From owner-freebsd-bugs@FreeBSD.ORG  Mon Oct 20 14:20:17 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 53E9C16A4B3
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 20 Oct 2003 14:20:17 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4820943F85
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 20 Oct 2003 14:20:14 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h9KLKEFY024968
	for <freebsd-bugs@freefall.freebsd.org>;
	Mon, 20 Oct 2003 14:20:14 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h9KLKES0024967;
	Mon, 20 Oct 2003 14:20:14 -0700 (PDT)
	(envelope-from gnats)
Resent-Date: Mon, 20 Oct 2003 14:20:14 -0700 (PDT)
Resent-Message-Id: <200310202120.h9KLKES0024967@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Harold Gutch <logix@foobar.franken.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B80516A4C0
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 20 Oct 2003 14:11:21 -0700 (PDT)
Received: from hub-r.franken.de (hub-r.franken.de [194.94.249.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D570643F75
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 20 Oct 2003 14:11:14 -0700 (PDT)
	(envelope-from logix@foobar.franken.de)
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81])
	by hub-r.franken.de (8.11.6/8.11.6) with ESMTP id h9KLBCo09319
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 20 Oct 2003 23:11:12 +0200
Received: from foobar.franken.de (localhost [127.0.0.1])
	by foobar.franken.de (8.12.9/8.12.9) with ESMTP id h9KLBBlb011682
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 20 Oct 2003 23:11:11 +0200 (CEST)
	(envelope-from logix@foobar.franken.de)
Received: (from logix@localhost)
	by foobar.franken.de (8.12.9p1/8.12.9/Submit) id h9KLAwmk011681;
	Mon, 20 Oct 2003 23:10:58 +0200 (CEST)
	(envelope-from logix)
Message-Id: <200310202110.h9KLAwmk011681@foobar.franken.de>
Date: Mon, 20 Oct 2003 23:10:58 +0200 (CEST)
From: Harold Gutch <logix@foobar.franken.de>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/58305: WITNESS + INVARIANTS + "camcontrol devlist" = panic
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Harold Gutch <logix@foobar.franken.de>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2003 21:20:17 -0000


>Number:         58305
>Category:       kern
>Synopsis:       WITNESS + INVARIANTS + "camcontrol devlist" = panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 20 14:20:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Harold Gutch
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD outside.gutch.net 5.1-CURRENT FreeBSD 5.1-CURRENT #4: Mon Oct 20 22:19:12 CEST 2003     logix@outside.gutch.net:/usr/obj/usr/src/sys/OUTSIDE  i386

No SCSI, one ATAPI CDRW, using atapicam.

>Description:

When running "camcontrol devlist" on a -CURRENT kernel from about 9 hours
ago (Oct 20, ~12:00 UTC) with INVARIANT_SUPPORT, INVARIANTS, WITNESS and
WITNESS_SKIPSKIN, I get a panic:

panic: vmapbuf
Debugger("panic")
Stopped at      Debugger+0x54:  xchgl   %ebx,in_Debugger.0
db> where
Debugger(c068bbbe,c06ecec0,c0692054,caac07ec,100) at Debugger+0x54
panic(c0692054,1,c069185a,e6e,0) at panic+0xd5
vmapbuf(c28dc798,0,c0676925,270,1) at vmapbuf+0x18e
cam_periph_mapmem(c0df4c00,caac08a0,0,caac08a4,c051a0c3) at cam_periph_mapmem+0x291
xptioctl(c164de00,c2601502,c0df4c00,3,c1823130) at xptioctl+0x26a
spec_ioctl(caac0b7c,caac0c28,c05590b1,caac0b7c,c04e977d) at spec_ioctl+0x19e
spec_vnoperate(caac0b7c,c04e977d,c06ee5a0,1,c06d6560) at spec_vnoperate+0x18
vn_ioctl(c1692220,c2601502,c0df4c00,c164f800,c1823130) at vn_ioctl+0x1a1
ioctl(c1823130,caac0d10,c06a2c0a,3ed,3) at ioctl+0x475
syscall(2f,2f,2f,bfbff814,0) at syscall+0x2c0
Xint0x80_syscall() at Xint0x80_syscall+0x1d
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x805463b, esp = 0xbfbff5ec, ebp = 0xbfbff9e8 ---

