If we get a fault in the gateway page, which would happen if we try

to deliver a signal and the RSE backing store has been exhausted or
the backing store pointer has been clobbered, we need to make sure
we call userret() and do_ast() when we exit from trap(). Not adjusting
the local variable 'user' in this case will prevent the faulty process
from being terminated and we end up in an infinite fault repetition.

Faulty process provided by: bento

1 files changed, 5 insertions, 2 deletions

diff --git a/sys/ia64/ia64/trap.c b/sys/ia64/ia64/trap.c
index 8626641..d22b8ff0 100644
--- a/sys/ia64/ia64/trap.c
+++ b/sys/ia64/ia64/trap.c
@@ -699,7 +699,9 @@ trap(int vector, struct trapframe *framep)
 		/*
 		 * Additionally check the privilege level. We don't want to
 		 * panic when we're in the gateway page, running at user
-		 * level. This happens for the signal trampolines.
+		 * level. This happens for the signal trampolines. Note that
+		 * when that happens, user is defined as 0 above. We need to
+		 * set user to 1 to force calling userret() and do_ast().
 		 */
 		if (!TRAPF_USERMODE(framep)) {
 			/* Check for copyin/copyout fault. */
@@ -711,7 +713,8 @@ trap(int vector, struct trapframe *framep)
 				goto out;
 			}
 			goto dopanic;
-		}
+		} else
+			user = 1;
 		ucode = va;	
 		i = (rv == KERN_PROTECTION_FAILURE) ? SIGBUS : SIGSEGV;
 		break;