From owner-freebsd-current@FreeBSD.ORG  Tue Apr 27 11:56:04 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6934716A4CE
	for <current@FreeBSD.ORG>; Tue, 27 Apr 2004 11:56:04 -0700 (PDT)
Received: from herbelot.dyndns.org (herbelot.net1.nerim.net [62.212.117.213])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8DB7443D31
	for <current@FreeBSD.ORG>; Tue, 27 Apr 2004 11:56:02 -0700 (PDT)
	(envelope-from thierry@herbelot.com)
Received: from [192.168.2.6] (diversion.herbelot.nom [192.168.2.6])
	by herbelot.dyndns.org (8.12.9/8.12.10) with ESMTP id i3RIh5sv006452
	for <current@FreeBSD.ORG>; Tue, 27 Apr 2004 20:43:05 +0200 (CEST)
From: Thierry Herbelot <thierry@herbelot.com>
To: current@FreeBSD.ORG
Date: Tue, 27 Apr 2004 20:56:00 +0200
User-Agent: KMail/1.6.2
X-Warning: Windows can lose your files
X-Op-Sys: Le FriBi de la mort qui tue
X-Org: TfH&Co
X-MailScanner: Found to be clean
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: Multipart/Mixed;
  boundary="Boundary-00=_AzqjAvWb5c829g/"
Message-Id: <200404272056.00109.thierry@herbelot.com>
Subject: panic while ripping a CDROM (via ATA)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: thierry@herbelot.com
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2004 18:56:04 -0000


--Boundary-00=_AzqjAvWb5c829g/
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello,

It seems I hit a recurrent panic, while ripping an audio CD on an ATAPI drive 
with kaudiocreator (from kdemultimedia-3.2.2, compiled locally).

what should I send to have a better bug report ?

the panic backtrace is :
(kgdb) where
#0  doadump () at /files3/src/sys/kern/kern_shutdown.c:236
#1  0xc05e6861 in boot (howto=260) at /files3/src/sys/kern/kern_shutdown.c:370
#2  0xc05e6ba3 in __panic () at /files3/src/sys/kern/kern_shutdown.c:548
#3  0xc045cf37 in db_panic () at /files3/src/sys/ddb/db_command.c:453
#4  0xc045cec4 in db_command (last_cmdp=0xc08654a0, cmd_table=0x0,
    aux_cmd_tablep=0xc07e70fc, aux_cmd_tablep_end=0xc07e7114)
    at /files3/src/sys/ddb/db_command.c:348
#5  0xc045cfa4 in db_command_loop () at /files3/src/sys/ddb/db_command.c:475
#6  0xc045f739 in db_trap (type=12, code=0) 
at /files3/src/sys/ddb/db_trap.c:73
#7  0xc0747759 in kdb_trap (type=12, code=0, regs=0xcd347c60)
    at /files3/src/sys/i386/i386/db_interface.c:159
#8  0xc0759f3b in trap_fatal (frame=0xcd347c60, eva=3273337668)
    at /files3/src/sys/i386/i386/trap.c:810
#9  0xc0759c7f in trap_pfault (frame=0xcd347c60, usermode=0, eva=3273337668)
    at /files3/src/sys/i386/i386/trap.c:733
#10 0xc07598e1 in trap (frame=
      {tf_fs = 24, tf_es = -852230128, tf_ds = -1067515888, tf_edi = 
-1021629628, tf_esi = -1028144640, tf_ebp = -852198208, tf_isp = -852198260, 
tf_ebx = 0, tf_edx = 368, tf_ecx = 9, tf_eax = -1021662556, tf_trapno = 12, 
tf_err = 2, tf_eip = -1068808346, tf_cs = 8, tf_eflags = 66050, tf_esp = 
-1051786592, tf_ss = -1051822448}) at /files3/src/sys/i386/i386/trap.c:420
#11 0xc04b4766 in ata_pio_read (request=0xc31aaa8c, length=18)
    at machine/cpufunc.h:217
---Type <return> to continue, or q <return> to quit---
#12 0xc04b25b1 in ata_generic_interrupt (data=0xc2b7c200)
    at /files3/src/sys/dev/ata/ata-lowlevel.c:461
#13 0xc05d6c30 in ithread_loop (arg=0xc2ac9080)
    at /files3/src/sys/kern/kern_intr.c:574
#14 0xc05d5f78 in fork_exit (callout=0xc05d6a8c <ithread_loop>,
    arg=0xc2ac9080, frame=0xcd347d48) at /files3/src/sys/kern/kern_fork.c:816


(kgdb) up
#12 0xc04b25b1 in ata_generic_interrupt (data=0xc2b7c200)
    at /files3/src/sys/dev/ata/ata-lowlevel.c:461
461                 ata_pio_read(request, length);
(kgdb) list
456                     ata_prtdev(request->device,
457                                "%s trying to read on write buffer\n",
458                                ata_cmd2str(request));
459                     break;
460                 }
461                 ata_pio_read(request, length);
462                 request->donecount += length;
463
464                 /* set next transfer size according to HW capabilities */
465                 request->transfersize = 
min((request->bytecount-request->donecount),
(kgdb) print request
$1 = (struct ata_request *) 0xc31aaa8c
(kgdb) print length
$2 = 18
(kgdb) print request->donecount
$3 = 32928

after looking a bit I've found the following definition :
#define ATA_INSW_STRM(res, offset, addr, count) \
        bus_space_read_multi_stream_2(rman_get_bustag((res)), \
                                      rman_get_bushandle((res)), \
                                      (offset), (addr), (count))

which must be called in ata_pio_read(), but no man page for 
bus_space_read_multi_stream_2() !

could-there be a out of bound access from the ata-read function ?

This is with a fairly recent kernel (cvsupped this mornig), with the following 
ATA driver :
ulti-cur% ident /boot/kernel/kernel | grep ata
     $FreeBSD: src/sys/dev/ata/ata-all.c,v 1.208 2004/04/13 09:44:20 sos Exp $
     $FreeBSD: src/sys/dev/ata/ata-queue.c,v 1.26 2004/04/13 09:44:20 sos Exp$
     $FreeBSD: src/sys/dev/ata/ata-lowlevel.c,v 1.33 2004/04/19 18:29:43 sos 
Exp $
     $FreeBSD: src/sys/dev/ata/ata-isa.c,v 1.21 2004/04/13 09:44:20 sos Exp $
     $FreeBSD: src/sys/dev/ata/ata-card.c,v 1.23 2004/04/13 09:44:20 sos Exp $
     $FreeBSD: src/sys/dev/ata/ata-pci.c,v 1.81 2004/04/24 16:32:06 sos Exp $
     $FreeBSD: src/sys/dev/ata/ata-chipset.c,v 1.70 2004/04/24 15:54:20 sos 
Exp $
     $FreeBSD: src/sys/dev/ata/ata-dma.c,v 1.126 2004/04/13 09:44:20 sos Exp $
     $FreeBSD: src/sys/dev/ata/ata-disk.c,v 1.172 2004/04/13 09:44:20 sos Exp$
     $FreeBSD: src/sys/dev/ata/ata-raid.c,v 1.78 2004/02/18 21:36:51 phk Exp $
     $FreeBSD: src/sys/dev/ata/atapi-cd.c,v 1.165 2004/03/02 14:03:43 sos Exp$
     $FreeBSD: src/sys/dev/ata/atapi-fd.c,v 1.95 2004/03/01 13:17:07 sos Exp $
     $FreeBSD: src/sys/dev/ata/atapi-tape.c,v 1.90 2004/03/01 13:17:07 sos 
Exp$

The rip so far went to :
multi-cur% pushd /files3/tmp/kde-tfh/
/files3/tmp/kde-tfh ~
multi-cur% ll
total 6144
-rw-r--r--  1 tfh  wheel  6272828 Apr 27 20:07 kaudiocreatorIg5Lzf.tmp.part
multi-cur%

	TfH

enclosed : the dmesg 

--Boundary-00=_AzqjAvWb5c829g/
Content-Type: text/plain;
  charset="us-ascii";
  name="dmesg.boot"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="dmesg.boot"

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.2-CURRENT #114: Tue Apr 27 13:52:32 CEST 2004
    thierry.herbelot@multi-cur.herbelot.nom:/files3/obj/files3/src/sys/GENERIC
WARNING: WITNESS option enabled, expect reduced performance.
Preloaded elf kernel "/boot/kernel/kernel" at 0xc09da000.
Preloaded elf module "/boot/kernel/snd_es137x.ko" at 0xc09da1f4.
Preloaded elf module "/boot/kernel/snd_pcm.ko" at 0xc09da2a4.
Preloaded elf module "/boot/kernel/snd_mss.ko" at 0xc09da350.
Preloaded acpi_dsdt "/boot/DSDT.aml" at 0xc09da3fc.
Preloaded elf module "/boot/kernel/joy.ko" at 0xc09da440.
MPTable: <OEM00000 PROD00000000>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium II/Pentium II Xeon/Celeron (334.09-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x665  Stepping = 5
  Features=0x183fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
real memory  = 268435456 (256 MB)
avail memory = 253091840 (241 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Assuming intbase of 0
ioapic0 <Version 1.1> irqs 0-23 on motherboard
random: <entropy source, Software, Yarrow>
Pentium Pro MTRR support enabled
cpu0 on motherboard
cpu1 on motherboard
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Found $PIR table, 8 entries at 0xc00fd7e0
pcib0: <MPTable Host-PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pcib0: slot 7 INTD routed to irq 19
pcib0: slot 9 INTA routed to irq 19
pcib0: slot 11 INTA routed to irq 18
pcib0: slot 13 INTA routed to irq 17
pcib0: slot 15 INTA routed to irq 16
pcib0: slot 19 INTA routed to irq 18
pcib0: slot 19 INTB routed to irq 18
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd8000000-0xdbffffff at device 0.0 on pci0
agp0: Reserved 0x4000000 bytes for rid 0x10 type 3 at 0xd8000000
pcib1: <MPTable PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pcib1: slot 0 INTA routed to irq 16
pci1: <display, VGA> at device 0.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 7.1 on pci0
atapci0: Reserved 0x10 bytes for rid 0x20 type 4 at 0xf000
atapci0: Reserved 0x8 bytes for rid 0x10 type 4 at 0x1f0
atapci0: Reserved 0x1 bytes for rid 0x14 type 4 at 0x3f6
ata0: at 0x1f0 irq 14 on atapci0
atapci0: Reserved 0x8 bytes for rid 0x18 type 4 at 0x170
atapci0: Reserved 0x1 bytes for rid 0x1c type 4 at 0x376
ata1: at 0x170 irq 15 on atapci0
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xc000-0xc01f irq 19 at device 7.2 on pci0
uhci0: Reserved 0x20 bytes for rid 0x20 type 4 at 0xc000
uhci0: [GIANT-LOCKED]
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
Timecounter "PIIX" frequency 3579545 Hz quality 0
pcm0: <AudioPCI ES1370> port 0xc400-0xc43f irq 19 at device 9.0 on pci0
pcm0: Reserved 0x40 bytes for rid 0x10 type 4 at 0xc400
pcm0: [GIANT-LOCKED]
dc0: <82c169 PNIC 10/100BaseTX> port 0xc800-0xc8ff mem 0xdf000000-0xdf0000ff irq 18 at device 11.0 on pci0
dc0: Reserved 0x100 bytes for rid 0x10 type 4 at 0xc800
miibus0: <MII bus> on dc0
bmtphy0: <BCM5201 10/100baseTX PHY> on miibus0
bmtphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: Ethernet address: 00:02:e3:08:63:af
dc0: [GIANT-LOCKED]
pcm1: <AudioPCI ES1373-8> port 0xcc00-0xcc3f irq 17 at device 13.0 on pci0
pcm1: Reserved 0x40 bytes for rid 0x10 type 4 at 0xcc00
pcm1: <Cirrus Logic CS4297A AC97 Codec>
pcm1: [GIANT-LOCKED]
re0: Reserved 0x100 bytes for rid 0x10 type 4 at 0xd000
rl0: <RealTek 8139 10/100BaseTX> port 0xd000-0xd0ff mem 0xdf001000-0xdf0010ff irq 16 at device 15.0 on pci0
miibus1: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus1
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:40:95:30:38:36
rl0: [GIANT-LOCKED]
atapci1: <HighPoint HPT366 UDMA66 controller> port 0xdc00-0xdcff,0xd800-0xd803,0xd400-0xd407 irq 18 at device 19.0 on pci0
atapci1: Reserved 0x100 bytes for rid 0x20 type 4 at 0xdc00
atapci1: Reserved 0x8 bytes for rid 0x10 type 4 at 0xd400
atapci1: Reserved 0x4 bytes for rid 0x14 type 4 at 0xd800
ata2: at 0xd400 on atapci1
atapci2: <HighPoint HPT366 UDMA66 controller> port 0xe800-0xe8ff,0xe400-0xe403,0xe000-0xe007 irq 18 at device 19.1 on pci0
atapci2: Reserved 0x100 bytes for rid 0x20 type 4 at 0xe800
atapci2: Reserved 0x8 bytes for rid 0x10 type 4 at 0xe000
atapci2: Reserved 0x4 bytes for rid 0x14 type 4 at 0xe400
ata3: at 0xe000 on atapci2
orm0: <Option ROMs> at iomem 0xef000-0xeffff,0xc0000-0xcbfff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Generic PS/2 mouse, device ID 0
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x100>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A, console
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
pcm2: <Yamaha OPL-SAx> at port 0x370-0x371,0x330-0x331,0x388-0x38b,0x530-0x537,0x220-0x22f irq 5 drq 1,0 on isa0
pcm2: [GIANT-LOCKED]
joy0: <Generic PnP Joystick> at port 0x201 on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0c02> can't assign resources (memory)
unknown: <PNP0a03> can't assign resources (port)
unknown: <PNP0f13> can't assign resources (irq)
unknown: <PNP0501> can't assign resources (port)
unknown: <PNP0700> can't assign resources (port)
unknown: <PNP0400> can't assign resources (port)
unknown: <PNP0501> can't assign resources (port)
Timecounters tick every 1.000 msec
ad0: 6149MB <Maxtor 86480D6> [13328/15/63] at ata0-master UDMA33
acd0: CDROM <NEC CD-ROM DRIVE:28B> at ata1-master PIO4
SMP: AP CPU #1 Launched!
Mounting root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted

--Boundary-00=_AzqjAvWb5c829g/--