From owner-svn-src-all@FreeBSD.ORG Sun Feb 17 00:51:35 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 1D06713D; Sun, 17 Feb 2013 00:51:35 +0000 (UTC) (envelope-from marcel@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id E708222D; Sun, 17 Feb 2013 00:51:34 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r1H0pYmq006946; Sun, 17 Feb 2013 00:51:34 GMT (envelope-from marcel@svn.freebsd.org) Received: (from marcel@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r1H0pYwp006945; Sun, 17 Feb 2013 00:51:34 GMT (envelope-from marcel@svn.freebsd.org) Message-Id: <201302170051.r1H0pYwp006945@svn.freebsd.org> From: Marcel Moolenaar Date: Sun, 17 Feb 2013 00:51:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r246890 - head/sys/ia64/ia64 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 Feb 2013 00:51:35 -0000 Author: marcel Date: Sun Feb 17 00:51:34 2013 New Revision: 246890 URL: http://svnweb.freebsd.org/changeset/base/246890 Log: Close a race relating to setting the PCPU pointer (r13). Register r13 points to the TLS in user space and points to the PCPU structure in the kernel. The race is the result of having the exception handler on the one hand and the RPC system call entry on the other. The EPC syscall path is non-atomic in that interrupts are enabled while the two stacks are switched. The register stack is switched last as that is the stack used to determine whether we're going back to user space by the exception handler. If we go back to user space, we restore r13, otherwise we leave r13 alone. The EPC syscall path however set r13 to the PCPU structure *before* switching the register stack, which means that there was a window in which the exception handler would restore r13 when it was already pointing to the PCPU structure. This is fatal when the exception happened on CPU x, but left from the exception on anotehr CPU. In that case r13 would point to the PCPU of the CPU the thread was running on. This immediately results in getting the wrong value for curthread. The fix is to make sure we assign r13 *after* we set ar.bspstore to point to the kernel register stack for the thread. Modified: head/sys/ia64/ia64/syscall.S Modified: head/sys/ia64/ia64/syscall.S ============================================================================== --- head/sys/ia64/ia64/syscall.S Sun Feb 17 00:41:15 2013 (r246889) +++ head/sys/ia64/ia64/syscall.S Sun Feb 17 00:51:34 2013 (r246890) @@ -228,7 +228,7 @@ ENTRY_NOPROFILE(epc_syscall, 8) { .mmi mov r16=ar.rsc mov ar.rsc=0 - mov r17=r13 + nop 0 ;; } { .mmi @@ -239,13 +239,13 @@ ENTRY_NOPROFILE(epc_syscall, 8) ;; } { .mmi - mov r13=ar.k4 + mov r21=ar.unat add r30=-SIZEOF_TRAPFRAME,r14 mov r20=sp ;; } { .mii - mov r21=ar.unat + mov r17=r13 dep r30=0,r30,0,10 ;; add sp=-16,r30 @@ -258,10 +258,10 @@ ENTRY_NOPROFILE(epc_syscall, 8) add r31=8,r30 ;; } -{ .mii +{ .mmi + mov r13=ar.k4 mov r22=ar.fpsr sub r29=r14,r30 - nop 0 } { .mmi mov r23=ar.bsp