From owner-freebsd-questions  Wed Jan  3 20:41:06 2001
From owner-freebsd-questions@FreeBSD.ORG  Wed Jan  3 20:41:00 2001
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80])
	by hub.freebsd.org (Postfix) with ESMTP id 7714D37B400;
	Wed,  3 Jan 2001 20:40:58 -0800 (PST)
Received: by wantadilla.lemis.com (Postfix, from userid 1004)
	id 2E2826A911; Thu,  4 Jan 2001 15:10:55 +1030 (CST)
Date: Thu, 4 Jan 2001 15:10:55 +1030
From: Greg Lehey
To: Jeff Fellin
Cc: FreeBSD Hackers
Subject: Re: debugging kernel buffer overwrite
Message-ID: <20010104151054.N40668@wantadilla.lemis.com>
References: <200101021935.OAA12733@zydeco.research.bell-labs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101021935.OAA12733@zydeco.research.bell-labs.com>; from jkf@research.bell-labs.com on Tue, Jan 02, 2001 at 02:35:39PM -0500
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.lemis.com/~grog
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[following up to -hackers]

On Tuesday,  2 January 2001 at 14:35:39 -0500, Jeff Fellin wrote:
>
> I previously sent this mail on freebsd-current, but realize it
> was probably an incorrect list. So, I am reposting to
> freebsd-questions. If this is still the wrong list, could
> someone tell me the best list to post this question to?

FreeBSD-hackers, probably.  -questions is for administrative rather
than programming issues.

> I am having a problem with a device driver that uses physio
> to transfer data to a SCSI adapter. Sometimes, after
> passing the buffer to the CAM system via xpt_action, the
> buffer contents are modified. I've traced my driver and cannot
> determine how this could be happening. I am running on a single
> CPU Pentium II system with all system config defaults.
>
> What I would like to do is to dynamically set a watch point
> on the buffer used by the write system call for the duration
> of sending the data to the SCSI adapter. I want to do this
> dynamically instead of manually setting a breakpoint in the
> code and manually setting the watch point, because the problem
> occurs around the 90th time, and I don't want SCSI bus timeouts
> while typing the watch address.
>
> I've examined the ddb code, and thought that if I emulated the
> steps in db_trap() for the command of setting a watchpoint it
> would work. However, it doesn't appear to be working.
>
> What I've done is:
>
>	/* possible on data xfer >= 512 bytes */
>	if (condition for problem) {
>
>		db_watchpoint_cmd(bp->bio_addr, bp->bio_addr,
>				  bp->bio_count, &"rw");

Why &"rw"?  The parameter is a char *, which is the type of "rw".

>		db_continue_cmd(0, 0, 0, &"w");
>		db_restart_at_pc(FALSE);
>	}
>
> When the buffer is done transmitting I do the following:
>
>	db_clear_watchpoints();
>	db_deletewatch_cmd(bp->bio_addr, bp->cio_addr,
>			   bp->cio_count, &"rw");
>	db_continue_cmd(0, 0, 0, &"w");
>	db_restart_at_pc(FALSE);
>
> My driver trace printf's show the data at bp->bio_addr was
> changed from 0x601000a3 to 0x0.

That's a strange initial address.  I didn't think we had anything
mapped at 0x601000a3.

> Additional traces show the data from the first 200+ bytes is changed
> to zero.

In the buffer header, or in the data buffer?

> Any guidance on how to use the ddb functions to debug this problem
> is appreciated. Also, alternative methods to determine what is
> overwriting the buffer. In looking at the data on a SCSI bus
> analyzer, the entire buffer has been zeroed out.

Hmm.  You don't say what goes wrong, nor whether your breakpoints ever
get set.

In the past I've used the debug registers for this, which has the
advantage that, if you know where it's going to get broken, you can set
a memory access breakpoint and catch it in the act.  I can drag out the
functions if you like.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
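A software fallback for the watchpoint Jeff is trying to set, added here as an example and not code from the thread, from FreeBSD or from CAM: copy the buffer at hand-off and compare it at each checkpoint, so the first checkpoint that reports a change brackets when the overwrite happens and the offset shows whether it landed in the header or in the data. watch_check, fake_xpt_action and find_corrupting_request are hypothetical names; the transport stand-in is constructed to zero the first 200 bytes of the 90th request, matching the symptom in the post.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names; nothing here is from the thread or from CAM. */
struct change {
    int found;         /* 1 if the live buffer differs from the snapshot */
    size_t first_off;  /* offset of the first differing byte */
    size_t run_len;    /* length of the contiguous differing run */
    int all_zero;      /* 1 if every byte of that run is now 0x00 */
};

/* Compare the live buffer against the copy taken at hand-off.  The offset
 * says where the damage is (header vs. data); the checkpoint that first
 * reports it says when. */
struct change watch_check(const uint8_t *live, const uint8_t *snap, size_t len)
{
    struct change c = {0, 0, 0, 0};
    size_t i = 0;
    while (i < len && live[i] == snap[i]) i++;
    if (i == len) return c;                      /* untouched */
    c.found = 1; c.first_off = i; c.all_zero = 1;
    for (; i < len && live[i] != snap[i]; i++) {
        c.run_len++;
        if (live[i] != 0) c.all_zero = 0;
    }
    return c;
}

/* Constructed stand-in for the transport layer: corrupts the 90th request
 * by zeroing its first 200 bytes, the symptom described in the post. */
static void fake_xpt_action(uint8_t *buf, size_t len, int reqno)
{
    if (reqno == 90 && len >= 512) memset(buf, 0, len < 200 ? len : 200);
}

/* Snapshot each request at hand-off and check it after the transport
 * returns; reports the first request whose buffer changed, or -1. */
int find_corrupting_request(struct change *out)
{
    uint8_t buf[1024], snap[1024];
    for (int req = 1; req <= 100; req++) {
        memset(buf, 0xa3, sizeof buf);           /* constructed payload */
        memcpy(snap, buf, sizeof buf);           /* arm: copy at hand-off */
        fake_xpt_action(buf, sizeof buf, req);
        *out = watch_check(buf, snap, sizeof buf); /* checkpoint */
        if (out->found) return req;
    }
    return -1;
}
```

In a real driver the snapshot would be taken just before xpt_action and checked in the completion path and again after the bus analyzer shows the data, so the two checkpoints bracket the offending stage.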