This is the mail archive of the ecos-bugs@sources.redhat.com mailing list for the eCos project.
[Bug 1000170] New: SuperH context switch code vulnerable to stack corruption by ISR
- From: bugzilla at ecoscentric dot com
- To: ecos-bugs at sources dot redhat dot com
- Date: Mon, 18 Apr 2005 09:39:56 +0100 (BST)
- Subject: [Bug 1000170] New: SuperH context switch code vulnerable to stack corruption by ISR
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1000170
Summary: SuperH context switch code vulnerable to stack corruption by ISR
Product: eCos
Version: 2.0
Platform: Other
OS/Version: SuperH
Status: UNCONFIRMED
Severity: critical
Priority: normal
Component: HAL
AssignedTo: jifl@ecoscentric.com
ReportedBy: michaelb@ieee.org
QAContact: ecos-bugs@sources.redhat.com
Discovered this in version 2.0, but would seem to be present in the latest CVS
code as well...
The implementation of hal_thread_load_context for the SuperH architecture
restores the stack pointer to its old value (pointing to a location above the
thread context being restored) before it has restored the status register from
that thread context. Thus if an interrupt occurs after the stack pointer is
restored, but before the status register is, then it will corrupt the as yet
unrestored status register value on the stack. The net effect of this is to
have threads being scheduled with extremely strange interrupt mask values,
which causes havoc with interrupt handling.
The fix is to delay the restoration of the stack pointer until *all* other
register values from the thread context have been restored. This ensures that
the stack pointer satisfies the invariant that the space below it on the stack
is always unused, thereby making the thread context routine interrupt safe.
The following patch seems to do the trick...
--- hal/sh/arch/v2_0/src/context.S-old 2005-04-18 18:37:13.814931904 +1000
+++ hal/sh/arch/v2_0/src/context.S 2005-04-15 18:17:52.000000000 +1000
@@ -155,11 +155,11 @@
lds.l @r0+,macl ! macl
lds.l @r0+,pr ! pr
- mov r3,r15 ! update stack pointer
-
mov.l @r0+,r2 ! SR
hal_cpu_int_merge r2,r0,r1 ! restore interrupt state
+ mov r3,r15 ! update stack pointer
+
rts ! and return
nop
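Review bot: the relocated `mov r3,r15` now executes after `hal_cpu_int_merge r2,r0,r1`, so the correctness of this hunk depends on that macro leaving r3 intact (it is handed r0 and r1 as scratch) and on r15 still holding a usable stack at that point, since the merged SR may unmask interrupts before the new stack pointer is in place. Both hold for the sequence as shown, but a later edit could silently break either; suggest a comment on the `mov r3,r15` line stating that r3 must survive the merge and that the stack pointer is intentionally the last register restored, per the invariant described in the report.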
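A constructed model of the restore-order race the report describes, added here as illustration and not taken from eCos: a thread context is a run of words on the new thread's own stack, r0 walks up through it, r3 holds the stack pointer value that sits just above it, and an interrupt pushes its frame below whatever the stack pointer currently is. The stack layout, word offsets and SR value are all made up for the example.

```c
/* Constructed model of the hal_thread_load_context ordering bug (not eCos code). */
#include <stdint.h>
#include <string.h>

#define STACK_WORDS 32
#define CTX_BASE     8              /* saved context occupies words [8,10): pr, SR */
#define CTX_SR      (CTX_BASE + 1)  /* slot holding the thread's saved SR */
#define SAVED_SP    (CTX_BASE + 2)  /* r3: SP to restore, just above the context */
#define ENTRY_SP    24              /* SP on entry (outgoing thread's stack) */
#define SR_GOOD     0x40000000u     /* constructed "sane" SR value */
#define ISR_FRAME   0xDEADBEEFu     /* what the interrupt entry path writes */

struct cpu { uint32_t sp, sr; };

/* Interrupt entry: two words pushed below the current stack pointer. */
static void interrupt(uint32_t *stack, struct cpu *c)
{
    c->sp -= 2;
    stack[c->sp]     = ISR_FRAME;
    stack[c->sp + 1] = ISR_FRAME;
}

/* Returns the SR the new thread ends up running with.
 * sp_before_sr != 0 models the original ordering (mov r3,r15 before the SR
 * reload); 0 models the patched ordering.  irq != 0 fires an interrupt in
 * the window between the two instructions. */
uint32_t load_context(int sp_before_sr, int irq)
{
    uint32_t stack[STACK_WORDS];
    memset(stack, 0, sizeof stack);
    stack[CTX_BASE] = 0x1234;          /* saved pr (arbitrary) */
    stack[CTX_SR]   = SR_GOOD;         /* saved SR */
    struct cpu c = { .sp = ENTRY_SP, .sr = 0xF0 };
    uint32_t r0 = CTX_BASE;

    r0++;                              /* lds.l @r0+,pr */
    if (sp_before_sr) c.sp = SAVED_SP; /* mov r3,r15 at its old position */
    if (irq) interrupt(stack, &c);     /* ISR lands in the window */
    c.sr = stack[r0++];                /* mov.l @r0+,r2 ; hal_cpu_int_merge */
    if (!sp_before_sr) c.sp = SAVED_SP;/* mov r3,r15 at its patched position */
    return c.sr;
}
```

With the old ordering the interrupt frame lands on the context words still waiting to be read, so the SR slot is overwritten; with the patched ordering the frame goes below the entry stack pointer and the saved SR survives.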