Date: Sun, 21 Feb 1999 21:30:03 -0800 (PST)
Message-Id: <199902220530.VAA46299@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Bruce Evans
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Reply-To: Bruce Evans

The following reply was made to PR kern/10166; it has been noted by GNATS.

From: Bruce Evans
To: bde@zeta.org.au, hgoldste@bbs.mpcs.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Mon, 22 Feb 1999 16:24:53 +1100

>db> trace
>random_poll(f0571000,f2899ca8,f0191b67,0,10) at random_poll+0xef3
>random_poll(0,10,2ed,2ed,20) at random_poll+0xe6a
>Xfastintr4(f2899cd4,80000000,283,f2899cd4,f2899cdc) at Xfastintr4+0x17

`trace' (in all elf kernels?) is still broken.

>...
>(kgdb) frame 12
>#12 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
>    at ../../i386/isa/sio.c:1385
>1385            tp = com_addr(unit)->tp;
>(kgdb) l
>1380            if (mynor & CONTROL_MASK)
>1381                    return (ENODEV);
>1382            unit = MINOR_TO_UNIT(mynor);
>1383            if (com_addr(unit)->gone)
>1384                    return (ENODEV);
>1385            tp = com_addr(unit)->tp;
>1386            return ((*linesw[tp->t_line].l_read)(tp, uio, flag));
>1387    }
>1388
>1389    static int
>(kgdb) print *unit
>Cannot access memory at address 0x7610776.
>(kgdb) print unit
>$9 = 123799414

`unit' is out of bounds.  The caller seems to have passed a bad `dev'.
Unfortunately, the value for `dev' is not visible in the debugging output
for any of the callers.

>(kgdb) print tp
>$10 = (struct tty *) 0x7610776
>(kgdb) frame 13
>#13 0xf0154603 in spec_read (ap=0xf2899ef8)
>    at ../../miscfs/specfs/spec_vnops.c:278
>278             error = (*cdevsw[major(vp->v_rdev)]->d_read)
>(kgdb) print *vp
>$11 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
>  v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800,
>  v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
>    le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
>    tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0,
>    tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0},
>  v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900,
>    vu_socket = 0xf056d900, vu_specinfo = 0xf056d900,
                             ^^^^^^^^^^^ this points to a struct containing
                                         the device number
>    vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0,
>  v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
>    lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00,
>  v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640,
>    tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
>    vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0},
>    vpi_events = 0, vpi_revents = 0}}

Device numbers are checked at open() time.  Apparently, v_un or *vu_specinfo
was corrupted between open() and read().

Bruce
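
An added illustration of the failure mode described in the message above, not code from the original mail or from FreeBSD: a device number that is validated at open() and then cached gets revalidated in the read path, so a value corrupted in between returns ENODEV instead of indexing the unit table out of bounds. This contains the fault; it does not find what corrupted the memory. All toy_* names, the table size, the major number and the bit layout are assumptions made for this sketch, and 123799414 (the `unit' value from the kgdb output) is reused in the test as a constructed corrupted device number.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for illustration; not FreeBSD's definitions. */
#define TOY_NUNITS     4        /* size of the per-unit table (assumed) */
#define TOY_MAJOR      28u      /* constructed major number */
#define TOY_MAGIC_MASK 0xe0u    /* assumed non-unit bits of the minor */
#define TOY_MAJ(d)     (((d) >> 8) & 0xffu)
#define TOY_MINOR(d)   ((d) & 0xffff00ffu)
#define TOY_UNIT(m)    ((m) & ~TOY_MAGIC_MASK)

struct toy_softc    { int gone; int reads; };
struct toy_specinfo { uint32_t si_rdev; };  /* device number cached at open */

static struct toy_softc  toy_units[TOY_NUNITS];
static struct toy_softc *toy_table[TOY_NUNITS] = { &toy_units[0], &toy_units[1] };

/* Shared validation: the table is never indexed with an unchecked unit. */
static struct toy_softc *toy_lookup(uint32_t dev)
{
    uint32_t unit = TOY_UNIT(TOY_MINOR(dev));

    if (TOY_MAJ(dev) != TOY_MAJOR || unit >= TOY_NUNITS)
        return NULL;
    return toy_table[unit];     /* NULL here means "unit not attached" */
}

/* open(): validates the device number once and caches it. */
int toy_open(struct toy_specinfo *si, uint32_t dev)
{
    if (toy_lookup(dev) == NULL)
        return ENXIO;
    si->si_rdev = dev;
    return 0;
}

/* read(): revalidates the cached number, so a value corrupted after open()
 * yields ENODEV instead of a dereference through a wild table index. */
int toy_read(const struct toy_specinfo *si)
{
    struct toy_softc *sc = toy_lookup(si->si_rdev);

    if (sc == NULL || sc->gone)
        return ENODEV;
    sc->reads++;
    return 0;
}
```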