NetBSD Problem Report #41552

From martin@duskware.de  Sun Jun  7 20:00:28 2009
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id BC2E063B8B4
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  7 Jun 2009 20:00:28 +0000 (UTC)
Message-Id: <20090607200026.193F133A82@mail.duskware.de>
Date: Sun,  7 Jun 2009 22:00:21 +0200 (CEST)
From: martin
Reply-To: martin
To: gnats-bugs@gnats.NetBSD.org
Subject: lwp_trampoline misused in cpu_setfunc
X-Send-Pr-Version: 3.95

>Number:         41552
>Category:       port-arm
>Synopsis:       lwp_trampoline misused in cpu_setfunc
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    port-arm-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 07 20:05:00 +0000 2009
>Closed-Date:    Tue Feb 01 14:06:46 +0000 2011
>Last-Modified:  Tue Feb 01 14:06:46 +0000 2011
>Originator:     Martin Husemann
>Release:        NetBSD 5.0_STABLE
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-porter.duskware.de 5.0_STABLE NetBSD 5.0_STABLE (PORTER) #10: Sun May 24 14:53:26 CEST 2009 martin@night-porter.duskware.de:/usr/src-5/sys/arch/i386/compile/PORTER i386
Architecture: i386
Machine: i386
>Description:

The cpu_setfunc() function abuses lwp_trampoline, which is not a valid thing
to do after the latter started calling lwp_startup().

I do not understand where the %r0 and %r1 arguments (oldlwp and newlwp) to
lwp_startup() come from, so I did not dare to touch it myself.

>How-To-Repeat:
code inspection

>Fix:
Something like the patch below - untested, and due to lack of understanding
of the current situation probably wrong...

Index: cpuswitch.S
===================================================================
RCS file: /cvsroot/src/sys/arch/arm/arm32/cpuswitch.S,v
retrieving revision 1.59
diff -c -u -r1.59 cpuswitch.S
--- cpuswitch.S	19 Nov 2008 06:34:21 -0000	1.59
+++ cpuswitch.S	7 Jun 2009 19:53:56 -0000
@@ -345,6 +345,7 @@
 	 */
 	bl	_C_LABEL(lwp_startup)

+ENTRY(setfunc_trampoline)
 	mov	r0, r5
 	mov	r1, sp
 	mov	lr, pc
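
Review bot: the new ENTRY(setfunc_trampoline) label lands in the middle of lwp_trampoline, directly after `bl _C_LABEL(lwp_startup)`, so the `mov r0, r5` / `mov r1, sp` / `mov lr, pc` tail is now shared by two entry points and the normal fork path falls through the new symbol. That is only safe if ENTRY emits nothing executable at the label; if ENTRY carries a profiling prologue in this kernel's configuration, it would run on the fall-through as well, so ENTRY_NP is the safer choice, and a comment above the label should state that lwp_trampoline deliberately falls through into it and that both entries rely on cpu_switchto having restored r4 (func) and r5 (arg) from the switchframe before jumping to sf_pc.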
Index: vm_machdep.c
===================================================================
RCS file: /cvsroot/src/sys/arch/arm/arm32/vm_machdep.c,v
retrieving revision 1.49
diff -c -u -r1.49 vm_machdep.c
--- vm_machdep.c	14 Mar 2009 21:04:05 -0000	1.49
+++ vm_machdep.c	7 Jun 2009 19:53:56 -0000
@@ -79,6 +79,7 @@
 int process_read_fpregs(struct proc *p, struct fpreg *regs);

 void lwp_trampoline(void);
+void setfunc_trampoline(void);

 /*
  * Special compilation symbols:
@@ -112,7 +113,7 @@
 	sf->sf_r4 = (u_int)func;
 	sf->sf_r5 = (u_int)arg;
 	sf->sf_sp = (u_int)tf;
-	sf->sf_pc = (u_int)lwp_trampoline;
+	sf->sf_pc = (u_int)setfunc_trampoline;
 	pcb->pcb_un.un_32.pcb32_sp = (u_int)sf;
 }

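Review bot: the one-line change to `sf->sf_pc = (u_int)setfunc_trampoline;` is the whole fix for this function, but nothing in the hunk records why; add a comment saying that cpu_setfunc() re-targets an already-running LWP and therefore must enter past the lwp_startup() call, and that lwp_trampoline is reserved for the first switch into a newly forked LWP (the case cpu_lwp_fork() handles). Without that, the next reader will see two near-identical trampolines and be tempted to collapse them back into the shared call this PR is removing.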
@@ -134,6 +135,7 @@
 {
 	struct pcb *pcb = &l2->l_addr->u_pcb;
 	struct trapframe *tf;
+	struct switchframe *sf;

 #ifdef PMAP_DEBUG
 	if (pmap_debug_level >= 0)
@@ -200,7 +202,11 @@
 	if (stack != NULL)
 		tf->tf_usr_sp = (u_int)stack + stacksize;

-	cpu_setfunc(l2, func, arg);
+	sf->sf_r4 = (u_int)func;
+	sf->sf_r5 = (u_int)arg;
+	sf->sf_sp = (u_int)tf;
+	sf->sf_pc = (u_int)lwp_trampoline;
+	pcb->pcb_un.un_32.pcb32_sp = (u_int)sf;
 }

 /*
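
Review bot: `sf` is written through (`sf->sf_r4 = (u_int)func;` and the three stores after it) without ever being assigned: the declaration added earlier in cpu_lwp_fork() is a bare `struct switchframe *sf;`, and no line in this hunk derives it from `tf` the way cpu_setfunc() must before its own sf_ stores (that derivation is not visible in the cpu_setfunc() hunk either). As posted, the fork path stores through an uninitialized pointer. Copy the switchframe computation from cpu_setfunc() ahead of these stores, or better, factor the four sf_ stores plus the `pcb->pcb_un.un_32.pcb32_sp = (u_int)sf;` assignment into a static helper that takes the trampoline address, called from both cpu_setfunc() and here; that also removes the duplication this hunk introduces.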

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Tue, 01 Feb 2011 14:06:46 +0000
State-Changed-Why:
See PR 44500


>Unformatted:
