oskit-mach: device_write


From: Daniel Wagner
Subject: oskit-mach: device_write
Date: Sat, 2 Mar 2002 22:13:40 +0100
User-agent: Mutt/1.3.24i

I restarted work on the problem I reported several 
months ago [1]. It is very difficult for me to say what's 
going wrong. I wrote a minimal program, which makes the 
oskit-mach kernel crash:

--------------------------------------------------------
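#include <stdlib.h>
#include <string.h>   /* memset */
#include <error.h>
#include <mach.h>     /* mach_task_self, mach_port_deallocate */
#include <hurd.h>     /* get_privileged_ports */
#include <device/device.h>
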
int
main (int argc, char** argv)
{  
  int err;
  device_t ether_port;
  device_t master_device;
  char *name = "eth0";
  u_int count;

  struct _data {
    char string[100];
  } data;

  memset (&data, 0, sizeof(struct _data));
  
  err = get_privileged_ports (0, &master_device);
  if (err)
    error (2, err, "cannot get device master port");
  
  err = device_open (master_device, D_WRITE, name, &ether_port);
  mach_port_deallocate (mach_task_self (), master_device);
  if (err)
    error (2, err, "%s", name);
  
  if (0)
    /* The correct way (hopefully) */
    device_write (ether_port, D_NOWAIT, 0, 
                  (io_buf_ptr_t)&data, sizeof (struct _data), &count);
  else
    /* The size (5th parameter) is wrong */
    device_write (ether_port, D_NOWAIT, 0, 
                  (io_buf_ptr_t)&data, 4, &count);
  
  return 0;
}
------------------------------------------------------

As you can see, if the 5th parameter of the device_write 
function is wrong then oskit-mach crashes. Gnumach instead
keeps cool and puts the packet on the wire. Therefore I suspect
that the glue code is not completely correct. 

I found the following lines in gnumach/linux/dev/glue/net.c:

static io_return_t
device_write (void *d, ipc_port_t reply_port,
              mach_msg_type_name_t reply_port_type, dev_mode_t mode,
              recnum_t bn, io_buf_ptr_t data, unsigned int count,
              int *bytes_written)
{
[...]

  if (count == 0 || count > dev->mtu + dev->hard_header_len)
    return D_INVALID_SIZE;

  /* Allocate a sk_buff.  */
  amt = PAGE_SIZE - (copy->offset & PAGE_MASK);
  skblen = (amt >= count) ? 0 : count;

[...]
}

If I interpret this correctly there is at least one page allocated 
and later it will be freed. And therefore the wrong argument does 
no harm. 

The next step for me is to understand what exactly happens in
the oskit-mach code. 

wagi


[1] http://mail.gnu.org/pipermail/bug-hurd/2001-October/005627.html
-- 
Daniel Wagner                              "use quit to exit"
email: wagi@gmx.ch

GnuPG: 1024D/DCDE890A (public key available on any keyserver)
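
Added example (not part of the original mail, and not gnumach or oskit-mach code): a user-space model of the size check and sk_buff length computation quoted above from linux/dev/glue/net.c. It shows that the 4-byte write from the test program passes the quoted check, next to a hypothetical stricter variant that also refuses a buffer shorter than the link-layer header. Assumed values: 4096-byte pages, PAGE_MASK equal to PAGE_SIZE - 1, Ethernet mtu 1500 and hard_header_len 14. The struct and function names are made up for the model.

```c
/* Added example: model of the quoted glue-code size handling. */
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u                   /* assumed page size */
#define MODEL_PAGE_MASK (MODEL_PAGE_SIZE - 1u)  /* assumed mask convention */

enum write_status { W_OK, W_INVALID_SIZE, W_TOO_SHORT };

struct netdev_model {            /* hypothetical stand-in for *dev */
  unsigned int mtu;
  unsigned int hard_header_len;
};

struct write_plan {
  unsigned int amt;     /* bytes left in the page that holds the data */
  unsigned int skblen;  /* 0 if the data fits in that page, else count */
};

/* The check and the two assignments as quoted in the mail. */
enum write_status
quoted_check (const struct netdev_model *dev, unsigned int offset,
              unsigned int count, struct write_plan *plan)
{
  if (count == 0 || count > dev->mtu + dev->hard_header_len)
    return W_INVALID_SIZE;
  plan->amt = MODEL_PAGE_SIZE - (offset & MODEL_PAGE_MASK);
  plan->skblen = (plan->amt >= count) ? 0 : count;
  return W_OK;
}

/* Hypothetical stricter variant: same check, plus a lower bound so a
   buffer that cannot hold the link-layer header is refused.  */
enum write_status
strict_check (const struct netdev_model *dev, unsigned int offset,
              unsigned int count, struct write_plan *plan)
{
  enum write_status st = quoted_check (dev, offset, count, plan);
  if (st != W_OK)
    return st;
  return count < dev->hard_header_len ? W_TOO_SHORT : W_OK;
}

int
main (void)
{
  struct netdev_model dev = { 1500, 14 };  /* constructed sample device */
  struct write_plan plan;
  printf ("count=4: quoted=%d strict=%d\n",
          quoted_check (&dev, 0, 4, &plan), strict_check (&dev, 0, 4, &plan));
  return 0;
}
```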


