From: Raja Sivaramakrishnan
Date: Sat, 16 Nov 2002 17:25:41 -0800 (PST)
Subject: help with stack corruption
Message-ID: <20021116170104.F71003-100000@zircon.juniper.net>

Hello,

I have seen two instances of this problem in the last 4 months and it is not reproducible, so I was wondering if somebody could point me to some potential causes.

The problem appears to be that there are 2 extra stack pops while executing in the kernel in a routine. This function looks as follows:

    push ebp        // let's assume value of ebp is X at this point
    mov esp, ebp    // AT&T operand order: ebp = esp (set up the frame pointer)
    push esi        // callee-saved registers
    push ebx
    .....
    pop ebx         // restore callee-saved registers
    pop esi
    leave           // esp = ebp; pop ebp
    ret

Upon returning from this function, the values of ebx and esi are not the values that were pushed on the stack at the beginning of the function. Instead, the value of ebx is X (the saved ebp) and the value of esi is the return address from this function! This appears consistent with having 2 additional stack pops that removed the callee-saved registers from the stack.

This function does not do any stack operations other than the ones mentioned above, so perhaps there was an interrupt/exception while executing in this routine which caused this? This function was executing due to a call from swi_net_next(), so the kernel was already in the middle of handling an interrupt. So, one possibility is that there is a bug in handling nested interrupts? Any help will be appreciated. This is from the 4.2 code base.

One other curious thing is that after returning from this function, esi now contains a pointer into the instruction stream. esi is actually an mbuf pointer and the kernel dereferences this pointer and successfully writes into the instruction stream. There was no protection fault and the dump (kernel did take a page fault while trying to free the mbuf after a while) confirms that the instruction stream was modified. Isn't the code segment write-protected?

Thanks,
Raja
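As an added illustration that is not part of Raja's mail, here is a small C model of the frame layout described above: it replays the prologue and epilogue with N stray pops inserted in the body and shows which saved words end up in ebx and esi, and also why `leave` (which reloads esp from ebp) still lets the function return to the correct address. All register values are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values standing in for the call site in the post. */
#define CALLER_EBX 0x11111111u
#define CALLER_ESI 0x22222222u
#define CALLER_EBP 0xc0a0f000u   /* "X": ebp on entry to the function     */
#define RET_ADDR   0xc0123456u   /* return address pushed by the call      */
#define JUNK       0xdeadbeefu   /* whatever sits above the caller's frame */

#define NWORDS 16
struct regs { uint32_t ebx, esi, ebp, eip; };

/* Model of the i386 stack: word[0] is the lowest address and pushes move
 * esp toward it. esp/ebp are word indices rather than byte addresses. */
struct stack { uint32_t word[NWORDS]; int esp; };

static void push(struct stack *s, uint32_t v) { s->word[--s->esp] = v; }
static uint32_t pop(struct stack *s) {
    return s->esp < NWORDS ? s->word[s->esp++] : JUNK;  /* past the top: junk */
}

/* Replay the prologue/epilogue from the post with 'extra' stray pops
 * inserted in the body, and report the registers as the caller sees them. */
struct regs run_function(int extra)
{
    struct stack s = { .esp = NWORDS };
    struct regs r = { CALLER_EBX, CALLER_ESI, CALLER_EBP, 0 };
    for (int i = 0; i < NWORDS; i++) s.word[i] = JUNK;
    push(&s, RET_ADDR);      /* call                         */
    push(&s, r.ebp);         /* push ebp                     */
    int ebp = s.esp;         /* mov esp, ebp                 */
    push(&s, r.esi);         /* push esi                     */
    push(&s, r.ebx);         /* push ebx                     */
    s.esp += extra;          /* the unexplained extra pops   */
    r.ebx = pop(&s);         /* pop ebx                      */
    r.esi = pop(&s);         /* pop esi                      */
    s.esp = ebp;             /* leave: esp = ebp ...         */
    r.ebp = pop(&s);         /*        ... then pop ebp      */
    r.eip = pop(&s);         /* ret                          */
    return r;
}

int main(void)
{
    for (int extra = 0; extra <= 2; extra++) {
        struct regs r = run_function(extra);
        printf("extra pops=%d: ebx=%08x esi=%08x ebp=%08x eip=%08x\n",
               extra, r.ebx, r.esi, r.ebp, r.eip);
    }
    return 0;
}
```

With two extra pops the model reproduces the post exactly: ebx receives the saved ebp (X) and esi the return address, while ebp and the return address are still correct because `leave` resynchronises esp from ebp before `pop ebp`/`ret`.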