authornwhitehorn <nwhitehorn@FreeBSD.org>2009-10-23 14:27:40 +0000
committernwhitehorn <nwhitehorn@FreeBSD.org>2009-10-23 14:27:40 +0000
commit8f8a90522cbb3bb03782bc7bf40d03dc744c7572 (patch)
treedfbcca67cdee2950baee0f733c8807fb3a9fdf35 /sys/powerpc/aim
parente0351f030b433a4f2b7d50ed4a1e133392faf49a (diff)
Do not map the trap vectors into the kernel's address space. They are
only used in real mode and keeping them mapped only serves to make NULL a valid address, which results in silent NULL pointer dereferences. Suggested by: Patrick Kerharo Obtained from: projects/ppc64
Diffstat (limited to 'sys/powerpc/aim')
-rw-r--r--sys/powerpc/aim/mmu_oea64.c10
-rw-r--r--sys/powerpc/aim/trap_subr.S9
2 files changed, 13 insertions, 6 deletions
diff --git a/sys/powerpc/aim/mmu_oea64.c b/sys/powerpc/aim/mmu_oea64.c
index 9a40036..680a391 100644
--- a/sys/powerpc/aim/mmu_oea64.c
+++ b/sys/powerpc/aim/mmu_oea64.c
@@ -868,15 +868,17 @@ moea64_bridge_bootstrap(mmu_t mmup, vm_offset_t kernelstart, vm_offset_t kernele
ENABLE_TRANS(msr);
/*
- * Map certain important things, like ourselves and the exception
- * vectors
+ * Map certain important things, like ourselves.
+ *
+ * NOTE: We do not map the exception vector space. That code is
+ * used only in real mode, and leaving it unmapped allows us to
+ * catch NULL pointer deferences, instead of making NULL a valid
+ * address.
*/
DISABLE_TRANS(msr);
for (pa = kernelstart & ~PAGE_MASK; pa < kernelend; pa += PAGE_SIZE)
moea64_kenter(mmup, pa, pa);
- for (pa = EXC_RSVD; pa < EXC_LAST; pa += PAGE_SIZE)
- moea64_kenter(mmup, pa, pa);
ENABLE_TRANS(msr);
if (!ofw_real_mode) {
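Review bot: Nothing in this hunk enforces that page 0 actually stays unmapped: the remaining loop starts at `kernelstart & ~PAGE_MASK`, so a kernel loaded low enough to overlap the vector area would silently re-create the NULL mapping this change is meant to remove. Consider making the assumption explicit before the loop, e.g. `KASSERT((kernelstart & ~PAGE_MASK) >= EXC_LAST, ("kernel image overlaps trap vectors"));`, if assertions are usable this early in bootstrap. Any later code that touches the vector pages with translation enabled (copying handlers, cache syncing) would now fault; that is not visible from this hunk and is worth confirming. The new comment also misspells "dereferences" as "deferences". The body of moea64_bridge_bootstrap continues outside the hunk.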
diff --git a/sys/powerpc/aim/trap_subr.S b/sys/powerpc/aim/trap_subr.S
index bcffb29..5d9596b 100644
--- a/sys/powerpc/aim/trap_subr.S
+++ b/sys/powerpc/aim/trap_subr.S
@@ -275,10 +275,16 @@ CNAME(restorebridgesize) = .-CNAME(restorebridge)
/*
* Processor reset exception handler. These are typically
* the first instructions the processor executes after a
- * software reset.
+ * software reset. We do this in two bits so that we are
+ * not still hanging around in the trap handling region
+ * once the MMU is turned on.
*/
.globl CNAME(rstcode), CNAME(rstsize)
CNAME(rstcode):
+ ba cpu_reset
+CNAME(rstsize) = . - CNAME(rstcode)
+
+cpu_reset:
bl 1f
.space 124
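Review bot: The `ba cpu_reset` stub in `rstcode` relies on two things the comment does not state: `ba` is an absolute branch with a limited target range, and at reset the CPU runs untranslated, so `cpu_reset` presumably has to be linked at a low address that equals its physical address. Say so next to the instruction, for example `/* ba: absolute branch; cpu_reset must be linked within ba range and at VA == PA */`, so a later change to the kernel load address does not quietly break the reset path. The phrase "We do this in two bits" would read more clearly as "in two parts". The body of cpu_reset continues past this hunk.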
@@ -296,7 +302,6 @@ CNAME(rstcode):
/* Should not be reached */
9:
b 9b
-CNAME(rstsize) = . - CNAME(rstcode)
#endif
/*