diff options
| author | David S. Miller <davem@davemloft.net> | 2016-05-28 23:41:12 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-05-29 21:55:54 -0400 |
| commit | 7cafc0b8bf130f038b0ec2dcdd6a9de6dc59b65a (patch) | |
| tree | 9ec9c68be0644bb23bc60c089ac98fefc849b4f5 | |
| parent | d11c2a0de2824395656cf8ed15811580c9dd38aa (diff) | |
sparc64: Fix return from trap window fill crashes.
We must handle data access exception as well as memory address unaligned
exceptions from return from trap window fill faults, not just normal
TLB misses.
Otherwise we can get an OOPS that looks like this:
ld-linux.so.2(36808): Kernel bad sw trap 5 [#1]
CPU: 1 PID: 36808 Comm: ld-linux.so.2 Not tainted 4.6.0 #34
task: fff8000303be5c60 ti: fff8000301344000 task.ti: fff8000301344000
TSTATE: 0000004410001601 TPC: 0000000000a1a784 TNPC: 0000000000a1a788 Y: 00000002 Not tainted
TPC: <do_sparc64_fault+0x5c4/0x700>
g0: fff8000024fc8248 g1: 0000000000db04dc g2: 0000000000000000 g3: 0000000000000001
g4: fff8000303be5c60 g5: fff800030e672000 g6: fff8000301344000 g7: 0000000000000001
o0: 0000000000b95ee8 o1: 000000000000012b o2: 0000000000000000 o3: 0000000200b9b358
o4: 0000000000000000 o5: fff8000301344040 sp: fff80003013475c1 ret_pc: 0000000000a1a77c
RPC: <do_sparc64_fault+0x5bc/0x700>
l0: 00000000000007ff l1: 0000000000000000 l2: 000000000000005f l3: 0000000000000000
l4: fff8000301347e98 l5: fff8000024ff3060 l6: 0000000000000000 l7: 0000000000000000
i0: fff8000301347f60 i1: 0000000000102400 i2: 0000000000000000 i3: 0000000000000000
i4: 0000000000000000 i5: 0000000000000000 i6: fff80003013476a1 i7: 0000000000404d4c
I7: <user_rtt_fill_fixup+0x6c/0x7c>
Call Trace:
[0000000000404d4c] user_rtt_fill_fixup+0x6c/0x7c
The window trap handlers are slightly clever, the trap table entries for them are
composed of two pieces of code. First comes the code that actually performs
the window fill or spill trap handling, and then there are three instructions at
the end which are for exception processing.
The userland register window fill handler is:
add %sp, STACK_BIAS + 0x00, %g1; \
ldxa [%g1 + %g0] ASI, %l0; \
mov 0x08, %g2; \
mov 0x10, %g3; \
ldxa [%g1 + %g2] ASI, %l1; \
mov 0x18, %g5; \
ldxa [%g1 + %g3] ASI, %l2; \
ldxa [%g1 + %g5] ASI, %l3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %l4; \
ldxa [%g1 + %g2] ASI, %l5; \
ldxa [%g1 + %g3] ASI, %l6; \
ldxa [%g1 + %g5] ASI, %l7; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i0; \
ldxa [%g1 + %g2] ASI, %i1; \
ldxa [%g1 + %g3] ASI, %i2; \
ldxa [%g1 + %g5] ASI, %i3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i4; \
ldxa [%g1 + %g2] ASI, %i5; \
ldxa [%g1 + %g3] ASI, %i6; \
ldxa [%g1 + %g5] ASI, %i7; \
restored; \
retry; nop; nop; nop; nop; \
b,a,pt %xcc, fill_fixup_dax; \
b,a,pt %xcc, fill_fixup_mna; \
b,a,pt %xcc, fill_fixup;
And the way this works is that if any of those memory accesses
generate an exception, the exception handler can revector to one of
those final three branch instructions depending upon which kind of
exception the memory access took. In this way, the fault handler
doesn't have to know if it was a spill or a fill that it's handling
the fault for. It just always branches to the last instruction in
the parent trap's handler.
For example, for a regular fault, the code goes:
winfix_trampoline:
rdpr %tpc, %g3
or %g3, 0x7c, %g3
wrpr %g3, %tnpc
done
All window trap handlers are 0x80 aligned, so if we "or" 0x7c into the
trap time program counter, we'll get that final instruction in the
trap handler.
On return from trap, we have to pull the register window in but we do
this by hand instead of just executing a "restore" instruction for
several reasons. The largest being that from Niagara and onward we
simply don't have enough levels in the trap stack to fully resolve all
possible exception cases of a window fault when we are already at
trap level 1 (which we enter to get ready to return from the original
trap).
This is executed inline via the FILL_*_RTRAP handlers. rtrap_64.S's
code branches directly to these to do the window fill by hand if
necessary. Now if you look at them, we'll see at the end:
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
And oops, all three cases are handled like a fault.
