irettraps: i386 does not push %ss/%esp when exception does not switch rings

Which means that we must not copy top 8 bytes from the trampoline stack for the exception frame to the regular thread kstack. As consequence, this stops corruption of the pcb. The visible effect was often a broken fork(2) on the CPU where corruption occured. Account for the detail by substracting 8 from the copy byte count when moving exception frames from trampoline to the regular stack. [irettraps handles segmentation/stack/protection faults which could occur on the doreti path, where we might already switched stack and address space] Reported and tested by: pho Reviewed by: jhb Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D36302
2022-08-22 04:20:28 +03:00 · 2022-08-22 04:20:28 +03:00 · a03e4799e7
commit a03e4799e7
parent 95f773e594
1 changed files with 5 additions and 4 deletions
--- a/sys/i386/i386/exception.s
+++ b/sys/i386/i386/exception.s
@ -229,22 +229,23 @@ irettraps:
 	leal	(doreti_iret - 1b)(%ebx), %edx
 	cmpl	%edx, TF_EIP(%esp)
 	jne	2f
-	movl	$(2 * TF_SZ - TF_EIP), %ecx
+	/* -8 because exception did not switch ring */
+	movl	$(2 * TF_SZ - TF_EIP - 8), %ecx
 	jmp	6f
 2:	leal	(doreti_popl_ds - 1b)(%ebx), %edx
 	cmpl	%edx, TF_EIP(%esp)
 	jne	3f
-	movl	$(2 * TF_SZ - TF_DS), %ecx
+	movl	$(2 * TF_SZ - TF_DS - 8), %ecx
 	jmp	6f
 3:	leal	(doreti_popl_es - 1b)(%ebx), %edx
 	cmpl	%edx, TF_EIP(%esp)
 	jne	4f
-	movl	$(2 * TF_SZ - TF_ES), %ecx
+	movl	$(2 * TF_SZ - TF_ES - 8), %ecx
 	jmp	6f
 4:	leal	(doreti_popl_fs - 1b)(%ebx), %edx
 	cmpl	%edx, TF_EIP(%esp)
 	jne	5f
-	movl	$(2 * TF_SZ - TF_FS), %ecx
+	movl	$(2 * TF_SZ - TF_FS - 8), %ecx
 	jmp	6f
 	/* kernel mode, normal */
 5:	jmp	calltrap