From: Joerg Wunsch
To: freebsd-scsi@freebsd.org
Date: Sun, 8 May 2011 12:45:43 +0200
Message-ID: <20110508104543.GB5364@uriah.heep.sax.de>
In-Reply-To: <20110508094509.GT48734@deviant.kiev.zoral.com.ua>
Subject: Re: Panic when removing a SCSI device entry

As Kostik Belousov wrote:

> > and it's the indirection of *(dev)->si_siblings.le_prev that hits a
> > NULL pointer. Obviously, LIST_REMOVE doesn't anticipate that

> Is it NULL pointer dereference ? See below.

Yes, the fault address in the page fault is 0.

> Please provide the full printout from the panic. Also, it would
> be useful to get the dump and do "p *dev" from the frame of
> destroy_devl(). I might need further information after the requested
> data is provided.

Unfortunately, I somehow cannot get the system to provide a coredump.
The dmesg printout from the panic is:

sa0 at sym0 bus 0 scbus1 target 0 lun 0
sa0: Removable Sequential Access SCSI-2 device
sa0: 20.000MB/s transfers (10.000MHz, offset 15, 16bit)
(sa0:sym0:0:0:0): removing device entry

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc052f346
stack pointer           = 0x28:0xe98504a0
frame pointer           = 0x28:0xe98504c4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 52518 (mt)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1d4h55m31s

(This includes the sa0 device arrival/removal messages.)

The disassembly of the respective part of destroy_devl() is:

0xc052f32e:  test   $0x10,%dl
0xc052f331:  je     0xc052f34c
0xc052f333:  mov    0x4c(%esi),%edx
0xc052f336:  test   %edx,%edx
0xc052f338:  je     0xc052f340
0xc052f33a:  mov    0x50(%esi),%eax
0xc052f33d:  mov    %eax,0x50(%edx)
0xc052f340:  mov    0x50(%esi),%edx
0xc052f343:  mov    0x4c(%esi),%eax
0xc052f346:  mov    %eax,(%edx)
0xc052f348:  andl   $0xffffffef,0x4(%esi)

I could perhaps set up a serial console, so to get at least DDB
functioning if you'd like to see more details. A remote GDB might
also be possible, but will require more work (setting up the
respective environment on a second machine).

> Thing you may try meantime is the following patch.

OK, I'll do that tonight, so let's see how the subsequent nightly
backups proceed.

-- 
cheers, J"org               .-.-.   --... ...--   -.. .  DL8DTL

http://www.sax.de/~joerg/                        NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
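
The disassembly in the message has the shape of a flag test on bit 0x10, the two stores of the sys/queue.h LIST_REMOVE macro, and a flag clear, with the fault on the store through le_prev. The following user-space model is an added example, not code from this thread or from the FreeBSD source; `struct node`, `ON_LIST`, `list_insert_head` and `list_remove_checked` are hypothetical names, and the linkage check is one possible guard, not the patch discussed above.

```c
#include <stddef.h>
#include <stdio.h>

#define ON_LIST 0x10u   /* assumed name; same bit the disassembly tests */

/* Same linkage as a sys/queue.h LIST_ENTRY: le_prev points at the
 * previous element's le_next (or the head pointer) and is never NULL
 * while the element is linked. */
struct node {
    unsigned      flags;
    struct node  *le_next;
    struct node **le_prev;
};
struct head { struct node *lh_first; };

static void list_insert_head(struct head *h, struct node *n)
{
    if ((n->le_next = h->lh_first) != NULL)
        h->lh_first->le_prev = &n->le_next;
    h->lh_first = n;
    n->le_prev = &h->lh_first;
    n->flags |= ON_LIST;
}

/* Flag test, the two stores of LIST_REMOVE, flag clear: the sequence in
 * the disassembly, plus a linkage check before the store through le_prev.
 * Returns 0 if removed or not on a list, -1 if flag and links disagree. */
static int list_remove_checked(struct node *n)
{
    if (!(n->flags & ON_LIST))
        return 0;
    if (n->le_prev == NULL || *n->le_prev != n)
        return -1;          /* a NULL le_prev is the store that faulted */
    if (n->le_next != NULL)
        n->le_next->le_prev = n->le_prev;
    *n->le_prev = n->le_next;
    n->le_next = NULL;
    n->le_prev = NULL;      /* makes a second removal detectable */
    n->flags &= ~ON_LIST;
    return 0;
}

int main(void)
{
    struct head h = { NULL };
    struct node a = { 0, NULL, NULL }, stale = { ON_LIST, NULL, NULL };
    list_insert_head(&h, &a);
    printf("linked: %d\n", list_remove_checked(&a));
    printf("stale:  %d\n", list_remove_checked(&stale));
    return 0;
}
```
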