From: Michael Cree <mcree@orcon.net.nz>
To: linux-alpha@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Richard Henderson <rth@twiddle.net>
Subject: Bug: retry of clone() on Alpha can result in zeroed process thread pointer
Date: Wed, 23 Jul 2014 20:52:44 +1200 [thread overview]
Message-ID: <20140723085244.GB4799@omega> (raw)
I am seeing a bug in clone() on the Alpha architecture. Reported to
Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755397
The test suite of glibc sometimes fails in the nptl/tst-eintr3 test
with a segmentation fault. I have tracked it down to the thread
pointer returned by the rduniq PALcall is occasionally zero when
it should point to the TLS. I have only ever seen this occur when
running a SMP kernel.
Running strace on nptl/tst-eintr3 reveals that the clone() syscall
is retried by the kernel if an ERESTARTNOINTR error occurs. At
$syscall_error in arch/alpha/kernel/entry.S the kernel handles the
error and in doing that it writes to 72(sp) which is where the value
of the a3 CPU register on entry to the kernel is stored. Then the
kernel retries the clone() function. But the alpha specific code
for copy_thread() in arch/alpha/kernel/process.c does not use the
passed a3 cpu register (the argument tls), instead it goes to the
saved stack to get the value of the a3 register, which on the
second call to clone() has been modified to no longer be the value
of the a3 cpu register on entry to the kernel. And a latent bomb
is laid for userspace in the form of an incorrect process unique
value (which is the thread pointer) in the PCB.
Am I correct in my analysis and, if so, can we get a fix for this
please.
Cheers
Michael.
next reply other threads:[~2014-07-23 8:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-23 8:52 Michael Cree [this message]
2014-07-24 18:19 ` Bug: retry of clone() on Alpha can result in zeroed process thread pointer Richard Henderson
2014-07-24 19:30 ` Michael Cree
2014-07-29 22:23 ` Richard Henderson
2014-07-30 4:51 ` Michael Cree
2014-07-30 17:56 ` Richard Henderson
2014-07-30 19:30 ` Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140723085244.GB4799@omega \
--to=mcree@orcon.net.nz \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).