Date: Mon, 22 Feb 1999 10:50:02 -0800 (PST) From: Howard Goldstein <hgoldste@bbs.mpcs.com> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86 Message-ID: <199902221850.KAA99527@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/10166; it has been noted by GNATS.
From: Howard Goldstein <hgoldste@bbs.mpcs.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Mon, 22 Feb 1999 13:46:08 -0500 (EST)
Bruce Evans writes:
> >(kgdb) print *unit
> >Cannot access memory at address 0x7610776.
> >(kgdb) print unit
> >$9 = 123799414
>
> `unit' is out of bounds. The caller seems to have passed a bad `dev'.
> Unfortunately, the value for `dev' is not visible in the debugging output
> for any of the callers.
...
Here it is:
Fatal trkernel trap 12 with interrupts disabled
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x76107fa
fault code = supervisor read, page not present
instruction pointer = 0x8:0xf01a7bc3
stack pointer = 0x10:0xf2899c48
frame pointer = 0x10:0xf2899c6c
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 50 (vdusrvr)
interrupt mask = tty
kernel: type 12 trap, code=0
Stopped at random_poll+0xef3: testb $0x1,0x84(%eax)
db> gdb
Next trap will enter GDB remote protocol mode
db> cont
kernel trap 12 with interrupts disabled
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x76107fa
fault code = supervisor read, page not present
instruction pointer = 0x8:0xf01a7bc3
stack pointer = 0x10:0xf2899c48
frame pointer = 0x10:0xf2899c6c
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 50 (vdusrvr)
interrupt mask = tty
$T0b08:c37b1af0;05:6c9c89f2;04:489c89f2;#1c
# gdb -k kernel
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd),
Copyright 1996 Free Software Foundation, Inc...
(kgdb) help remote
Send a command to the remote monitor.
(kgdb) target remote /dev/cuaa1
Remote debugging using /dev/cuaa1
0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
1545 if (com->tp == NULL
(kgdb) where
#0 0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
#1 0xf01a7b3a in siointr (unit=0) at ../../i386/isa/sio.c:1465
#2 0xf0191b67 in Xfastintr4 ()
#3 0xf01a90a0 in siocnputc (dev=7171, c=97) at ../../i386/isa/sio.c:2739
#4 0xf01900fe in cnputc (c=97) at ../../i386/i386/cons.c:413
#5 0xf013183f in putchar (c=97, arg=0xf2899d78) at ../../kern/subr_prf.c:309
#6 0xf01319ad in kvprintf (fmt=0xf01bea34 "p %d: %s while in %s mode\n",
func=0xf01317a8 <putchar>, arg=0xf2899d78, radix=10, ap=0xf2899d8c "\f")
at ../../kern/subr_prf.c:462
#7 0xf013172d in printf (
fmt=0xf01bea29 "\n\nFatal trap %d: %s while in %s mode\n")
at ../../kern/subr_prf.c:262
#8 0xf019d1e8 in trap_fatal (frame=0xf2899e0c, eva=123799498)
at ../../i386/i386/trap.c:858
#9 0xf019d157 in trap_pfault (frame=0xf2899e0c, usermode=0, eva=123799498)
at ../../i386/i386/trap.c:835
#10 0xf019cdb6 in trap (frame={tf_es = 16, tf_ds = -225902576,
tf_edi = -226047616, tf_esi = -226016768, tf_ebp = -225862072,
tf_isp = -225862092, tf_ebx = -225861896, tf_edx = 128,
tf_ecx = -262743808, tf_eax = 123799414, tf_trapno = 12, tf_err = 0,
tf_eip = -266700265, tf_cs = -226033656, tf_eflags = 66118,
tf_esp = -225861972, tf_ss = -267041277}) at ../../i386/i386/trap.c:437
#11 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
---Type <return> to continue, or q <return> to quit---bt
at ../../i386/isa/sio.c:1385
