Date:      Tue, 6 Jul 1999 01:04:08 +0200 (CEST)
From:      Nick Hibma <hibma@skylink.it>
To:        FreeBSD Hackers mailing list <hackers@freebsd.org>
Subject:   CAM panic in camq_fini
Message-ID:  <Pine.BSF.3.96.990706004946.13864A-100000@heidi.plazza.it>


When, after attaching to the CAM layer with

   cam_simq_alloc(1)
   cam_sim_alloc(action, poll, "umass", sc, unit, 1, 0, devq)
   xpt_bus_register(sc->sim, 0)
   xpt_create_path(&sc->path, NULL, cam_sim_path(sc->sim),
                       CAM_TARGET_WILDCARD, CAM_LUN_WILDCARD)

doing an immediate detach from it again, like so:

   xpt_async(AC_LOST_DEVICE, sc->path, NULL)
   xpt_free_path(sc->path)
   xpt_bus_deregister(cam_sim_path(sc->sim))
   cam_sim_free(sc->sim, /*free_devq*/TRUE)

(see also umass.c available at

   http://www.etla.net/~n_hibma/usb/umass.c.new

after adding a call to umass_cam_detach right after umass_cam_attach).

I get the following panic (frame #10):

panic: free: address 0xdeadc0e2 out of range

#0  0xc014b838 in boot ()
#1  0xc014ba85 in panic ()
#2  0xc012ea35 in db_panic ()
#3  0xc012e9d5 in db_command ()
#4  0xc012ea9a in db_command_loop ()
#5  0xc0130bfb in db_trap ()
#6  0xc021cc90 in kdb_trap ()
#7  0xc0228bb4 in trap ()
#8  0xc021ced3 in Debugger ()
#9  0xc014ba7c in panic ()
#10 0xc01482c6 in free ()
#11 0xc0122e22 in camq_fini ()
#12 0xc0122df5 in camq_free ()
#13 0xc012301e in cam_devq_free ()
#14 0xc01246db in cam_simq_free ()
#15 0xc0124785 in cam_sim_free ()
#16 0xc0209e46 in umass_cam_detach ()
#17 0xc0209067 in umass_detach ()
#18 0xc011d5eb in DEVICE_DETACH ()
#19 0xc01520c8 in device_detach ()
#20 0xc0151a6f in device_delete_child ()
#21 0xc0203836 in uhub_disconnect_port ()
#22 0xc020363f in uhub_explore ()
#23 0xc01ff45e in usb_discover ()
#24 0xc01ff192 in usbioctl ()
#25 0xc017e14c in spec_ioctl ()
#26 0xc017dab1 in spec_vnoperate ()
#27 0xc01e914d in ufs_vnoperatespec ()
#28 0xc0178441 in vn_ioctl ()
#29 0xc0157f43 in ioctl ()
#30 0xc02293f2 in syscall ()
#31 0xc021d5c0 in Xint0x80_syscall ()
#32 0x8048655 in ?? ()

I'm pretty sure that it is not me doing anything nasty, as the calls to
attach and detach are virtually one after the other. Did I miss out on
one of the deregister calls? One too many?

On a sideline: the following is more consistent with the rest of the
code:

Index: cam_queue.c
===================================================================
RCS file: /home/ncvs/src/sys/cam/cam_queue.c,v
retrieving revision 1.3
diff -u -r1.3 cam_queue.c
--- cam_queue.c 1999/04/19 21:26:08     1.3
+++ cam_queue.c 1999/07/05 22:58:55
@@ -136,8 +136,9 @@
                      queue->entries * sizeof(cam_pinfo *));
                free(queue->queue_array, M_DEVBUF);
        }
-       queue->queue_array = new_array-1;
+       queue->queue_array = new_array;
        queue->array_size = new_size;
+       queue->queue_array--;
        return (CAM_REQ_CMP);
 }
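Review bot: the context line `free(queue->queue_array, M_DEVBUF);` at the top of the hunk passes free() the stored 1-based pointer, which the lines below set to one element before the allocation (`new_array-1`, or `new_array` followed by `queue->queue_array--`), so on a second resize the old array is released by an address one element before what malloc() returned; whichever form is kept, that free should be given `queue->queue_array + 1`. The rewrite itself is behaviour-identical to the original single assignment, so it is a style change only and does not touch the camq_fini panic reported above; a short comment on the decrement explaining the 1-based heap indexing would make the convention clearer than a bare `--`.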

Cheers,

Nick
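The camq_fini/free frames at the top of the trace and the `new_array-1` assignment in the patch both turn on one convention: queue_array is kept as a 1-based pointer, one element before the allocation, so free() must never be handed it directly. The following userland re-creation of the resize and teardown path is an added example, not FreeBSD's code and not from this thread; camq_base, camq_demo and the sample priorities are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
/* Userland re-creation of the cam_queue.c idiom (added example, not FreeBSD code):
 * the heap code indexes queue_array from 1, so the stored pointer sits one element
 * before the malloc()ed block, and every free() has to undo that offset first. */
typedef struct cam_pinfo { int priority; } cam_pinfo;
struct camq {
    cam_pinfo **queue_array;   /* points one element BEFORE the allocation */
    int array_size, entries;
};
/* The address malloc() actually returned: the only pointer free() may be given. */
static cam_pinfo **camq_base(const struct camq *q)
{
    return q->queue_array == NULL ? NULL : q->queue_array + 1;
}
int camq_resize(struct camq *q, int new_size)
{
    cam_pinfo **new_array;
    if (new_size < q->entries) return -1;
    new_array = malloc((size_t)new_size * sizeof(cam_pinfo *));
    if (new_array == NULL) return -1;
    if (q->queue_array != NULL) {
        memcpy(new_array, camq_base(q), (size_t)q->entries * sizeof(cam_pinfo *));
        free(camq_base(q));   /* the real block, not the offset view */
    }
    q->queue_array = new_array - 1;   /* 1-based view, as the kernel code keeps it */
    q->array_size = new_size;
    return 0;
}
void camq_fini(struct camq *q)
{
    free(camq_base(q));   /* free(q->queue_array) here would be off by one */
    q->queue_array = NULL; q->array_size = q->entries = 0;
}
/* Alloc, fill, grow, tear down; returns 1 when both entries survive the grow. */
int camq_demo(void)
{
    struct camq q = { NULL, 0, 0 };
    cam_pinfo a = { 3 }, b = { 7 };   /* constructed sample entries */
    int ok;
    if (camq_resize(&q, 2) != 0) return 0;
    q.queue_array[1] = &a; q.queue_array[2] = &b; q.entries = 2;   /* slots 1..size */
    if (camq_resize(&q, 8) != 0) return 0;
    ok = q.array_size == 8 && q.queue_array[1]->priority == 3 &&
         q.queue_array[2]->priority == 7;
    camq_fini(&q);
    return ok && q.queue_array == NULL;
}
```

Running it under a malloc debugger (or the kernel's free() range check, as in the panic above) is what flags the mistake: pass `q->queue_array` instead of `camq_base(q)` to free() and the address is one pointer-width short of any live allocation.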
