netbsd-bugs: port-vax/25307: Raw disk I/O broken on VAXstation 3100/m30, causes panic

Subject: port-vax/25307: Raw disk I/O broken on VAXstation 3100/m30, causes panic
To: None <gnats-bugs@gnats.NetBSD.org>
From: Anders Hjalmarsson <hjalmar@hjalmar.to>
List: netbsd-bugs
Date: 04/25/2004 02:21:38
>Number:         25307
>Category:       port-vax
>Synopsis:       Raw disk I/O broken on VAXstation 3100/m30, causes panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    port-vax-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 25 00:22:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Anders Hjalmarsson
>Release:        NetBSD 2.0C
>Organization:
unorganized
>Environment:
System: NetBSD  2.0C NetBSD 2.0C (VS3100_30-$Revision: 1.118 $) #7: Sat Apr 24 23:14:34 UTC 2004  hjalmar@simh-vax.hjalmar.to:/var/obj/config/vax/compile/VS3100_30 vax
Architecture: vax
Machine: vax
>Description:
	Raw disk I/O broken on VAXstation 3100/m30, causes panic
	This probably affects all vaxen attching si at vsbus and
	maybe those with hdc at vsbus.


Partial dmesg:

si0 at vsbus0 csr 0x200c0080 vec 770 ipl 14 maskbit 1
si0: NCR5380, SCSI ID 6
scsibus0 at si0: 8 targets, 8 luns per target

scsibus0: waiting 2 seconds for devices to settle...
sd0 at scsibus0 target 0 lun 0: <DEC, RZ24     (C) DEC, 211B> disk fixed
sd0: drive offline
sd0: async, 8-bit transfers
sd1 at scsibus0 target 2 lun 0: <DEC, RZ24     (C) DEC, 211B> disk fixed
sd1: drive offline
sd1: async, 8-bit transfers


>How-To-Repeat:

# dd if=/dev/rsd0c bs=8k count=1 of=/dev/null
panic: trap: access fault: addr 800c09e2 code 8087d000
Stopped at      netbsd:trap+0x1ab:      bbc     $2, 75(r7), trap+0x1bd
db> bt
panic: trap: access fault: addr 800defa1 code 10
Stopped at      netbsd:trap+0x1ab:      bbc     $2, 75(r7), trap+0x1bd




# dd if=/dev/zero bs=8k count=1 of=/dev/rsd0b
panic: Segv in kernel mode: pc 800c0afc addr 89ded000
Stopped in pid 9.1 (dd) at      netbsd:trap+0x2c2:      movl    $2, -52(fp)
db> 
db> bt
panic: Segv in kernel mode: pc %x addr %x
Stack traceback :
0x82dd9930: trap+0x2c2(0x82dd9a04)
0x82dd9a04: trap type=0x8 code=0x89ded000 pc=0x800c0afc psl=0xd50000
0x82dd99d0: vsbus_copyfromproc+0xc4(0x802a6960,0x26000,0x82582000,0x2000)
0x82dd9a50: si_dma_go+0x2b(0x81013000)
0x82dd9a90: vsbus_dma_intr+0x36(void)
0x82dd9ab4: vsbus_dma_start+0x25(0x810135d8)
0x82dd9acc: si_dma_start+0x1e(0x81013000)
0x82dd9ae8: ncr5380_data_xfer+0xd9(0x81013000,0)
0x82dd9b04: ncr5380_machine+0xdf(0x81013000)
0x82dd9b2c: ncr5380_sched+0x240(0x81013000)
0x82dd9b60: ncr5380_scsipi_request+0x12e(0x81013064,0,0x802b2000)
0x82dd9b94: scsipi_run_queue+0x11b(0x81013064)
0x82dd9bd0: scsipi_execute_xs+0x1b7(0x802b2000)
0x82dd9c04: scsi_scsipi_cmd+0xd6(0x8103ee00,0x82dd9cd4,0x6,0x26000,0x2000,0x4,0x
ea60,0x802b3e88,0x22009)
0x82dd9c38: scsipi_command+0x5c(0x8103ee00,0x82dd9cd4,0x6,0x26000,0x2000,0x4,0xe
a60,0x802b3e88,0x22009)
0x82dd9c8c: sdstart+0x1ad(0x8103ee00)
0x82dd9ce8: sdstrategy+0x217(0x802b3e88)
0x82dd9d20: physio+0x194(0x800d24b2,0,0x3b01,0,0x800d292e,0x82dd9eb8)
0x82dd9d64: sdwrite+0x1f(0x3b01,0x82dd9eb8,0x1)
0x82dd9dac: spec_write+0xc2(0x82dd9e50)
0x82dd9e00: ufsspec_write+0x33(0x82dd9e50)
0x82dd9e34: vn_write+0x11d(0x802ed0a8,0x802ed0d0,0x82dd9eb8,0x80ff8e80,0x1)
0x82dd9e64: dofilewrite+0x73(0x802a6960,0x4,0x802ed0a8,0x26000,0x2000,0x802ed0d0
,0x1,0x82dd9f58)
0x82dd9ed8: sys_write+0x60(0x802ad2e8,0x82dd9f60,0x82dd9f58)
0x82dd9f20: syscall+0xdc(0x82dd9fb4)
db> 

>Fix:
	The problem is in vsbus_copyfromproc and vsbus_copytoproc.
	The conversion to physical address uses the virtual address instead
	of the virtual page (See pmap.c:vaddrtopte for a typical correct
	conversion).
	Also, vsbus_copyfromproc uses "to" instead of "from" in the conversion.

Index: vsbus.c
===================================================================
RCS file: /cvsroot/src/sys/arch/vax/vsa/vsbus.c,v
retrieving revision 1.44
diff -u -r1.44 vsbus.c
--- vsbus.c	2003/07/15 02:15:07	1.44
+++ vsbus.c	2004/04/24 23:51:23
@@ -311,10 +311,16 @@
 		bcopy(from, to, len);
 		return;
 	}
-	if ((long)to & 0x40000000)
-		pte = &p->p_vmspace->vm_map.pmap->pm_p1br[((long)to & ~0x40000000)];
+
+#ifdef DIAGNOSTIC
+	if (p == NULL)
+		panic("vsbus_copytoproc: no proc");
+#endif
+
+	if ((vaddr_t)to & 0x40000000)
+		pte = &p->p_vmspace->vm_map.pmap->pm_p1br[vax_btop((vaddr_t)to & ~0x40000000)];
 	else
-		pte = &p->p_vmspace->vm_map.pmap->pm_p0br[(long)to];
+		pte = &p->p_vmspace->vm_map.pmap->pm_p0br[vax_btop((vaddr_t)to)];
 	if ((vaddr_t)to & PGOFSET) {
 		int cz = round_page((vaddr_t)to) - (vaddr_t)to;
 
@@ -345,10 +351,16 @@
 		bcopy(from, to, len);
 		return;
 	}
-	if ((long)to & 0x40000000)
-		pte = &p->p_vmspace->vm_map.pmap->pm_p1br[((long)to & ~0x40000000)];
+
+#ifdef DIAGNOSTIC
+	if (p == NULL)
+		panic("vsbus_copyfromproc: no proc");
+#endif
+
+	if ((vaddr_t)from & 0x40000000)
+		pte = &p->p_vmspace->vm_map.pmap->pm_p1br[vax_btop((vaddr_t)from & ~0x40000000)];
 	else
-		pte = &p->p_vmspace->vm_map.pmap->pm_p0br[(long)to];
+		pte = &p->p_vmspace->vm_map.pmap->pm_p0br[vax_btop((vaddr_t)from)];
 	if ((vaddr_t)from & PGOFSET) {
 		int cz = round_page((vaddr_t)from) - (vaddr_t)from;
 
>Release-Note:
>Audit-Trail:
>Unformatted:
 	NetBSD current from a few days ago