All,
I am working on adding Brussels support to the re driver, and I am
noticing some odd behavior. The following code causes a panic (NULL
pointer deref).
I have verified that barg is not NULL (see trace below). The cause of
the panic is the bcopy invocation, which, again, as far as I can tell, is
valid.
Have there been any changes to the Brussels interfaces recently?
/*
 * re_m_getprop - property "get" entry point the Brussels framework calls
 * on the re driver.
 *
 * barg        driver soft state, an re_t *, handed back by the framework
 * pr_name     property name; not consulted, the numeric id is used instead
 * pr_num      id of the property being queried
 * pr_flags    MAC_PROP_DEFAULT selects the default value over the current one
 * pr_valsize  size in bytes of the caller's buffer at pr_val
 * pr_val      buffer that receives the property value
 *
 * Returns 0 on success, EINVAL when pr_valsize is zero or smaller than a
 * link_flowctrl_t, and ENOTSUP for any property other than MAC_PROP_FLOWCTRL.
 * pr_val itself is not validated; the framework is trusted to pass a buffer.
 *
 * NOTE(review): the panic trace posted with this code shows the function
 * entered as re_m_getprop(6001450fb40, 1142d344, 3, 1, 6001142d344, 9),
 * i.e. pr_valsize=0x6001142d344 and pr_val=9.  That looks like the caller
 * passing a different argument list than this prototype expects, so the
 * bcopy below would be writing to address 9 rather than through a NULL
 * barg.  Confirm this prototype against the current mac_callbacks_t
 * getprop definition before changing the body.
 */
int
re_m_getprop(void *barg, const char *pr_name, mac_prop_id_t pr_num,
    uint_t pr_flags, uint_t pr_valsize, void *pr_val)
{
	re_t *rep = barg;
	link_flowctrl_t fc;

	/* An empty buffer is rejected before the property id is examined. */
	if (pr_valsize == 0)
		return (EINVAL);

	/* Flow control is the only property this driver reports. */
	if (pr_num != MAC_PROP_FLOWCTRL)
		return (ENOTSUP);

	if (pr_valsize < sizeof (fc))
		return (EINVAL);

	if (pr_flags & MAC_PROP_DEFAULT) {
		/* Default depends on chip mode: BI for RTL8029AS, else NONE. */
		if (rep->re_mode & RE_MODE_RTL8029AS)
			fc = LINK_FLOWCTRL_BI;
		else
			fc = LINK_FLOWCTRL_NONE;
	} else {
		fc = rep->re_flowctrl;
	}

	bcopy(&fc, pr_val, sizeof (fc));
	return (0);
}
The associated trace is:
[0]> $c
kmdb_enter(10c60e0, 0, 1815108, 2a10305dae0, 0, 12b0c00)
panicsys+0x3e4(30001dc1a20, 10c6000, 180c000, 0, 40, 183c400)
vpanic+0xcc(10c0fd0, 2a10305ce98, 9, 48, 9, 7fe2ab64)
panic+0x1c(10c0fd0, 31, 2a10305d0f0, 9, 0, 18bbd74)
die+0x74(10c0c00, 2a10305d0f0, 9, 0, 1, 2a10305ced0)
trap+0x9d8(2a10305d0f0, 0, 31, 1c00, 9, 5)
ktl0+0x48(2a10305d244, 9, 1, 0, 0, 2)
re`re_m_getprop+0x80(6001450fb40, 1142d344, 3, 1, 6001142d344, 9)
dld`drv_ioc_prop_common+0xe0(6001142d240, 600135b3b40, 0, 60011bb1a28,
60018f43040, 60019c6db70)
putnext+0x208(60019c6dc68, 60019c6db70, 600135b3b40, 100, 1815800, 0)
strdoioctl+0x364(60019c6bcd0, 2a10305d7e0, 100003, 1, c50, 600135b3b40)
strioctl+0x13e0(60019c6bcd0, 444bf0e4, 0, 600179766d0, 1, 444c4415)
specfs`spec_ioctl+0x80(f100000024, 5308, ffbfed80, 100003, 600179766d0,
2a10305dadc)
fop_ioctl+0x58(60019c6f900, 5308, ffbfed80, 100003, 0, 2a10305dadc)
ioctl+0x16c(7, 5308, ffbfed80, 121, 60018ef1ab0, 0)
syscall_trap32+0xcc(7, 5308, ffbfed80, 121, ff392a00, 0)
[0]>
TIA,
Steve
--
Yet magic and hierarchy
arise from the same source,
and this source has a null pointer.
Reference the NULL within NULL,
it is the gateway to all wizardry.
_______________________________________________
driver-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/driver-discuss