This doesn't work because each of these trap types (data access
exception, memory address unaligned, and faults) store their auxiliary
info in different registers to pass on to the C handler which does the
real work.
So in the case where the stack was unaligned, the unaligned trap
handler sets up the arg registers one way, and then we branched to
the fault handler which expects them setup another way.
So the FAULT_TYPE_* value ends up basically being garbage, and
randomly would generate the backtrace seen above.
Reported-by: Nick Alcock <nix@esperi.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | arch/sparc/include/asm/head_64.h | 4 | ||||
| -rw-r--r-- | arch/sparc/include/asm/ttable.h | 8 | ||||
| -rw-r--r-- | arch/sparc/kernel/Makefile | 1 | ||||
| -rw-r--r-- | arch/sparc/kernel/rtrap_64.S | 57 | ||||
| -rw-r--r-- | arch/sparc/kernel/urtt_fill.S | 98 |
5 files changed, 116 insertions, 52 deletions
diff --git a/arch/sparc/include/asm/head_64.h b/arch/sparc/include/asm/head_64.h index 10e9dabc4c41..f0700cfeedd7 100644 --- a/arch/sparc/include/asm/head_64.h +++ b/arch/sparc/include/asm/head_64.h | |||
| @@ -15,6 +15,10 @@ | |||
| 15 | 15 | ||
| 16 | #define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ) | 16 | #define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ) |
| 17 | 17 | ||
| 18 | #define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE) | ||
| 19 | #define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV) | ||
| 20 | #define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG) | ||
| 21 | |||
| 18 | #define __CHEETAH_ID 0x003e0014 | 22 | #define __CHEETAH_ID 0x003e0014 |
| 19 | #define __JALAPENO_ID 0x003e0016 | 23 | #define __JALAPENO_ID 0x003e0016 |
| 20 | #define __SERRANO_ID 0x003e0022 | 24 | #define __SERRANO_ID 0x003e0022 |
diff --git a/arch/sparc/include/asm/ttable.h b/arch/sparc/include/asm/ttable.h index 71b5a67522ab..781b9f1dbdc2 100644 --- a/arch/sparc/include/asm/ttable.h +++ b/arch/sparc/include/asm/ttable.h | |||
| @@ -589,8 +589,8 @@ user_rtt_fill_64bit: \ | |||
| 589 | restored; \ | 589 | restored; \ |
| 590 | nop; nop; nop; nop; nop; nop; \ | 590 | nop; nop; nop; nop; nop; nop; \ |
| 591 | nop; nop; nop; nop; nop; \ | 591 | nop; nop; nop; nop; nop; \ |
| 592 | ba,a,pt %xcc, user_rtt_fill_fixup; \ | 592 | ba,a,pt %xcc, user_rtt_fill_fixup_dax; \ |
| 593 | ba,a,pt %xcc, user_rtt_fill_fixup; \ | 593 | ba,a,pt %xcc, user_rtt_fill_fixup_mna; \ |
| 594 | ba,a,pt %xcc, user_rtt_fill_fixup; | 594 | ba,a,pt %xcc, user_rtt_fill_fixup; |
| 595 | 595 | ||
| 596 | 596 | ||
| @@ -652,8 +652,8 @@ user_rtt_fill_32bit: \ | |||
| 652 | restored; \ | 652 | restored; \ |
| 653 | nop; nop; nop; nop; nop; \ | 653 | nop; nop; nop; nop; nop; \ |
| 654 | nop; nop; nop; \ | 654 | nop; nop; nop; \ |
| 655 | ba,a,pt %xcc, user_rtt_fill_fixup; \ | 655 | ba,a,pt %xcc, user_rtt_fill_fixup_dax; \ |
| 656 | ba,a,pt %xcc, user_rtt_fill_fixup; \ | 656 | ba,a,pt %xcc, user_rtt_fill_fixup_mna; \ |
| 657 | ba,a,pt %xcc, user_rtt_fill_fixup; | 657 | ba,a,pt %xcc, user_rtt_fill_fixup; |
| 658 | 658 | ||
| 659 | 659 | ||
diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile index 7cf9c6ea3f1f..fdb13327fded 100644 --- a/arch/sparc/kernel/Makefile +++ b/arch/sparc/kernel/Makefile | |||
