From owner-svn-src-all@freebsd.org Mon Dec 7 16:27:12 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1E119B9DB9; Mon, 7 Dec 2015 16:27:12 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AD0831382; Mon, 7 Dec 2015 16:27:12 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tB7GRBf3001387; Mon, 7 Dec 2015 16:27:11 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tB7GRBIQ001386; Mon, 7 Dec 2015 16:27:11 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201512071627.tB7GRBIQ001386@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Mon, 7 Dec 2015 16:27:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r291947 - head/sys/i386/i386 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Dec 2015 16:27:13 -0000 Author: jhb Date: Mon Dec 7 16:27:11 2015 New Revision: 291947 URL: https://svnweb.freebsd.org/changeset/base/291947 Log: Set %esp correctly in the extended TSS. The pcb is saved at the top of the kernel stack on x86 platforms. The initial kenrel stack pointer is set in the TSS so that the trapframe from user -> kernel transitions begins directly below the pcb and grows down. The XSAVE changes moved the FPU save area out of the pcb and into a variable-sized area after the pcb. This required updating the expressions to calculate the initial stack pointer from 'stacktop - sizeof(pcb)' to 'stacktop - sizeof(pcb) + FPU save area size'. The i386_set_ioperm() system call allows user applications to access individual I/O ports via the I/O port permission bitmap in the TSS. On FreeBSD this requires allocating a custom per-process TSS instead of using the shared per-CPU TSS. The expression to initialize the initial kernel stack pointer in the per-process TSS created for i386_set_ioperm() was not properly updated after the XSAVE changes. Processes that used i386_set_ioperm() would trash the trapframe during subsequent context switches resulting in panics from memory corruption. This changes fixes the kernel stack pointer calculation for the per-process TSS. Reviewed by: kib, n_hibma Reported by: n_hibma MFC after: 1 week Modified: head/sys/i386/i386/sys_machdep.c Modified: head/sys/i386/i386/sys_machdep.c ============================================================================== --- head/sys/i386/i386/sys_machdep.c Mon Dec 7 16:08:26 2015 (r291946) +++ head/sys/i386/i386/sys_machdep.c Mon Dec 7 16:27:11 2015 (r291947) @@ -275,8 +275,7 @@ i386_extend_pcb(struct thread *td) ext = (struct pcb_ext *)kmem_malloc(kernel_arena, ctob(IOPAGES+1), M_WAITOK | M_ZERO); /* -16 is so we can convert a trapframe into vm86trapframe inplace */ - ext->ext_tss.tss_esp0 = td->td_kstack + ctob(td->td_kstack_pages) - - sizeof(struct pcb) - 16; + ext->ext_tss.tss_esp0 = (vm_offset_t)td->td_pcb - 16; ext->ext_tss.tss_ss0 = GSEL(GDATA_SEL, SEL_KPL); /* * The last byte of the i/o map must be followed by an 0xff byte.