>I'm right in assuming its legal to swap the return address - so the TLB >handler can do a short piece of TLB handling for a present page miss, >then stash the return into the kernel stack and rfi into the page fault handler >so it will in turn return to the user context ? Yes.