> From: "Theo de Raadt" <[email protected]>
> Date: Sun, 13 Sep 2020 08:56:04 -0600
> 
> Sebastien Marie <[email protected]> wrote:
> 
> > On Sun, Sep 13, 2020 at 03:29:57PM +0200, Martin Pieuchot wrote:
> > > I'm no longer able to reproduce the corruption while building lang/go
> > > with the diff below.  Something relevant to threading change in go since
> > > march?
> > > 
> > > Can someone try this diff and tell me if go and/or rust still fail?
> > 
> > quickly tested with rustc build (nightly here), and it is failing at random 
> > places (not always at the same) with memory errors (signal 11, compiler ICE 
> > signal 6...)
> 
> Ah, so that is a firm no.  Totally busted.
> 
> Clearly uvm_map_inentry_fix() obviously needs the KERNEL_LOCK in the
> presence of threads, I guess one thread can get into here while another
> is changing the map.
> 
> The first check in uvm_map_inentry_fix does two checks against the map,
> but the map is not locked:
> 
>         if (addr < map->min_offset || addr >= map->max_offset)

No, that should work; min_offset and max_offset are immutable after exec.

> > > Index: uvm/uvm_map.c
> > > ===================================================================
> > > RCS file: /cvs/src/sys/uvm/uvm_map.c,v
> > > retrieving revision 1.266
> > > diff -u -p -r1.266 uvm_map.c
> > > --- uvm/uvm_map.c 12 Sep 2020 17:08:50 -0000      1.266
> > > +++ uvm/uvm_map.c 13 Sep 2020 10:12:25 -0000
> > > @@ -1893,16 +1893,16 @@ uvm_map_inentry(struct proc *p, struct p
> > >   boolean_t ok = TRUE;
> > >  
> > >   if (uvm_map_inentry_recheck(serial, addr, ie)) {
> > > -         KERNEL_LOCK();
> > >           ok = uvm_map_inentry_fix(p, ie, addr, fn, serial);
> > >           if (!ok) {
> > > +                 KERNEL_LOCK();
> > >                   printf(fmt, p->p_p->ps_comm, p->p_p->ps_pid, p->p_tid,
> > >                       addr, ie->ie_start, ie->ie_end);
> > >                   p->p_p->ps_acflag |= AMAP;
> > >                   sv.sival_ptr = (void *)PROC_PC(p);
> > >                   trapsignal(p, SIGSEGV, 0, SEGV_ACCERR, sv);
> > > +                 KERNEL_UNLOCK();
> > >           }
> > > -         KERNEL_UNLOCK();
> > >   }
> > >   return (ok);
> > >  }
> > > 
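Review bot: narrowing the lock to the failure branch leaves the call `ok = uvm_map_inentry_fix(p, ie, addr, fn, serial);` running without KERNEL_LOCK, and nothing in the visible hunk serializes that call against another thread modifying the map, which matches the random SIGSEGV/SIGABRT failures reported for the rustc build earlier in the thread. Unless uvm_map_inentry_fix() takes the map's own read lock internally, the removed `KERNEL_LOCK();` before the call should stay (the later `printf`/`trapsignal` section can still be locked separately), and the locking assumption should be documented on uvm_map_inentry_fix() so the next change does not silently drop it again.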
> > 
> > -- 
> > Sebastien Marie
> > 
> 
> 
