Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ll-xn!ames!amdcad!sun!shannon
From: shannon@sun.uucp (Bill Shannon)
Newsgroups: comp.bugs.4bsd
Subject: exec (really vinifod) can scribble random kernel data
Message-ID: <24281@sun.uucp>
Date: Mon, 27-Jul-87 19:58:30 EDT
Article-I.D.: sun.24281
Posted: Mon Jul 27 19:58:30 1987
Date-Received: Wed, 29-Jul-87 01:48:50 EDT
Organization: Sun Microsystems, Inc. - Mtn View, CA
Lines: 22

Index:	sys/kern_exec.c 4.3BSD [FIX]


Description:
	vinifod (in vm_subr.c) is called with a pointer to the process's
	pte's.  vinifod calls bmap, which can sleep.  While the process is
	sleeping in bmap, it can be swapped out.  When it is swapped back
	in, the pte's can be allocated at a different kernel virtual
	address, but vinifod still holds the old pointer and writes the
	new pte values over whatever kernel data now lives at that address.
Repeat-By:
	Lotsa luck.  While debugging new hardware we had just the right
	combination of events to make this occur repeatably.  I wouldn't
	expect it to occur very often in general.
Fix:
	The quick fix is to prevent the process from being swapped during the
	time the pte's are being initialized.  (Sorry I don't have better
	diffs or something.)

	In kern_exec.c, change line 453 to

		u.u_procp->p_flag |= pagi | SKEEP;

	After line 469 (after the call to vinifod) add:

		u.u_procp->p_flag &= ~SKEEP;
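The following is an added, runnable model of the race in the Description and of the SKEEP fix; it is not 4.3BSD source. The names SKEEP, vinifod and bmap are taken from the post; the two-slot "kernel memory", the one-shot swapper that runs whenever the process sleeps, the POISON value and the block-number mapping are assumptions made so the bug and the fix can be exercised stand-alone.

```c
/*
 * Model of the vinifod/bmap swap race (added example, not 4.3BSD code).
 * SKEEP, vinifod and bmap follow the post; the two-slot kmem array, the
 * one-shot swapper, POISON and the bmap mapping are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define NPTE        8
#define SKEEP       0x0001        /* assumed: "do not swap this process out" */
#define POISON      0xDEADBEEFu   /* assumed: marks memory the process gave up */

typedef unsigned int pte_t;

struct proc {
    int    p_flag;
    pte_t *p_pte;   /* kernel-virtual address of this process's pte array */
};

/* Two possible kernel-virtual homes for the pte array. */
static pte_t kmem[2][NPTE];
static int   cur_slot;      /* which slot currently holds the live ptes */
static int   swapped;       /* has the swapper already moved them once? */

/* Swapper model, invoked whenever the process sleeps.  Unless the process
 * is marked SKEEP it is swapped out, and on swap-in its ptes come back at
 * the other address.  The vacated slot is poisoned: it now belongs to some
 * other kernel object, so any later write into it is a scribble. */
static void sleep_and_maybe_swap(struct proc *p)
{
    if (swapped || (p->p_flag & SKEEP))
        return;
    int next = cur_slot ^ 1;
    memcpy(kmem[next], kmem[cur_slot], sizeof kmem[next]);
    for (int i = 0; i < NPTE; i++)
        kmem[cur_slot][i] = POISON;
    cur_slot = next;
    p->p_pte = kmem[next];
    swapped = 1;
}

/* bmap(): logical block -> disk block.  The real bmap may sleep on I/O;
 * here the sleep is where the swapper gets to run. */
static unsigned bmap(struct proc *p, unsigned lbn)
{
    sleep_and_maybe_swap(p);
    return 1000u + lbn;     /* assumed mapping; only needs to be checkable */
}

/* vinifod(): fill the ptes of a fill-on-demand region from file blocks.
 * It keeps using the pte pointer it was handed across the sleep in
 * bmap(), which is exactly the hazard the post describes. */
static void vinifod(struct proc *p, pte_t *pte, int count)
{
    for (int i = 0; i < count; i++)
        pte[i] = bmap(p, (unsigned)i);   /* may write through a stale address */
}

/* The exec path around the two lines the post changes.  Returns how many
 * of the process's live ptes ended up initialised correctly. */
static int exec_pte_setup(int apply_fix)
{
    struct proc p = { 0, NULL };
    memset(kmem, 0, sizeof kmem);
    cur_slot = 0;
    swapped = 0;
    p.p_pte = kmem[0];

    if (apply_fix)
        p.p_flag |= SKEEP;      /* the post's change at line 453 (pagi omitted here) */
    vinifod(&p, p.p_pte, NPTE);
    p.p_flag &= ~SKEEP;         /* the post's addition after line 469 */

    int ok = 0;
    for (int i = 0; i < NPTE; i++)
        if (p.p_pte[i] == 1000u + (unsigned)i)
            ok++;
    return ok;
}

/* Words outside the live pte array that vinifod wrote during the last
 * exec_pte_setup(), i.e. the "random kernel data" that got scribbled. */
static int scribbled_words(void)
{
    if (!swapped)
        return 0;
    int n = 0;
    for (int i = 0; i < NPTE; i++)
        if (kmem[cur_slot ^ 1][i] != POISON)
            n++;
    return n;
}

int main(void)
{
    int ok = exec_pte_setup(0);
    printf("without SKEEP: %d/%d ptes valid, %d kernel words scribbled\n",
           ok, NPTE, scribbled_words());
    ok = exec_pte_setup(1);
    printf("with SKEEP:    %d/%d ptes valid, %d kernel words scribbled\n",
           ok, NPTE, scribbled_words());
    return 0;
}
```

Without SKEEP the first sleep in bmap moves the ptes, every store in vinifod lands in the vacated address, and the live pte array is left uninitialised; with SKEEP set across the call the swapper is refused and all stores land where they belong. Two caveats a reviewer would raise about the quick fix as posted: the clearing line must be reached on every path out of the region between lines 453 and 469, or the process stays pinned in core, and the unconditional `&= ~SKEEP` drops the bit even if something else had set it before exec, since nothing saves and restores its previous value.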