From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 195853] New: During removing device entry of a powered off tape drive camcontrol devlist causes page fault
Date: Wed, 10 Dec 2014 15:09:03 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195853

Bug ID: 195853
Summary: During removing device entry of a powered off tape drive camcontrol devlist causes page fault
Product: Base System
Version: 8.4-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: longwitz@incore.de

On a system running FreeBSD 8.4-STABLE r273833 (amd64), a tape drive was powered off. A short time later, the command "camcontrol devlist" caused the system to crash with a page fault:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
(sa1:mpt0:0:10:0): removing device entry

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xa0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff803c63a7
stack pointer           = 0x28:0xffffff8245b3adc0
frame pointer           = 0x28:0xffffff8245b3ae00
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 76133 (camcontrol)
Dumping 1399 out of 8181 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91%

Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from /boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
266             if (textdump_pending)
Loading gdb init file /home/crash/.gdbinit ...
set height 100 ...
source gdb6 (and gdb6.i386) ...
source mygdb6 ...
Working directory /home/crash.
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
#1  0xffffffff80201c8c in db_fncall (dummy1=, dummy2=, dummy3=, dummy4=)
    at /usr/src/sys/ddb/db_command.c:548
#2  0xffffffff80201f3d in db_command (last_cmdp=0xffffffff808a16c0, cmd_table=, dopager=0)
    at /usr/src/sys/ddb/db_command.c:445
#3  0xffffffff802065f3 in db_script_exec (scriptname=0xffffffff806770be "kdb.enter.default", warnifnotfound=0)
    at /usr/src/sys/ddb/db_script.c:302
#4  0xffffffff802066ee in db_script_kdbenter (eventname=)
    at /usr/src/sys/ddb/db_script.c:325
#5  0xffffffff802042d4 in db_trap (type=, code=)
    at /usr/src/sys/ddb/db_main.c:230
#6  0xffffffff80444901 in kdb_trap (type=12, code=0, tf=0xffffff8245b3ad10)
    at /usr/src/sys/kern/subr_kdb.c:654
#7  0xffffffff805f8d4d in trap_fatal (frame=0xffffff8245b3ad10, eva=)
    at /usr/src/sys/amd64/amd64/trap.c:844
#8  0xffffffff805f90ff in trap_pfault (frame=0xffffff8245b3ad10, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:765
#9  0xffffffff805f95b2 in trap (frame=0xffffff8245b3ad10)
    at /usr/src/sys/amd64/amd64/trap.c:457
#10 0xffffffff805df1a8 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:228
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:938
#12 0xffffffff803c6779 in destroy_dev (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:959
#13 0xffffffff801ac9a3 in sacleanup (periph=0xffffff0141d0d300)
    at /usr/src/sys/cam/scsi/scsi_sa.c:1389
#14 0xffffffff8017f00a in camperiphfree (periph=0xffffff0141d0d300)
    at /usr/src/sys/cam/cam_periph.c:572
#15 0xffffffff80181d78 in xptperiphtraverse (device=, start_periph=0xffffff0141d0d300, tr_func=0xffffffff801821f0 , arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2164
#16 0xffffffff801830bc in xptdevicetraverse (target=, start_device=, tr_func=0xffffffff80184930 , arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2097
#17 0xffffffff80181529 in xpttargettraverse (bus=, start_target=, tr_func=0xffffffff80183130 , arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2065
#18 0xffffffff8018161e in xptbustraverse (start_bus=, tr_func=0xffffffff801823c0 , arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2000
#19 0xffffffff801881ad in xpt_action_default (start_ccb=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:1798
#20 0xffffffff8018600f in xptioctl (dev=, cmd=, addr=0xffffff013a68f800 "", flag=, td=)
    at /usr/src/sys/cam/cam_xpt.c:586
#21 0xffffffff803828db in devfs_ioctl_f (fp=0xffffff00bd631be0, com=3299349762, data=, cred=, td=0xffffff01009978e0)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:700
#22 0xffffffff804571f2 in kern_ioctl (td=, fd=, com=3299349762, data=0xffffff013a68f800 "")
    at file.h:277
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0)
    at /usr/src/sys/kern/sys_generic.c:679
#24 0xffffffff805f81df in amd64_syscall (td=0xffffff01009978e0, traced=0)
    at subr_syscall.c:114
#25 0xffffffff805df49c in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:387
#26 0x0000000180a8478c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 23
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0)
    at /usr/src/sys/kern/sys_generic.c:679
679             error = kern_ioctl(td, uap->fd, com, data);
(kgdb) x/8sb td->td_proc->p_args
0xffffff00024b8180: "\001"
0xffffff00024b8182: ""
0xffffff00024b8183: ""
0xffffff00024b8184: "\023"
0xffffff00024b8186: ""
0xffffff00024b8187: ""
0xffffff00024b8188: "camcontrol"
0xffffff00024b8193: "devlist"
(kgdb) f 11
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600)
    at /usr/src/sys/kern/kern_conf.c:938
938                     if (LIST_EMPTY(&csw->d_devs)) {
(kgdb) list
933             if (!(dev->si_flags & SI_ALIAS)) {
934                     /* Remove from cdevsw list */
935                     LIST_REMOVE(dev, si_list);
936
937                     /* If cdevsw has no more struct cdev *'s, clean it */
938                     if (LIST_EMPTY(&csw->d_devs)) {
939                             fini_cdevsw(csw);
940                             wakeup(&csw->d_devs);
941                     }
942             }
(kgdb) p *dev
$1 = {__si_reserved = 0x0, si_flags = 0,
  si_atime = {tv_sec = 1417519453, tv_nsec = 0},
  si_ctime = {tv_sec = 1417519453, tv_nsec = 0},
  si_mtime = {tv_sec = 1417519453, tv_nsec = 0},
  si_uid = 0, si_gid = 5, si_mode = 432, si_cred = 0x0, si_drv0 = 16,
  si_refcount = 2,
  si_list = {le_next = 0xffffff009aaaac00, le_prev = 0xffffff0062982460},
  si_clone = {le_next = 0x0, le_prev = 0x0},
  si_children = {lh_first = 0x0},
  si_siblings = {le_next = 0x0, le_prev = 0x0},
  si_parent = 0x0, si_name = 0xffffff013e73a6e0 "sa1.ctl",
  si_drv1 = 0x0, si_drv2 = 0x0, si_devsw = 0x0, si_iosize_max = 0,
  si_usecount = 0, si_threadcount = 0, __si_u = {__sid_snapdata = 0x0},
  __si_namebuf = "sa1.ctl", '\0' }
(kgdb) p &csw
$2 = (struct cdevsw **) 0xffffff8245b3ade0
(kgdb) p csw
$3 = (struct cdevsw *) 0x0

I can give more information from the crash dump.

--
You are receiving this mail because:
You are the assignee for the bug.