Date: Wed, 25 Jul 2001 23:00:02 -0700 (PDT) From: wea@llnl.gov To: freebsd-bugs@FreeBSD.org Subject: Re: kern/29203: Kernel panic reading a non-fixated CD Message-ID: <200107260600.f6Q602N29687@freefall.freebsd.org>
index | next in thread | raw e-mail
The following reply was made to PR kern/29203; it has been noted by GNATS.
From: wea@llnl.gov
To: FreeBSD-gnats-submit@freebsd.org
Cc: wea@llnl.gov
Subject: Re: kern/29203: Kernel panic reading a non-fixated CD
Date: Wed, 25 Jul 2001 22:51:40 -0700 (PDT)
>Submitter-Id: current-users
>Originator: Ed Alley
>Organization: Lawrence Livermore National Lab.
>Confidential: no
>Synopsis: Kernel panics when mounting non-fixated CD
>Severity: non-critical
>Priority: low
>Category: kern
>Class: change-request
>Release: FreeBSD 4.3-RELEASE i386
>Environment:
System: FreeBSD jordan.llnl.gov 4.3-RELEASE #0: Tue Jul 24 13:38:25 PDT 2001 wea@llnl.gov: /usr/src/sys/compile/JORDAN.5.ipfw i386
>Description:
RE: PR kern/29203
I am running FreeBSD 4.3 with an IDE HP cd-writer 9500 series.
I appologize if this is a double submit but I never got a
reply from gnats concerning my second submission. This may
have been due to a corrupted subject line which didn't have
the RE: in it.
By looking at code I have discovered that the bytecount should
never exceed the maximum size of an signed integer! This can be
seen in the file atapi-all.c and the routine atapi_queue_cmd()
that queues up the atapi requests. The bytecount is passed
through the argument list of atapi_queue_cmd() as the variable
count which is typed as an int! Therefore, my concern about
bytecount being limited to 2G was unfounded. On my machine
ints and longs are both 32 bits. So limiting bytecount to
2G is correct.
The page fault was triggered by atapi_read() when it tried to
read a bytecount = 0xffff8000 which is larger that 2G. It is
curious that when we convert the hex to a signed long we
get -32768 which is -2^(15) where ^ means power. According
to <machine/limits.h> on my machine this is the value of
the smallest short. If the hardware returns short integers
and it thinks that -0 = 0x8000 this may be the problem
since 0x8000 would get sign extended for int32 so the
argument count would be equal to -32768 and then bytecount
would get set to 0xffff8000. (I'm speculating here since
I don't know how the hardware works.)
(In view of the above discussion perhaps a better place for a
patch is in atapi_queue_cmd(): a simple test on the sign of
count would suffice. I'll look at this also.)
I have previously submitted a patch to avoid the panic that
resulted after I tried to mount a non-fixated iso 9660 CD
previously burned with my CD writer. The previous patch had
the problem that it tested every ATAPI read for a large bytecount
including IDE disk reads. The patch below only tests CD reads,
and hence, only applies the 2G limit to these.
>How-To-Repeat:
Unless you have my hardware configuration you can't repeat
the error. However, I don't doubt that other CDRWs may
do something similar.
>Fix:
The patch has been changed: It now tests the bytecount
only for the case of reading a CD. This eliminates
the problem of limiting the bytecount to 2G for disk reads.
It now only does this for CDs.
Note: I have tried to print out a meaningful message
and also tried to get the atapi error mechanism to
say something meaningful, but I was not too successful.
If someone can improve this I would be grateful.
Also note: It may be better to do this in atapi_queue_cmd().
The patch must be installed in /usr/src/sys/dev/ata as:
patch -p < patch.file
Here is the patch:
*** atapi-all.c.orig Tue Jul 24 13:21:03 2001
--- atapi-all.c Wed Jul 25 16:03:47 2001
***************
*** 382,387 ****
--- 382,397 ----
return ATA_OP_CONTINUES;
case ATAPI_P_READ:
+ if (ATP_PARAM->device_type == ATAPI_TYPE_CDROM) {
+ if ((long)request->bytecount < 0) {
+ printf("%s: %s trying to read CD with bytecount = %lu\n",
+ atp->devname, atapi_cmd2str(atp->cmd),
+ (unsigned long)request->bytecount);
+ request->result =
+ ATAPI_E_ILI | ATAPI_SK_ILLEGAL_REQUEST;
+ break;
+ }
+ }
if (!(request->flags & ATPR_F_READ)) {
request->result = inb(atp->controller->ioaddr + ATA_ERROR);
printf("%s: %s trying to read on write buffer\n",
End of patch.
Thank-you in anticipation of your comments.
Ed
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107260600.f6Q602N29687>