instruction
476 * addresses.  There is nothing to do but handle a big time error fault.
477 */
478	. = 0x1300
479InstructionTLBError:
480	b	InstructionAccess
481
482/* This is the data TLB error on the MPC8xx.  This could be due to
483 * many reasons, including a dirty update to a pte.  We can catch that
484 * one here, but anything else is an error.  First, we track down the
485 * Linux pte.  If it is valid, write access is allowed, but the
486 * page dirty bit is not set, we will set it and reload the TLB.  For
487 * any other case, we bail out to a higher level function that can
488 * handle it.
489 */
490	. = 0x1400
491DataTLBError:
492#ifdef CONFIG_8xx_CPU6
493	stw	r3, 8(r0)
494	li	r3, 0x3f80
495	stw	r3, 12(r0)
496	lwz	r3, 12(r0)
497#endif
498	mtspr	M_TW, r20	/* Save a couple of working registers */
499	mfcr	r20
500	stw	r20, 0(r0)
501	stw	r21, 4(r0)
502
503	/* First, make sure this was a store operation.
504	*/
505	mfspr	r20, DSISR
506	andis.	r21, r20, 0x0200	/* If set, indicates store op */
507	beq	2f
508
509	/* The EA of a data TLB miss is automatically stored in the MD_EPN
510	 * register.  The EA of a data TLB error is automatically stored in
511	 * the DAR, but not the MD_EPN register.  We must copy the 20 most
512	 * significant bits of the EA from the DAR to MD_EPN before we
513	 * start walking the page tables.  We also need to copy the CASID
514	 * value from the M_CASID register.
515	 * Addendum:  The EA of a data TLB error is _supposed_ to be stored
516	 * in DAR, but it seems that this doesn't happen in some cases, such
517	 * as when the error is due to a dcbi instruction to a page with a
518	 * TLB that doesn't have the changed bit set.  In such cases, there
519	 * does not appear to be any way  to recover the EA of the error
520	 * since it is neither in DAR nor MD_EPN.  As a workaround, the
521	 * _PAGE_HWWRITE bit is set for all kernel data pages when the PTEs
522	 * are initialized in mapin_ram().  This will avoid the problem,
523	 * assuming we only use the dcbi instruction on kernel addresses.
524	 */
525	mfspr	r20, DAR
526	rlwinm	r21, r20, 0, 0, 19
527	ori	r21, r21, MD_EVALID
528	mfspr	r20, M_CASID
529	rlwimi	r21, r20, 0, 28, 31
530#ifdef CONFIG_8xx_CPU6
531	li	r3, 0x3780
532	stw	r3, 12(r0)
533	lwz	r3, 12(r0)
534#endif
535	mtspr	MD_EPN, r21
536
537	mfspr	r20, M_TWB	/* Get level 1 table entry address */
538
539	/* If we are faulting a kernel address, we have to use the
540	 * kernel page tables.
541	 */
542	andi.	r21, r20, 0x0800
543	beq	3f
544	lis	r21, swapper_pg_dir@h
545	ori	r21, r21, swapper_pg_dir@l
546	rlwimi	r20, r21, 0, 2, 19
5473:
548	lwz	r21, 0(r20)	/* Get the level 1 entry */
549	rlwinm.	r20, r21,0,0,19	/* Extract page descriptor page address */
550	beq	2f		/* If zero, bail */
551
552	/* We have a pte table, so fetch the pte from the table.
553	 */
554	tophys(r21, r21)
555	ori	r21, r21, 1		/* Set valid bit in physical L2 page */
556#ifdef CONFIG_8xx_CPU6
557	li	r3, 0x3b80
558	stw	r3, 12(r0)
559	lwz	r3, 12(r0)
560#endif
561	mtspr	MD_TWC, r21		/* Load pte table base address */
562	mfspr	r21, MD_TWC		/* ....and get the pte address */
563	lwz	r20, 0(r21)		/* Get the pte */
564
565	andi.	r21, r20, _PAGE_RW	/* Is it writeable? */
566	beq	2f			/* Bail out if not */
567
568	/* Update 'changed', among others.
569	*/
570	ori	r20, r20, _PAGE_DIRTY|_PAGE_ACCESSED|_PAGE_HWWRITE
571	mfspr	r21, MD_TWC		/* Get pte address again */
572	stw	r20, 0(r21)		/* and update pte in table */
573
574	/* The Linux PTE won't go exactly into the MMU TLB.
575	 * Software indicator bits 21, 22 and 28 must be clear.
576	 * Software indicator bits 24, 25, 26, and 27 must be
577	 * set.  All other Linux PTE bits control the behavior
578	 * of the MMU.
579	 */
580	li	r21, 0x00f0
581	rlwimi	r20, r21, 0, 24, 28	/* Set 24-27, clear 28 */
582
583#ifdef CONFIG_8xx_CPU6
584	li	r3, 0x3d80
585	stw	r3, 12(r0)
586	lwz	r3, 12(r0)
587#endif
588	mtspr	MD_RPN, r20	/* Update TLB entry */
589
590	mfspr	r20, M_TW	/* Restore registers */
591	lwz	r21, 0(r0)
592	mtcr	r21
593	lwz	r21, 4(r0)
594#ifdef CONFIG_8xx_CPU6
595	lwz	r3, 8(r0)
596#endif
597	rfi
5982:
599	mfspr	r20, M_TW	/* Restore registers */
600	lwz	r21, 0(r0)
601	mtcr	r21
602	lwz	r21, 4(r0)
603#ifdef CONFIG_8xx_CPU6
604	lwz	r3, 8(r0)
605#endif
606	b	DataAccess
607
608	STD_EXCEPTION(0x1500, Trap_15, UnknownException)
609	STD_EXCEPTION(0x1600, Trap_16, UnknownException)
610	STD_EXCEPTION(0x1700, Trap_17, TAUException)
611	STD_EXCEPTION(0x1800, Trap_18, UnknownException)
612	STD_EXCEPTION(0x1900, Trap_19, UnknownException)
613	STD_EXCEPTION(0x1a00, Trap_1a, UnknownException)
614	STD_EXCEPTION(0x1b00, Trap_1b, UnknownException)
615
616/* On the MPC8xx, these next four traps are used for development
617 * support of breakpoints and such.  Someday I will get around to
618 * using them.
619 */
620	STD_EXCEPTION(0x1c00, Trap_1c, UnknownException)
621	STD_EXCEPTION(0x1d00, Trap_1d, UnknownException)
622	STD_EXCEPTION(0x1e00, Trap_1e, UnknownException)
623	STD_EXCEPTION(0x1f00, Trap_1f, UnknownException)
624
625	. = 0x2000
626
627/*
628 * This code finishes saving the registers to the exception frame
629 * and jumps to the appropriate handler for the exception, turning
630 * on address translation.
631 */
632	.globl	transfer_to_handler
633transfer_to_handler:
634	stw	r22,_NIP(r21)
635	lis	r22,MSR_POW@h
636	andc	r23,r23,r22
637	stw	r23,_MSR(r21)
638	SAVE_4GPRS(8, r21)
639	SAVE_8GPRS(12, r21)
640	SAVE_8GPRS(24, r21)
641	andi.	r23,r23,MSR_PR
642	mfspr	r23,SPRG3		/* if from user, fix up THREAD.regs */
643	beq	2f
644	addi	r24,r1,STACK_FRAME_OVERHEAD
645	stw	r24,PT_REGS(r23)
6462:	addi	r2,r23,-THREAD		/* set r2 to current */
647	tovirt(r2,r2)
648	mflr	r23
649	andi.	r24,r23,0x3f00		/* get vector offset */
650	stw	r24,TRAP(r21)
651	li	r22,0
652	stw	r22,RESULT(r21)
653	mtspr	SPRG2,r22		/* r1 is now kernel sp */
654	addi	r24,r2,TASK_STRUCT_SIZE	/* check for kernel stack overflow */
655	cmplw	0,r1,r2
656	cmplw	1,r1,r24
657	crand	1,1,4
658	bgt-	stack_ovf		/* if r2 < r1 < r2+TASK_STRUCT_SIZE */
659	lwz	r24,0(r23)		/* virtual address of handler */
660	lwz	r23,4(r23)		/* where to go when done */
661	mtspr	SRR0,r24
662	mtspr	SRR1,r20
663	mtlr	r23
664	SYNC
665	rfi				/* jump to handler, enable MMU */
666
667/*
668 * On kernel stack overflow, load up an initial stack pointer
669 * and call StackOverflow(regs), which should not return.