| @@ -21,6 +21,7 @@ CFLAGS_REMOVE_perf_event.o := -pg | |||
| 21 | CFLAGS_REMOVE_pcr.o := -pg | 21 | CFLAGS_REMOVE_pcr.o := -pg |
| 22 | endif | 22 | endif |
| 23 | 23 | ||
| 24 | obj-$(CONFIG_SPARC64) += urtt_fill.o | ||
| 24 | obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o | 25 | obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o |
| 25 | obj-$(CONFIG_SPARC32) += etrap_32.o | 26 | obj-$(CONFIG_SPARC32) += etrap_32.o |
| 26 | obj-$(CONFIG_SPARC32) += rtrap_32.o | 27 | obj-$(CONFIG_SPARC32) += rtrap_32.o |
diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S index d08bdaffdbfc..216948ca4382 100644 --- a/arch/sparc/kernel/rtrap_64.S +++ b/arch/sparc/kernel/rtrap_64.S | |||
| @@ -14,10 +14,6 @@ | |||
| 14 | #include <asm/visasm.h> | 14 | #include <asm/visasm.h> |
| 15 | #include <asm/processor.h> | 15 | #include <asm/processor.h> |
| 16 | 16 | ||
| 17 | #define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE) | ||
| 18 | #define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV) | ||
| 19 | #define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG) | ||
| 20 | |||
| 21 | #ifdef CONFIG_CONTEXT_TRACKING | 17 | #ifdef CONFIG_CONTEXT_TRACKING |
| 22 | # define SCHEDULE_USER schedule_user | 18 | # define SCHEDULE_USER schedule_user |
| 23 | #else | 19 | #else |
| @@ -242,52 +238,17 @@ rt_continue: ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1 | |||
| 242 | wrpr %g1, %cwp | 238 | wrpr %g1, %cwp |
| 243 | ba,a,pt %xcc, user_rtt_fill_64bit | 239 | ba,a,pt %xcc, user_rtt_fill_64bit |
| 244 | 240 | ||
| 245 | user_rtt_fill_fixup: | 241 | user_rtt_fill_fixup_dax: |
| 246 | rdpr %cwp, %g1 | 242 | ba,pt %xcc, user_rtt_fill_fixup_common |
| 247 | add %g1, 1, %g1 | 243 | mov 1, %g3 |
| 248 | wrpr %g1, 0x0, %cwp | ||
| 249 | |||
| 250 | rdpr %wstate, %g2 | ||
| 251 | sll %g2, 3, %g2 | ||
| 252 | wrpr %g2, 0x0, %wstate | ||
| 253 | |||
| 254 | /* We know %canrestore and %otherwin are both zero. */ | ||
| 255 | |||
| 256 | sethi %hi(sparc64_kern_pri_context), %g2 | ||
| 257 | ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2 | ||
| 258 | mov PRIMARY_CONTEXT, %g1 | ||
| 259 | |||
| 260 | 661: stxa %g2, [%g1] ASI_DMMU | ||
| 261 | .section .sun4v_1insn_patch, "ax" | ||
| 262 | .word 661b | ||
| 263 | stxa %g2, [%g1] ASI_MMU | ||
| 264 | .previous | ||
| 265 | |||
| 266 | sethi %hi(KERNBASE), %g1 | ||
| 267 | flush %g1 | ||
| 268 | 244 | ||
| 269 | or %g4, FAULT_CODE_WINFIXUP, %g4 | 245 | user_rtt_fill_fixup_mna: |
| 270 | stb %g4, [%g6 + TI_FAULT_CODE] | 246 | ba,pt %xcc, user_rtt_fill_fixup_common |
| 271 | stx %g5, [%g6 + TI_FAULT_ADDR] | 247 | mov 2, %g3 |
| 272 | 248 | ||
| 273 | mov %g6, %l1 | 249 | user_rtt_fill_fixup: |
| 274 | wrpr %g0, 0x0, %tl | 250 | ba,pt %xcc, user_rtt_fill_fixup_common |
| 275 | 251 | clr %g3 | |
| 276 | 661: nop | ||
| 277 | .section .sun4v_1insn_patch, "ax" | ||
| 278 | .word 661b | ||
| 279 | SET_GL(0) | ||
| 280 | .previous | ||
| 281 | |||
| 282 | wrpr %g0, RTRAP_PSTATE, %pstate | ||
| 283 | |||
| 284 | mov %l1, %g6 | ||
| 285 | ldx [%g6 + TI_TASK], %g4 | ||
| 286 | LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3) | ||
| 287 | call do_sparc64_fault | ||
