Message-ID: <19980217114623.18048@follo.net>
Date: Tue, 17 Feb 1998 11:46:23 +0100
From: Eivind Eklund
To: hackers@FreeBSD.ORG
Subject: ed overwrite clue?

This might be a clue for the strange ED overwrites (or it might be
something completely unrelated :-)

I'm getting panic()s from if_ed.c overwriting strange locations from

        /* get pointer to this buffer's header structure */
        packet_ptr = sc->mem_ring +
            (sc->next_packet - sc->rec_page_start) * ED_PAGE_SIZE;

        /*
         * The byte count includes a 4 byte header that was added by
         * the NIC.
         */
        if (sc->mem_shared)
                packet_hdr = *(struct ed_ring *) packet_ptr;
        else
HERE-->         ed_pio_readmem(sc, (int)packet_ptr, (char *) &packet_hdr,
                    sizeof(packet_hdr));
        len = packet_hdr.count;
        if (len > (ETHER_MAX_LEN - ETHER_CRC_LEN + sizeof(struct ed_ring)) ||
            len < (ETHER_MIN_LEN - ETHER_CRC_LEN + sizeof(struct ed_ring))) {
                /*
                 * Length is a wild value. There's a good chance that

The backtrace looks like this (don't mind the line-numbers - they're from
something that is somewhat like a merge between -current now and
RELENG_2_2_2_RELEASE).

diablo(root)/intercom/var/crash# gdb -k /intercom/kernel.debug vmcore.0
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc...
IdlePTD 202000
current pcb at 1e5c80
panic: general protection fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:243
243             dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:243
#1  0xf0114922 in panic (fmt=0xf01ad315 "general protection fault")
    at ../../kern/kern_shutdown.c:367
#2  0xf01ade66 in trap_fatal (frame=0xefbfff28) at ../../i386/i386/trap.c:742
#3  0xf01ad716 in trap (frame={tf_es = 39, tf_ds = 16, tf_edi = -272629824,
      tf_esi = 553, tf_ebp = -272629884, tf_isp = -272629936,
      tf_ebx = -266415104, tf_edx = 560, tf_ecx = 2, tf_eax = 2,
      tf_trapno = 9, tf_err = 0, tf_eip = -266652498, tf_cs = 8,
      tf_eflags = 65538, tf_esp = 551, tf_ss = -266415104})
    at ../../i386/i386/trap.c:440
#4  0xf01b34ae in ed_pio_readmem (sc=0xf01ed400, src=25088,
    dst=0xefbfffc0 "'", amount=4) at machine/cpufunc.h:185
#5  0xf01b2e17 in edintr_sc (sc=0xf01ed400) at ../../i386/isa/if_ed.c:2284
#6  0xf01b2fda in edintr (unit=0) at ../../i386/isa/if_ed.c:2619
#7  0xf01a6047 in Xfastintr5 ()
#8  0x1b40 in ?? ()
#9  0x1095 in ?? ()
(kgdb)

and the actual panic() is here

diablo(root)/intercom/var/crash# gdb -k /intercom/kernel.debug vmcore.0
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc...
IdlePTD 202000
current pcb at 1e5c80
panic: general protection fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:243
243             dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:243
#1  0xf0114922 in panic (fmt=0xf01ad315 "general protection fault")
    at ../../kern/kern_shutdown.c:367
#2  0xf01ade66 in trap_fatal (frame=0xefbfff28) at ../../i386/i386/trap.c:742
#3  0xf01ad716 in trap (frame={tf_es = 39, tf_ds = 16, tf_edi = -272629824,
      tf_esi = 553, tf_ebp = -272629884, tf_isp = -272629936,
      tf_ebx = -266415104, tf_edx = 560, tf_ecx = 2, tf_eax = 2,
      tf_trapno = 9, tf_err = 0, tf_eip = -266652498, tf_cs = 8,
      tf_eflags = 65538, tf_esp = 551, tf_ss = -266415104})
    at ../../i386/i386/trap.c:440
#4  0xf01b34ae in ed_pio_readmem (sc=0xf01ed400, src=25088,
    dst=0xefbfffc0 "'", amount=4) at machine/cpufunc.h:185
#5  0xf01b2e17 in edintr_sc (sc=0xf01ed400) at ../../i386/isa/if_ed.c:2284
#6  0xf01b2fda in edintr (unit=0) at ../../i386/isa/if_ed.c:2619
#7  0xf01a6047 in Xfastintr5 ()
#8  0x1b40 in ?? ()
#9  0x1095 in ?? ()
(kgdb)

and I can reproduce at will. I haven't looked too closely yet, but
just thought I'd throw out the relevant info at once.

(It's on a modified RELENG_2_2_2_RELEASE with a PnP ed0 and running
ipfw; I don't think more of the info is really relevant. Nothing that
looks relevant has changed in if_ed.c from the version I have to
-current).

I'll be working on this in the coming hours.

Eivind.