When context switching and dealing with non-nested interrupts,
the context to be restored are saved in the thread stack.
When userspace is enabled, this means saving context into
the user stacks for user threads. This allows PS values to be
manipulated externally by setting PS.RING in the saved PS
value to 0, resulting in granting kernel access privilege when
the thread is restored. To prevent this, we store the PS value
into the thread struct instead, where user threads cannot
manipulate that. Note that nested interrupts and syscalls are
not using the user stack but the interrupt stack and thread
privileged stack respectively, where they are not accessible
under user mode.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When syscall assembly is executed, the EPC points to the syscall
instruction, and we have to manually advance it so we will
return to the instruction after syscall to continue execution.
However, with zero-overhead loops and the syscall instruction is
the last instruction, this simple addition does not work as it
would point past the loop and would have skipped the loop.
Because of this, syscall entrance would need to look at the loop
registers and set the PC back to the beginning of loop if we are
still looping. Assuming most of the syscalls are not inside
loops, the extra handling code consumes quite a few cycles.
To workaround this, simply adds a nop after syscall so we no
longer have to deal with loops at syscall entrance, and that
a nop is faster than all the code to manipulate loop registers.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This extends arch_cohere_stacks() to handle privileged stacks of
user threads when userspace is enabled.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Towards the end of interrupt handling, and before restoring
context, we would spill all register windows. This requires
A0 and A1 to be restored from the saved context so spilling
would work correct. However, when coherence is enabled,
window spilling has already been done earlier so there is
no need to spill the register windows again. So there is
no need to restore A0 and A1. They will be restored again
before returning from interrupt anyway.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Instead of computing all the needed register values when
swapping page tables, we can pre-compute those values when
the memory domain is first initialized. Should save some
time during context switching.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
There is no need for ZSR_FLUSH when threads are pin only
(CONFIG_SCHED_CPU_MASK_PIN_ONLY=y), so there is no need to
reserve it.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
In xtensa_userspace_enter, we were hard-coding to use level 2
interrupt return mechanism to pivot to user mode and start
running the user thread. However, EPC2 and EPS2 may be used
for other purposes, and they could be used for interrupt
return if there are only two level interrupts. So change
the userspace enter to use ZSR_RFI_LEVEL, ZSR_EPC and ZSR_EPS
instead to be more explicit.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When returning from syscall, we cannot use RFE by using EPC1.
As there is no EPS1, we would need to write to PS before
returning. However, this creates a situation where interrupts
are being enabled (since PS is set), and any interrupts will
overwrite EPC1 before we return (which ensures chaos as we
would be returning to the wrong address). So utilize the same
mechanism as interrupt returning by use ZSR_EPS, ZSR_EPC and
ZSR_RFI_LEVEL.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
There is no need to do a jump to _syscall_returned as it is
the next to be run anyway. Keep the label there so we can
set breakpoint if needed.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
We stuff the 7th argument into stack by moving the stack pointer
before calling syscall handler. The Xtensa ABI says stack must
be 16-byte aligned. So instead of moving stack pointer 4 bytes,
we move 16 bytes (assuming stack has been aligned so far).
