Date: Thu, 29 Mar 2001 01:34:58 +1000 (EST)
From: Bruce Evans
To: John Baldwin
Cc: Terry Lambert, current@FreeBSD.ORG
Subject: RE: Fun way to panic -current
Sender: owner-freebsd-current@FreeBSD.ORG

On Wed, 28 Mar 2001, John Baldwin wrote:

> On 28-Mar-01 Terry Lambert wrote:
> > Run the 4.3 mountd on it.
> >
> > Boom!  Kernel memory allocation way too large; unrecoverable!

Does this really panic -current?  It panics old versions of -current,
and the -current mountd panics RELENG_4, but current versions of -current
are supposed to check the parameters passed by mountd (etc.) enough to
avoid the panic.

> Yes, struct ucred sucks.  In -current the userland now uses a static struct
> xucred that doesn't contain things like mutexes and thus mountd shouldn't crash
> in current anymore when struct ucred changes size.  Too bad we can't retrofit
> that. :(

But we did retrofit binary compatibility of ucred stuff.  struct xucred
in -current has the same size and layout as struct ucred in RELENG_4.
This should make old mountd's binary compatible with -current kernels
and -current mountd's compatible with RELENG_4 kernels.  However, the
binary compatibility of struct export_args was broken at the same time
that struct ucred was unbroken, by changing some fields from int to char.
The -current mountd puts stack garbage in the padding after the chars,
and RELENG_4 kernels interpret the garbage as high bits and do
malloc(TOOBIG).  bzero()ing the struct in mountd "fixed" the problem.

Bruce
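
Added example, not part of the original message and not FreeBSD code: a model of the int-to-char mismatch described above, showing what an old reader sees with dirty versus zeroed padding, and a receiver-side length check. The struct layouts, DEMO_MAXLEN, the function names and the 0xA5 fill byte are constructed for illustration; a little-endian machine is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts modelling the int -> char change; NOT the real export_args. */
struct old_args { void *addr; int32_t addrlen; void *mask; int32_t masklen; };
struct new_args { void *addr; uint8_t addrlen; void *mask; uint8_t masklen; };

/* Same size and offsets, so neither side notices the mismatch. */
_Static_assert(sizeof(struct old_args) == sizeof(struct new_args), "size");
_Static_assert(offsetof(struct old_args, addrlen) ==
               offsetof(struct new_args, addrlen), "offset");

#define DEMO_MAXLEN 255 /* hypothetical upper bound on an address length */

/* New userland: `fill` stands in for prior stack contents (0 models bzero()). */
static void pack_new(unsigned char *buf, unsigned char fill,
                     uint8_t addrlen, uint8_t masklen)
{
    memset(buf, fill, sizeof(struct new_args));
    memcpy(buf + offsetof(struct new_args, addrlen), &addrlen, 1);
    memcpy(buf + offsetof(struct new_args, masklen), &masklen, 1);
}

/* Old kernel: reads the same bytes as a 4-byte int, padding included. */
static int32_t old_view_addrlen(const unsigned char *buf)
{
    int32_t len;
    memcpy(&len, buf + offsetof(struct old_args, addrlen), sizeof(len));
    return len;
}

/* Receiver-side validation before any allocation sized by the field. */
static int len_ok(int32_t len) { return len >= 0 && len <= DEMO_MAXLEN; }

/* Pack with the given fill and return what the old reader sees. */
static int32_t demo(unsigned char fill, uint8_t addrlen)
{
    unsigned char buf[sizeof(struct new_args)];
    pack_new(buf, fill, addrlen, addrlen);
    return old_view_addrlen(buf);
}

int main(void)
{
    printf("dirty:  %d ok=%d\n", (int)demo(0xA5, 16), len_ok(demo(0xA5, 16)));
    printf("zeroed: %d ok=%d\n", (int)demo(0x00, 16), len_ok(demo(0x00, 16)));
    return 0;
}
```

Zeroing on the sending side and bounds-checking on the receiving side are independent defences; the check is what keeps a receiver safe when it cannot control what the sender left in the padding.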