diff options
| author | David S. Miller <davem@davemloft.net> | 2016-07-27 20:50:26 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-07-27 20:50:26 -0400 |
| commit | 4f6deb8cbab532a8d7250bc09234c1795ecb5e2c (patch) | |
| tree | 96a786e93f7da67cec53197cd148da61789b5ea4 | |
| parent | 8448cefe499a45222430ebbcabcd9e26369895c3 (diff) | |
sparc: Don't leak context bits into thread->fault_address
On pre-Niagara systems, we fetch the fault address on data TLB
exceptions from the TLB_TAG_ACCESS register. But this register also
contains the context ID assosciated with the fault in the low 13 bits
of the register value.
This propagates into current_thread_info()->fault_address and can
cause trouble later on.
So clear the low 13-bits out of the TLB_TAG_ACCESS value in the cases
where it matters.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | arch/sparc/kernel/dtlb_prot.S | 4 | ||||
| -rw-r--r-- | arch/sparc/kernel/ktlb.S | 12 | ||||
| -rw-r--r-- | arch/sparc/kernel/tsb.S | 12 |
3 files changed, 24 insertions, 4 deletions
diff --git a/arch/sparc/kernel/dtlb_prot.S b/arch/sparc/kernel/dtlb_prot.S index d668ca149e64..4087a62f96b0 100644 --- a/arch/sparc/kernel/dtlb_prot.S +++ b/arch/sparc/kernel/dtlb_prot.S | |||
| @@ -25,13 +25,13 @@ | |||
| 25 | 25 | ||
| 26 | /* PROT ** ICACHE line 2: More real fault processing */ | 26 | /* PROT ** ICACHE line 2: More real fault processing */ |
| 27 | ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 | 27 | ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 |
| 28 | srlx %g5, PAGE_SHIFT, %g5 | ||
| 29 | sllx %g5, PAGE_SHIFT, %g5 ! Clear context ID bits | ||
| 28 | bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup | 30 | bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup |
| 29 | mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4 | 31 | mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4 |
| 30 | ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault | 32 | ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault |
| 31 | nop | 33 | nop |
| 32 | nop | 34 | nop |
| 33 | nop | ||
| 34 | nop | ||
| 35 | 35 | ||
| 36 | /* PROT ** ICACHE line 3: Unused... */ | 36 | /* PROT ** ICACHE line 3: Unused... */ |
| 37 | nop | 37 | nop |
diff --git a/arch/sparc/kernel/ktlb.S b/arch/sparc/kernel/ktlb.S index ef0d8e9e1210..f22bec0db645 100644 --- a/arch/sparc/kernel/ktlb.S +++ b/arch/sparc/kernel/ktlb.S | |||
| @@ -20,6 +20,10 @@ kvmap_itlb: | |||
| 20 | mov TLB_TAG_ACCESS, %g4 | 20 | mov TLB_TAG_ACCESS, %g4 |
| 21 | ldxa [%g4] ASI_IMMU, %g4 | 21 | ldxa [%g4] ASI_IMMU, %g4 |
| 22 | 22 | ||
| 23 | /* The kernel executes in context zero, therefore we do not | ||
| 24 | * need to clear the context ID bits out of %g4 here. | ||
| 25 | */ | ||
| 26 | |||
| 23 | /* sun4v_itlb_miss branches here with the missing virtual | 27 | /* sun4v_itlb_miss branches here with the missing virtual |