#12 0xf0154603 in spec_read (ap=0xf2899ef8)
at ../../miscfs/specfs/spec_vnops.c:278
#13 0xf01740dc in ufsspec_read (ap=0xf2899ef8)
at ../../ufs/ufs/ufs_vnops.c:1811
#14 0xf017464d in ufs_vnoperatespec (ap=0xf2899ef8)
at ../../ufs/ufs/ufs_vnops.c:2312
#15 0xf0150c01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
at vnode_if.h:303
01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
at vnode_if.h:303
#16 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
at ../../kern/sys_generic.c:121
#17 0xf019d687 in syscall (frame={tf_es = -266731481, tf_ds = -262733785,
tf_edi = 153120, tf_esi = -272642920, tf_ebp = -272638696,
tf_isp = -225861676, tf_ebx = -1, tf_edx = 671417344,
tf_ecx = -272642868, tf_eax = 3, tf_trapno = 0, tf_err = 2,
tf_eip = 134516144, tf_cs = 31, tf_eflags = 582, tf_esp = -272642972,
tf_ss = 39}) at ../../i386/i386/trap.c:1100
#18 0xf019174c in Xint0x80_syscall ()
#19 0x80487e1 in ?? ()
#20 0x80480e9 in ?? ()
(kgdb) frame 11
#11 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
at ../../i386/isa/sio.c:1385
1385 tp = com_addr(unit)->tp;
(kgdb) print *unit
Cannot access memory at address 0x7610776.
ok that looks like before
frame 12
#12 0xf0154603 in spec_read (ap=0xf2899ef8)
at ../../miscfs/specfs/spec_vnops.c:278
278 error = (*cdevsw[major(vp->v_rdev)]->d_read)
(kgdb) print *vp
$1 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800,
v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0,
tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0},
v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900,
vu_socket = 0xf056d900, vu_specinfo = 0xf056d900,
vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0,
v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00,
v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640,
tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0},
vpi_events = 0, vpi_revents = 0}}
(kgdb) print *vp->v_un.vu_specinfo
$4 = {si_hashchain = 0xf037a95c, si_specnext = 0x0, si_mountpoint = 0x0,
si_rdev = 7296, si_blksize = 1946171776}
(kgdb) print *vp->v_mount
$5 = {mnt_list = {cqe_next = 0xf0586600, cqe_prev = 0xf037a87c},
mnt_op = 0xf01caa68, mnt_vfc = 0xf01caa9c, mnt_vnodecovered = 0x0,
mnt_syncer = 0x0, mnt_vnodelist = {lh_first = 0xf28a78c0}, mnt_lock = {
lk_interlock = {lock_data = 0}, lk_flags = 16777216, lk_sharecount = 0,
lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 20,
lk_wmesg = 0xf01b7059 "vfslock", lk_timo = 0, lk_lockholder = -1},
mnt_flag = 20480, mnt_kern_flag = 0, mnt_maxsymlinklen = 60, mnt_stat = {
f_spare2 = 0, f_bsize = 1024, f_iosize = 8192, f_blocks = 1511,
f_bfree = 526, f_bavail = 526, f_files = 446, f_ffree = 117, f_fsid = {
val = {65280, 303871774}}, f_owner = 0, f_type = 1, f_flags = 20480,
f_syncwrites = 32, f_asyncwrites = 57,
f_fstypename = "mfs", '\000' <repeats 12 times>,
f_mntonname = "/", '\000' <repeats 88 times>,
f_mntfromname = "root_device", '\000' <repeats 78 times>},
mnt_data = 0xf0586c00, mnt_time = 919707008}
(kgdb) print *vp->v_op
$6 = (int (*)()) 0xf0148250 <vop_panic>
(kgdb) frame 16
#16 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
at ../../kern/sys_generic.c:121
121 if ((error = (*fp->f_ops->fo_read)(fp, &auio, fp->f_cred)))
(kgdb) print *fp->f_ops->fo_read
Cannot access memory at address 0x7610813.