670 */
671stack_ovf:
672	addi	r3,r1,STACK_FRAME_OVERHEAD
673	lis	r1,init_task_union@ha
674	addi	r1,r1,init_task_union@l
675	addi	r1,r1,TASK_UNION_SIZE-STACK_FRAME_OVERHEAD
676	lis	r24,StackOverflow@ha
677	addi	r24,r24,StackOverflow@l
678	li	r20,MSR_KERNEL
679	mtspr	SRR0,r24
680	mtspr	SRR1,r20
681	SYNC
682	rfi
683
684	.globl	giveup_fpu
685giveup_fpu:
686	blr
687
688/* Maybe someday.......
689*/
690_GLOBAL(__setup_cpu_8xx)
691	blr
692
693/*
694 * This is where the main kernel code starts.
695 */
696start_here:
697
698	/* ptr to current */
699	lis	r2,init_task_union@h
700	ori	r2,r2,init_task_union@l
701
702	/* ptr to phys current thread */
703	tophys(r4,r2)
704	addi	r4,r4,THREAD	/* init task's THREAD */
705	mtspr	SPRG3,r4
706	li	r3,0
707	mtspr	SPRG2,r3	/* 0 => r1 has kernel sp */
708
709	/* stack */
710	addi	r1,r2,TASK_UNION_SIZE
711	li	r0,0
712	stwu	r0,-STACK_FRAME_OVERHEAD(r1)
713
714	bl	early_init	/* We have to do this with MMU on */
715
716/*
717 * Decide what sort of machine this is and initialize the MMU.
718 */
719	mr	r3,r31
720	mr	r4,r30
721	mr	r5,r29
722	mr	r6,r28
723	mr	r7,r27
724	bl	machine_init
725	bl	MMU_init
726
727/*
728 * Go back to running unmapped so we can load up new values
729 * and change to using our exception vectors.
730 * On the 8xx, all we have to do is invalidate the TLB to clear
731 * the old 8M byte TLB mappings and load the page table base register.
732 */
733	/* The right way to do this would be to track it down through
734	 * init's THREAD like the context switch code does, but this is
735	 * easier......until someone changes init's static structures.
736	 */
737	lis	r6, swapper_pg_dir@h
738	ori	r6, r6, swapper_pg_dir@l
739	tophys(r6,r6)
740#ifdef CONFIG_8xx_CPU6
741	lis	r4, cpu6_errata_word@h
742	ori	r4, r4, cpu6_errata_word@l
743	li	r3, 0x3980
744	stw	r3, 12(r4)
745	lwz	r3, 12(r4)
746#endif
747	mtspr	M_TWB, r6
748	lis	r4,2f@h
749	ori	r4,r4,2f@l
750	tophys(r4,r4)
751	li	r3,MSR_KERNEL & ~(MSR_IR|MSR_DR)
752	mtspr	SRR0,r4
753	mtspr	SRR1,r3
754	rfi
755/* Load up the kernel context */
7562:
757	SYNC			/* Force all PTE updates to finish */
758	tlbia			/* Clear all TLB entries */
759	sync			/* wait for tlbia/tlbie to finish */
760	TLBSYNC			/* ... on all CPUs */
761
762#ifdef CONFIG_BDI_SWITCH
763	/* Add helper information for the Abatron bdiGDB debugger.
764	 * We do this here because we know the mmu is disabled, and
765	 * will be enabled for real in just a few instructions.
766	 */
767	tovirt(r6,r6)
768	lis	r5, abatron_pteptrs@h
769	ori	r5, r5, abatron_pteptrs@l
770	stw	r5, 0xf0(r0)	/* Must match your Abatron config file */
771	tophys(r5,r5)
772	stw	r6, 0(r5)
773#endif
774
775/* Now turn on the MMU for real! */
776	li	r4,MSR_KERNEL
777	lis	r3,start_kernel@h
778	ori	r3,r3,start_kernel@l
779	mtspr	SRR0,r3
780	mtspr	SRR1,r4
781	rfi			/* enable MMU and jump to start_kernel */
782
783/* Set up the initial MMU state so we can do the first level of
784 * kernel initialization.  This maps the first 8 MBytes of memory 1:1
785 * virtual to physical.  Also, set the cache mode since that is defined
786 * by TLB entries and perform any additional mapping (like of the IMMR).
