Fix bug in mips3_proc_trampoline: SR wasn't disabled on entry, allowing an

interrupt to sneak in after EXL had been set; the interrupt EPC was stale as PC isn't saved if EXL is set, causing the eret to return to the wrong place and leading to kernel-mode TLB misses on user addresses. The bug was discovered by the japanese NetBSD/*mips folks and the same fix was found independently by shinohara-san (shin@netbsd.org).
2001-07-24 23:13:33 +00:00 · 2001-07-24 23:13:33 +00:00 · e9ad38e77d
parent d2cede024b
commit e9ad38e77d
1 changed files with 11 additions and 1 deletions
--- a/sys/arch/mips/mips/locore_mips3.S
+++ b/sys/arch/mips/mips/locore_mips3.S
@ -1,4 +1,4 @@
-/*	$NetBSD: locore_mips3.S,v 1.69 2001/06/11 23:52:39 thorpej Exp $	*/
+/*	$NetBSD: locore_mips3.S,v 1.70 2001/07/24 23:13:33 rafal Exp $	*/

 /*
 * Copyright (c) 1997 Jonathan Stone (hereinafter referred to as the author)
@ -2127,6 +2127,16 @@ LEAF(mips3_proc_trampoline)
 	jal	ra, s0
 	move	a0, s1
 	.set	noat
+	#
+	# Make sure to disable interrupts here, as otherwise
+	# we can take an interrupt *after* EXL is set, and
+	# end up returning to a bogus PC since the PC is not
+	# saved if EXL=1.
+	#
+	mtc0	zero, MIPS_COP_0_STATUS		# disable int
+	nop					# 3 op delay
+	nop
+	nop
 	li	a0, MIPS_SR_EXL			# set exception level
 	mtc0	a0, MIPS_COP_0_STATUS
 	nop