port-vax/60102: kernel longjmp(9) on vax reads stack garbage instead of returning 1 (patch)

["pyhirricturtle%gmail.com@localhost via gnats" <gnats-admin%NetBSD.org@localhost>]

>Number:         60102
>Category:       port-vax
>Synopsis:       kernel longjmp(9) on vax reads stack garbage instead of returning 1 (patch)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-vax-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 19 04:10:00 +0000 2026
>Originator:     FireTurtle
>Release:        10.1_STABLE
>Organization:
>Environment:
NetBSD 10.1_STABLE (GENERIC) vax on SIMH MicroVAX 3900
>Description:
Patch for PR port-vax/59308.

As noted in 59308, kernel longjmp(9) takes only one argument (the
jmp_buf) but the VAX implementation at sys/arch/vax/vax/subr.S line 278
reads 8(%ap) as the return value.  Since there is no second argument,
this returns whatever stack garbage happens to be there -- which might
be zero, causing the setjmp(9) caller to take the wrong branch.

longjmp(9) is used by DDB for fault recovery, so this bug could
cause unpredictable debugger behavior.

--- a/sys/arch/vax/vax/subr.S
+++ b/sys/arch/vax/vax/subr.S
@@ -275,7 +275,7 @@

 _C_LABEL(longjmp):.word0
 movl4(%ap), %r1
-movl8(%ap), %r0
+movl$1, %r0
 movl(%r1), %ap
 movl4(%r1), %fp
 movl12(%r1), %sp

Built and boot-tested on SIMH MicroVAX 3900, NetBSD 10.1_STABLE.
>How-To-Repeat:
Code inspection of sys/arch/vax/vax/subr.S line 278.  See also PR port-vax/59308.
>Fix:
Change movl 8(%ap), %r0 to movl $1, %r0 in longjmp at sys/arch/vax/vax/subr.S.  Patch included in description.