| 24 | * address already loaded into %g4 | 28 | * address already loaded into %g4 |
| 25 | */ | 29 | */ |
| @@ -128,6 +132,10 @@ kvmap_dtlb: | |||
| 128 | mov TLB_TAG_ACCESS, %g4 | 132 | mov TLB_TAG_ACCESS, %g4 |
| 129 | ldxa [%g4] ASI_DMMU, %g4 | 133 | ldxa [%g4] ASI_DMMU, %g4 |
| 130 | 134 | ||
| 135 | /* The kernel executes in context zero, therefore we do not | ||
| 136 | * need to clear the context ID bits out of %g4 here. | ||
| 137 | */ | ||
| 138 | |||
| 131 | /* sun4v_dtlb_miss branches here with the missing virtual | 139 | /* sun4v_dtlb_miss branches here with the missing virtual |
| 132 | * address already loaded into %g4 | 140 | * address already loaded into %g4 |
| 133 | */ | 141 | */ |
| @@ -251,6 +259,10 @@ kvmap_dtlb_longpath: | |||
| 251 | nop | 259 | nop |
| 252 | .previous | 260 | .previous |
| 253 | 261 | ||
| 262 | /* The kernel executes in context zero, therefore we do not | ||
| 263 | * need to clear the context ID bits out of %g5 here. | ||
| 264 | */ | ||
| 265 | |||
| 254 | be,pt %xcc, sparc64_realfault_common | 266 | be,pt %xcc, sparc64_realfault_common |
| 255 | mov FAULT_CODE_DTLB, %g4 | 267 | mov FAULT_CODE_DTLB, %g4 |
| 256 | ba,pt %xcc, winfix_trampoline | 268 | ba,pt %xcc, winfix_trampoline |
diff --git a/arch/sparc/kernel/tsb.S b/arch/sparc/kernel/tsb.S index be98685c14c6..d568c8207af7 100644 --- a/arch/sparc/kernel/tsb.S +++ b/arch/sparc/kernel/tsb.S | |||
| @@ -29,13 +29,17 @@ | |||
| 29 | */ | 29 | */ |
| 30 | tsb_miss_dtlb: | 30 | tsb_miss_dtlb: |
| 31 | mov TLB_TAG_ACCESS, %g4 | 31 | mov TLB_TAG_ACCESS, %g4 |
| 32 | ldxa [%g4] ASI_DMMU, %g4 | ||
| 33 | srlx %g4, PAGE_SHIFT, %g4 | ||
| 32 | ba,pt %xcc, tsb_miss_page_table_walk | 34 | ba,pt %xcc, tsb_miss_page_table_walk |
| 33 | ldxa [%g4] ASI_DMMU, %g4 | 35 | sllx %g4, PAGE_SHIFT, %g4 |
| 34 | 36 | ||
| 35 | tsb_miss_itlb: | 37 | tsb_miss_itlb: |
| 36 | mov TLB_TAG_ACCESS, %g4 | 38 | mov TLB_TAG_ACCESS, %g4 |
| 39 | ldxa [%g4] ASI_IMMU, %g4 | ||
| 40 | srlx %g4, PAGE_SHIFT, %g4 | ||
| 37 | ba,pt %xcc, tsb_miss_page_table_walk | 41 | ba,pt %xcc, tsb_miss_page_table_walk |
| 38 | ldxa [%g4] ASI_IMMU, %g4 | 42 | sllx %g4, PAGE_SHIFT, %g4 |
| 39 | 43 | ||
| 40 | /* At this point we have: | 44 | /* At this point we have: |
| 41 | * %g1 -- PAGE_SIZE TSB entry address | 45 | * %g1 -- PAGE_SIZE TSB entry address |
| @@ -284,6 +288,10 @@ tsb_do_dtlb_fault: | |||
| 284 | nop | 288 | nop |
| 285 | .previous | 289 | .previous |
| 286 | 290 | ||
| 291 | /* Clear context ID bits. */ | ||
| 292 | srlx %g5, PAGE_SHIFT, %g5 | ||
| 293 | sllx %g5, PAGE_SHIFT, %g5 | ||
| 294 | |||
| 287 | be,pt %xcc, sparc64_realfault_common | 295 | be,pt %xcc, sparc64_realfault_common |
| 288 | mov FAULT_CODE_DTLB, %g4 | 296 | mov FAULT_CODE_DTLB, %g4 |
| 289 | ba,pt %xcc, winfix_trampoline | 297 | ba,pt %xcc, winfix_trampoline |