linux/arch/sparc/kernel/dtlb_prot.S
David S. Miller 4f6deb8cba sparc: Don't leak context bits into thread->fault_address
On pre-Niagara systems, we fetch the fault address on data TLB
exceptions from the TLB_TAG_ACCESS register.  But this register also
contains the context ID associated with the fault in the low 13 bits
of the register value.

This propagates into current_thread_info()->fault_address and can
cause trouble later on.

So clear the low 13-bits out of the TLB_TAG_ACCESS value in the cases
where it matters.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-27 17:50:26 -07:00


/*
* dtlb_prot.S: DTLB protection trap strategy.
* This is included directly into the trap table.
*
* Copyright (C) 1996,1998 David S. Miller (davem@redhat.com)
* Copyright (C) 1997,1998 Jakub Jelinek (jj@ultra.linux.cz)
*/
/* Ways we can get here:
*
* [TL == 0] 1) User stores to readonly pages.
* [TL == 0] 2) Nucleus stores to user readonly pages.
* [TL > 0] 3) Nucleus stores to user readonly stack frame.
*/
/* Register usage in this entry (all are globals; the wrpr below switches
 * global sets, so %g1/%g4/%g5 after it name the newly selected set):
 *   %g0 - hardwired zero (used to clear the SFSR)
 *   %g1 - TLB_SFSR ASI offset, then the current trap level (%tl)
 *   %g4 - TLB_TAG_ACCESS ASI offset, then the fault code handed to
 *         sparc64_realfault_common
 *   %g5 - saved %pstate, then the faulting virtual address (page-aligned)
 *
 * Layout is fixed: four 8-instruction icache lines, the last two padded
 * with nops because this is spliced straight into the trap table. Any
 * change must keep the instruction count of each line unchanged.
 */
/* PROT ** ICACHE line 1: User DTLB protection trap */
mov TLB_SFSR, %g1
stxa %g0, [%g1] ASI_DMMU ! Clear FaultValid bit
membar #Sync ! Synchronize stores
rdpr %pstate, %g5 ! Move into alt-globals
wrpr %g5, PSTATE_AG|PSTATE_MG, %pstate
rdpr %tl, %g1 ! Need a winfixup?
cmp %g1, 1 ! Trap level >1? Sets the condition codes consumed by bgu in line 2
mov TLB_TAG_ACCESS, %g4 ! For reload of vaddr (%g4 is reused for the fault code below)
/* PROT ** ICACHE line 2: More real fault processing */
ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5 (vaddr with context ID in its low bits)
srlx %g5, PAGE_SHIFT, %g5 ! Shift out the low PAGE_SHIFT bits...
sllx %g5, PAGE_SHIFT, %g5 ! Clear context ID bits: only the page-aligned vaddr may reach
                          ! thread->fault_address; assumes PAGE_SHIFT >= the 13-bit context field
bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup
                               ! (ldxa/srlx/sllx/mov above do not touch the condition codes,
                               ! so this still tests the cmp from line 1)
mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4 ! Delay slot, not annulled: runs on both paths
ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault (%g4 = fault code, %g5 = fault vaddr)
nop ! Delay slot
nop ! Pad to end of icache line 2
/* PROT ** ICACHE line 3: Unused... */
nop
nop
nop
nop
nop
nop
nop
nop
/* PROT ** ICACHE line 4: Unused... */
nop
nop
nop
nop
nop
nop
nop
nop