[RFC] Potential bug in kernel_thread() on i386.

Alexander Viro (viro@math.psu.edu)
Tue, 6 Oct 1998 17:59:26 -0400 (EDT)


Folks, there's something strange with kernel_thread() on i386.
After reading old bug reports I've got a strong feeling that there is
a race somewhere around fput() and while I was (still am) hunting for it
I've stumbled across the request_module() and kernel_thread().
First of all, I was under the impression that kernel_thread() is
kosher only for pure kernel processes. Is that right? request_module() can
be called from a system call (e.g. mount()), so...
Now, kernel_thread(fn,arg,flags) expands to the following
(assuming that both flags and fn are constants):
movl %edx,fn
movl %eax,__NR_clone
movl %ebx,flags | CLONE_VM
movl %esp,%esi
int $0x80
cmpl %esp,%esi
je 1f
pushl arg
call *%edx
movl __NR_exit,%eax
int $0x80
1:
But... WTF? clone has _two_ arguments, not one. I've looked
through the sys_clone() and figured out that it takes the new stack
pointer from %ecx. If %ecx is NULL we keep the same stack. OK, but
the code above doesn't touch %ecx. I've looked through the code
surrounding kernel_thread() calls and, at least in case of
request_module(), %ecx may contain arbitrary garbage. Which means that
unless there is some serious magic that I've missed in do_fork() the
kernel_thread() may dance a nice fandango on the core.
A short glance through the sparc and sparc64 implementations has
shown that they pass 2 parameters (flags|VM_CLONE and NULL).

Thus the RFC: I don't like how kernel_thread() looks on
i386. I suspect that we should pass 0 in %ecx as it is done (modulo
different registers, indeed) on sparc and sparc64, but maybe I'm missing
some magic in sys_clone()/do_fork()/etc. Comments?

Al
PS: this code has been in place since at least 2.1.106.
PPS: Down, not across!

-- 
"You're one of those condescending Unix computer users!"
"Here's a nickel, kid.  Get yourself a better computer" - Dilbert.
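What the second clone argument does, as an added user-space demonstration written for this archive page (not the kernel code Al quotes above): with CLONE_VM and a zero new-stack pointer the child runs in the caller's own stack frame, which is why whatever happens to sit in that register matters. It assumes Linux with glibc's syscall() wrapper; the function name is mine.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Semantics of clone's second argument (the new stack pointer, %ecx in the
 * i386 int $0x80 convention): passing 0 keeps the caller's stack.  With
 * CLONE_VM the child therefore executes in the parent's own stack frame;
 * CLONE_VFORK keeps the parent suspended until the child exits, so the two
 * never touch that frame at the same time.  Returns the value the child
 * stored into the parent's local variable, or -1 if clone/waitpid failed. */
int clone_on_callers_stack(int value_from_child)
{
    volatile int marker = 0;   /* lives on the parent's stack; volatile so the
                                  parent re-reads it from memory afterwards */

    /* Raw clone: arg1 = flags, arg2 = new stack pointer (0 = same stack).
     * SIGCHLD makes the child reapable with plain waitpid(). */
    long pid = syscall(SYS_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
                       0L, 0L, 0L, 0L);
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: running on the parent's stack.  Write into the parent's
         * local and leave without returning: a return would pop frames the
         * parent still needs, which is why the kernel version ends with
         * __NR_exit instead of a ret. */
        marker = value_from_child;
        _exit(0);
    }

    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) < 0)
        return -1;
    return marker;   /* parent observes the child's write: value_from_child */
}

int main(void)
{
    printf("child wrote %d into the parent's frame\n",
           clone_on_callers_stack(42));
    return 0;
}
```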
