From owner-freebsd-alpha Fri May 17 5: 4:51 2002
Delivered-To: freebsd-alpha@freebsd.org
Received: from r220-1.rz.RWTH-Aachen.DE (r220-1.rz.RWTH-Aachen.DE [134.130.3.31]) by hub.freebsd.org (Postfix) with ESMTP id 2D04537B40D for ; Fri, 17 May 2002 05:04:47 -0700 (PDT)
Received: from r220-1.rz.RWTH-Aachen.DE (relay2.RWTH-Aachen.DE [134.130.3.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3-2) with ESMTP id g4HC4j200310; Fri, 17 May 2002 14:04:45 +0200 (MEST)
Received: from hyperion.informatik.rwth-aachen.de (hyperion.Informatik.RWTH-Aachen.DE [137.226.194.33]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3/7) with ESMTP id g4HC4id00290; Fri, 17 May 2002 14:04:44 +0200 (MEST)
Received: from margaux.informatik.rwth-aachen.de (margaux.Informatik.RWTH-Aachen.DE [137.226.194.72]) by hyperion.informatik.rwth-aachen.de (8.9.1b+Sun/8.9.1) with ESMTP id OAA20571; Fri, 17 May 2002 14:04:37 +0200 (MET DST)
Received: (from stolz@localhost) by margaux.informatik.rwth-aachen.de (8.9.1b+Sun/8.9.1-gb-2) id OAA00354; Fri, 17 May 2002 14:04:36 +0200 (MET DST)
Date: Fri, 17 May 2002 14:04:36 +0200
From: Volker Stolz
To: Bernd Walter
Cc: alpha@freebsd.org
Subject: Re: memory management fault during netbooting on 4.6-PRERELEASE
Message-ID: <20020517140436.A347@i2.informatik.rwth-aachen.de>
References: <20020514235608.A69014@xor.obsecurity.org> <15586.25870.79809.901266@grasshopper.cs.duke.edu> <20020515173553.GK4401@cicely5.cicely.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.17i
In-Reply-To: <20020515173553.GK4401@cicely5.cicely.de>
Sender: owner-freebsd-alpha@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In local.freebsd-alpha, you wrote:
> There are potentially many of them waiting for a small change elsewhere.
> One PR (alpha/34232) is open containing a fix for one of them, which
> might be the same you are seeing.
> I just did not find the time yet to check if the fix might leak
> some kernel internal data in the padding.

After I discovered the reason, I toyed some more with the fixes and I think the cure is worse than the cause. The problem is that some kernel functions/ioctls which export data to userland are not 64bit friendly because of missing padding -- not in the structures, but in how they are used. You will find some comments by itojun(?) in the NetBSD sources where he states the same.

What happened in my case is that the interfaces got reported by an ioctl and I had IPv6 addresses on the interfaces. Unluckily, IPv6 addresses are not x*8 in size, but rather x*8+n. Now the kernel allocates one chunk of contiguous memory for all interface addresses and starts to fill them in. This means that the next sa_address following an IPv6 entry will start at an unaligned address. I was using 'dhclient', too, and did observe the same behaviour and tracked it to the same place with gdb in -STABLE (the first IP6 address is one of the fec80, so the first "real" IPv6 address will trigger this).

So, to fix this, you'd have to change the layout of the addresses in the chunk *and* fix all applications to behave accordingly, otherwise they'd read from the wrong offset. That's where SA_ALIGN came into play, which does exactly that. Maybe you could just add trailing padding to the IP6-struct in the header and rebuild world ;) However, YMMV, and the bug DES reported might already be something else. Some patches are still lying around on my disks, but remember, you have to fix the kernel and the userland :-/

Volker

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-alpha" in the body of the message
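The layout problem Volker describes, as an added example that is not part of the original mail or of the FreeBSD sources: a kernel packs variable-length sockaddrs back to back into one buffer, userland walks the buffer by stepping over each entry's sa_len, and because a BSD sockaddr_in6 is 28 bytes (3*8+4) every entry after the first IPv6 one starts at an offset that is not a multiple of 8. On an LP64 machine such as Alpha, 64-bit loads from such an entry fault. The second packing mode rounds each step up with an SA_ALIGN-style macro, which is the idiom the mail refers to; both the kernel side (packer) and the userland side (walker) must agree on the rounding, which is the point Volker makes about having to fix both. Struct sizes, the word size and the sample entry list are constructed for the demo; the code uses no system socket headers so it runs anywhere.

```c
/* Added example (not from the original mail): contiguous sockaddr packing
 * with and without SA_ALIGN-style padding. All sizes below are constructed
 * constants matching the classic BSD layouts, not taken from system headers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIN_LEN   16u  /* sizeof(struct sockaddr_in)  on BSD                */
#define SIN6_LEN  28u  /* sizeof(struct sockaddr_in6) on BSD: 3*8 + 4 bytes */
#define WORD       8u  /* natural alignment on an LP64 machine (e.g. Alpha) */

/* Round a sockaddr length up to a WORD multiple, as SA_ALIGN does. */
#define SA_ALIGN(len) (((len) + WORD - 1) & ~(WORD - 1))

/* BSD-style sockaddr header: the first byte is the total entry length. */
struct sa_hdr { uint8_t sa_len; uint8_t sa_family; };

/* Constructed sample: one IPv4 address followed by two IPv6 addresses. */
static const uint8_t sample_lens[] = { SIN_LEN, SIN6_LEN, SIN6_LEN };
#define NSAMPLE (sizeof sample_lens / sizeof sample_lens[0])
#define BUFSZ 128

/* "Kernel side": pack entries into buf, padded (pad=1) or not (pad=0).
 * Records each entry's start offset; returns bytes used, 0 on overflow. */
size_t pack_sockaddrs(const uint8_t *lens, size_t n, int pad,
                      uint8_t *buf, size_t bufsz, size_t *offsets)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t adv = pad ? SA_ALIGN(lens[i]) : lens[i];
        if (off + adv > bufsz)
            return 0;
        struct sa_hdr h = { lens[i], 0 };   /* family not needed for the demo */
        memset(buf + off, 0, adv);          /* padding bytes zeroed, never leaked */
        memcpy(buf + off, &h, sizeof h);
        offsets[i] = off;
        off += adv;
    }
    return off;
}

/* "Userland side": walk by sa_len (optionally rounded up) and count entries
 * whose start is not WORD-aligned, i.e. would fault on a 64-bit load. */
size_t count_misaligned(const uint8_t *buf, size_t used, int pad)
{
    size_t bad = 0, off = 0;
    while (off < used) {
        const struct sa_hdr *h = (const struct sa_hdr *)(buf + off);
        if (off % WORD != 0)
            bad++;
        size_t adv = pad ? SA_ALIGN(h->sa_len) : h->sa_len;
        if (adv == 0)
            break;                          /* malformed entry: stop the walk */
        off += adv;
    }
    return bad;
}

/* Helpers exposing the demo results as return values. */
size_t demo_used(int pad)
{
    uint8_t buf[BUFSZ]; size_t offs[NSAMPLE];
    return pack_sockaddrs(sample_lens, NSAMPLE, pad, buf, BUFSZ, offs);
}

size_t demo_offset(int pad, size_t idx)
{
    uint8_t buf[BUFSZ]; size_t offs[NSAMPLE];
    pack_sockaddrs(sample_lens, NSAMPLE, pad, buf, BUFSZ, offs);
    return idx < NSAMPLE ? offs[idx] : (size_t)-1;
}

size_t demo_misaligned(int pad)
{
    uint8_t buf[BUFSZ]; size_t offs[NSAMPLE];
    size_t used = pack_sockaddrs(sample_lens, NSAMPLE, pad, buf, BUFSZ, offs);
    return count_misaligned(buf, used, pad);
}

int main(void)
{
    for (int pad = 0; pad <= 1; pad++) {
        printf("%s: used=%zu offsets=", pad ? "SA_ALIGN" : "unpadded", demo_used(pad));
        for (size_t i = 0; i < NSAMPLE; i++)
            printf("%zu ", demo_offset(pad, i));
        printf("misaligned=%zu\n", demo_misaligned(pad));
    }
    return 0;
}
```

Unpadded, the third entry lands at offset 44 and is the one that would fault; with SA_ALIGN rounding it moves to 48 and the walk stays aligned. Changing only one side of the exchange (kernel packer or userland walker) makes the reader step to the wrong offsets, which is why the fix has to land in both places.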