| 288 | add %sp, PTREGS_OFF, %o0 | ||
| 289 | ba,pt %xcc, rtrap | ||
| 290 | nop | ||
| 291 | 252 | ||
| 292 | user_rtt_pre_restore: | 253 | user_rtt_pre_restore: |
| 293 | add %g1, 1, %g1 | 254 | add %g1, 1, %g1 |
diff --git a/arch/sparc/kernel/urtt_fill.S b/arch/sparc/kernel/urtt_fill.S new file mode 100644 index 000000000000..5604a2b051d4 --- /dev/null +++ b/arch/sparc/kernel/urtt_fill.S | |||
| @@ -0,0 +1,98 @@ | |||
| 1 | #include <asm/thread_info.h> | ||
| 2 | #include <asm/trap_block.h> | ||
| 3 | #include <asm/spitfire.h> | ||
| 4 | #include <asm/ptrace.h> | ||
| 5 | #include <asm/head.h> | ||
| 6 | |||
| 7 | .text | ||
| 8 | .align 8 | ||
| 9 | .globl user_rtt_fill_fixup_common | ||
| 10 | user_rtt_fill_fixup_common: | ||
| 11 | rdpr %cwp, %g1 | ||
| 12 | add %g1, 1, %g1 | ||
| 13 | wrpr %g1, 0x0, %cwp | ||
| 14 | |||
| 15 | rdpr %wstate, %g2 | ||
| 16 | sll %g2, 3, %g2 | ||
| 17 | wrpr %g2, 0x0, %wstate | ||
| 18 | |||
| 19 | /* We know %canrestore and %otherwin are both zero. */ | ||
| 20 | |||
| 21 | sethi %hi(sparc64_kern_pri_context), %g2 | ||
| 22 | ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2 | ||
| 23 | mov PRIMARY_CONTEXT, %g1 | ||
| 24 | |||
| 25 | 661: stxa %g2, [%g1] ASI_DMMU | ||
| 26 | .section .sun4v_1insn_patch, "ax" | ||
| 27 | .word 661b | ||
| 28 | stxa %g2, [%g1] ASI_MMU | ||
| 29 | .previous | ||
| 30 | |||
| 31 | sethi %hi(KERNBASE), %g1 | ||
| 32 | flush %g1 | ||
| 33 | |||
| 34 | mov %g4, %l4 | ||
| 35 | mov %g5, %l5 | ||
| 36 | brnz,pn %g3, 1f | ||
| 37 | mov %g3, %l3 | ||
| 38 | |||
| 39 | or %g4, FAULT_CODE_WINFIXUP, %g4 | ||
| 40 | stb %g4, [%g6 + TI_FAULT_CODE] | ||
| 41 | stx %g5, [%g6 + TI_FAULT_ADDR] | ||
| 42 | 1: | ||
| 43 | mov %g6, %l1 | ||
| 44 | wrpr %g0, 0x0, %tl | ||
| 45 | |||
| 46 | 661: nop | ||
| 47 | .section .sun4v_1insn_patch, "ax" | ||
| 48 | .word 661b | ||
| 49 | SET_GL(0) | ||
| 50 | .previous | ||
| 51 | |||
| 52 | wrpr %g0, RTRAP_PSTATE, %pstate | ||
| 53 | |||
| 54 | mov %l1, %g6 | ||
| 55 | ldx [%g6 + TI_TASK], %g4 | ||
| 56 | LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3) | ||
| 57 | |||
| 58 | brnz,pn %l3, 1f | ||
| 59 | nop | ||
| 60 | |||
| 61 | call do_sparc64_fault | ||
| 62 | add %sp, PTREGS_OFF, %o0 | ||
| 63 | ba,pt %xcc, rtrap | ||
| 64 | nop | ||
| 65 | |||
| 66 | 1: cmp %g3, 2 | ||
| 67 | bne,pn %xcc, 2f | ||
| 68 | nop | ||
| 69 | |||
| 70 | sethi %hi(tlb_type), %g1 | ||
| 71 | lduw [%g1 + %lo(tlb_type)], %g1 | ||
| 72 | cmp %g1, 3 | ||
| 73 | bne,pt %icc, 1f | ||
| 74 | add %sp, PTREGS_OFF, %o0 | ||
| 75 | mov %l4, %o2 | ||
| 76 | call sun4v_do_mna | ||
| 77 | mov %l5, %o1 | ||
| 78 | ba,a,pt %xcc, rtrap | ||
| 79 | 1: mov %l4, %o1 | ||
| 80 | mov %l5, %o2 | ||
| 81 | call mem_address_unaligned | ||
| 82 | nop | ||
| 83 | ba,a,pt %xcc, rtrap | ||
| 84 | |||
| 85 | 2: sethi %hi(tlb_type), %g1 | ||
| 86 | mov %l4, %o1 | ||
| 87 | lduw [%g1 + %lo(tlb_type)], %g1 | ||
| 88 | mov %l5, %o2 | ||
| 89 | cmp %g1, 3 | ||
| 90 | bne,pt %icc, 1f | ||
| 91 | add %sp, PTREGS_OFF, %o0 | ||
| 92 | call sun4v_data_access_exception | ||
| 93 | nop | ||
| 94 | ba,a,pt %xcc, rtrap | ||
| 95 | |||
| 96 | 1: call spitfire_data_access_exception | ||
| 97 | nop | ||
| 98 | ba,a,pt %xcc, rtrap | ||