authorKonstantin Belousov <kib@FreeBSD.org>2022-08-22 01:20:28 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2022-08-24 19:11:49 +0000
commita03e4799e76bdfe432f560d96448895ba6ee6133 (patch)
tree58bdbb9461a41ffcc3757fcdb58ed96e6d88c12f /sys/i386/i386
parent95f773e59482b1a3462d2fe3901532d51fb053b3 (diff)
irettraps: i386 does not push %ss/%esp when exception does not switch rings
Which means that we must not copy the top 8 bytes from the trampoline stack for the exception frame to the regular thread kstack. As a consequence, this stops corruption of the pcb. The visible effect was often a broken fork(2) on the CPU where the corruption occurred. Account for the detail by subtracting 8 from the copy byte count when moving exception frames from the trampoline to the regular stack. [irettraps handles segmentation/stack/protection faults which could occur on the doreti path, where we might have already switched stack and address space] Reported and tested by: pho Reviewed by: jhb Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D36302
Diffstat (limited to 'sys/i386/i386')
-rw-r--r--sys/i386/i386/exception.s9
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/i386/i386/exception.s b/sys/i386/i386/exception.s
index 42e9c474c3cd..5eef9c1d512c 100644
--- a/sys/i386/i386/exception.s
+++ b/sys/i386/i386/exception.s
@@ -229,22 +229,23 @@ irettraps:
leal (doreti_iret - 1b)(%ebx), %edx
cmpl %edx, TF_EIP(%esp)
jne 2f
- movl $(2 * TF_SZ - TF_EIP), %ecx
+ /* -8 because exception did not switch ring */
+ movl $(2 * TF_SZ - TF_EIP - 8), %ecx
jmp 6f
2: leal (doreti_popl_ds - 1b)(%ebx), %edx
cmpl %edx, TF_EIP(%esp)
jne 3f
- movl $(2 * TF_SZ - TF_DS), %ecx
+ movl $(2 * TF_SZ - TF_DS - 8), %ecx
jmp 6f
3: leal (doreti_popl_es - 1b)(%ebx), %edx
cmpl %edx, TF_EIP(%esp)
jne 4f
- movl $(2 * TF_SZ - TF_ES), %ecx
+ movl $(2 * TF_SZ - TF_ES - 8), %ecx
jmp 6f
4: leal (doreti_popl_fs - 1b)(%ebx), %edx
cmpl %edx, TF_EIP(%esp)
jne 5f
- movl $(2 * TF_SZ - TF_FS), %ecx
+ movl $(2 * TF_SZ - TF_FS - 8), %ecx
jmp 6f
/* kernel mode, normal */
5: jmp calltrap
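Review bot: The `- 8` adjustment is repeated as a bare magic number in all four `movl $(2 * TF_SZ - TF_xx - 8), %ecx` sites, but only the first (TF_EIP) site carries the `/* -8 because exception did not switch ring */` comment, so a reader landing on the TF_DS/TF_ES/TF_FS cases has no local explanation of why the copy count is shortened. I would name it once, e.g. a constant `TF_SAMERING_ADJ` (name constructed, value 8) defined alongside the other TF_* offsets with the comment `/* same-ring exceptions push no %ss/%esp: 2 * 4 bytes less to copy */`, and use it in all four sites so a future change to the frame layout cannot miss one. The commit message says the count is in bytes, but the copy at label 6 that consumes %ecx lies outside this hunk, as does the start of irettraps, so the unit cannot be confirmed from the visible lines.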