From: Daniel Eischen <deischen@freebsd.org>
Date: Thu, 23 Sep 2004 07:25:01 -0400 (EDT)
To: Andrew Belashov
cc: freebsd-sparc64@freebsd.org, freebsd-threads@freebsd.org
Subject: Re: Bug in kse_switchin()?
In-Reply-To: <4152A383.3090901@orel.ru>
List-Id: Threading on FreeBSD

On Thu, 23 Sep 2004, Andrew Belashov wrote:

> Hello!
>
> I have been working for a long time on the libkse library for FreeBSD/sparc64. Some work is done.
> Recently I have found a bug in the kernel.
>
> Here are the details.
>
> From sys/kern/kern_kse.c:
> ---------------------------------------------------------------------------
>  1 int
>  2 kse_switchin(struct thread *td, struct kse_switchin_args *uap)
>  3 {
>  4         struct kse_thr_mailbox tmbx;
>  5         struct kse_upcall *ku;
>  6         int error;
>  7
>  8         if ((ku = td->td_upcall) == NULL || TD_CAN_UNBIND(td))
>  9                 return (EINVAL);
> 10         error = (uap->tmbx == NULL) ? EINVAL : 0;
> 11         if (!error)
> 12                 error = copyin(uap->tmbx, &tmbx, sizeof(tmbx));
> 13         if (!error && (uap->flags & KSE_SWITCHIN_SETTMBX))
> 14                 error = (suword(&ku->ku_mailbox->km_curthread,
> 15                     (long)uap->tmbx) != 0 ? EINVAL : 0);
> 16         if (!error)
> 17                 error = set_mcontext(td, &tmbx.tm_context.uc_mcontext);
> 18         if (!error) {
> 19                 suword32(&uap->tmbx->tm_lwp, td->td_tid);
> 20                 if (uap->flags & KSE_SWITCHIN_SETTMBX) {
> 21                         td->td_mailbox = uap->tmbx;
> 22                         td->td_pflags |= TDP_CAN_UNBIND;
> 23                 }
> 24                 if (td->td_proc->p_flag & P_TRACED) {
> 25                         if (tmbx.tm_dflags & TMDF_SSTEP)
> 26                                 ptrace_single_step(td);
> 27                         else
> 28                                 ptrace_clear_single_step(td);
> 29                         if (tmbx.tm_dflags & TMDF_SUSPEND) {
> 30                                 mtx_lock_spin(&sched_lock);
> 31                                 /* fuword can block, check again */
> 32                                 if (td->td_upcall)
> 33                                         ku->ku_flags |= KUF_DOUPCALL;
> 34                                 mtx_unlock_spin(&sched_lock);
> 35                         }
> 36                 }
> 37         }
> 38         return ((error == 0) ? EJUSTRETURN : error);
> 39 }
> ---------------------------------------------------------------------------
>
> 1. On FreeBSD/sparc64 the uap structure (line 2) is stored in the trap stack frame
>    if the number of syscall arguments is 6 or less (see: sys/sparc64/sparc64/trap.c).
>
> 2. The set_mcontext() function overwrites the trap stack frame to restore the saved
>    context (line 17).
>
> 3. The uap structure is used after being overwritten by set_mcontext() in the
>    following lines: 19, 20, 21.
>
> The same problem exists in thr_create() (see sys/kern/kern_thr.c).
>
> Where is the bug?
> - In the sparc64-specific code?
> - In the kern/kern_kse.c and kern/kern_thr.c code?

Wouldn't you also see the same behavior (bugs) in other things, like
getcontext(), setcontext(), and swapcontext() (kern_context.c)?

-- 
Dan Eischen
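The ordering problem Andrew describes, modelled as an added example in plain user-space C (this is not code from the thread or from the FreeBSD sources): the syscall argument block lives inside the trap frame, a context-restore routine rewrites the whole frame, and any field of the argument block read after that call is whatever the restored context put there. All names here (`trap_frame`, `args`, `restore_context`, `switchin_buggy`, `switchin_fixed`, the `SETTMBX` bit and the sample values) are constructed stand-ins for the kernel structures in the quoted code.

```c
/*
 * Added example, not from the mailing-list thread or the FreeBSD sources.
 * Models a syscall whose argument block (uap) is stored inside the trap
 * frame, as the quoted message says happens on sparc64 for <= 6 arguments.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETTMBX 0x1u          /* constructed stand-in for KSE_SWITCHIN_SETTMBX */

struct args {                 /* constructed stand-in for kse_switchin_args */
    uintptr_t tmbx;           /* mailbox pointer supplied by user space */
    uint64_t  flags;
};

struct trap_frame {           /* constructed: the argument block is part of the frame */
    struct args uap;
    uint64_t    regs[6];
};

struct result {
    uintptr_t mailbox_set;    /* what the kernel would store in td_mailbox */
    int       can_unbind;     /* whether TDP_CAN_UNBIND would be set */
};

/* Stand-in for set_mcontext(): the whole trap frame is replaced by the saved context. */
static void restore_context(struct trap_frame *tf, const struct trap_frame *saved)
{
    memcpy(tf, saved, sizeof(*tf));
}

/* Buggy ordering (lines 17 then 20/21 of the quoted code): uap is read after the frame it lives in was rewritten. */
struct result switchin_buggy(struct trap_frame *tf, const struct trap_frame *saved)
{
    struct args *uap = &tf->uap;          /* points into the trap frame */
    struct result r = {0, 0};

    restore_context(tf, saved);
    if (uap->flags & SETTMBX) {           /* now reads the restored context, not the arguments */
        r.mailbox_set = uap->tmbx;
        r.can_unbind = 1;
    }
    return r;
}

/* Fixed ordering: copy every argument field out before the frame is rewritten. */
struct result switchin_fixed(struct trap_frame *tf, const struct trap_frame *saved)
{
    uintptr_t tmbx  = tf->uap.tmbx;       /* snapshot taken while uap is still intact */
    uint64_t  flags = tf->uap.flags;
    struct result r = {0, 0};

    restore_context(tf, saved);
    if (flags & SETTMBX) {
        r.mailbox_set = tmbx;
        r.can_unbind = 1;
    }
    return r;
}

/* Places the syscall arguments into a fresh trap frame. */
void load_args(struct trap_frame *tf, uintptr_t tmbx, uint64_t flags)
{
    memset(tf, 0, sizeof(*tf));
    tf->uap.tmbx = tmbx;
    tf->uap.flags = flags;
}

/* Constructed scenario: user asks for mailbox 0x1000 with SETTMBX; the saved
 * context happens to leave 0xCAFE in the slot that aliased uap->tmbx. */
static const uintptr_t USER_MAILBOX = 0x1000;
static const uintptr_t STALE_VALUE  = 0xCAFE;

static void saved_frame(struct trap_frame *saved)
{
    memset(saved, 0, sizeof(*saved));
    saved->uap.tmbx = STALE_VALUE;        /* restored register content, not an argument */
    saved->uap.flags = SETTMBX;
}

/* Returns 1 if the buggy ordering would bind the thread to the stale pointer. */
int buggy_uses_stale_mailbox(void)
{
    struct trap_frame tf, saved;
    saved_frame(&saved);
    load_args(&tf, USER_MAILBOX, SETTMBX);
    struct result r = switchin_buggy(&tf, &saved);
    return r.can_unbind == 1 && r.mailbox_set == STALE_VALUE;
}

/* Returns 1 if the fixed ordering binds the thread to the mailbox the user passed. */
int fixed_uses_user_mailbox(void)
{
    struct trap_frame tf, saved;
    saved_frame(&saved);
    load_args(&tf, USER_MAILBOX, SETTMBX);
    struct result r = switchin_fixed(&tf, &saved);
    return r.can_unbind == 1 && r.mailbox_set == USER_MAILBOX;
}

int main(void)
{
    printf("buggy ordering binds stale pointer: %d\n", buggy_uses_stale_mailbox());
    printf("fixed ordering binds user pointer:  %d\n", fixed_uses_user_mailbox());
    return 0;
}
```

The fix modelled by `switchin_fixed` is architecture-independent: snapshotting the argument fields into locals before the context restore removes the dependency on where a given port stores `uap`, which is the same question Andrew raises about kern_kse.c versus the sparc64 trap code.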