(kgdb) print *fp->f_ops
Cannot access memory at address 0x7610813.
(kgdb) print *fp
Cannot access memory at address 0x76107ff.
(kgdb) frame 17
#17 0xf019d687 in syscall (frame={tf_es = -266731481, tf_ds = -262733785,
tf_edi = 153120, tf_esi = -272642920, tf_ebp = -272638696,
tf_isp = -225861676, tf_ebx = -1, tf_edx = 671417344,
tf_ecx = -272642868, tf_eax = 3, tf_trapno = 0, tf_err = 2,
tf_eip = 134516144, tf_cs = 31, tf_eflags = 582, tf_esp = -272642972,
tf_ss = 39}) at ../../i386/i386/trap.c:1100
1100 error = (*callp->sy_call)(p, args);
(kgdb) l
1095 p->p_retval[0] = 0;
1096 p->p_retval[1] = frame.tf_edx;
1097
1098 STOPEVENT(p, S_SCE, callp->sy_narg);
1099
1100 error = (*callp->sy_call)(p, args);
1101
1102 switch (error) {
1103
1104 case 0:
(kgdb) print *callp->sy_call
$7 = {int ()} 0xf013387c <read>
(kgdb) print *p
$8 = {p_procq = {tqe_next = 0xf037a3f4, tqe_prev = 0x0}, p_list = {
le_next = 0xf2874360, le_prev = 0xf28740a8}, p_cred = 0xf056d980,
p_fd = 0xf05a5380, p_stats = 0xf2898214, p_limit = 0xf058f200,
p_upages_obj = 0xf0370b04, p_procsig = 0xf056d960, p_flag = 16390,
p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 50, p_hash = {
le_next = 0xf2874d00, le_prev = 0xf056fe88}, p_pglist = {le_next = 0x0,
le_prev = 0xf28740dc}, p_pptr = 0xf2874360, p_sibling = {le_next = 0x0,
le_prev = 0xf28740e8}, p_children = {lh_first = 0x0}, p_ithandle = {
callout = 0xf116c428}, p_oppid = 0, p_dupfd = 0, p_vmspace = 0xf2877a00,
p_estcpu = 36, p_cpticks = 18, p_pctcpu = 169, p_wchan = 0x0,
p_wmesg = 0xf01b5bec "select", p_swtime = 566, p_slptime = 0, p_realtimer = {
it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0,
tv_usec = 0}}, p_runtime = 20292918, p_switchtime = {tv_sec = 578,
tv_usec = 235806}, p_uticks = 1373, p_sticks = 1168, p_iticks = 18,
p_traceflag = 0, p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf286cc80,
p_lock = 0 '\000', p_oncpu = 0 '\000', p_lastcpu = 0 '\000',
p_pad2 = 0 '\000', p_locks = 0, p_simple_locks = 0, p_stops = 0,
p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000",
p_retval = {0, 671417344}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 0,
p_oldsigmask = 0, p_sig = 0, p_code = 0, p_sigmask = 0, p_priority = 59 ';',
p_usrpri = 59 ';', p_nice = 0 '\000',
p_comm = "vdusrvr\000r\000\000\000\000\000\000\000", p_pgrp = 0xf056da00,
p_sysent = 0xf01c4cd4, p_rtprio = {type = 1, prio = 0}, p_addr = 0xf2898000,
---Type <return> to continue, or q <return> to quit---
p_md = {md_regs = 0xf2899fac}, p_xstat = 0, p_acflag = 0, p_ru = 0x0,
p_nthreads = 0, p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0,
p_leader = 0xf2874200, p_asleep = {as_priority = 0, as_timo = 0}}
(kgdb) print *args
$9 = 1
(kgdb) print args
$10 = {1, -272642920, 4096, 0, 134570036, 11, -272643060, -266787087}
(kgdb)
For what it's worth this is supposed to be a read() of up to 4096 bytes
from a raw /dev/cuaa0 (after a select).
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902221850.KAA99527>