From owner-freebsd-stable@FreeBSD.ORG Mon Dec 8 11:34:57 2003 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 35D6216A4CE for ; Mon, 8 Dec 2003 11:34:57 -0800 (PST) Received: from bricore.com (adsl-64-168-71-68.dsl.snfc21.pacbell.net [64.168.71.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 800FE43D30 for ; Mon, 8 Dec 2003 11:34:35 -0800 (PST) (envelope-from lchen@briontech.com) Received: from lchenpc (lchen-pc.bricore.com [192.168.1.130]) (authenticated bits=0) by bricore.com (8.12.6/8.12.6) with ESMTP id hB8JOtCf064560; Mon, 8 Dec 2003 11:24:55 -0800 (PST) (envelope-from lchen@briontech.com) From: "Luoqi Chen" To: "Matthew Dillon" , Date: Mon, 8 Dec 2003 11:27:26 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <200312070413.hB74Dm7g058674@apollo.backplane.com> X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Subject: RE: Bug in i386/i386/trap.c %gs handling on stable X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Dec 2003 19:34:57 -0000 > In i386/i386/trap.c if %gs is invalid... for example, a process with a > USER_LDT takes an interrupt while exiting, or if %gs is set > through procfs, > the fault check must occur regardless of the interrupt nesting > level because > mainline code does not push and load a %gs for the kernel. > I don't quite get it. There'll be fault only when the kernel tries to load an invalid %gs. And there's only one place that the kernel would load a new %gs: during a context switch, which could not take place in an interrupt context. > FreeBSD-5.x has already moved this check to outside the nesting > level test. > > It may also be possible that %fs can cause the same problem to occur in > the situation with a process takes an interrupt while exiting and %fs is > set to a USER_LDT entry. I have not checked this, but if it is > true it would > be a problem in both -current and -stable for the exiting case. > It's different for %fs, it holds a valid kernel segment at all time inside the kernel. > > if (intr_nesting_level == 0) { > /* > * Invalid %fs's and %gs's can be created using > * procfs or PT_SETREGS or by invalidating the > * underlying LDT entry. This causes a fault > * in kernel mode when the kernel attempts to > * switch contexts. Lose the bad context > * (XXX) so that we can continue, and generate > * a signal. > */ > if (frame.tf_eip == (int)cpu_switch_load_gs) { <<< WRONG > curpcb->pcb_gs = 0; <<< > psignal(p, SIGBUS); <<< > return; <<< > } > MAYBE_DORETI_FAULT(doreti_iret, > doreti_iret_fault); > > -lq