Date: Wed, 10 Dec 2014 15:09:03 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 195853] New: During removing device entry of a powered off tape drive camcontrol devlist causes page fault
Message-ID: <bug-195853-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195853

Bug ID: 195853
Summary: During removing device entry of a powered off tape drive camcontrol devlist causes page fault
Product: Base System
Version: 8.4-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: longwitz@incore.de

On a system running FreeBSD 8.4-STABLE r273833 (amd64) a tape drive was
powered off. A little time later the command "camcontrol devlist" lets the
system crash with a page fault:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
(sa1:mpt0:0:10:0): removing device entry

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xa0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff803c63a7
stack pointer           = 0x28:0xffffff8245b3adc0
frame pointer           = 0x28:0xffffff8245b3ae00
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 76133 (camcontrol)
Dumping 1399 out of 8181 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91%

Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from /boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
266             if (textdump_pending)
Loading gdb init file /home/crash/.gdbinit
... set height 100
... source gdb6 (and gdb6.i386)
... source mygdb6
... Working directory /home/crash.
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
#1  0xffffffff80201c8c in db_fncall (dummy1=<value optimized out>,
    dummy2=<value optimized out>, dummy3=<value optimized out>,
    dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:548
#2  0xffffffff80201f3d in db_command (last_cmdp=0xffffffff808a16c0,
    cmd_table=<value optimized out>, dopager=0)
    at /usr/src/sys/ddb/db_command.c:445
#3  0xffffffff802065f3 in db_script_exec (
    scriptname=0xffffffff806770be "kdb.enter.default", warnifnotfound=0)
    at /usr/src/sys/ddb/db_script.c:302
#4  0xffffffff802066ee in db_script_kdbenter (eventname=<value optimized out>)
    at /usr/src/sys/ddb/db_script.c:325
#5  0xffffffff802042d4 in db_trap (type=<value optimized out>,
    code=<value optimized out>) at /usr/src/sys/ddb/db_main.c:230
#6  0xffffffff80444901 in kdb_trap (type=12, code=0, tf=0xffffff8245b3ad10)
    at /usr/src/sys/kern/subr_kdb.c:654
#7  0xffffffff805f8d4d in trap_fatal (frame=0xffffff8245b3ad10,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:844
#8  0xffffffff805f90ff in trap_pfault (frame=0xffffff8245b3ad10, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:765
#9  0xffffffff805f95b2 in trap (frame=0xffffff8245b3ad10)
    at /usr/src/sys/amd64/amd64/trap.c:457
#10 0xffffffff805df1a8 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:228
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:938
#12 0xffffffff803c6779 in destroy_dev (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:959
#13 0xffffffff801ac9a3 in sacleanup (periph=0xffffff0141d0d300)
    at /usr/src/sys/cam/scsi/scsi_sa.c:1389
#14 0xffffffff8017f00a in camperiphfree (periph=0xffffff0141d0d300)
    at /usr/src/sys/cam/cam_periph.c:572
#15 0xffffffff80181d78 in xptperiphtraverse (device=<value optimized out>,
    start_periph=0xffffff0141d0d300,
    tr_func=0xffffffff801821f0 <xptedtperiphfunc>, arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2164
#16 0xffffffff801830bc in xptdevicetraverse (target=<value optimized out>,
    start_device=<value optimized out>,
    tr_func=0xffffffff80184930 <xptedtdevicefunc>, arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2097
#17 0xffffffff80181529 in xpttargettraverse (bus=<value optimized out>,
    start_target=<value optimized out>,
    tr_func=0xffffffff80183130 <xptedttargetfunc>, arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2065
#18 0xffffffff8018161e in xptbustraverse (start_bus=<value optimized out>,
    tr_func=0xffffffff801823c0 <xptedtbusfunc>, arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2000
#19 0xffffffff801881ad in xpt_action_default (start_ccb=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:1798
#20 0xffffffff8018600f in xptioctl (dev=<value optimized out>,
    cmd=<value optimized out>, addr=0xffffff013a68f800 "",
    flag=<value optimized out>, td=<value optimized out>)
    at /usr/src/sys/cam/cam_xpt.c:586
#21 0xffffffff803828db in devfs_ioctl_f (fp=0xffffff00bd631be0,
    com=3299349762, data=<value optimized out>, cred=<value optimized out>,
    td=0xffffff01009978e0) at /usr/src/sys/fs/devfs/devfs_vnops.c:700
#22 0xffffffff804571f2 in kern_ioctl (td=<value optimized out>,
    fd=<value optimized out>, com=3299349762, data=0xffffff013a68f800 "")
    at file.h:277
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0,
    uap=0xffffff8245b3bbb0) at /usr/src/sys/kern/sys_generic.c:679
#24 0xffffffff805f81df in amd64_syscall (td=0xffffff01009978e0, traced=0)
    at subr_syscall.c:114
#25 0xffffffff805df49c in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:387
#26 0x0000000180a8478c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 23
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0,
    uap=0xffffff8245b3bbb0) at /usr/src/sys/kern/sys_generic.c:679
679             error = kern_ioctl(td, uap->fd, com, data);
(kgdb) x/8sb td->td_proc->p_args
0xffffff00024b8180:      "\001"
0xffffff00024b8182:      ""
0xffffff00024b8183:      ""
0xffffff00024b8184:      "\023"
0xffffff00024b8186:      ""
0xffffff00024b8187:      ""
0xffffff00024b8188:      "camcontrol"
0xffffff00024b8193:      "devlist"
(kgdb) f 11
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:938
938                     if (LIST_EMPTY(&csw->d_devs)) {
(kgdb) list
933             if (!(dev->si_flags & SI_ALIAS)) {
934                     /* Remove from cdevsw list */
935                     LIST_REMOVE(dev, si_list);
936
937                     /* If cdevsw has no more struct cdev *'s, clean it */
938                     if (LIST_EMPTY(&csw->d_devs)) {
939                             fini_cdevsw(csw);
940                             wakeup(&csw->d_devs);
941                     }
942             }
(kgdb) p *dev
$1 = {__si_reserved = 0x0, si_flags = 0, si_atime = {tv_sec = 1417519453,
    tv_nsec = 0}, si_ctime = {tv_sec = 1417519453, tv_nsec = 0}, si_mtime = {
    tv_sec = 1417519453, tv_nsec = 0}, si_uid = 0, si_gid = 5, si_mode = 432,
  si_cred = 0x0, si_drv0 = 16, si_refcount = 2, si_list = {
    le_next = 0xffffff009aaaac00, le_prev = 0xffffff0062982460}, si_clone = {
    le_next = 0x0, le_prev = 0x0}, si_children = {lh_first = 0x0},
  si_siblings = {le_next = 0x0, le_prev = 0x0}, si_parent = 0x0,
  si_name = 0xffffff013e73a6e0 "sa1.ctl", si_drv1 = 0x0, si_drv2 = 0x0,
  si_devsw = 0x0, si_iosize_max = 0, si_usecount = 0, si_threadcount = 0,
  __si_u = {__sid_snapdata = 0x0},
  __si_namebuf = "sa1.ctl", '\0' <repeats 56 times>}
(kgdb) p &csw
$2 = (struct cdevsw **) 0xffffff8245b3ade0
(kgdb) p csw
$3 = (struct cdevsw *) 0x0

I can give more information from the crash dump.

--
You are receiving this mail because:
You are the assignee for the bug.