Date:      Sun, 19 Mar 2006 21:23:29 -0500
From:      "Matt Emmerton" <matt@compar.com>
To:        <stable@freebsd.org>
Subject:   Re: 6.0-REL problems with ISA ed0 and ancient hardware 
Message-ID:  <004001c64bc5$474bd370$1200a8c0@gsicomp.on.ca>
References:  <000c01c64b72$321d6520$1200a8c0@gsicomp.on.ca> <20060319174831.GA3270@xor.obsecurity.org> <001701c64b9d$94b44a70$1200a8c0@gsicomp.on.ca> <20060319214542.GA7164@xor.obsecurity.org>

On Sun, Mar 19, 2006 at 04:39:19PM -0500, Matt Emmerton wrote:
> On Sun, Mar 19, 2006 at 11:28:45AM -0500, Matt Emmerton wrote:
> > [ Asked on -questions on Friday; re-asking now on -stable without
> > cross-post]
> >
> > I recently upgraded a 4.11-REL machine to 6.0-REL and have run into some
> > snags.  While the installation from CD went fine, after configuring and
> > enabling my ed0 NIC, bad things start to happen.
> >
> > FWIW, this machine is an ancient (hardware circa 1991, BIOS circa 1994)
> > dual-Pentium 133 MHz machine, with EISA/PCI and onboard SCSI.
> >
> > So far I can reliably reproduce two panics, one appears to be a ed driver
> > bug (based on reports of similar panics with different NICs, notably nge)
> > and one is a filesystem corruption problem.
> >
> > Here's the process that I go through to reliably reproduce both problems.
> > 1) Boot machine in multi-user mode
> > 2) After ifconfig ed0, machine panics with a trap 12 in ithread_loop.
> > 3) In debugger, reset (or panic to get vmcore)

The panic doesn't happen during the ifconfig -- it happens shortly after
"hostname" is run.

The details of this panic are in the attached typescript output.

From what I can see, it looks like the stack is smashed, hence ih is bogus,
so we fail on the deref.

Regards,
--
Matt Emmerton

[Attachment: typescript-panic-ed]

root@gabby# kgdb /boot/kernel.failsafe/kernel.debug vmcore.3*
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x7
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc04a9214
stack pointer	        = 0x28:0xc4e79cf4
frame pointer	        = 0x28:0xc4e79d10
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 21 (irq10: ed0)
panic: from debugger
Uptime: 27s
Dumping 47 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 47MB (12032 pages) 32 16

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:165
#1  0xc04bdd1f in boot (howto=260) at /usr2/src/sys/kern/kern_shutdown.c:399
#2  0xc04bdfe8 in panic (fmt=0xc05fd370 "from debugger")
    at /usr2/src/sys/kern/kern_shutdown.c:555
#3  0xc043d1a9 in db_panic (addr=-1068854764, have_addr=0, count=-1,
    modif=0xc4e79b20 "") at /usr2/src/sys/ddb/db_command.c:438
#4  0xc043d140 in db_command (last_cmdp=0xc064bc24, cmd_table=0x0,
    aux_cmd_tablep=0xc061d38c, aux_cmd_tablep_end=0xc061d390)
    at /usr2/src/sys/ddb/db_command.c:350
#5  0xc043d208 in db_command_loop () at /usr2/src/sys/ddb/db_command.c:458
#6  0xc043ee15 in db_trap (type=12, code=0) at /usr2/src/sys/ddb/db_main.c:221
#7  0xc04d6393 in kdb_trap (type=12, code=0, tf=0xc4e79cb4)
    at /usr2/src/sys/kern/subr_kdb.c:473
#8  0xc05e6718 in trap_fatal (frame=0xc4e79cb4, eva=7)
    at /usr2/src/sys/i386/i386/trap.c:822
#9  0xc05e6487 in trap_pfault (frame=0xc4e79cb4, usermode=0, eva=7)
    at /usr2/src/sys/i386/i386/trap.c:742
#10 0xc05e6081 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1059735424, tf_esi = 4, tf_ebp = -991453936, tf_isp = -991453984, tf_ebx = -1, tf_edx = -1059700352, tf_ecx = 4, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1068854764, tf_cs = 32, tf_eflags = 66178, tf_esp = 0, tf_ss = -1059702212})
    at /usr2/src/sys/i386/i386/trap.c:432
#11 0xc05d5cda in calltrap () at /usr2/src/sys/i386/i386/exception.s:139
#12 0xc04a9214 in ithread_loop (arg=0xc0d5b880)
    at /usr2/src/sys/kern/kern_intr.c:548
#13 0xc04a8498 in fork_exit (callout=0xc04a90b8 <ithread_loop>,
    arg=0xc0d5b880, frame=0xc4e79d38) at /usr2/src/sys/kern/kern_fork.c:789
#14 0xc05d5d3c in fork_trampoline ()
    at /usr2/src/sys/i386/i386/exception.s:208
(kgdb) up 12
#12 0xc04a9214 in ithread_loop (arg=0xc0d5b880)
    at /usr2/src/sys/kern/kern_intr.c:548
548					if ((ih->ih_flags & IH_MPSAFE) == 0)
(kgdb) print ih
$1 = (struct intrhand *) 0xffffffff
(kgdb) print ithd
$2 = (struct ithd *) 0xc0d5b880
(kgdb) print *ithd
$3 = {it_lock = {mtx_object = {lo_class = 0xc062ef04,
      lo_name = 0xc06059cd "ithread", lo_type = 0xc06059cd "ithread",
      lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
      lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, it_td = 0xc0d64180,
  it_list = {le_next = 0x0, le_prev = 0x0}, it_handlers = {
    tqh_first = 0xc0dce800, tqh_last = 0xc0dce818}, it_interrupted = 0x0,
  it_disable = 0xc05d98b0 <ioapic_disable_source>,
  it_enable = 0xc05d9814 <ioapic_enable_source>, it_md = 0x0, it_flags = 0,
  it_need = 0, it_vector = 3235208480,
  it_name = "irq10:", '\0' <repeats 13 times>}
(kgdb) print *ithd->it_handlers->tqh_first
$6 = {ih_handler = 0xc04567dc <edintr>, ih_argument = 0xc0d55200,
  ih_flags = -2147483646, ih_name = 0xc0dcd080 "ed0",
  ih_ithread = 0xc0d5b880, ih_need = 0, ih_next = {tqe_next = 0x0,
    tqe_prev = 0xc0d5b8b0}, ih_pri = 16 '\020'}
(kgdb) quit
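Added example (not Matt's code and not FreeBSD source): a small C program that reconciles the numbers in the typescript above. kgdb prints ih = 0xffffffff while the trap reports a fault at virtual address 0x7. With the field order kgdb printed for struct intrhand ("$6 = {...}") and 4-byte pointers on i386, ih_flags sits at byte offset 8, and 0xffffffff + 8 wraps modulo 2^32 to exactly 0x7, so the fault address and the garbage pointer agree. The struct layout, the i386 KVA floor of 0xc0000000 and the assumption that the compiler kept ih in %ebx (tf_ebx = -1 in the frame matches "print ih") are assumptions of this example, not statements in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not part of the message above or of the FreeBSD tree.
 *
 * Stand-in for the 6.0 struct intrhand in the field order kgdb printed it.
 * Assumed layout: i386 kernel, 4-byte pointers and ints, so ih_flags is at
 * byte offset 8.
 */
struct intrhand32 {
    uint32_t ih_handler;        /* driver_intr_t *ih_handler   */
    uint32_t ih_argument;       /* void *ih_argument           */
    int32_t  ih_flags;          /* int ih_flags (IH_MPSAFE ...) */
    uint32_t ih_name;           /* char *ih_name               */
    uint32_t ih_ithread;        /* struct ithd *ih_ithread     */
    int32_t  ih_need;
    uint32_t ih_next_tqe_next;  /* TAILQ_ENTRY(intrhand) ih_next */
    uint32_t ih_next_tqe_prev;
    uint8_t  ih_pri;
};

/* Assumed default i386 KERNBASE: kernel virtual addresses start here. */
#define KVA_MIN 0xc0000000u

/*
 * Address that "ih->ih_flags" reads for a given ih value. Pointer arithmetic
 * is modulo 2^32 on i386, so ih = 0xffffffff does not fault near the top of
 * the address space: it wraps and touches 0x00000007.
 */
uint32_t ih_flags_address(uint32_t ih)
{
    return ih + (uint32_t)offsetof(struct intrhand32, ih_flags);
}

/*
 * Cross-check the trap frame against "print ih": kgdb shows tf_ebx as a
 * signed int (-1), so reinterpret it as the 32-bit pointer value and test
 * whether that pointer explains the reported fault virtual address.
 */
int frame_explains_fault(int32_t tf_ebx, uint32_t fault_va)
{
    uint32_t ih = (uint32_t)tf_ebx;
    return ih_flags_address(ih) == fault_va;
}

/*
 * A value that is outside KVA, misaligned, or whose struct would wrap past
 * the end of the address space cannot be a live intrhand pointer.
 */
int plausible_intrhand_ptr(uint32_t p)
{
    return p >= KVA_MIN
        && (p % 4) == 0
        && (uint32_t)(p + sizeof(struct intrhand32)) > p;
}

int main(void)
{
    /* Values copied from the trap frame and kgdb session in this message. */
    const int32_t  tf_ebx    = -1;
    const uint32_t fault_va  = 0x7;
    const uint32_t list_head = 0xc0dce800u;   /* it_handlers.tqh_first */

    printf("ih_flags offset      : %zu\n", offsetof(struct intrhand32, ih_flags));
    printf("ih from tf_ebx       : 0x%08x\n", (uint32_t)tf_ebx);
    printf("ih->ih_flags address : 0x%08x (trap reported 0x%x)\n",
           ih_flags_address((uint32_t)tf_ebx), fault_va);
    printf("frame explains fault : %s\n",
           frame_explains_fault(tf_ebx, fault_va) ? "yes" : "no");
    printf("0xffffffff plausible : %s; list head 0x%08x plausible: %s\n",
           plausible_intrhand_ptr((uint32_t)tf_ebx) ? "yes" : "no",
           list_head,
           plausible_intrhand_ptr(list_head) ? "yes" : "no");
    return 0;
}
```

Build with cc -o ihcheck ihcheck.c and run ./ihcheck. The arithmetic is the quick sanity check to apply to any small fault address in an interrupt thread: 0x7 is not a multiple of 4, so it is not NULL plus a field offset (which a missing NULL check would produce); it is a pointer-sized garbage value plus a field offset, which points at the pointer itself having been overwritten, consistent with the smashed-stack reading above. The list head the ithread still holds (0xc0dce800) passes the same plausibility test that 0xffffffff fails.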

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004001c64bc5$474bd370$1200a8c0>