787 * If configured to pin some TLBs, we pin the first 8 Mbytes of kernel,
788 * 24 Mbytes of data, and the 8M IMMR space.  Anything not covered by
789 * these mappings is mapped by page tables.
790 */
791initial_mmu:
792	tlbia			/* Invalidate all TLB entries */
793#ifdef CONFIG_PIN_TLB
794	lis	r8, MI_RSV4I@h
795	ori	r8, r8, 0x1c00
796#else
797	li	r8, 0
798#endif
799	mtspr	MI_CTR, r8	/* Set instruction MMU control */
800
801#ifdef CONFIG_PIN_TLB
802	lis	r10, (MD_RSV4I | MD_RESETVAL)@h
803	ori	r10, r10, 0x1c00
804	mr	r8, r10
805#else
806	lis	r10, MD_RESETVAL@h
807#endif
808#ifndef CONFIG_8xx_COPYBACK
809	oris	r10, r10, MD_WTDEF@h
810#endif
811	mtspr	MD_CTR, r10	/* Set data TLB control */
812
813	/* Now map the lower 8 Meg into the TLBs.  For this quick hack,
814	 * we can load the instruction and data TLB registers with the
815	 * same values.
816	 */
817	lis	r8, KERNELBASE@h	/* Create vaddr for TLB */
818	ori	r8, r8, MI_EVALID	/* Mark it valid */
819	mtspr	MI_EPN, r8
820	mtspr	MD_EPN, r8
821	li	r8, MI_PS8MEG		/* Set 8M byte page */
822	ori	r8, r8, MI_SVALID	/* Make it valid */
823	mtspr	MI_TWC, r8
824	mtspr	MD_TWC, r8
825	li	r8, MI_BOOTINIT		/* Create RPN for address 0 */
826	mtspr	MI_RPN, r8		/* Store TLB entry */
827	mtspr	MD_RPN, r8
828	lis	r8, MI_Kp@h		/* Set the protection mode */
829	mtspr	MI_AP, r8
830	mtspr	MD_AP, r8
831
832	/* Map another 8 MByte at the IMMR to get the processor
833	 * internal registers (among other things).
834	 */
835#ifdef CONFIG_PIN_TLB
836	addi	r10, r10, 0x0100
837	mtspr	MD_CTR, r10
838#endif
839	mfspr	r9, 638			/* Get current IMMR */
840	andis.	r9, r9, 0xff80		/* Get 8Mbyte boundary */
841
842	mr	r8, r9			/* Create vaddr for TLB */
843	ori	r8, r8, MD_EVALID	/* Mark it valid */
844	mtspr	MD_EPN, r8
845	li	r8, MD_PS8MEG		/* Set 8M byte page */
846	ori	r8, r8, MD_SVALID	/* Make it valid */
847	mtspr	MD_TWC, r8
848	mr	r8, r9			/* Create paddr for TLB */
849	ori	r8, r8, MI_BOOTINIT|0x2 /* Inhibit cache -- Cort */
850	mtspr	MD_RPN, r8
851
852#ifdef CONFIG_PIN_TLB
853	/* Map two more 8M kernel data pages.
854	*/
855	addi	r10, r10, 0x0100
856	mtspr	MD_CTR, r10
857
858	lis	r8, KERNELBASE@h	/* Create vaddr for TLB */
859	addis	r8, r8, 0x0080		/* Add 8M */
860	ori	r8, r8, MI_EVALID	/* Mark it valid */
861	mtspr	MD_EPN, r8
862	li	r9, MI_PS8MEG		/* Set 8M byte page */
863	ori	r9, r9, MI_SVALID	/* Make it valid */
864	mtspr	MD_TWC, r9
865	li	r11, MI_BOOTINIT	/* Create RPN for address 0 */
866	addis	r11, r11, 0x0080	/* Add 8M */
867	mtspr	MD_RPN, r8
868
869	addis	r8, r8, 0x0080		/* Add 8M */
870	mtspr	MD_EPN, r8
871	mtspr	MD_TWC, r9
872	addis	r11, r11, 0x0080	/* Add 8M */
873	mtspr	MD_RPN, r8
874#endif
875
876	/* Since the cache is enabled according to the information we
877	 * just loaded into the TLB, invalidate and enable the caches here.
