Date: Sun, 19 Mar 2006 21:23:29 -0500 From: "Matt Emmerton" <matt@compar.com> To: <stable@freebsd.org> Subject: Re: 6.0-REL problems with ISA ed0 and ancient hardware Message-ID: <004001c64bc5$474bd370$1200a8c0@gsicomp.on.ca> References: <000c01c64b72$321d6520$1200a8c0@gsicomp.on.ca> <20060319174831.GA3270@xor.obsecurity.org> <001701c64b9d$94b44a70$1200a8c0@gsicomp.on.ca> <20060319214542.GA7164@xor.obsecurity.org>
[-- Attachment #1 --]
On Sun, Mar 19, 2006 at 04:39:19PM -0500, Matt Emmerton wrote:
> On Sun, Mar 19, 2006 at 11:28:45AM -0500, Matt Emmerton wrote:
> > [ Asked on -questions on Friday; re-asking now on -stable without
> > cross-post]
> >
> > I recently upgraded a 4.11-REL machine to 6.0-REL and have run into some
> > snags. While the installation from CD went fine, after configuring and
> > enabling my ed0 NIC, bad things start to happen.
> >
> > FWIW, this machine is an ancient (hardware circa 1991, BIOS circa 1994)
> > dual-Pentium 133 MHz machine, with EISA/PCI and onboard SCSI.
> >
> > So far I can reliably reproduce two panics: one appears to be an ed
> > driver bug (based on reports of similar panics with different NICs,
> > notably nge), and one is a filesystem corruption problem.
> >
> > Here's the process that I go through to reliably reproduce both problems.
> > 1) Boot machine in multi-user mode
> > 2) After ifconfig ed0, machine panics with a trap 12 in ithread_loop.
> > 3) In debugger, reset (or panic to get vmcore)
The panic doesn't happen during the ifconfig -- it happens shortly after
"hostname" is run.
The details of this panic are in the attached typescript output. (Note that the dump was forced from ddb with "panic", so frames #0-#11 of the backtrace are just the debugger/dump path; the frame that actually faulted is #12, ithread_loop at kern_intr.c:548.)
From what I can see, it looks like the stack is smashed, hence ih is bogus, so we fail on the deref. The saved trapframe has tf_ebx = -1, i.e. ih = 0xffffffff, while ithd->it_handlers itself still looks sane (tqh_first/tqh_last are ordinary kernel addresses and the first handler prints cleanly as edintr/ed0), so it is the local that has been clobbered rather than the handler list. The fault address of 0x7 is presumably just 0xffffffff plus the offset of ih_flags (the third field, after two pointers) wrapping around in 32 bits.
Regards,
--
Matt Emmerton
[-- Attachment #2 --]
root@gabby# kgdb /boot/kernel.failsafe/kernel.debug vmcore.3*
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x7
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc04a9214
stack pointer = 0x28:0xc4e79cf4
frame pointer = 0x28:0xc4e79d10
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 21 (irq10: ed0)
panic: from debugger
Uptime: 27s
Dumping 47 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 47MB (12032 pages) 32 16
#0 doadump () at pcpu.h:165
165 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) where
#0 doadump () at pcpu.h:165
#1 0xc04bdd1f in boot (howto=260) at /usr2/src/sys/kern/kern_shutdown.c:399
#2 0xc04bdfe8 in panic (fmt=0xc05fd370 "from debugger")
at /usr2/src/sys/kern/kern_shutdown.c:555
#3 0xc043d1a9 in db_panic (addr=-1068854764, have_addr=0, count=-1,
modif=0xc4e79b20 "") at /usr2/src/sys/ddb/db_command.c:438
#4 0xc043d140 in db_command (last_cmdp=0xc064bc24, cmd_table=0x0,
aux_cmd_tablep=0xc061d38c, aux_cmd_tablep_end=0xc061d390)
at /usr2/src/sys/ddb/db_command.c:350
#5 0xc043d208 in db_command_loop () at /usr2/src/sys/ddb/db_command.c:458
#6 0xc043ee15 in db_trap (type=12, code=0) at /usr2/src/sys/ddb/db_main.c:221
#7 0xc04d6393 in kdb_trap (type=12, code=0, tf=0xc4e79cb4)
at /usr2/src/sys/kern/subr_kdb.c:473
#8 0xc05e6718 in trap_fatal (frame=0xc4e79cb4, eva=7)
at /usr2/src/sys/i386/i386/trap.c:822
#9 0xc05e6487 in trap_pfault (frame=0xc4e79cb4, usermode=0, eva=7)
at /usr2/src/sys/i386/i386/trap.c:742
#10 0xc05e6081 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1059735424, tf_esi = 4, tf_ebp = -991453936, tf_isp = -991453984, tf_ebx = -1, tf_edx = -1059700352, tf_ecx = 4, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1068854764, tf_cs = 32, tf_eflags = 66178, tf_esp = 0, tf_ss = -1059702212})
at /usr2/src/sys/i386/i386/trap.c:432
#11 0xc05d5cda in calltrap () at /usr2/src/sys/i386/i386/exception.s:139
#12 0xc04a9214 in ithread_loop (arg=0xc0d5b880)
at /usr2/src/sys/kern/kern_intr.c:548
#13 0xc04a8498 in fork_exit (callout=0xc04a90b8 <ithread_loop>,
arg=0xc0d5b880, frame=0xc4e79d38) at /usr2/src/sys/kern/kern_fork.c:789
#14 0xc05d5d3c in fork_trampoline ()
at /usr2/src/sys/i386/i386/exception.s:208
(kgdb) up 12
#12 0xc04a9214 in ithread_loop (arg=0xc0d5b880)
at /usr2/src/sys/kern/kern_intr.c:548
548 if ((ih->ih_flags & IH_MPSAFE) == 0)
(kgdb) print ih
$1 = (struct intrhand *) 0xffffffff
(kgdb) print ithd
$2 = (struct ithd *) 0xc0d5b880
(kgdb) print *ithd
$3 = {it_lock = {mtx_object = {lo_class = 0xc062ef04,
lo_name = 0xc06059cd "ithread", lo_type = 0xc06059cd "ithread",
lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0},
lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, it_td = 0xc0d64180,
it_list = {le_next = 0x0, le_prev = 0x0}, it_handlers = {
tqh_first = 0xc0dce800, tqh_last = 0xc0dce818}, it_interrupted = 0x0,
it_disable = 0xc05d98b0 <ioapic_disable_source>,
it_enable = 0xc05d9814 <ioapic_enable_source>, it_md = 0x0, it_flags = 0,
it_need = 0, it_vector = 3235208480,
it_name = "irq10:", '\0' <repeats 13 times>}
(kgdb) print *ithd->it_handlers->tqh_first
$6 = {ih_handler = 0xc04567dc <edintr>, ih_argument = 0xc0d55200,
ih_flags = -2147483646, ih_name = 0xc0dcd080 "ed0",
ih_ithread = 0xc0d5b880, ih_need = 0, ih_next = {tqe_next = 0x0,
tqe_prev = 0xc0d5b8b0}, ih_pri = 16 '\020'}
(kgdb) quit
