[issue871] gtk2 related: X mouse pointer jumps and sticks to top left corner

Matthew Dillon dillon at apollo.backplane.com
Sat Dec 8 12:16:55 PST 2007


    Ok, it looks like firefox is messing up the signal stack and this
    caused a GP fault in the kernel due to reserved bits in the MXCSR
    field in the floating point saved state being set by userland.

    I have added code to report and clear the bits.  I do not know why
    firefox is blowing up the state, though.

    I also fixed a bug in krateprintf() in kern/subr_prf.c (not included)...
    I committed that fix directly.

    PATCH #2 enclosed.

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>

Index: platform/pc32/i386/machdep.c
===================================================================
RCS file: /cvs/src/sys/platform/pc32/i386/machdep.c,v
retrieving revision 1.128
diff -u -p -r1.128 machdep.c
--- platform/pc32/i386/machdep.c	7 Nov 2007 17:42:50 -0000	1.128
+++ platform/pc32/i386/machdep.c	7 Dec 2007 02:56:39 -0000
@@ -498,6 +498,11 @@ 		tf->tf_eflags &= ~(PSL_VM | PSL_NT | P
 	}
 
 	/*
+	 * Save the FPU state and reinit the FP unit
+	 */
+	npxpush(&sf.sf_uc.uc_mcontext);
+
+	/*
 	 * Copy the sigframe out to the user's stack.
 	 */
 	if (copyout(&sf, sfp, sizeof(struct sigframe)) != 0) {
@@ -679,6 +684,11 @@ 		bcopy(&ucp->uc_mcontext.mc_gs, regs, s
 	}
 
 	/*
+	 * Restore the FPU state from the frame
+	 */
+	npxpop(&ucp->uc_mcontext);
+
+	/*
 	 * Merge saved signal mailbox pending flag to maintain interlock
 	 * semantics against system calls.
 	 */
Index: platform/pc32/include/md_var.h
===================================================================
RCS file: /cvs/src/sys/platform/pc32/include/md_var.h,v
retrieving revision 1.25
diff -u -p -r1.25 md_var.h
--- platform/pc32/include/md_var.h	9 Jan 2007 23:34:03 -0000	1.25
+++ platform/pc32/include/md_var.h	7 Dec 2007 01:15:37 -0000
@@ -69,6 +69,7 @@ struct	fpreg;
 struct  dbreg;
 struct  mdglobaldata;
 struct  thread;
+struct	__mcontext;
 
 void	busdma_swi (void);
 void	cpu_gdinit (struct mdglobaldata *gd, int cpu);
@@ -113,5 +114,7 @@ 		    int selec);
 void	userconfig (void);
 int     user_dbreg_trap (void);
 int     npxdna(void);
+void	npxpush(struct __mcontext *mctx);
+void	npxpop(struct __mcontext *mctx);
 
 #endif /* !_MACHINE_MD_VAR_H_ */
Index: platform/pc32/isa/npx.c
===================================================================
RCS file: /cvs/src/sys/platform/pc32/isa/npx.c,v
retrieving revision 1.42
diff -u -p -r1.42 npx.c
--- platform/pc32/isa/npx.c	22 Feb 2007 15:50:49 -0000	1.42
+++ platform/pc32/isa/npx.c	8 Dec 2007 19:56:47 -0000
@@ -210,6 +210,8 @@ 	iret							\n\
 ");
 #endif /* SMP */
 
+static struct krate badfprate = { 1 };
+
 /*
  * Probe routine.  Initialize cr0 to give correct behaviour for [f]wait
  * whether the device exists or not (XXX should be elsewhere).  Set flags
@@ -513,7 +515,7 @@  */
 void
 npxinit(u_short control)
 {
-	static union savefpu dummy;
+	static union savefpu dummy __aligned(16);
 
 	if (!npx_exists)
 		return;
@@ -852,15 +854,29 @@  */
 int
 npxdna(void)
 {
+	thread_t td = curthread;
 	u_long *exstat;
+	int didinit = 0;
 
 	if (!npx_exists)
 		return (0);
 	if (mdcpu->gd_npxthread != NULL) {
 		kprintf("npxdna: npxthread = %p, curthread = %p\n",
-		       mdcpu->gd_npxthread, curthread);
+		       mdcpu->gd_npxthread, td);
 		panic("npxdna");
 	}
+
+	/*
+	 * Setup the initial saved state if the thread has never before
+	 * used the FP unit.  This also occurs when a thread pushes a
+	 * signal handler and uses FP in the handler.
+	 */
+	if ((td->td_flags & TDF_USINGFP) == 0) {
+		td->td_flags |= TDF_USINGFP;
+		npxinit(__INITIAL_NPXCW__);
+		didinit = 1;
+	}
+
 	/*
 	 * The setting of gd_npxthread and the call to fpurstor() must not
 	 * be preempted by an interrupt thread or we will take an npxdna
@@ -873,8 +889,8 @@ 	stop_emulating();
 	/*
 	 * Record new context early in case frstor causes an IRQ13.
 	 */
-	mdcpu->gd_npxthread = curthread;
-	exstat = GET_FPU_EXSW_PTR(curthread);
+	mdcpu->gd_npxthread = td;
+	exstat = GET_FPU_EXSW_PTR(td);
 	*exstat = 0;
 	/*
 	 * The following frstor may cause an IRQ13 when the state being
@@ -888,7 +904,13 @@ 	 * 386/Cyrix 387 system, fnclex works c
 	 * fnsave are broken, so our treatment breaks fnclex if it is the
 	 * first FPU instruction after a context switch.
 	 */
-	fpurstor(curthread->td_savefpu);
+	if (td->td_savefpu->sv_xmm.sv_env.en_mxcsr & ~0xFFBF) {
+		krateprintf(&badfprate,
+			    "FXRSTR: illegal FP MXCSR %08x didinit = %d\n",
+			    td->td_savefpu->sv_xmm.sv_env.en_mxcsr, didinit);
+		td->td_savefpu->sv_xmm.sv_env.en_mxcsr &= 0xFFBF;
+	}
+	fpurstor(td->td_savefpu);
 	crit_exit();
 
