Bug in kse_switchin()?
Andrew Belashov
bel at orel.ru
Thu Sep 23 03:20:56 PDT 2004
Hello!
I have been working for a long time on the libkse library for FreeBSD/sparc64. Some work is done.
Recently I have found a bug in the kernel.
Here are the details.
From sys/kern/kern_kse.c:
---------------------------------------------------------------------------
 1 int
 2 kse_switchin(struct thread *td, struct kse_switchin_args *uap)
 3 {
 4     struct kse_thr_mailbox tmbx;
 5     struct kse_upcall *ku;
 6     int error;
 7
 8     if ((ku = td->td_upcall) == NULL || TD_CAN_UNBIND(td))
 9         return (EINVAL);
10     error = (uap->tmbx == NULL) ? EINVAL : 0;
11     if (!error)
12         error = copyin(uap->tmbx, &tmbx, sizeof(tmbx));
13     if (!error && (uap->flags & KSE_SWITCHIN_SETTMBX))
14         error = (suword(&ku->ku_mailbox->km_curthread,
15             (long)uap->tmbx) != 0 ? EINVAL : 0);
16     if (!error)
17         error = set_mcontext(td, &tmbx.tm_context.uc_mcontext);
18     if (!error) {
19         suword32(&uap->tmbx->tm_lwp, td->td_tid);
20         if (uap->flags & KSE_SWITCHIN_SETTMBX) {
21             td->td_mailbox = uap->tmbx;
22             td->td_pflags |= TDP_CAN_UNBIND;
23         }
24         if (td->td_proc->p_flag & P_TRACED) {
25             if (tmbx.tm_dflags & TMDF_SSTEP)
26                 ptrace_single_step(td);
27             else
28                 ptrace_clear_single_step(td);
29             if (tmbx.tm_dflags & TMDF_SUSPEND) {
30                 mtx_lock_spin(&sched_lock);
31                 /* fuword can block, check again */
32                 if (td->td_upcall)
33                     ku->ku_flags |= KUF_DOUPCALL;
34                 mtx_unlock_spin(&sched_lock);
35             }
36         }
37     }
38     return ((error == 0) ? EJUSTRETURN : error);
39 }
---------------------------------------------------------------------------
1. On FreeBSD/sparc64 the uap structure (line 2) is stored in the trap stack frame if the number of
syscall arguments is 6 or less (see: sys/sparc64/sparc64/trap.c).
2. The set_mcontext() function overwrites the trap stack frame to restore the saved
context (line 17).
3. The uap structure is used after being overwritten by set_mcontext() in the following lines:
19, 20, 21.
The same problem exists in thr_create() (see sys/kern/kern_thr.c).
Where is the bug?
- In the sparc64-specific code?
- In the kern/kern_kse.c and kern/kern_thr.c code?
--
With best regards,
Andrew Belashov.
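As an added illustration (not code from the post or from the FreeBSD tree), a constructed model of the hazard described above: the syscall argument block aliases the trap frame, so a context restore clobbers the arguments that are read afterwards. All names here (model_set_mcontext, switchin_reads_uap_after_restore, switchin_latches_args_first, the struct layouts) are hypothetical stand-ins.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the hazard (not FreeBSD code): the syscall argument
 * block (uap) overlays the %o0..%o5 slots of the trap frame, so restoring a
 * saved context over the frame also overwrites the arguments. */
struct switchin_args {          /* stand-in for struct kse_switchin_args */
    uint64_t tmbx;
    uint64_t flags;
};

struct trap_frame {
    union {
        uint64_t out[6];        /* %o0..%o5: where sparc64 keeps syscall args */
        struct switchin_args args;
    } u;
    uint64_t pc;
};

struct saved_ctx {              /* stand-in for the restored mcontext */
    uint64_t out[6];
    uint64_t pc;
};

/* Model of set_mcontext(): copies the saved register state over the frame. */
static void model_set_mcontext(struct trap_frame *tf, const struct saved_ctx *ctx)
{
    memcpy(tf->u.out, ctx->out, sizeof tf->u.out);
    tf->pc = ctx->pc;
}

/* Ordering as in the post: uap is dereferenced after the frame is restored,
 * so the value returned is ctx->out[0], not the original tmbx argument. */
uint64_t switchin_reads_uap_after_restore(struct trap_frame *tf,
                                          const struct saved_ctx *ctx)
{
    struct switchin_args *uap = &tf->u.args;
    model_set_mcontext(tf, ctx);
    return uap->tmbx;
}

/* Safe ordering: copy the arguments to locals before the restore. */
uint64_t switchin_latches_args_first(struct trap_frame *tf,
                                     const struct saved_ctx *ctx)
{
    struct switchin_args *uap = &tf->u.args;
    uint64_t tmbx = uap->tmbx;  /* latched before the frame is clobbered */
    model_set_mcontext(tf, ctx);
    return tmbx;
}
```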