next vforkup chapter: lwpctl

To: tech-kern%netbsd.org@localhost
Subject: next vforkup chapter: lwpctl
From: Antti Kantee <pooka%cs.hut.fi@localhost>
Date: Mon, 14 Feb 2011 15:16:11 +0200

Hi,

Alexander pointed me at a problem where under suitable conditions a
process with rump syscall hijacking would crash when after vfork() and
sent the attached test program.  Under further examination, it turned
out that the problem is due to libpthread and lwpctl.

Having pthread linked causes malloc to use pthread routines instead
of the libc stubs.  Now, the vfork() child will use a pointer to the
parent's lwpctl area and thinks it is running on LWPCTL_CPU_NONE (-1).
When malloc uses this to index the arena map, it unsurprisingly gets
total garbage back.

The following patch makes a vfork child update the parent's lwpctl area
while the child is running.  Comments or better ideas?

-- 
älä karot toivorikkauttas, kyl rätei ja lumpui piisaa

#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
    malloc(1);
    switch(vfork())
    {
    case -1:
        return EXIT_FAILURE;
    case 0:
        malloc(1);
        _exit(EXIT_FAILURE);
    default:
        ;
    }

    return EXIT_SUCCESS;
}

Index: kern/kern_exec.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_exec.c,v
retrieving revision 1.305
diff -p -u -r1.305 kern_exec.c
--- kern/kern_exec.c    18 Jan 2011 08:21:03 -0000      1.305
+++ kern/kern_exec.c    14 Feb 2011 12:25:28 -0000
@@ -979,6 +979,7 @@ execve1(struct lwp *l, const char *path,
                mutex_enter(proc_lock);
                p->p_lflag &= ~PL_PPWAIT;
                cv_broadcast(&p->p_pptr->p_waitcv);
+               l->l_lwpctl = NULL; /* borrowed from parent */
                mutex_exit(proc_lock);
        }
 
Index: kern/kern_exit.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_exit.c,v
retrieving revision 1.231
diff -p -u -r1.231 kern_exit.c
--- kern/kern_exit.c    18 Dec 2010 01:36:19 -0000      1.231
+++ kern/kern_exit.c    14 Feb 2011 12:25:28 -0000
@@ -343,6 +343,7 @@ exit1(struct lwp *l, int rv)
        if (p->p_lflag & PL_PPWAIT) {
                p->p_lflag &= ~PL_PPWAIT;
                cv_broadcast(&p->p_pptr->p_waitcv);
+               l->l_lwpctl = NULL; /* borrowed from parent */
        }
 
        if (SESS_LEADER(p)) {
Index: kern/kern_lwp.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_lwp.c,v
retrieving revision 1.154
diff -p -u -r1.154 kern_lwp.c
--- kern/kern_lwp.c     17 Jan 2011 08:26:58 -0000      1.154
+++ kern/kern_lwp.c     14 Feb 2011 12:25:29 -0000
@@ -696,6 +696,12 @@ lwp_create(lwp_t *l1, proc_t *p2, vaddr_
        l2->l_pflag = LP_MPSAFE;
        TAILQ_INIT(&l2->l_ld_locks);
 
+       /* For vfork, borrow parent's lwpctl context */
+       if (flags & LWP_VFORK && l1->l_lwpctl) {
+               l2->l_lwpctl = l1->l_lwpctl;
+               l2->l_flag |= LW_LWPCTL;
+       }
+
        /*
         * If not the first LWP in the process, grab a reference to the
         * descriptor table.
@@ -1376,6 +1382,17 @@ lwp_userret(struct lwp *l)
                        KASSERT(0);
                        /* NOTREACHED */
                }
+
+               /* update lwpctl process (for vfork child_return) */
+               if (l->l_flag & LW_LWPCTL) {
+                       lwp_lock(l);
+                       l->l_flag &= ~LW_LWPCTL;
+                       lwp_unlock(l);
+                       KPREEMPT_DISABLE(l);
+                       l->l_lwpctl->lc_curcpu = (int)cpu_index(l->l_cpu);
+                       l->l_lwpctl->lc_pctr++;
+                       KPREEMPT_ENABLE(l);
+               }
        }
 
 #ifdef KERN_SA
@@ -1529,6 +1546,10 @@ lwp_ctl_alloc(vaddr_t *uaddr)
        l = curlwp;
        p = l->l_proc;
 
+       /* don't allow a vforked process to create lwp ctls */
+       if (p->p_lflag & PL_PPWAIT)
+               return EBUSY;
+
        if (l->l_lcpage != NULL) {
                lcp = l->l_lcpage;
                *uaddr = lcp->lcp_uaddr + (vaddr_t)l->l_lwpctl - lcp->lcp_kaddr;
@@ -1653,11 +1674,16 @@ lwp_ctl_alloc(vaddr_t *uaddr)
 void
 lwp_ctl_free(lwp_t *l)
 {
+       struct proc *p = l->l_proc;
        lcproc_t *lp;
        lcpage_t *lcp;
        u_int map, offset;
 
-       lp = l->l_proc->p_lwpctl;
+       /* don't free a lwp context we borrowed for vfork */
+       if (p->p_lflag & PL_PPWAIT)
+               return;
+
+       lp = p->p_lwpctl;
        KASSERT(lp != NULL);
 
        lcp = l->l_lcpage;
Index: sys/lwp.h
===================================================================
RCS file: /cvsroot/src/sys/sys/lwp.h,v
retrieving revision 1.142
diff -p -u -r1.142 lwp.h
--- sys/lwp.h   28 Jan 2011 16:58:27 -0000      1.142
+++ sys/lwp.h   14 Feb 2011 12:25:29 -0000
@@ -214,6 +214,7 @@ extern lwp_t                lwp0;           /* LWP for 
proc0. *
 
 /* These flags are kept in l_flag. */
 #define        LW_IDLE         0x00000001 /* Idle lwp. */
+#define        LW_LWPCTL       0x00000002 /* Adjust lwpctl in userret */
 #define        LW_SINTR        0x00000080 /* Sleep is interruptible. */
 #define        LW_SA_SWITCHING 0x00000100 /* SA LWP in context switch */
 #define        LW_SYSTEM       0x00000200 /* Kernel thread */
@@ -258,7 +259,7 @@ extern lwp_t                lwp0;           /* LWP for 
proc0. *
  * user.
  */
 #define        LW_USERRET 
(LW_WEXIT|LW_PENDSIG|LW_WREBOOT|LW_WSUSPEND|LW_WCORE|\
-                   LW_SA_BLOCKING|LW_SA_UPCALL)
+                   LW_SA_BLOCKING|LW_SA_UPCALL|LW_LWPCTL)
 
 /*
  * Status values.

Follow-Ups:
- Re: next vforkup chapter: lwpctl
  - From: Joerg Sonnenberger

Prev by Date: Re: Importing Flash and NAND subsystem for NetBSD
Next by Date: Re: next vforkup chapter: lwpctl
Previous by Thread: Importing Flash and NAND subsystem for NetBSD
Next by Thread: Re: next vforkup chapter: lwpctl
Indexes:

Home | Main Index | Thread Index | Old Index