 	return (1);
@@ -975,6 +997,90 @@ #endif
 		fnsave(addr);
 }
 
+/*
+ * Save the FP state to the mcontext structure.
+ *
+ * WARNING: If you want to try to npxsave() directly to mctx->mc_fpregs,
+ * then it MUST be 16-byte aligned.  Currently this is not guarenteed.
+ */
+void
+npxpush(mcontext_t *mctx)
+{
+	thread_t td = curthread;
+
+	if (td->td_flags & TDF_USINGFP) {
+		if (mdcpu->gd_npxthread == td) {
+			/*
+			 * XXX Note: This is a bit inefficient if the signal
+			 * handler uses floating point, extra faults will
+			 * occur.
+			 */
+			mctx->mc_ownedfp = _MC_FPOWNED_FPU;
+			npxsave(td->td_savefpu);
+		} else {
+			mctx->mc_ownedfp = _MC_FPOWNED_PCB;
+		}
+		bcopy(td->td_savefpu, mctx->mc_fpregs, sizeof(mctx->mc_fpregs));
+		td->td_flags &= ~TDF_USINGFP;
+	} else {
+		mctx->mc_ownedfp = _MC_FPOWNED_NONE;
+	}
+}
+
+/*
+ * Restore the FP state from the mcontext structure.
+ */
+void
+npxpop(mcontext_t *mctx)
+{
+	thread_t td = curthread;
+
+	switch(mctx->mc_ownedfp) {
+	case _MC_FPOWNED_NONE:
+		/*
+		 * If the signal handler used the FP unit but the interrupted
+		 * code did not, release the FP unit.  Clear TDF_USINGFP will
+		 * force the FP unit to reinit so the interrupted code sees
+		 * a clean slate.
+		 */
+		if (td->td_flags & TDF_USINGFP) {
+			if (td == mdcpu->gd_npxthread)
+				npxsave(td->td_savefpu);
+			td->td_flags &= ~TDF_USINGFP;
+		}
+		break;
+	case _MC_FPOWNED_FPU:
+	case _MC_FPOWNED_PCB:
+		/*
+		 * Clear ownership of the FP unit and restore our saved state.
+		 *
+		 * NOTE: The signal handler may have set-up some FP state and
+		 * enabled the FP unit, so we have to restore no matter what.
+		 *
+		 * XXX: This is bit inefficient, if the code being returned
+		 * to is actively using the FP this results in multiple
+		 * kernel faults.
+		 *
+		 * WARNING: The saved state was exposed to userland and may
+		 * have to be sanitized to avoid a GP fault in the kernel.
+		 */
+		if (td == mdcpu->gd_npxthread)
+			npxsave(td->td_savefpu);
+		bcopy(mctx->mc_fpregs, td->td_savefpu, sizeof(*td->td_savefpu));
+		if (td->td_savefpu->sv_xmm.sv_env.en_mxcsr & ~0xFFBF) {
+			krateprintf(&badfprate,
+				    "pid %d (%s) signal return from user: "
+				    "illegal FP MXCSR %08x\n",
+				    td->td_proc->p_pid,
+				    td->td_proc->p_comm,
+				    td->td_savefpu->sv_xmm.sv_env.en_mxcsr);
+			td->td_savefpu->sv_xmm.sv_env.en_mxcsr &= 0xFFBF;
+		}
+		td->td_flags |= TDF_USINGFP;
+		break;
+	}
+}
+
 #ifndef CPU_DISABLE_SSE
 /*
  * On AuthenticAMD processors, the fxrstor instruction does not restore
Index: sys/thread.h
===================================================================
RCS file: /cvs/src/sys/sys/thread.h,v
retrieving revision 1.89
diff -u -p -r1.89 thread.h
--- sys/thread.h	18 Nov 2007 09:53:19 -0000	1.89
+++ sys/thread.h	7 Dec 2007 01:12:37 -0000
@@ -284,6 +284,7 @@ #define TDF_PANICWARN		0x00080000	/* pan
 #define TDF_BLOCKQ		0x00100000	/* on block queue */
 #define TDF_MPSAFE		0x00200000	/* (thread creation) */
 #define TDF_EXITING		0x00400000	/* thread exiting */
+#define TDF_USINGFP		0x00800000	/* thread using fp coproc */
 
 /*
  * Thread priorities.  Typically only one thread from any given





More information about the Bugs mailing list