/*
 *  PowerPC version
 *    Copyright (C) 1995-1996 Gary Thomas (gdt@linuxppc.org)
 *  Rewritten by Cort Dougan (cort@cs.nmt.edu) for PReP
 *    Copyright (C) 1996 Cort Dougan <cort@cs.nmt.edu>
 *  Adapted for Power Macintosh by Paul Mackerras.
 *  Low-level exception handlers and MMU support
 *  rewritten by Paul Mackerras.
 *    Copyright (C) 1996 Paul Mackerras.
 *  MPC8xx modifications Copyright (C) 1997 Dan Malek (dmalek@jlc.net).
 *
 *  This file contains the system call entry code, context switch
 *  code, and exception/interrupt return code for PowerPC.
 *
 *  This program is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU General Public License
 *  as published by the Free Software Foundation; either version
 *  2 of the License, or (at your option) any later version.
 */

#include <linux/errno.h>
#include <linux/err.h>
#include <asm/unistd.h>
#include <asm/processor.h>
#include <asm/page.h>
#include <asm/mmu.h>
#include <asm/thread_info.h>
#include <asm/code-patching-asm.h>
#include <asm/ppc_asm.h>
#include <asm/asm-offsets.h>
#include <asm/cputable.h>
#include <asm/firmware.h>
#include <asm/bug.h>
#include <asm/ptrace.h>
#include <asm/irqflags.h>
#include <asm/hw_irq.h>
#include <asm/context_tracking.h>
#include <asm/tm.h>
#include <asm/ppc-opcode.h>
#include <asm/barrier.h>
#include <asm/export.h>
#include <asm/asm-compat.h>
#ifdef CONFIG_PPC_BOOK3S
#include <asm/exception-64s.h>
#else
#include <asm/exception-64e.h>
#endif
#include <asm/feature-fixups.h>

/*
 * System calls.
 */
	.section	".toc","aw"
SYS_CALL_TABLE:
	.tc sys_call_table[TC],sys_call_table

/* This value is used to mark exception frames on the stack. */
exception_marker:
	.tc	ID_EXC_MARKER[TC],STACK_FRAME_REGS_MARKER

	.section	".text"
	.align 7

	.globl system_call_common
system_call_common:
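	/*
	 * On entry (as set up by the system call exception prologue):
	 * r0 holds the syscall number, r3-r8 the syscall arguments,
	 * r9 the caller's r13, r11 the caller's NIP (SRR0), r12 the
	 * caller's MSR (SRR1) and r13 the PACA; r1 still points at the
	 * interrupted context's stack.
	 */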
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
BEGIN_FTR_SECTION
	extrdi.	r10, r12, 1, (63-MSR_TS_T_LG) /* transaction active? */
	bne	.Ltabort_syscall
END_FTR_SECTION_IFSET(CPU_FTR_TM)
#endif
	andi.	r10,r12,MSR_PR
	mr	r10,r1
	addi	r1,r1,-INT_FRAME_SIZE
	beq-	1f
	ld	r1,PACAKSAVE(r13)
1:	std	r10,0(r1)
	std	r11,_NIP(r1)
	std	r12,_MSR(r1)
	std	r0,GPR0(r1)
	std	r10,GPR1(r1)
	beq	2f			/* if from kernel mode */
	ACCOUNT_CPU_USER_ENTRY(r13, r10, r11)
2:	std	r2,GPR2(r1)
	std	r3,GPR3(r1)
	mfcr	r2
	std	r4,GPR4(r1)
	std	r5,GPR5(r1)
	std	r6,GPR6(r1)
	std	r7,GPR7(r1)
	std	r8,GPR8(r1)
	li	r11,0
	std	r11,GPR9(r1)
	std	r11,GPR10(r1)
	std	r11,GPR11(r1)
	std	r11,GPR12(r1)
	std	r11,_XER(r1)
	std	r11,_CTR(r1)
	std	r9,GPR13(r1)
	mflr	r10
	/*
	 * This clears CR0.SO (bit 28), which is the error indication on
	 * return from this system call.
	 */
	rldimi	r2,r11,28,(63-28)
	li	r11,0xc01
	std	r10,_LINK(r1)
	std	r11,_TRAP(r1)
	std	r3,ORIG_GPR3(r1)
	std	r2,_CCR(r1)
	ld	r2,PACATOC(r13)
	addi	r9,r1,STACK_FRAME_OVERHEAD
	ld	r11,exception_marker@toc(r2)
	std	r11,-16(r9)		/* "regshere" marker */
#if defined(CONFIG_VIRT_CPU_ACCOUNTING_NATIVE) && defined(CONFIG_PPC_SPLPAR)
BEGIN_FW_FTR_SECTION
	beq	33f
	/* if from user, see if there are any DTL entries to process */
	ld	r10,PACALPPACAPTR(r13)	/* get ptr to VPA */
	ld	r11,PACA_DTL_RIDX(r13)	/* get log read index */
	addi	r10,r10,LPPACA_DTLIDX
	LDX_BE	r10,0,r10		/* get log write index */
	cmpd	cr1,r11,r10
	beq+	cr1,33f
	bl	accumulate_stolen_time
	REST_GPR(0,r1)
	REST_4GPRS(3,r1)
	REST_2GPRS(7,r1)
	addi	r9,r1,STACK_FRAME_OVERHEAD
33:
END_FW_FTR_SECTION_IFSET(FW_FEATURE_SPLPAR)
#endif /* CONFIG_VIRT_CPU_ACCOUNTING_NATIVE && CONFIG_PPC_SPLPAR */

	/*
	 * A syscall should always be called with interrupts enabled,
	 * so we just unconditionally hard-enable here. When some kind
	 * of irq tracing is used, we additionally check that this
	 * condition really holds.
	 */
#if defined(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG) && defined(CONFIG_BUG)
	lbz	r10,PACAIRQSOFTMASK(r13)
1:	tdnei	r10,IRQS_ENABLED
	EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING
#endif

#ifdef CONFIG_PPC_BOOK3E
	wrteei	1
#else
	li	r11,MSR_RI
	ori	r11,r11,MSR_EE
	mtmsrd	r11,1
#endif /* CONFIG_PPC_BOOK3E */

system_call:			/* label this so stack traces look sane */
	/* We do need to set SOFTE in the stack frame or the return
	 * from interrupt will be painful
	 */
	li	r10,IRQS_ENABLED
	std	r10,SOFTE(r1)

	CURRENT_THREAD_INFO(r11, r1)
	ld	r10,TI_FLAGS(r11)
	andi.	r11,r10,_TIF_SYSCALL_DOTRACE
	bne	.Lsyscall_dotrace		/* does not return */
	cmpldi	0,r0,NR_syscalls
	bge-	.Lsyscall_enosys

.Lsyscall:
/*
 * Need to vector to the 32-bit or default sys_call_table entries here,
 * based on the caller's run-mode / personality.
 */
	ld	r11,SYS_CALL_TABLE@toc(2)
	andi.	r10,r10,_TIF_32BIT
	beq	15f
	addi	r11,r11,8	/* use 32-bit syscall entries */
	clrldi	r3,r3,32
	clrldi	r4,r4,32
	clrldi	r5,r5,32
	clrldi	r6,r6,32
	clrldi	r7,r7,32
	clrldi	r8,r8,32
15:
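	/*
	 * Each syscall number indexes a 16-byte slot in sys_call_table:
	 * the 64-bit handler at offset 0 and the compat (32-bit) handler
	 * at offset 8, hence the shift by 4 below and the +8 above.
	 */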
	slwi	r0,r0,4

	barrier_nospec_asm
	/*
	 * Prevent the load of the handler below (based on the user-passed
	 * system call number) being speculatively executed until the test
	 * against NR_syscalls and branch to .Lsyscall_enosys above has
	 * committed.
	 */

	ldx	r12,r11,r0	/* Fetch system call handler [ptr] */
	mtctr   r12
	bctrl			/* Call handler */

.Lsyscall_exit:
	std	r3,RESULT(r1)

#ifdef CONFIG_DEBUG_RSEQ
	/* Check whether the syscall is issued inside a restartable sequence */
	addi    r3,r1,STACK_FRAME_OVERHEAD
	bl      rseq_syscall
	ld	r3,RESULT(r1)
#endif

	CURRENT_THREAD_INFO(r12, r1)

	ld	r8,_MSR(r1)
#ifdef CONFIG_PPC_BOOK3S
	/* No MSR:RI on BookE */
	andi.	r10,r8,MSR_RI
	beq-	.Lunrecov_restore
#endif

/*
 * This is a few instructions into the actual syscall exit path (which actually
 * starts at .Lsyscall_exit) to cater to kprobe blacklisting and to reduce the
 * number of visible symbols for profiling purposes.
 *
 * We can probe from system_call until this point as MSR_RI is set. But once it
 * is cleared below, we won't be able to take a trap.
 *
 * This is blacklisted from kprobes further below with _ASM_NOKPROBE_SYMBOL().
 */
system_call_exit:
	/*
	 * Disable interrupts so current_thread_info()->flags can't change,
	 * and so that we don't get interrupted after loading SRR0/1.
	 */
#ifdef CONFIG_PPC_BOOK3E
	wrteei	0
#else
	/*
	 * For performance reasons we clear RI the same time that we
	 * clear EE. We only need to clear RI just before we restore r13
	 * below, but batching it with EE saves us one expensive mtmsrd call.
	 * We have to be careful to restore RI if we branch anywhere from
	 * here (eg syscall_exit_work).
	 */
	li	r11,0
	mtmsrd	r11,1
#endif /* CONFIG_PPC_BOOK3E */

	ld	r9,TI_FLAGS(r12)
	li	r11,-MAX_ERRNO
	andi.	r0,r9,(_TIF_SYSCALL_DOTRACE|_TIF_SINGLESTEP|_TIF_USER_WORK_MASK|_TIF_PERSYSCALL_MASK)
	bne-	.Lsyscall_exit_work

	andi.	r0,r8,MSR_FP
	beq 2f
#ifdef CONFIG_ALTIVEC
	andis.	r0,r8,MSR_VEC@h
	bne	3f
#endif
2:	addi    r3,r1,STACK_FRAME_OVERHEAD
#ifdef CONFIG_PPC_BOOK3S
	li	r10,MSR_RI
	mtmsrd	r10,1		/* Restore RI */
#endif
	bl	restore_math
#ifdef CONFIG_PPC_BOOK3S
	li	r11,0
	mtmsrd	r11,1
#endif
	ld	r8,_MSR(r1)
	ld	r3,RESULT(r1)
	li	r11,-MAX_ERRNO

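	/*
	 * Return values in [-MAX_ERRNO, -1] denote an error: the unsigned
	 * compare below catches them and .Lsyscall_error then negates r3
	 * and sets CR0.SO for userspace to test.
	 */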
3:	cmpld	r3,r11
	ld	r5,_CCR(r1)
	bge-	.Lsyscall_error
.Lsyscall_error_cont:
	ld	r7,_NIP(r1)
BEGIN_FTR_SECTION
	stdcx.	r0,0,r1			/* to clear the reservation */
END_FTR_SECTION_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
	andi.	r6,r8,MSR_PR
	ld	r4,_LINK(r1)

	beq-	1f
	ACCOUNT_CPU_USER_EXIT(r13, r11, r12)

BEGIN_FTR_SECTION
	HMT_MEDIUM_LOW
END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)

	ld	r13,GPR13(r1)	/* only restore r13 if returning to usermode */
	ld	r2,GPR2(r1)
	ld	r1,GPR1(r1)
	mtlr	r4
	mtcr	r5
	mtspr	SPRN_SRR0,r7
	mtspr	SPRN_SRR1,r8
	RFI_TO_USER
	b	.	/* prevent speculative execution */

	/* exit to kernel */
1:	ld	r2,GPR2(r1)
	ld	r1,GPR1(r1)
	mtlr	r4
	mtcr	r5
	mtspr	SPRN_SRR0,r7
	mtspr	SPRN_SRR1,r8
	RFI_TO_KERNEL
	b	.	/* prevent speculative execution */

.Lsyscall_error:
	oris	r5,r5,0x1000	/* Set SO bit in CR */
	neg	r3,r3
	std	r5,_CCR(r1)
	b	.Lsyscall_error_cont

/* Traced system call support */
.Lsyscall_dotrace:
	bl	save_nvgprs
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	do_syscall_trace_enter

	/*
	 * We use the return value of do_syscall_trace_enter() as the syscall
	 * number. If the syscall was rejected for any reason do_syscall_trace_enter()
	 * returns an invalid syscall number and the test below against
	 * NR_syscalls will fail.
	 */
	mr	r0,r3

	/* Restore argument registers just clobbered and/or possibly changed. */
	ld	r3,GPR3(r1)
	ld	r4,GPR4(r1)
	ld	r5,GPR5(r1)
	ld	r6,GPR6(r1)
	ld	r7,GPR7(r1)
	ld	r8,GPR8(r1)

	/* Repopulate r9 and r10 for the syscall path */
	addi	r9,r1,STACK_FRAME_OVERHEAD
	CURRENT_THREAD_INFO(r10, r1)
	ld	r10,TI_FLAGS(r10)

	cmpldi	r0,NR_syscalls
	blt+	.Lsyscall

	/* Return code is already in r3 thanks to do_syscall_trace_enter() */
	b	.Lsyscall_exit


.Lsyscall_enosys:
	li	r3,-ENOSYS
	b	.Lsyscall_exit

.Lsyscall_exit_work:
#ifdef CONFIG_PPC_BOOK3S
	li	r10,MSR_RI
	mtmsrd	r10,1		/* Restore RI */
#endif
	/*
	 * If TIF_RESTOREALL is set, don't scribble on either r3 or ccr.
	 * If TIF_NOERROR is set, just save r3 as it is.
	 */

	andi.	r0,r9,_TIF_RESTOREALL
	beq+	0f
	REST_NVGPRS(r1)
	b	2f
0:	cmpld	r3,r11		/* r11 is -MAX_ERRNO */
	blt+	1f
	andi.	r0,r9,_TIF_NOERROR
	bne-	1f
	ld	r5,_CCR(r1)
	neg	r3,r3
	oris	r5,r5,0x1000	/* Set SO bit in CR */
	std	r5,_CCR(r1)
1:	std	r3,GPR3(r1)
2:	andi.	r0,r9,(_TIF_PERSYSCALL_MASK)
	beq	4f

	/* Clear per-syscall TIF flags if any are set.  */

	li	r11,_TIF_PERSYSCALL_MASK
	addi	r12,r12,TI_FLAGS
3:	ldarx	r10,0,r12
	andc	r10,r10,r11
	stdcx.	r10,0,r12
	bne-	3b
	subi	r12,r12,TI_FLAGS

4:	/* Anything else left to do? */
BEGIN_FTR_SECTION
	lis	r3,INIT_PPR@highest	/* Set thread.ppr = 3 */
	ld	r10,PACACURRENT(r13)
	sldi	r3,r3,32	/* bits 11-13 are used for ppr */
	std	r3,TASKTHREADPPR(r10)
END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)

	andi.	r0,r9,(_TIF_SYSCALL_DOTRACE|_TIF_SINGLESTEP)
	beq	ret_from_except_lite

	/* Re-enable interrupts */
#ifdef CONFIG_PPC_BOOK3E
	wrteei	1
#else
	li	r10,MSR_RI
	ori	r10,r10,MSR_EE
	mtmsrd	r10,1
#endif /* CONFIG_PPC_BOOK3E */

	bl	save_nvgprs
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	do_syscall_trace_leave
	b	ret_from_except

#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
.Ltabort_syscall:
	/* Firstly we need to enable TM in the kernel */
	mfmsr	r10
	li	r9, 1
	rldimi	r10, r9, MSR_TM_LG, 63-MSR_TM_LG
	mtmsrd	r10, 0

	/* tabort, this dooms the transaction, nothing else */
	li	r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
	TABORT(R9)

	/*
	 * Return directly to userspace. We have corrupted user register state,
	 * but userspace will never see that register state. Execution will
	 * resume after the tbegin of the aborted transaction with the
	 * checkpointed register state.
	 */
	li	r9, MSR_RI
	andc	r10, r10, r9
	mtmsrd	r10, 1
	mtspr	SPRN_SRR0, r11
	mtspr	SPRN_SRR1, r12
	RFI_TO_USER
	b	.	/* prevent speculative execution */
#endif
_ASM_NOKPROBE_SYMBOL(system_call_common);
_ASM_NOKPROBE_SYMBOL(system_call_exit);

/* Save non-volatile GPRs, if not already saved. */
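/*
 * The low bit of the trap word in the exception frame is set while the
 * non-volatile GPRs have not been saved; clear it once they are, so
 * FULL_REGS() (and a second call here) can see they are present.
 */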
_GLOBAL(save_nvgprs)
	ld	r11,_TRAP(r1)
	andi.	r0,r11,1
	beqlr-
	SAVE_NVGPRS(r1)
	clrrdi	r0,r11,1
	std	r0,_TRAP(r1)
	blr
_ASM_NOKPROBE_SYMBOL(save_nvgprs);


/*
 * The sigsuspend and rt_sigsuspend system calls can call do_signal
 * and thus put the process into the stopped state where we might
 * want to examine its user state with ptrace.  Therefore we need
 * to save all the nonvolatile registers (r14 - r31) before calling
 * the C code.  Similarly, fork, vfork and clone need the full
 * register state on the stack so that it can be copied to the child.
 */

_GLOBAL(ppc_fork)
	bl	save_nvgprs
	bl	sys_fork
	b	.Lsyscall_exit

_GLOBAL(ppc_vfork)
	bl	save_nvgprs
	bl	sys_vfork
	b	.Lsyscall_exit

_GLOBAL(ppc_clone)
	bl	save_nvgprs
	bl	sys_clone
	b	.Lsyscall_exit

_GLOBAL(ppc32_swapcontext)
	bl	save_nvgprs
	bl	compat_sys_swapcontext
	b	.Lsyscall_exit

_GLOBAL(ppc64_swapcontext)
	bl	save_nvgprs
	bl	sys_swapcontext
	b	.Lsyscall_exit

_GLOBAL(ppc_switch_endian)
	bl	save_nvgprs
	bl	sys_switch_endian
	b	.Lsyscall_exit

_GLOBAL(ret_from_fork)
	bl	schedule_tail
	REST_NVGPRS(r1)
	li	r3,0
	b	.Lsyscall_exit

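/*
 * For a new kernel thread, copy_thread() puts the function to call in
 * r14 and its argument in r15; the ELFv2 ABI also wants the entry
 * address in r12 so the callee can establish its own TOC pointer.
 */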
_GLOBAL(ret_from_kernel_thread)
	bl	schedule_tail
	REST_NVGPRS(r1)
	mtlr	r14
	mr	r3,r15
#ifdef PPC64_ELF_ABI_v2
	mr	r12,r14
#endif
	blrl
	li	r3,0
	b	.Lsyscall_exit

#ifdef CONFIG_PPC_BOOK3S_64

#define FLUSH_COUNT_CACHE	\
1:	nop;			\
	patch_site 1b, patch__call_flush_count_cache
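/*
 * The nop above is patched into a "bl flush_count_cache" (via
 * patch__call_flush_count_cache) when the count cache flush mitigation
 * is enabled, so _switch only pays for the flush when it is needed.
 */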


#define BCCTR_FLUSH	.long 0x4c400420

.macro nops number
	.rept \number
	nop
	.endr
.endm

.balign 32
.global flush_count_cache
flush_count_cache:
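	/*
	 * Software flush of the indirect-branch predictor state used for
	 * bcctr prediction (the "count cache"): a long, aligned sequence
	 * of branch-and-link and hand-encoded "bcctr 2,0,0" (BCCTR_FLUSH)
	 * instructions displaces any previously trained entries. Called
	 * from _switch via FLUSH_COUNT_CACHE when the mitigation is on.
	 */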
	/* Save LR into r9 */
	mflr	r9

	.rept 64
	bl	.+4
	.endr
	b	1f
	nops	6

	.balign 32
	/* Restore LR */
1:	mtlr	r9
	li	r9,0x7fff
	mtctr	r9

	BCCTR_FLUSH

2:	nop
	patch_site 2b patch__flush_count_cache_return

	nops	3

	.rept 278
	.balign 32
	BCCTR_FLUSH
	nops	7
	.endr

	blr
#else
#define FLUSH_COUNT_CACHE
#endif /* CONFIG_PPC_BOOK3S_64 */

/*
 * This routine switches between two different tasks.  The process
 * state of one is saved on its kernel stack.  Then the state
 * of the other is restored from its kernel stack.  The memory
 * management hardware is updated to the second process's state.
 * Finally, we can return to the second process, via ret_from_except.
 * On entry, r3 points to the THREAD for the current task, r4
 * points to the THREAD for the new task.
 *
 * Note: there are two ways to get to the "going out" portion
 * of this code; either by coming in via the entry (_switch)
 * or via "fork" which must set up an environment equivalent
 * to the "_switch" path.  If you change this you'll have to change
 * the fork code also.
 *
 * The code which creates the new task context is in 'copy_thread'
 * in arch/powerpc/kernel/process.c
 */
	.align	7
_GLOBAL(_switch)
	mflr	r0
	std	r0,16(r1)
	stdu	r1,-SWITCH_FRAME_SIZE(r1)
	/* r3-r13 are caller saved -- Cort */
	SAVE_8GPRS(14, r1)
	SAVE_10GPRS(22, r1)
	std	r0,_NIP(r1)	/* Return to switch caller */
	mfcr	r23
	std	r23,_CCR(r1)
	std	r1,KSP(r3)	/* Set old stack pointer */

	FLUSH_COUNT_CACHE

	/*
	 * On SMP kernels, care must be taken because a task may be
	 * scheduled off CPUx and on to CPUy. Memory ordering must be
	 * considered.
	 *
	 * Cacheable stores on CPUx will be visible when the task is
	 * scheduled on CPUy by virtue of the core scheduler barriers
	 * (see "Notes on Program-Order guarantees on SMP systems." in
	 * kernel/sched/core.c).
	 *
	 * Uncacheable stores in the case of involuntary preemption must
	 * be taken care of. The smp_mb__before_spin_lock() in __schedule()
	 * is implemented as hwsync on powerpc, which orders MMIO too. So
	 * long as there is an hwsync in the context switch path, it will
	 * be executed on the source CPU after the task has performed
	 * all MMIO ops on that CPU, and on the destination CPU before the
	 * task performs any MMIO ops there.
	 */

	/*
	 * The kernel context switch path must contain a spin_lock,
	 * which contains larx/stcx, which will clear any reservation
	 * of the task being switched.
	 */
#ifdef CONFIG_PPC_BOOK3S
/* Cancel all explicit user streams as they will have no use after context
 * switch and will stop the HW from creating streams itself
 */
	DCBT_BOOK3S_STOP_ALL_STREAM_IDS(r6)
#endif

	addi	r6,r4,-THREAD	/* Convert THREAD to 'current' */
	std	r6,PACACURRENT(r13)	/* Set new 'current' */

	ld	r8,KSP(r4)	/* new stack pointer */
#ifdef CONFIG_PPC_BOOK3S_64
BEGIN_MMU_FTR_SECTION
	b	2f
END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX)
BEGIN_FTR_SECTION
	clrrdi	r6,r8,28	/* get its ESID */
	clrrdi	r9,r1,28	/* get current sp ESID */
FTR_SECTION_ELSE
	clrrdi	r6,r8,40	/* get its 1T ESID */
	clrrdi	r9,r1,40	/* get current sp 1T ESID */
ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_1T_SEGMENT)
	clrldi.	r0,r6,2		/* is new ESID c00000000? */
	cmpd	cr1,r6,r9	/* or is new ESID the same as current ESID? */
	cror	eq,4*cr1+eq,eq
	beq	2f		/* if yes, don't slbie it */

	/* Bolt in the new stack SLB entry */
	ld	r7,KSP_VSID(r4)	/* Get new stack's VSID */
	oris	r0,r6,(SLB_ESID_V)@h
	ori	r0,r0,(SLB_NUM_BOLTED-1)@l
BEGIN_FTR_SECTION
	li	r9,MMU_SEGSIZE_1T	/* insert B field */
	oris	r6,r6,(MMU_SEGSIZE_1T << SLBIE_SSIZE_SHIFT)@h
	rldimi	r7,r9,SLB_VSID_SSIZE_SHIFT,0
END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT)

	/* Update the last bolted SLB.  No write barriers are needed
	 * here, provided we only update the current CPU's SLB shadow
	 * buffer.
	 */
	ld	r9,PACA_SLBSHADOWPTR(r13)
	li	r12,0
	std	r12,SLBSHADOW_STACKESID(r9)	/* Clear ESID */
	li	r12,SLBSHADOW_STACKVSID
	STDX_BE	r7,r12,r9			/* Save VSID */
	li	r12,SLBSHADOW_STACKESID
	STDX_BE	r0,r12,r9			/* Save ESID */

	/* No need to check for MMU_FTR_NO_SLBIE_B here, since when
	 * we have 1TB segments, the only CPUs known to have the errata
	 * only support less than 1TB of system memory and we'll never
	 * actually hit this code path.
	 */

	isync
	slbie	r6
	slbie	r6		/* Workaround POWER5 < DD2.1 issue */
	slbmte	r7,r0
	isync
2:
#endif /* CONFIG_PPC_BOOK3S_64 */

	CURRENT_THREAD_INFO(r7, r8)  /* base of new stack */
	/* Note: this uses SWITCH_FRAME_SIZE rather than INT_FRAME_SIZE
	   because we don't need to leave the 288-byte ABI gap at the
	   top of the kernel stack. */
	addi	r7,r7,THREAD_SIZE-SWITCH_FRAME_SIZE

	/*
	 * PMU interrupts in radix may come in here. They will use r1, not
	 * PACAKSAVE, so this stack switch will not cause a problem. They
	 * will store to the process stack, which may then be migrated to
	 * another CPU. However the rq lock release on this CPU paired with
	 * the rq lock acquire on the new CPU before the stack becomes
	 * active on the new CPU, will order those stores.
	 */
	mr	r1,r8		/* start using new stack pointer */
	std	r7,PACAKSAVE(r13)

	ld	r6,_CCR(r1)
	mtcrf	0xFF,r6

	/* r3-r13 are destroyed -- Cort */
	REST_8GPRS(14, r1)
	REST_10GPRS(22, r1)

	/* convert old thread to its task_struct for return value */
	addi	r3,r3,-THREAD
	ld	r7,_NIP(r1)	/* Return to _switch caller in new task */
	mtlr	r7
	addi	r1,r1,SWITCH_FRAME_SIZE
	blr

	.align	7
_GLOBAL(ret_from_except)
	ld	r11,_TRAP(r1)
	andi.	r0,r11,1
	bne	ret_from_except_lite
	REST_NVGPRS(r1)

_GLOBAL(ret_from_except_lite)
	/*
	 * Disable interrupts so that current_thread_info()->flags
	 * can't change between when we test it and when we return
	 * from the interrupt.
	 */
#ifdef CONFIG_PPC_BOOK3E
	wrteei	0
#else
	li	r10,MSR_RI
	mtmsrd	r10,1		  /* Update machine state */
#endif /* CONFIG_PPC_BOOK3E */

	CURRENT_THREAD_INFO(r9, r1)
	ld	r3,_MSR(r1)
#ifdef CONFIG_PPC_BOOK3E
	ld	r10,PACACURRENT(r13)
#endif /* CONFIG_PPC_BOOK3E */
	ld	r4,TI_FLAGS(r9)
	andi.	r3,r3,MSR_PR
	beq	resume_kernel
#ifdef CONFIG_PPC_BOOK3E
	lwz	r3,(THREAD+THREAD_DBCR0)(r10)
#endif /* CONFIG_PPC_BOOK3E */

	/* Check current_thread_info()->flags */
	andi.	r0,r4,_TIF_USER_WORK_MASK
	bne	1f
#ifdef CONFIG_PPC_BOOK3E
	/*
	 * Check to see if the dbcr0 register is set up to debug.
	 * Use the internal debug mode bit to do this.
	 */
	andis.	r0,r3,DBCR0_IDM@h
	beq	restore
	mfmsr	r0
	rlwinm	r0,r0,0,~MSR_DE	/* Clear MSR.DE */
	mtmsr	r0
	mtspr	SPRN_DBCR0,r3
	li	r10, -1
	mtspr	SPRN_DBSR,r10
	b	restore
#else
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	restore_math
	b	restore
#endif
1:	andi.	r0,r4,_TIF_NEED_RESCHED
	beq	2f
	bl	restore_interrupts
	SCHEDULE_USER
	b	ret_from_except_lite
2:
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
	andi.	r0,r4,_TIF_USER_WORK_MASK & ~_TIF_RESTORE_TM
	bne	3f		/* only restore TM if nothing else to do */
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	restore_tm_state
	b	restore
3:
#endif
	bl	save_nvgprs
	/*
	 * Use a non volatile GPR to save and restore our thread_info flags
	 * across the call to restore_interrupts.
	 */
	mr	r30,r4
	bl	restore_interrupts
	mr	r4,r30
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	do_notify_resume
	b	ret_from_except

resume_kernel:
	/* check current_thread_info, _TIF_EMULATE_STACK_STORE */
	andis.	r8,r4,_TIF_EMULATE_STACK_STORE@h
	beq+	1f

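	/*
	 * An "stdu r1,-N(r1)" in the interrupted kernel code was emulated
	 * (e.g. while single-stepping a kprobe): r1 was updated but the
	 * store of the back chain was deferred so it would not clobber
	 * this exception frame. Copy the frame below the new r1 and then
	 * complete the deferred store.
	 */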
	addi	r8,r1,INT_FRAME_SIZE	/* Get the kprobed function entry */

	ld	r3,GPR1(r1)
	subi	r3,r3,INT_FRAME_SIZE	/* dst: Allocate a trampoline exception frame */
	mr	r4,r1			/* src:  current exception frame */
	mr	r1,r3			/* Reroute the trampoline frame to r1 */

	/* Copy from the original to the trampoline. */
	li	r5,INT_FRAME_SIZE/8	/* size: INT_FRAME_SIZE */
	li	r6,0			/* start offset: 0 */
	mtctr	r5
2:	ldx	r0,r6,r4
	stdx	r0,r6,r3
	addi	r6,r6,8
	bdnz	2b

	/* Do real store operation to complete stdu */
	ld	r5,GPR1(r1)
	std	r8,0(r5)

	/* Clear _TIF_EMULATE_STACK_STORE flag */
	lis	r11,_TIF_EMULATE_STACK_STORE@h
	addi	r5,r9,TI_FLAGS
0:	ldarx	r4,0,r5
	andc	r4,r4,r11
	stdcx.	r4,0,r5
	bne-	0b
1:

#ifdef CONFIG_PREEMPT
	/* Check if we need to preempt */
	andi.	r0,r4,_TIF_NEED_RESCHED
	beq+	restore
	/* Check that preempt_count() == 0 and interrupts are enabled */
	lwz	r8,TI_PREEMPT(r9)
	cmpwi	cr0,r8,0
	bne	restore
	ld	r0,SOFTE(r1)
	andi.	r0,r0,IRQS_DISABLED
	bne	restore

	/*
	 * Here we are preempting the current task. We want to make
	 * sure we are soft-disabled first and reconcile irq state.
	 */
	RECONCILE_IRQ_STATE(r3,r4)
1:	bl	preempt_schedule_irq

	/* Re-test flags and eventually loop */
	CURRENT_THREAD_INFO(r9, r1)
	ld	r4,TI_FLAGS(r9)
	andi.	r0,r4,_TIF_NEED_RESCHED
	bne	1b

	/*
	 * arch_local_irq_restore() from preempt_schedule_irq above may
	 * enable hard interrupts, but we really should disable them again
	 * before we return from the interrupt, so that we don't get
	 * interrupted after loading SRR0/1.
	 */
#ifdef CONFIG_PPC_BOOK3E
	wrteei	0
#else
	li	r10,MSR_RI
	mtmsrd	r10,1		  /* Update machine state */
#endif /* CONFIG_PPC_BOOK3E */
#endif /* CONFIG_PREEMPT */

	.globl	fast_exc_return_irq
fast_exc_return_irq:
restore:
	/*
	 * This is the main kernel exit path. First we check if we
	 * are about to re-enable interrupts
	 */
	ld	r5,SOFTE(r1)
	lbz	r6,PACAIRQSOFTMASK(r13)
	andi.	r5,r5,IRQS_DISABLED
	bne	.Lrestore_irq_off

	/* We are enabling, were we already enabled ? Yes, just return */
	andi.	r6,r6,IRQS_DISABLED
	beq	cr0,.Ldo_restore

	/*
	 * We are about to soft-enable interrupts (we are hard disabled
	 * at this point). We check if there's anything that needs to
	 * be replayed first.
	 */
	lbz	r0,PACAIRQHAPPENED(r13)
	cmpwi	cr0,r0,0
	bne-	.Lrestore_check_irq_replay

	/*
	 * Get here when nothing happened while soft-disabled, just
	 * soft-enable and move-on. We will hard-enable as a side
	 * effect of rfi
	 */
.Lrestore_no_replay:
	TRACE_ENABLE_INTS
	li	r0,IRQS_ENABLED
	stb	r0,PACAIRQSOFTMASK(r13);

	/*
	 * Final return path. BookE is handled in a different file
	 */
.Ldo_restore:
#ifdef CONFIG_PPC_BOOK3E
	b	exception_return_book3e
#else
	/*
	 * Clear the reservation. If we know the CPU tracks the address of
	 * the reservation then we can potentially save some cycles and use
	 * a larx. On POWER6 and POWER7 this is significantly faster.
	 */
BEGIN_FTR_SECTION
	stdcx.	r0,0,r1		/* to clear the reservation */
FTR_SECTION_ELSE
	ldarx	r4,0,r1
ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)

	/*
	 * Some code path such as load_up_fpu or altivec return directly
	 * here. They run entirely hard disabled and do not alter the
	 * interrupt state. They also don't use lwarx/stwcx. and thus
	 * are known not to leave dangling reservations.
	 */
	.globl	fast_exception_return
fast_exception_return:
	ld	r3,_MSR(r1)
	ld	r4,_CTR(r1)
	ld	r0,_LINK(r1)
	mtctr	r4
	mtlr	r0
	ld	r4,_XER(r1)
	mtspr	SPRN_XER,r4

	REST_8GPRS(5, r1)

	andi.	r0,r3,MSR_RI
	beq-	.Lunrecov_restore

	/* Load PPR from thread struct before we clear MSR:RI */
BEGIN_FTR_SECTION
	ld	r2,PACACURRENT(r13)
	ld	r2,TASKTHREADPPR(r2)
END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)

	/*
	 * Clear RI before restoring r13.  If we are returning to
	 * userspace and we take an exception after restoring r13,
	 * we end up corrupting the userspace r13 value.
	 */
	li	r4,0
	mtmsrd	r4,1

#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
	/* TM debug */
	std	r3, PACATMSCRATCH(r13) /* Stash returned-to MSR */
#endif
	/*
	 * r13 is our per-cpu area; only restore it if we are returning to
	 * userspace, since the value stored in the stack frame may belong
	 * to another CPU.
	 */
	andi.	r0,r3,MSR_PR
	beq	1f
BEGIN_FTR_SECTION
	mtspr	SPRN_PPR,r2	/* Restore PPR */
END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
	ACCOUNT_CPU_USER_EXIT(r13, r2, r4)
	REST_GPR(13, r1)

	mtspr	SPRN_SRR1,r3

	ld	r2,_CCR(r1)
	mtcrf	0xFF,r2
	ld	r2,_NIP(r1)
	mtspr	SPRN_SRR0,r2

	ld	r0,GPR0(r1)
	ld	r2,GPR2(r1)
	ld	r3,GPR3(r1)
	ld	r4,GPR4(r1)
	ld	r1,GPR1(r1)
	RFI_TO_USER
	b	.	/* prevent speculative execution */

1:	mtspr	SPRN_SRR1,r3

	ld	r2,_CCR(r1)
	mtcrf	0xFF,r2
	ld	r2,_NIP(r1)
	mtspr	SPRN_SRR0,r2

	ld	r0,GPR0(r1)
	ld	r2,GPR2(r1)
	ld	r3,GPR3(r1)
	ld	r4,GPR4(r1)
	ld	r1,GPR1(r1)
	RFI_TO_KERNEL
	b	.	/* prevent speculative execution */

#endif /* CONFIG_PPC_BOOK3E */

	/*
	 * We are returning to a context with interrupts soft disabled.
	 *
	 * However, we may also be about to hard enable, so we need to
	 * make sure that in this case, we also clear PACA_IRQ_HARD_DIS
	 * or that bit can get out of sync and bad things will happen
	 */
.Lrestore_irq_off:
	ld	r3,_MSR(r1)
	lbz	r7,PACAIRQHAPPENED(r13)
	andi.	r0,r3,MSR_EE
	beq	1f
	rlwinm	r7,r7,0,~PACA_IRQ_HARD_DIS
	stb	r7,PACAIRQHAPPENED(r13)
1:
#if defined(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG) && defined(CONFIG_BUG)
	/* The interrupt should not have soft enabled. */
	lbz	r7,PACAIRQSOFTMASK(r13)
1:	tdeqi	r7,IRQS_ENABLED
	EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING
#endif
	b	.Ldo_restore

	/*
	 * Something did happen, check if a re-emit is needed
	 * (this also clears paca->irq_happened)
	 */
.Lrestore_check_irq_replay:
	/* XXX: We could implement a fast path here where we check
	 * for irq_happened being just 0x01, in which case we can
	 * clear it and return. That means that we would potentially
	 * miss a decrementer having wrapped all the way around.
	 *
	 * Still, this might be useful for things like hash_page
	 */
	bl	__check_irq_replay
	cmpwi	cr0,r3,0
	beq	.Lrestore_no_replay

	/*
	 * We need to re-emit an interrupt. We do so by re-using our
	 * existing exception frame. We first change the trap value,
	 * but we need to ensure we preserve the low nibble of it
	 */
	ld	r4,_TRAP(r1)
	clrldi	r4,r4,60
	or	r4,r4,r3
	std	r4,_TRAP(r1)

	/*
	 * PACA_IRQ_HARD_DIS won't always be set here, so set it now
	 * to reconcile the IRQ state. Tracing is already accounted for.
	 */
	lbz	r4,PACAIRQHAPPENED(r13)
	ori	r4,r4,PACA_IRQ_HARD_DIS
	stb	r4,PACAIRQHAPPENED(r13)

	/*
	 * Then find the right handler and call it. Interrupts are
	 * still soft-disabled and we keep them that way.
	 */
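	/*
	 * r3 is the vector returned by __check_irq_replay: 0x500 external
	 * interrupt, 0x900 decrementer, 0xe60 HMI, 0xf00 PMU and 0xa00
	 * (0x280 on BookE) doorbell.
	 */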
	cmpwi	cr0,r3,0x500
	bne	1f
	addi	r3,r1,STACK_FRAME_OVERHEAD;
	bl	do_IRQ
	b	ret_from_except
1:	cmpwi	cr0,r3,0xf00
	bne	1f
	addi	r3,r1,STACK_FRAME_OVERHEAD;
	bl	performance_monitor_exception
	b	ret_from_except
1:	cmpwi	cr0,r3,0xe60
	bne	1f
	addi	r3,r1,STACK_FRAME_OVERHEAD;
	bl	handle_hmi_exception
	b	ret_from_except
1:	cmpwi	cr0,r3,0x900
	bne	1f
	addi	r3,r1,STACK_FRAME_OVERHEAD;
	bl	timer_interrupt
	b	ret_from_except
#ifdef CONFIG_PPC_DOORBELL
1:
#ifdef CONFIG_PPC_BOOK3E
	cmpwi	cr0,r3,0x280
#else
	cmpwi	cr0,r3,0xa00
#endif /* CONFIG_PPC_BOOK3E */
	bne	1f
	addi	r3,r1,STACK_FRAME_OVERHEAD;
	bl	doorbell_exception
#endif /* CONFIG_PPC_DOORBELL */
1:	b	ret_from_except /* What else to do here ? */

.Lunrecov_restore:
	addi	r3,r1,STACK_FRAME_OVERHEAD
	bl	unrecoverable_exception
	b	.Lunrecov_restore

_ASM_NOKPROBE_SYMBOL(ret_from_except);
_ASM_NOKPROBE_SYMBOL(ret_from_except_lite);
_ASM_NOKPROBE_SYMBOL(resume_kernel);
_ASM_NOKPROBE_SYMBOL(fast_exc_return_irq);
_ASM_NOKPROBE_SYMBOL(restore);
_ASM_NOKPROBE_SYMBOL(fast_exception_return);


#ifdef CONFIG_PPC_RTAS
/*
 * On CHRP, the Run-Time Abstraction Services (RTAS) have to be
 * called with the MMU off.
 *
 * In addition, we need to be in 32b mode, at least for now.
 *
 * Note: r3 is an input parameter to rtas, so don't trash it...
 */
_GLOBAL(enter_rtas)
	mflr	r0
	std	r0,16(r1)
	stdu	r1,-RTAS_FRAME_SIZE(r1)	/* Save SP and create stack space. */

	/* Because RTAS is running in 32b mode, it clobbers the high order half
	 * of all registers that it saves.  We therefore save those registers
	 * RTAS might touch to the stack.  (r0, r3-r13 are caller saved)
	 */
	SAVE_GPR(2, r1)			/* Save the TOC */
	SAVE_GPR(13, r1)		/* Save paca */
	SAVE_8GPRS(14, r1)		/* Save the non-volatiles */
	SAVE_10GPRS(22, r1)		/* ditto */

	mfcr	r4
	std	r4,_CCR(r1)
	mfctr	r5
	std	r5,_CTR(r1)
	mfspr	r6,SPRN_XER
	std	r6,_XER(r1)
	mfdar	r7
	std	r7,_DAR(r1)
	mfdsisr	r8
	std	r8,_DSISR(r1)

	/* Temporary workaround to clear CR until RTAS can be modified to
	 * ignore all bits.
	 */
	li	r0,0
	mtcr	r0

#ifdef CONFIG_BUG
	/* There is no way it is acceptable to get here with interrupts enabled,
	 * check it with the asm equivalent of WARN_ON
	 */
	lbz	r0,PACAIRQSOFTMASK(r13)
1:	tdeqi	r0,IRQS_ENABLED
	EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING
#endif

	/* Hard-disable interrupts */
	mfmsr	r6
	rldicl	r7,r6,48,1
	rotldi	r7,r7,16
	mtmsrd	r7,1

	/* Unfortunately, the stack pointer and the MSR are also clobbered,
	 * so they are saved in the PACA which allows us to restore
	 * our original state after RTAS returns.
	 */
	std	r1,PACAR1(r13)
	std	r6,PACASAVEDMSR(r13)

	/* Setup our real return addr */
	LOAD_REG_ADDR(r4,rtas_return_loc)
	clrldi	r4,r4,2			/* convert to realmode address */
	mtlr	r4

	li	r0,0
	ori	r0,r0,MSR_EE|MSR_SE|MSR_BE|MSR_RI
	andc	r0,r6,r0

	li	r9,1
	rldicr	r9,r9,MSR_SF_LG,(63-MSR_SF_LG)
	ori	r9,r9,MSR_IR|MSR_DR|MSR_FE0|MSR_FE1|MSR_FP|MSR_RI|MSR_LE
	andc	r6,r0,r9
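	/*
	 * r0 is now the current MSR with EE/SE/BE/RI cleared (used below
	 * to quiesce the CPU before the rfid); r6 is the MSR RTAS will be
	 * entered with: additionally SF, IR, DR, FP, FE0, FE1, RI and LE
	 * cleared, i.e. 32-bit big-endian real mode.
	 */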

__enter_rtas:
	sync				/* disable interrupts so SRR0/1 */
	mtmsrd	r0			/* don't get trashed */

	LOAD_REG_ADDR(r4, rtas)
	ld	r5,RTASENTRY(r4)	/* get the rtas->entry value */
	ld	r4,RTASBASE(r4)		/* get the rtas->base value */

	mtspr	SPRN_SRR0,r5
	mtspr	SPRN_SRR1,r6
	RFI_TO_KERNEL
	b	.	/* prevent speculative execution */

rtas_return_loc:
	FIXUP_ENDIAN

	/*
	 * Clear RI and set SF before anything.
	 */
	mfmsr   r6
	li	r0,MSR_RI
	andc	r6,r6,r0
	sldi	r0,r0,(MSR_SF_LG - MSR_RI_LG)
	or	r6,r6,r0
	sync
	mtmsrd  r6

	/* relocation is off at this point */
	GET_PACA(r4)
	clrldi	r4,r4,2			/* convert to realmode address */

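	/*
	 * bcl/mflr gives us our own address; the 64-bit literal at 1:
	 * below then yields &rtas_restore_regs without needing the TOC
	 * (we are in real mode with relocation off here).
	 */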
	bcl	20,31,$+4
0:	mflr	r3
	ld	r3,(1f-0b)(r3)		/* get &rtas_restore_regs */

	ld	r1,PACAR1(r4)           /* Restore our SP */
	ld	r4,PACASAVEDMSR(r4)     /* Restore our MSR */

	mtspr	SPRN_SRR0,r3
	mtspr	SPRN_SRR1,r4
	RFI_TO_KERNEL
	b	.	/* prevent speculative execution */
_ASM_NOKPROBE_SYMBOL(__enter_rtas)
_ASM_NOKPROBE_SYMBOL(rtas_return_loc)

	.align	3
1:	.8byte	rtas_restore_regs

rtas_restore_regs:
	/* relocation is on at this point */
	REST_GPR(2, r1)			/* Restore the TOC */
	REST_GPR(13, r1)		/* Restore paca */
	REST_8GPRS(14, r1)		/* Restore the non-volatiles */
	REST_10GPRS(22, r1)		/* ditto */

	GET_PACA(r13)

	ld	r4,_CCR(r1)
	mtcr	r4
	ld	r5,_CTR(r1)
	mtctr	r5
	ld	r6,_XER(r1)
	mtspr	SPRN_XER,r6
	ld	r7,_DAR(r1)
	mtdar	r7
	ld	r8,_DSISR(r1)
	mtdsisr	r8

	addi	r1,r1,RTAS_FRAME_SIZE	/* Unstack our frame */
	ld	r0,16(r1)		/* get return address */

	mtlr    r0
	blr				/* return to caller */

#endif /* CONFIG_PPC_RTAS */

_GLOBAL(enter_prom)
	mflr	r0
	std	r0,16(r1)
	stdu	r1,-PROM_FRAME_SIZE(r1)	/* Save SP and create stack space */

	/* Because PROM is running in 32b mode, it clobbers the high order half
	 * of all registers that it saves.  We therefore save those registers
	 * PROM might touch to the stack.  (r0, r3-r13 are caller saved)
	 */
	SAVE_GPR(2, r1)
	SAVE_GPR(13, r1)
	SAVE_8GPRS(14, r1)
	SAVE_10GPRS(22, r1)
	mfcr	r10
	mfmsr	r11
	std	r10,_CCR(r1)
	std	r11,_MSR(r1)

	/* Put PROM address in SRR0 */
	mtsrr0	r4

	/* Setup our trampoline return addr in LR */
	bcl	20,31,$+4
0:	mflr	r4
	addi	r4,r4,(1f - 0b)
	mtlr	r4

	/* Prepare a 32-bit mode big endian MSR */
#ifdef CONFIG_PPC_BOOK3E
	rlwinm	r11,r11,0,1,31
	mtsrr1	r11
	rfi
#else /* CONFIG_PPC_BOOK3E */
	LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE)
	andc	r11,r11,r12
	mtsrr1	r11
	RFI_TO_KERNEL
#endif /* CONFIG_PPC_BOOK3E */

1:	/* Return from OF */
	FIXUP_ENDIAN

	/* Just make sure that the top 32 bits of r1 didn't get
	 * corrupted by OF
	 */
	rldicl	r1,r1,0,32

	/* Restore the MSR (back to 64 bits) */
	ld	r0,_MSR(r1)
	MTMSRD(r0)
	isync

	/* Restore other registers */
	REST_GPR(2, r1)
	REST_GPR(13, r1)
	REST_8GPRS(14, r1)
	REST_10GPRS(22, r1)
	ld	r4,_CCR(r1)
	mtcr	r4

	addi	r1,r1,PROM_FRAME_SIZE
	ld	r0,16(r1)
	mtlr    r0
	blr
