amd64: clear PSL.AC in the right frame

If copyin family of routines fault, kernel does clear PSL.AC on the
fault entry, but the AC flag of the faulted frame is kept intact.  Since
onfault handler is effectively jump, AC survives until syscall exit.

Reported by:	m00nbsd, via Sony
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
admbugs:	975

sys/amd64/amd64/support.S

@@ -919,9 +919,11 @@ ENTRY(copyin_smap_erms)
 END(copyin_smap_erms)
 
 	ALIGN_TEXT
-	/* Trap entry clears PSL.AC */
 copy_fault:
-	movq	$0,PCB_ONFAULT(%r11)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r11)
 	movl	$EFAULT,%eax
 	POP_FRAME_POINTER
 	ret
@@ -1358,9 +1360,11 @@ ENTRY(subyte_smap)
 END(subyte_smap)
 
 	ALIGN_TEXT
-	/* Fault entry clears PSL.AC */
 fusufault:
-	movq	PCPU(CURPCB),%rcx
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	PCPU(CURPCB),%rcx
 	xorl	%eax,%eax
 	movq	%rax,PCB_ONFAULT(%rcx)
 	decq	%rax
@@ -1443,8 +1447,10 @@ ENTRY(copyinstr_smap)
 END(copyinstr_smap)
 
 cpystrflt:
-	/* Fault entry clears PSL.AC */
-	movl	$EFAULT,%eax
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movl	$EFAULT,%eax
 cpystrflt_x:
 	/* set *lencopied and return %eax */
 	movq	$0,PCB_ONFAULT(%r9)

sys/amd64/linux/linux_support.s

@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret
 

sys/amd64/linux32/linux32_support.s

@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret