Date: Thu, 23 Sep 2004 14:20:51 +0400 From: Andrew Belashov <bel@orel.ru> To: freebsd-threads@freebsd.org Cc: freebsd-sparc64@freebsd.org Subject: Bug in kse_switchin()? Message-ID: <4152A383.3090901@orel.ru> In-Reply-To: <41518130.3000704@orel.ru> References: <Pine.GSO.4.43.0409220743460.857-100000@sea.ntplx.net> <41518130.3000704@orel.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello! I long time work on libkse library for FreeBSD/sparc64. Some work is done. Recently I have found a bug in kernel. Here details. From sys/kern/kern_kse.c: --------------------------------------------------------------------------- 1 int 2 kse_switchin(struct thread *td, struct kse_switchin_args *uap) 3 { 4 struct kse_thr_mailbox tmbx; 5 struct kse_upcall *ku; 6 int error; 7 8 if ((ku = td->td_upcall) == NULL || TD_CAN_UNBIND(td)) 9 return (EINVAL); 10 error = (uap->tmbx == NULL) ? EINVAL : 0; 11 if (!error) 12 error = copyin(uap->tmbx, &tmbx, sizeof(tmbx)); 13 if (!error && (uap->flags & KSE_SWITCHIN_SETTMBX)) 14 error = (suword(&ku->ku_mailbox->km_curthread, 15 (long)uap->tmbx) != 0 ? EINVAL : 0); 16 if (!error) 17 error = set_mcontext(td, &tmbx.tm_context.uc_mcontext); 18 if (!error) { 19 suword32(&uap->tmbx->tm_lwp, td->td_tid); 20 if (uap->flags & KSE_SWITCHIN_SETTMBX) { 21 td->td_mailbox = uap->tmbx; 22 td->td_pflags |= TDP_CAN_UNBIND; 23 } 24 if (td->td_proc->p_flag & P_TRACED) { 25 if (tmbx.tm_dflags & TMDF_SSTEP) 26 ptrace_single_step(td); 27 else 28 ptrace_clear_single_step(td); 29 if (tmbx.tm_dflags & TMDF_SUSPEND) { 30 mtx_lock_spin(&sched_lock); 31 /* fuword can block, check again */ 32 if (td->td_upcall) 33 ku->ku_flags |= KUF_DOUPCALL; 34 mtx_unlock_spin(&sched_lock); 35 } 36 } 37 } 38 return ((error == 0) ? EJUSTRETURN : error); 39 } --------------------------------------------------------------------------- 1. On FreeBSD/sparc64 uap structure (line 2) is stored in trap stack frame, if number of syscall arguments is 6 or less (see: sys/sparc64/sparc64/trap.c). 2. set_mcontext() function overwriting trap stack frame for restore saved context (line 17). 3. uap structure used after overwriting by set_mcontext() in following lines: 19, 20, 21. Same problem in thr_create() (see sys/kern/kern_thr.c). Where bug? - In sparc64 specific core? - In kern/kern_kse.c and kern/kern_thr.c code? -- With best regards, Andrew Belashov.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4152A383.3090901>