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Xtensa ISA mentions that stack always needs to be aligned on
16 bytes. So we need to pad the stack frame to be also 16 bytes
aligned when dealing with interrupts. Or else the stack would
not be 16 bytes aligned when we add the stack frame to stack
during interrupt handling.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When crossing stack during interrupt handling, we do two call4
to pivot to the interrupt stack, with arguments to these two
call4 stashed in A6, A10 and A11. However, A4-A11 may be marked
as invalid in the register file, and accessing them would
result in window overflowing. At that point, A0 and A1 are not
setup to handle window overflows, and will result in registers
being stashed in incorrect location, resulting in incorrect
value being restored during window underflowing. So move around
the code a bit to restore A0 and A1 properly before accessing
A4-A11.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Do not force CONFIG_XTENSA_SMALL_VECTOR_TABLE_ENTRY when MMU
is enabled. It is up to the SoC to decide whether they need
this.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The logic to swap page tables or MPU entries is moved to the end
of cross stack call, since it is still running in the interrupt
stack instead of the thread stack. The old logic was calling
the swap functions in the outgoing thread stack, which is not
desirable.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When switching page table and MPU enties, we need to call
corresponding functions via call4 which would move the register
window. So we need to do that earlier before we start saving
context into stack by manipulating stack pointer manually which
definitely would interfere with window spilling.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
During arch_cohere_stacks(), the used portion of the outgoing
thread is cache flushed, and then the unused portion of cache
invalidated. However, this results in the cache line at
the stack pointer being flushed and then invalidated due to
how sys_cache_data_*() operates. If we are swapping back to
the same thread (e.g. after handling interrupt), this cache
line will need to be retrieved again from main memory since
it has already been invalidated. This creates unnecessary
data move between cache and main memory. So create our own
version of cache flushing and invalidation routines just for
arch_cohere_stacks(). Bouns is that these work directly with
bounding addresses and skips the size calculation which should
save a little bit amount of execution time.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This removes _xstack_call1_* trampoline as we can simply use
callx4 to jump to the interrupt handler.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Before cross stack call is setup correctly, we cannot allow
interrupts to be triggered or it may interfere with register
window spilling since we are clobbering registers needed for
that to work. However, there was a brief period where higher
level interrupts could fire due to code writing to PS with
lowered interrupt mask before raising it again. So rework
that part to avoid writing PS with intermediate value, and
now we mask interrupt until everything is setup correctly
before interrupt is enabled again.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When initializing the stack at thread creation, we should not
set the pointer to privileged stack pointer yet as the thread
can be a kernel thread. Only when a thread is transitioning to
user mode, then we need to set the pointer to point to
the privileged stack. This is a purely semantic change and
should not affect any functionality.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This moves the calculation of the return PC earlier in syscall
entry. There is no need to stash it into BSA, load it, do
the calculation and save it back. We can do the calculation
first and save it in BSA at the same time.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
We should not perform a straight OR operation on INTLEVEL as
we have no idea what existing PS.INTLEVEL is. Also, to avoid
any interferences, we disable interrupts very early during
syscall entrance. So we can remove the OR operation as
PS.INTLEVEL will still have all interrupts masked. Note that
we do not really need to OR PS_WOE into PS as we currently
only support windowed ABI which must have PS_WOE set in PS
anyway.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Syscall entrance makes use of ODD_REG_SAVE but it does not
really need to save FPU registers as it is technically
the same thread and same context. So extract call to
FPU_REG_SAVE to interrupt handling code.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This adds ODD_REG_RESTORE as a counterpart to ODD_REG_SAVE.
Both the code in interrupt handling and syscall exit have
been refactored to use this new macro.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This adds two parameters for ODD_REG_SAVE for scratch register
and BSA pointer, thus allowing a bit more flexibility on how
it can be called.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This removes the call to _xtensa_hifi_save() to save the HiFi
registers during syscalls. During syscall, we are not doing
context switching, and technically it is still the same thread.
There is no need to save HiFi registers.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The Xtensa ISA reference manual says to do rsync after wsr to
make sure register is updated before rsr. So do that.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Remove CONFIG_XTENSA_INVALIDATE_MEM_DOMAIN_TLB_ON_SWAP as it is
remnant from early MMU enabling work which is not needed as
the page table code is different from early version where
the PTEVADDR would be the same for all memory domains.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
__cxa_atexit was originally defined by the IA64 C++ ABI, but it has been
adopted by other C++ implementations since then. This function is already
present in lib/cpp/api/cpp_dtors.c, which is built by default when C++
support is enabled, so we don't need another copy in the MWDT-specific
code.
Signed-off-by: Keith Packard <keithp@keithp.com>
thread_page_tables_get() is only used when userspace is
enabled. So move it with userspace #ifdef, or else
compiler would complain about it being unused.
Fixes#88421
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Allow relocate_vector_table() to be overwritten. This is necessary if
the IRQ vector table is handled proprietary, e.g. before the zephyr
kernel is initialized. In this case we want this function to be empty to
avoid overriding the previous configuration.
Co-authored-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no>
Signed-off-by: Eivind Jølsgard <eivind.jolsgard@nordicsemi.no>
Add support for processing the Fault Status Registers and recoverable
data abort for the cortex A7.
Based on Cortex-A7 MPCore Technical Reference Manual (ARM DDI 0406).
(see https://developer.arm.com/documentation/ddi0406)
Signed-off-by: Julien Racki <julien.racki@st.com>
When Zephyr boot from EL2, D-Cache, I-Cache and MMU should be disabled
by default, but in some cases, for example use U-Boot "go" command
to boot Zephyr Image, Cache and MMU are already been enabled by U-Boot.
