From: Matthew Dillon
Date: Sat, 6 Dec 2003 20:13:48 -0800 (PST)
To: stable@freebsd.org
Subject: Bug in i386/i386/trap.c %gs handling on stable
Message-Id: <200312070413.hB74Dm7g058674@apollo.backplane.com>

In i386/i386/trap.c if %gs is invalid... for example, a process with a USER_LDT takes an interrupt while exiting, or if %gs is set through procfs, the fault check must occur regardless of the interrupt nesting level because mainline code does not push and load a %gs for the kernel.

FreeBSD-5.x has already moved this check to outside the nesting level test.

It may also be possible that %fs can cause the same problem to occur in the situation where a process takes an interrupt while exiting and %fs is set to a USER_LDT entry. I have not checked this, but if it is true it would be a problem in both -current and -stable for the exiting case.
    if (intr_nesting_level == 0) {
        /*
         * Invalid %fs's and %gs's can be created using
         * procfs or PT_SETREGS or by invalidating the
         * underlying LDT entry.  This causes a fault
         * in kernel mode when the kernel attempts to
         * switch contexts.  Lose the bad context
         * (XXX) so that we can continue, and generate
         * a signal.
         */
        if (frame.tf_eip == (int)cpu_switch_load_gs) {   <<< WRONG
            curpcb->pcb_gs = 0;                          <<<
            psignal(p, SIGBUS);                          <<<
            return;                                      <<<
        }
        MAYBE_DORETI_FAULT(doreti_iret, doreti_iret_fault);
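As an added illustration (not code from the post or from FreeBSD), here is a constructed C model of the two orderings of the %gs check: the -stable ordering, where the check is only reachable when no interrupt is nested, beside the corrected ordering the post describes for -current. The placeholder address for cpu_switch_load_gs, the enum names and the function names are assumptions.

```c
#include <stdbool.h>

/* Constructed model of the trap.c %gs fault decision; not FreeBSD source. */

/* Assumed placeholder for the address of the cpu_switch_load_gs label. */
#define CPU_SWITCH_LOAD_GS 0xc0123456UL

enum gs_action {
    GS_NOT_HANDLED = 0,  /* fault falls through: the kernel cannot recover */
    GS_CLEARED_SIGBUS    /* pcb_gs would be cleared and SIGBUS queued */
};

/* -stable ordering: the %gs check sits inside the nesting-level test, so a
 * fault taken while an interrupt is being serviced (nesting level > 0) is
 * never matched, even though the eip says it came from cpu_switch_load_gs. */
static enum gs_action gs_fault_stable(int intr_nesting_level, unsigned long tf_eip)
{
    if (intr_nesting_level == 0) {
        if (tf_eip == CPU_SWITCH_LOAD_GS)
            return GS_CLEARED_SIGBUS;
        /* MAYBE_DORETI_FAULT checks would follow here in the real handler */
    }
    return GS_NOT_HANDLED;
}

/* Corrected ordering (what the post says -current does): the %gs check runs
 * first, regardless of interrupt nesting level, because the kernel never
 * pushes and loads its own %gs and so the bad selector can fault at any depth. */
static enum gs_action gs_fault_fixed(int intr_nesting_level, unsigned long tf_eip)
{
    if (tf_eip == CPU_SWITCH_LOAD_GS)
        return GS_CLEARED_SIGBUS;
    if (intr_nesting_level == 0) {
        /* MAYBE_DORETI_FAULT checks would follow here in the real handler */
    }
    return GS_NOT_HANDLED;
}
```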