And then, in kgdb
panic: vmapbuf
panic: from debugger
Uptime: 59s
Dumping 64 MB
 16 32 48
---
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240             dumping++;
(kgdb) where             
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc04f308c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:372
#2  0xc04f3417 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3  0xc0440752 in db_panic () at /usr/src/sys/ddb/db_command.c:450
#4  0xc04406b2 in db_command (last_cmdp=0xc06d7cc0, cmd_table=0x0, 
    aux_cmd_tablep=0xc06a79b0, aux_cmd_tablep_end=0xc06a79b4)
    at /usr/src/sys/ddb/db_command.c:346
#5  0xc04407f5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472
#6  0xc04437f5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#7  0xc063d67c in kdb_trap (type=3, code=0, regs=0xca80f764)
    at /usr/src/sys/i386/i386/db_interface.c:171
#8  0xc064e4aa in trap (frame=
#9  0xc063f068 in calltrap () at {standard input}:102
#10 0xc04f33a5 in panic (fmt=0xc0692054 "vmapbuf")
    at /usr/src/sys/kern/kern_shutdown.c:534
#11 0xc053fd0e in vmapbuf (bp=0xc28dc798) at /usr/src/sys/kern/vfs_bio.c:3729
#12 0xc042e221 in cam_periph_mapmem (ccb=0x0, mapinfo=0xca80f8a0)
    at /usr/src/sys/cam/cam_periph.c:652
#13 0xc04303da in xptioctl (dev=0x0, cmd=3244684288, addr=0xca80f8a0 "", 
    flag=3, td=0xc1677be0) at /usr/src/sys/cam/cam_xpt.c:1132
#14 0xc04b86de in spec_ioctl (ap=0xca80fb7c)
    at /usr/src/sys/fs/specfs/spec_vnops.c:351
#15 0xc04b7cc8 in spec_vnoperate (ap=0x0)
    at /usr/src/sys/fs/specfs/spec_vnops.c:122
#16 0xc05590b1 in vn_ioctl (fp=0xc16933fc, com=3261076738, data=0xc165f400, 
    active_cred=0xc1849b00, td=0xc1677be0) at vnode_if.h:503
#17 0xc051bdf5 in ioctl (td=0xc1677be0, uap=0xca80fd10)
    at /usr/src/sys/sys/file.h:261
#18 0xc064ee10 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077938156, tf_esi = 0, tf_ebp = -1077937688, tf_isp = -897516172, tf_ebx = 134651066, tf_edx = 0, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 134563387, tf_cs = 31, tf_eflags = 518, tf_esp = -1077938708, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1009
#19 0xc063f0bd in Xint0x80_syscall () at {standard input}:144
---Can't read userspace from dump, or kernel process---

(kgdb) up 11
#11 0xc053fd0e in vmapbuf (bp=0xc28dc798) at /usr/src/sys/kern/vfs_bio.c:3729
3729                    panic("vmapbuf: mapped more than MAXPHYS");
(kgdb) list
3724                    if (m == NULL)
3725                            goto retry;
3726                    bp->b_pages[pidx] = m;
3727            }
3728            if (pidx > btoc(MAXPHYS))
3729                    panic("vmapbuf: mapped more than MAXPHYS");
3730            pmap_qenter((vm_offset_t)bp->b_saveaddr, bp->b_pages, pidx);
3731
3732            kva = bp->b_saveaddr;
3733            bp->b_npages = pidx;
(kgdb) print pidx
$1 = -897517408
(kgdb) print *bp
$3 = {b_io = {bio_cmd = 1, bio_dev = 0xc162d600, bio_disk = 0x0, 
    bio_offset = 30445568, bio_bcount = 12288, bio_data = 0x807b000---Can't read userspace from dump, or kernel process---


With INVARIANT_SUPPORT and INVARIANTS but without WITNESS, I don't get a
panic, but rather a freeze when running "camcontrol devlist".  A break on
the serial console brings me to ddb then:

panic: vmapbuf
Debugger("panic")
Stopped at      Debugger+0x54:  xchgl   %ebx,in_Debugger.0
db> where
Debugger(c06881b8,c06e7260,c068ce6f,ca80f7f4,100) at Debugger+0x54
panic(c068ce6f,1,c068c675,e6e,0) at panic+0xd5
vmapbuf(c28dc798,0,c0672f05,270,1) at vmapbuf+0x18e
cam_periph_mapmem(c165f400,ca80f8a8,c1676be0,ca80f894,c0540228) at cam_periph_mapmem+0x291
xptioctl(c165ab00,c2601502,c165f400,3,c1676be0) at xptioctl+0x26a
spec_ioctl(ca80fb7c,ca80fc28,c0555931,ca80fb7c,217) at spec_ioctl+0x14c
spec_vnoperate(ca80fb7c,217,c06e55a0,3ac,c06d0900) at spec_vnoperate+0x18
vn_ioctl(c1693f24,c2601502,c165f400,c184aa80,c1676be0) at vn_ioctl+0x1a1
ioctl(c1676be0,ca80fd10,c069da52,3ed,3) at ioctl+0x475
syscall(2f,2f,2f,bfbff814,0) at syscall+0x2c0
Xint0x80_syscall() at Xint0x80_syscall+0x1d
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x805463b, esp = 0xbfbff5ec, ebp = 0xbfbff9e8 ---
db> 

>How-To-Repeat:

Add INVARIANT_SUPPORT, INVARIANTS, WITNESS and WITNESS_SKIPSKIN to your
kernelconfig and run "camcontrol devlist".

>Fix:

None known.
>Release-Note:
>Audit-Trail:
>Unformatted: