Date: Thu, 25 Mar 2021 21:54:59 +0800 From: Tai-hwa Liang <atliang@gmail.com> To: freebsd-current@freebsd.org Subject: GPF: xpt_done_process got invalid ccb_h->path->bus pointer Message-ID: <CAE9vrO1QvNiR9dRAsU%2BwoFb7bCNaFeacNK1tk%2BJeUfX=sEuL1g@mail.gmail.com>
-CURRENT as of 24cd2796cf10211964be8a2cb3ea3e161adea746 This race can be triggered on a host with 1394 enclosure attached by using the following loop: while true; do kldload sbp; kldunload sbp done Fatal trap 9: general protection fault while in kernel mode cpuid = 13; apic id = 0d instruction pointer = 0x20:0xffffffff8038be3a stack pointer = 0x28:0xfffffe0269e07b30 frame pointer = 0x28:0xfffffe0269e07b60 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 41 (doneq0) trap number = 9 panic: general protection fault cpuid = 13 time = 1616639524 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0269e07840 vpanic() at vpanic+0x181/frame 0xfffffe0269e07890 panic() at panic+0x43/frame 0xfffffe0269e078f0 trap_fatal() at trap_fatal+0x387/frame 0xfffffe0269e07950 trap() at trap+0xa4/frame 0xfffffe0269e07a60 calltrap() at calltrap+0x8/frame 0xfffffe0269e07a60 --- trap 0x9, rip = 0xffffffff8038be3a, rsp = 0xfffffe0269e07b30, rbp = 0xfffffe0269e07b60 --- xpt_done_process() at xpt_done_process+0x12a/frame 0xfffffe0269e07b60 xpt_done_td() at xpt_done_td+0xf5/frame 0xfffffe0269e07bb0 fork_exit() at fork_exit+0x80/frame 0xfffffe0269e07bf0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0269e07bf0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic __curthread () at /home/freebsd-current/sys/amd64/include/pcpu_aux.h:55 55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu, (kgdb) where #0 __curthread () at /home/freebsd-current/sys/amd64/include/pcpu_aux.h:55 #1 doadump (textdump=textdump@entry=0) at /home/freebsd-current/sys/kern/kern_shutdown.c:399 #2 0xffffffff804c7d2a in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /home/freebsd-current/sys/ddb/db_command.c:575 #3 0xffffffff804c7aee in db_command (last_cmdp=<optimized out>, cmd_table=<optimized 
out>, dopager=dopager@entry=1) at /home/freebsd-current/sys/ddb/db_command.c:482 #4 0xffffffff804c782d in db_command_loop () at /home/freebsd-current/sys/ddb/db_command.c:535 #5 0xffffffff804cafb6 in db_trap (type=<optimized out>, code=<optimized out>) at /home/freebsd-current/sys/ddb/db_main.c:270 #6 0xffffffff80c5c754 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=<optimized out>, tf@entry=0xfffffe0269e07770) at /home/freebsd-current/sys/kern/subr_kdb.c:727 #7 0xffffffff810bf97e in trap (frame=0xfffffe0269e07770) at /home/freebsd-current/sys/amd64/amd64/trap.c:576 #8 <signal handler called> #9 kdb_enter (why=0xffffffff812b664a "panic", msg=<optimized out>) at /home/freebsd-current/sys/kern/subr_kdb.c:506 #10 0xffffffff80c0faf2 in vpanic (fmt=<optimized out>, ap=<optimized out>, ap@entry=0xfffffe0269e078d0) at /home/freebsd-current/sys/kern/kern_shutdown.c:907 #11 0xffffffff80c0f883 in panic (fmt=0xffffffff81e9a738 <cnputs_mtx> "\202;'\201\377\377\377\377") at /home/freebsd-current/sys/kern/kern_shutdown.c:843 #12 0xffffffff810bfdd7 in trap_fatal (frame=0xfffffe0269e07a70, eva=0) at /home/freebsd-current/sys/amd64/amd64/trap.c:915 #13 0xffffffff810bf264 in trap (frame=0xfffffe0269e07a70) at /home/freebsd-current/sys/amd64/amd64/trap.c:212 #14 <signal handler called> #15 xpt_done_process (ccb_h=0xfffff80102f2f000) at /home/freebsd-current/sys/cam/cam_xpt.c:5419 #16 0xffffffff8038e0f5 in xpt_done_td (arg=arg@entry=0xffffffff81bc4980 <cam_doneqs>) at /home/freebsd-current/sys/cam/cam_xpt.c:5544 #17 0xffffffff80bc9a60 in fork_exit (callout=0xffffffff8038e000 <xpt_done_td>, arg=0xffffffff81bc4980 <cam_doneqs>, frame=0xfffffe0269e07c00) at /home/freebsd-current/sys/kern/kern_fork.c:1077 #18 <signal handler called> (kgdb) up 15 #15 xpt_done_process (ccb_h=0xfffff80102f2f000) at /home/freebsd-current/sys/cam/cam_xpt.c:5419 5419 sim = ccb_h->path->bus->sim; (kgdb) print *ccb_h $1 = {pinfo = {priority = 1, generation = 11, index = -3}, xpt_links = {le = {le_next = 
0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}, stqe = { stqe_next = 0x0}}, sim_links = {le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}, stqe = {stqe_next = 0x0}}, periph_links = {le = { le_next = 0xffffffffffffffff, le_prev = 0xffffffffffffffff}, sle = {sle_next = 0xffffffffffffffff}, tqe = {tqe_next = 0xffffffffffffffff, tqe_prev = 0xffffffffffffffff}, stqe = { stqe_next = 0xffffffffffffffff}}, retry_count = 0, cbfcnp = 0xffffffff826fdfe0 <sbp_cam_scan_lun>, func_code = XPT_SCAN_LUN, status = 1, path = 0xfffff820d9c10fa0, path_id = 6, target_id = 0, target_lun = 0, flags = 2048, xflags = 0, periph_priv = {entries = {{ptr = 0x0, field = 0, bytes = "\000\000\000\000\000\000\000"}, {ptr = 0x0, field = 0, bytes = "\000\000\000\000\000\000\000"}}, bytes = '\000' <repeats 15 times>}, sim_priv = {entries = {{ptr = 0xfffff820d9d8dd80, field = 18446735418710351232, bytes = "\200\335\330\331 \370\377\377"}, {ptr = 0x0, field = 0, bytes = "\000\000\000\000\000\000\000"}}, bytes = "\200\335\330\331 \370\377\377\000\000\000\000\000\000\000"}, qos = {etime = 0x0, sim_data = 0, periph_data = 1050626691830}, timeout = 0, softtimeout = {tv_sec = 0, tv_usec = 0}} (kgdb) print *ccb_h->path $2 = {periph = 0xdeadc0dedeadc0de, bus = 0xdeadc0dedeadc0de, target = 0xdeadc0dedeadc0de, device = 0xffffffff81a49810 <M_CAMPATH>} (kgdb) print *ccb_h->path->bus Cannot access memory at address 0xdeadc0dedeadc0de Not sure how we ended up with a device pointer that appears to be valid whilst the others are 0xdeadc0dedeadc0de. (With INVARIANTS, free() records the freeing malloc_type pointer in the last pointer-sized word of the block and the rest is left with the 0xdeadc0de junk fill, so this looks like ccb_h->path was freed with M_CAMPATH — presumably during the sbp unload — while the XPT_SCAN_LUN ccb was still on the done queue.)