Subject: kern/9257: uvm_fault(0xf0295100, 0xf09ff000, 0, 1) -> 2
To: None <gnats-bugs@gnats.netbsd.org>
From: Martin J. Laubach <mjl@emsi.priv.at>
List: netbsd-bugs
Date: 01/20/2000 00:57:42
>Number:         9257
>Category:       kern
>Synopsis:       Crash: uvm_fault(0xf0295100, 0xf09ff000, 0, 1) -> 2
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 20 00:57:00 2000
>Last-Modified:
>Originator:     Martin J. Laubach
>Organization:
>Release:        Current from: Tue Jan 11 07:04:47 CET 2000
>Environment:
System: NetBSD 1.4P (CACTUS) #0: Tue Jan 11 07:04:47 CET 2000
    mjl@asparagus:/home/temp/devel/cvs/src/sys/arch/i386/compile/CACTUS

>Description:
  This may be the same problem that I reported earlier; the
symptoms are quite similar. However, this time I have been able to
get a crash dump.

  When a bunch of queued-up mail is delivered to my machine (about
100 or so), lots of sendmail and procmail processes are started up,
which somehow seems to trigger a bug in the fs code.

  The last lines in dmesg are:

	/tmp: optimization changed from TIME to SPACE
	uvm_fault(0xf0295100, 0xf09ff000, 0, 1) -> 2
  The stack traceback is:

(gdb) where
#0  0xf0276d98 in db_last_command ()
#1  0x15cf000 in ?? ()
#2  0xf0213fdb in cpu_reboot (howto=260, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:1123
#3  0xf010e5ce in db_reboot_cmd () at ../../../../ddb/db_command.c:582
#4  0xf010e300 in db_command (last_cmdp=0xf0276d98, cmd_table=0xf0276bd8)
    at ../../../../ddb/db_command.c:295
#5  0xf010e45a in db_command_loop () at ../../../../ddb/db_command.c:486
#6  0xf0110b1a in db_trap (type=6, code=0) at ../../../../ddb/db_trap.c:78
#7  0xf0212032 in kdb_trap (type=6, code=0, regs=0xf299fd30)
    at ../../../../arch/i386/i386/db_interface.c:120
#8  0xf0219620 in trap (frame={tf_es = -264503280, tf_ds = -226361328, 
      tf_edi = -226328576, tf_esi = -257953792, tf_ebp = -224789104, 
      tf_ebx = 4, tf_edx = -226328576, tf_ecx = 16384, tf_eax = 31625216, 
      tf_trapno = 6, tf_err = 196608, tf_eip = -266075070, tf_cs = -224854008, 
      tf_eflags = 66070, tf_esp = 0, tf_ss = -264400656, 
      tf_vm86_es = -266200427, tf_vm86_ds = -226328576, 
      tf_vm86_fs = -257953792, tf_vm86_gs = 65536})
    at ../../../../arch/i386/i386/trap.c:298
#9  0xf0100c79 in calltrap ()
#10 0xf01033a4 in aha_scsi_cmd (xs=0xf03d90f0) at ../../../../dev/ic/aha.c:1324
#11 0xf021afcb in scsipi_execute_xs (xs=0xf03d90f0)
    at ../../../../dev/scsipi/scsipi_base.c:688
#12 0xf021bf37 in scsi_scsipi_cmd (sc_link=0xf03c3700, scsipi_cmd=0xf299fe68, 
    cmdlen=6can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
, data_addr=0xf09ff000 <Address 0xf09ff000 out of bounds>, 
    datalen=65536, retries=4, timeout=60000, bp=0xf04752e8, flags=4105)
    at ../../../../dev/scsipi/scsi_base.c:125
#13 0xf021d6e7 in sdstart (v=0xf03c6a00) at ../../../../dev/scsipi/sd.c:751
#14 0xf021a9f7 in scsipi_free_xs (xs=0xf03d90f0, flags=1)
    at ../../../../dev/scsipi/scsipi_base.c:173
#15 0xf021af6d in scsipi_done (xs=0xf03d90f0)
    at ../../../../dev/scsipi/scsipi_base.c:644
#16 0xf01028aa in aha_done (sc=0xf03c6c00, ccb=0xf2807214)
    at ../../../../dev/ic/aha.c:787
#17 0xf0102166 in aha_finish_ccbs (sc=0xf03c6c00)
    at ../../../../dev/ic/aha.c:388
#18 0xf0102248 in aha_intr (arg=0xf03c6c00) at ../../../../dev/ic/aha.c:448
#19 0xf0101690 in Xintr11 ()
  In frame #14, xs looks like this:

(gdb) print *xs
$1 = {adapter_q = {tqe_next = 0xdeadbeef, tqe_prev = 0xf03d9168}, device_q = {
    tqe_next = 0xf03d9fe0, tqe_prev = 0xf03c3734}, xs_control = 4105, 
  xs_status = 1, sc_link = 0xf03c3700, retries = 4, timeout = 60000, 
  cmd = 0xf03d9158, cmdlen = 6, data = 0xf123b000 "\035\034", datalen = 5120, 
  resid = 0, error = 0, bp = 0xf0dd2dd0, sense = {scsi_sense = {
      error_code = 0 '\000', segment = 0 '\000', flags = 0 '\000', 
      info = "\000\000\000", extra_len = 0 '\000', 
      cmd_spec_info = "\000\000\000", add_sense_code = 0 '\000', 
      add_sense_code_qual = 0 '\000', fru = 0 '\000', 
      sense_key_spec_1 = 0 '\000', sense_key_spec_2 = 0 '\000', 
      sense_key_spec_3 = 0 '\000', extra_bytes = '\000' <repeats 13 times>}, 
    atapi_sense = 0}, req_sense_length = 0, status = 0 '\000', cmdstore = {
    opcode = 10 '\n', 
    bytes = "\006P(\n\000\000\000\000\000\000\000\000\000\000"}}

  Note the DEADBEEF!

  The crash dump is available on request.

>How-To-Repeat:
  Take the machine down for some time. Take it up and wait for the queued
mail to be delivered.

>Fix:
>Audit-Trail:
>Unformatted:
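As an added example (not code from this report or from NetBSD), here is the pattern the dump exhibits: a transfer's queue links carry a fill value after it has been freed, and a check on the start path catches the stale pointer before the adapter touches it. The xfer type, the XS_POISON value and the helper names are assumptions; the report only notes the 0xdeadbeef in xs->adapter_q.tqe_next and does not say what wrote it.

```c
#include <stdint.h>
#include <stdlib.h>

/* Poison written into a freed transfer's queue links. Constructed to match
 * the 0xdeadbeef seen in xs->adapter_q.tqe_next in the report's dump. */
#define XS_POISON ((void *)(uintptr_t)0xdeadbeefU)

/* Minimal stand-in for scsipi_xfer with a TAILQ-style adapter_q link
 * (hypothetical type, not NetBSD's). */
struct xfer {
    struct {
        struct xfer *tqe_next;
        struct xfer **tqe_prev;
    } adapter_q;
    void *data;
};

/* Return 1 if the links carry the poison, i.e. the transfer was freed. */
int xfer_is_poisoned(const struct xfer *xs)
{
    return (void *)xs->adapter_q.tqe_next == XS_POISON ||
           (void *)xs->adapter_q.tqe_prev == XS_POISON;
}

/* Release a transfer: poison the links first so a later use of the stale
 * pointer trips xfer_is_poisoned() instead of dereferencing garbage. */
void xfer_release(struct xfer *xs)
{
    xs->adapter_q.tqe_next = XS_POISON;
    xs->adapter_q.tqe_prev = XS_POISON;
    xs->data = NULL;
}

/* Model of the order in the backtrace: completion (scsipi_done ->
 * scsipi_free_xs) releases xs, then the start routine hands the same
 * pointer back to the adapter. Returns 1 if the check caught the stale
 * transfer before its data pointer was used, 0 if it slipped through. */
int simulate_stale_requeue(void)
{
    struct xfer *xs = calloc(1, sizeof *xs);
    if (xs == NULL)
        return 0;
    xs->data = xs;                       /* stand-in data buffer */
    xfer_release(xs);                    /* completion path frees it */
    int caught = xfer_is_poisoned(xs);   /* start path checks before reuse */
    free(xs);
    return caught;
}
```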