From owner-freebsd-hackers  Tue Feb 17 14:50:42 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA09047
          for freebsd-hackers-outgoing; Tue, 17 Feb 1998 14:50:42 -0800 (PST)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA08826
          for <hackers@FreeBSD.ORG>; Tue, 17 Feb 1998 14:49:03 -0800 (PST)
          (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36])
	by ns1.yes.no (8.8.7/8.8.7) with ESMTP id WAA18205;
	Tue, 17 Feb 1998 22:48:53 GMT
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.6/8.8.6) id XAA16229;
	Tue, 17 Feb 1998 23:48:53 +0100 (MET)
Message-ID: <19980217234852.01126@follo.net>
Date: Tue, 17 Feb 1998 23:48:52 +0100
From: Eivind Eklund <eivind@yes.no>
To: Mike Smith <mike@smith.net.au>, Eivind Eklund <eivind@yes.no>
Cc: hackers@FreeBSD.ORG
Subject: Re: ed overwrite clue?
References: <19980217130957.45413@follo.net> <199802172227.OAA03189@dingo.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199802172227.OAA03189@dingo.cdrom.com>; from Mike Smith on Tue, Feb 17, 1998 at 02:27:32PM -0800
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Feb 17, 1998 at 02:27:32PM -0800, Mike Smith wrote:
> > > One question; the destination of the insw - is that actually a
> > > legitimate address?  ie. is it on the kernel stack, or somewhere
> > > else?
> > 
> > It looks like the destination is on the kernel stack.  The source
> > looks more suspicious - it is at 0x6200...
> 
> That's not unreasonable; the onboard memory on an NE card isn't based 
> at zero.  See the comments and code in the Novell-specific probe 
> section for details on this.

I've been looking more closesly now - I'm having the destination
addresses switch between 0xefbX XXXX and 0xf01X XXXX.  The
0xf01*-addresses never crash.  And there are much more of the
0xf01*-addresses - I've seen hundreds of 0xf01* pass without getting
any crashes, while between 10% and 20% of the 0xefb* crash.  (But not
100%, which makes this more complicated).

Throwing the interrupt in an splhigh() don't seem to make a
difference, so that's not where the problem is.

I'm about to start trigging some crashdumps on purpose now, so I can
get a good look at how a dump for an OK case is.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message