So disable them at reset code to make it safety when the code goes
into C code.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
The TOOLCHAIN_DISABLE_WARNING/TOOLCHAIN_ENABLE_WARNING macros are easier
to read and compiler agnostic.
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Add sys_trace_idle_exit to RISCV cpu_idle functions and allow
enabling CPU_LOAD module for RISCV and disable it for SMP.
Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no>
What is the change?
- PXN attributes is set for static mpu regions such that
__ramfunc and __ram_text_reloc having userspace code
cannot be executed in privileged mode.
- Updated the notable change section to inform about the change in
behaviour of code executed from __ramfunc and __ram_text_reloc MPU
regions.
Why do we need this change?
- The current static MPU regions allows executing userspace/unprivileged
code from privileged mode which may not be expected and can lead to
secure privileged escalation attacks.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
What is the change?
This commit adds support for Armv8.1-M MPU architecture's PXN attribute.
This includes support for configuring MPU regions with PXN via
custom mpu_config, devicetree and static mpu_config.
The existing MPU region attribute macros are updated to retain existing
behaviour with this change with an addition of REGION_RAM_ATTR_PXN to be
used if one needs to configure a RAM region with PXN MPU attribute.
Why do we need this change?
Armv8.1-M architecture introduced a new MPU region attribute called
Privilege eXecute Never (PXN).
If an MPU region is configured with the PXN attribute set and if the,
processor attempts to execute code in this region while at
privileged level, a Memory Management Fault exception is triggered.
This ensures that specific tasks are executed only in unprivileged mode
and helps in preventing secure privilege escalation attacks.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
It has been discovered that direct IPI support does not work
correctly when CONFIG_X2APIC is enabled. Until that can be
fixed, restrict this feature on x86 to platforms that do not
enable CONFIG_X2APIC.
Fixes#87046
Signed-off-by: Peter Mitsis <peter.mitsis@intel.com>
Since commit 0aa6b1c9de, the 'ldr_parm' pointer is guaranteed to be
valid inside all the functions of the llext_load() call tree.
This commit fixes the only exception of llext_copy_strings(), which was
not passed the 'ldr_parm' pointer, and remove the redundant checks.
No functional change is intended by this commit.
Signed-off-by: Luca Burelli <l.burelli@arduino.cc>
Since 3466dab804 the generic llext_symbol_name() function abstracts
the use of llext_string() for (non-section) symbols. Define a similar
llext_section_name() function and replace current occurrences of
llext_string() with the proper abstraction.
By extending llext_symbol_name(), this commit also allows to print the
correct name of sections that are referred to by a symbol.
Signed-off-by: Luca Burelli <l.burelli@arduino.cc>
IAR doesn't support the __volatile__ keyword, and since the
toolchain.h isn't included by these arm-specific files and
other arm-specific files already uses volatile, I've made
them all use volatile.
Signed-off-by: Lars-Ove Karlsson <lars-ove.karlsson@iar.com>
Previously, the arch_icache_invd_range function simply returned
-ENOTSUP for Cortex A/R. However, this causes a correctness issue when
the processor modifies memory and then executes it as instructions, like
the LLEXT subsystem does. The CPU might not see the up-to-date instructions
in memory.
This caused an LLEXT test failure when running on an emulated Cortex-R5
in QEMU with caches enabled. QEMU doesn't actually emulate the cache,
but it does seem to need the ISB barrier that is executed as part of the
cache invalidate operation in order to handle self-modifying code
properly.
These CPUs do in fact support a selective I-cache invalidate operation
(ICIMVAU) but the CMSIS library doesn't currently support it. For now,
just invalidate the entire I-cache when an icache_invd_range operation
is performed.
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
The current_fp field in the z_kernel structure is only used
by 32-bit x86 (which does not support SMP). As such, it should
reside in the arch specific of section of _kernel.cpus[0].
This also changes the name of 'current_fp' to 'fpu_owner' to
be more consistent with other architectures.
Signed-off-by: Peter Mitsis <peter.mitsis@intel.com>
Inside map_memory() with double mapping enabled, we should not
be mapping the memory with the incoming attributes as-is since
the incoming address may be on un-cached region but with
caching attribute. So we need to sanitize the attributes
according to the incoming address.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