878	 * We should probably check/set other modes....later.
879	 */
880	lis	r8, IDC_INVALL@h
881	mtspr	IC_CST, r8
882	mtspr	DC_CST, r8
883	lis	r8, IDC_ENABLE@h
884	mtspr	IC_CST, r8
885#ifdef CONFIG_8xx_COPYBACK
886	mtspr	DC_CST, r8
887#else
888	/* For a debug option, I left this here to easily enable
889	 * the write through cache mode
890	 */
891	lis	r8, DC_SFWT@h
892	mtspr	DC_CST, r8
893	lis	r8, IDC_ENABLE@h
894	mtspr	DC_CST, r8
895#endif
896	blr
897
898
899/*
900 * Set up to use a given MMU context.
901 * r3 is context number, r4 is PGD pointer.
902 *
903 * We place the physical address of the new task page directory loaded
904 * into the MMU base register, and set the ASID compare register with
905 * the new "context."
906 */
907_GLOBAL(set_context)
908
909#ifdef CONFIG_BDI_SWITCH
910	/* Context switch the PTE pointer for the Abatron BDI2000.
911	 * The PGDIR is passed as second argument.
912	 */
913	lis	r5, KERNELBASE@h
914	lwz	r5, 0xf0(r5)
915	stw	r4, 0x4(r5)
916#endif
917
918#ifdef CONFIG_8xx_CPU6
919	lis	r6, cpu6_errata_word@h
920	ori	r6, r6, cpu6_errata_word@l
921	tophys	(r4, r4)
922	li	r7, 0x3980
923	stw	r7, 12(r6)
924	lwz	r7, 12(r6)
925        mtspr   M_TWB, r4               /* Update MMU base address */
926	li	r7, 0x3380
927	stw	r7, 12(r6)
928	lwz	r7, 12(r6)
929        mtspr   M_CASID, r3             /* Update context */
930#else
931        mtspr   M_CASID,r3		/* Update context */
932	tophys	(r4, r4)
933	mtspr	M_TWB, r4		/* and pgd */
934#endif
935	SYNC
936	blr
937
938#ifdef CONFIG_8xx_CPU6
939/* It's here because it is unique to the 8xx.
940 * It is important we get called with interrupts disabled.  I used to
941 * do that, but it appears that all code that calls this already had
942 * interrupt disabled.
943 */
944	.globl	set_dec_cpu6
945set_dec_cpu6:
946	lis	r7, cpu6_errata_word@h
947	ori	r7, r7, cpu6_errata_word@l
948	li	r4, 0x2c00
949	stw	r4, 8(r7)
950	lwz	r4, 8(r7)
951        mtspr   22, r3		/* Update Decrementer */
952	SYNC
953	blr
954#endif
955
956/*
957 * We put a few things here that have to be page-aligned.
958 * This stuff goes at the beginning of the data segment,
959 * which is page-aligned.
960 */
961	.data
962	.globl	sdata
963sdata:
964	.globl	empty_zero_page
965empty_zero_page:
966	.space	4096
967
968	.globl	swapper_pg_dir
969swapper_pg_dir:
970	.space	4096
971
972/*
973 * This space gets a copy of optional info passed to us by the bootstrap
974 * Used to pass parameters into the kernel like root=/dev/sda1, etc.
975 */
976	.globl	cmd_line
977cmd_line:
978	.space	512
979
980#ifdef CONFIG_BDI_SWITCH
981/* Room for two PTE table poiners, usually the kernel and current user
982 * pointer to their respective root page table (pgdir).
983 */
984abatron_pteptrs:
985	.space	8
986#endif
987
988#ifdef CONFIG_8xx_CPU6
989	.globl	cpu6_errata_word
990cpu6_errata_word:
991	.space	16
992#endif
993