Subject: Re: kern/19605: Repeatable panic in wi_read_bap
To: None <stixpjr@ozemail.com.au, tech-kern@netbsd.org>
From: ITOH Yasufumi <itohy@netbsd.org>
List: tech-kern
Date: 01/06/2003 13:23:10
I have a similar panic in wi_write_bap.
In my case, I suspect that this is an off-by-one error.

    fatal page fault in supervisor mode
    trap type 6 code 0 eip c015e0d7 cs 8 eflags 10246 cr2 c5f9d000 imask 70
    panic: trap
    Begin traceback...
    _trap() at _trap+0x206
    --- trap (number 6) ---
    _wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f

(complete stack trace is shown below)
The trap type #6 is a page fault, a bad address reference in the kernel.

The parameters are buf=c5f9cea1, buflen=15f and buf + buflen = c5f9d000.
The buffer is at the end of a page.

The fault address is cr2 = c5f9d000, and I think the problem is
caused by an off-by-one failure in

    sys/dev/ic/wi.c:
    static int
    wi_write_bap(struct wi_softc *sc, int id, int off, void *buf, int buflen)
    {
        ...
        cnt = (buflen + 1) / 2;		/* XXXX this part of code. */
        CSR_WRITE_MULTI_STREAM_2(sc, WI_DATA0, (u_int16_t *)buf, cnt);
        ...
    }

If the buflen is odd, this code always accesses one byte after
the allocated buffer.

Similar code is in wi_read_bap(), wi_write_rid() and wi_get_cfg().
I'm not sure if these are problematic or not.
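As an added illustration, not part of the original mail or of wi.c, the following works through the arithmetic of this off-by-one with the buf/buflen values from the trace, and shows a word-copy routine that pads the odd tail byte locally so the last byte read is buf[buflen - 1]. The function names are my own, and the zero-padded tail is one possible fix, not necessarily the one the driver adopted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Word count exactly as the original wi_write_bap() computes it:
 * an odd byte length is rounded up to whole 16-bit words. */
static int bap_word_count(int buflen)
{
	return (buflen + 1) / 2;
}

/* Bytes that writing cnt words from buf reads (2 per word) minus the
 * bytes the buffer holds: 1 for odd buflen, 0 for even. */
static int bap_overrun(int buflen)
{
	return bap_word_count(buflen) * 2 - buflen;
}

/* Address of the last byte the word copy reads, with the 32-bit i386
 * addresses from the trace; it equals cr2 when buf ends a page. */
static uint32_t bap_last_byte_addr(uint32_t buf, int buflen)
{
	return buf + bap_word_count(buflen) * 2 - 1;
}

/* Stand-in for the register write: copies buf into 16-bit words (dst)
 * and returns the word count without ever reading p[buflen]. */
static int bap_copy_words(uint16_t *dst, const void *buf, int buflen)
{
	const uint8_t *p = buf;
	int i, full = buflen / 2;

	for (i = 0; i < full; i++)          /* full words stay inside buf */
		memcpy(&dst[i], p + 2 * i, 2);
	if (buflen & 1) {                   /* odd tail: pad in a local word */
		uint16_t last = 0;
		memcpy(&last, p + 2 * full, 1);
		dst[i++] = last;
	}
	return i;                           /* == bap_word_count(buflen) */
}

int main(void)
{
	/* Values taken from the panic message: buf=c5f9cea1, buflen=15f. */
	printf("cnt=%d overrun=%d last byte read=%08x\n",
	    bap_word_count(0x15f), bap_overrun(0x15f),
	    bap_last_byte_addr(0xc5f9cea1u, 0x15f)); /* ... read=c5f9d000 */
	return 0;
}
```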


Here's the complete stack trace.

pcmcia0: CIS version PC Card Standard 5.0
pcmcia0: CIS info: IO DATA, WNB11PCM, Version 01.02, 
pcmcia0: Manufacturer code 0x28a, product 0x2
pcmcia0: function 0: network adapter, ccr addr 3e0 mask 1
pcmcia0: function 0, config table entry 1: I/O card; irq mask ffff; iomask 6, iospace 0-3f; io16 irqpulse irqlevel
wi0 at pcmcia0 function 0: IO DATA, WNB11PCM, Version 01.02
wi0: 802.11 address xx:xx:xx:xx:xx:xx
wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163-SST-flash
wi0: Intersil Firmware: Primary (0.3.0), Station (0.8.2)
wi0: supported rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
fatal page fault in supervisor mode
trap type 6 code 0 eip c015e0d7 cs 8 eflags 10246 cr2 c5f9d000 imask 70
panic: trap
Begin traceback...
_trap() at _trap+0x206
--- trap (number 6) ---
_wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f
_wi_start(c06f4034,c0685684,5dc,c010a766) at _wi_start+0x39e
_ether_output(c06f4034,c068ce00,c0685684,c0686420,c06e58c8) at _ether_output+0x56c
_ip_output(c068ce00,0,c0685680,0,0) at _ip_output+0x52e
_tcp_output(c06e58c8,afc80,c0115520,c06e58c8) at _tcp_output+0x115f
_tcp_input(c0701400,14,6,c05baa00,c0701400) at _tcp_input+0x1cf1
_ip_input(c0701400,4,c0590d20,0) at _ip_input+0x67a
_ipintr(10,30,10,10,c0412000) at _ipintr+0x7a
_Xsoftnet() at _Xsoftnet+0x2c
--- interrupt ---
_mpidle(c03b5bec,0,c0415f50,c02974bb) at _mpidle
bpendtsleep(c03b5bec,4,c02974f5,0,0,c029755c,c0415f80,c0297568) at bpendtsleep
_uvm_scheduler(c0411010,411000,41a000,0,0) at _uvm_scheduler+0x78
_main(0,0,0,0,0) at _main+0x742
End traceback...
syncing disks... fatal page fault in supervisor mode
trap type 6 code 0 eip c02686c1 cs 8 eflags 10202 cr2 10c imask 0
panic: trap
Begin traceback...
_trap() at _trap+0x206
--- trap (number 6) ---
_genfs_putpages(c04156d4,1,1,1,0) at _genfs_putpages+0x2f9
_ffs_putpages(c04156d4,50,0,c0220103,0) at _ffs_putpages+0x11d
_VOP_PUTPAGES(c6b0ec30,0,0,0,0,11,c0415750,c01f089f) at _VOP_PUTPAGES+0x49
_ffs_full_fsync(c04157ec,11,c0415790,c025c76a,0) at _ffs_full_fsync+0x98
_ffs_fsync(c04157ec,10012,c06ba800,c0264d28,c6b0ec30) at _ffs_fsync+0x3c
_VOP_FSYNC(c6b0ec30,c0576e80,0,0,0,0,0,c03b5bec) at _VOP_FSYNC+0x58
_ffs_sync(c0694200,2,c0576e80,c03b5bec) at _ffs_sync+0xcf
_sys_sync(c03b5bec,0,0,c025e7d4,100) at _sys_sync+0x5a
_vfs_shutdown(c041592c,1,fff2,c023ec18,c023f274) at _vfs_shutdown+0x6e
_cpu_reboot(100,0,c0415970,c02b84fa,70) at _cpu_reboot+0x3b
_panic(c02b8245,c02b81f0,c0415978,2,70) at _panic+0x123
_trap() at _trap+0x206
--- trap (number 6) ---
_wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f
_wi_start(c06f4034,c0685684,5dc,c010a766) at _wi_start+0x39e
_ether_output(c06f4034,c068ce00,c0685684,c0686420,c06e58c8) at _ether_output+0x56c
_ip_output(c068ce00,0,c0685680,0,0) at _ip_output+0x52e
_tcp_output(c06e58c8,afc80,c0115520,c06e58c8) at _tcp_output+0x115f
_tcp_input(c0701400,14,6,c05baa00,c0701400) at _tcp_input+0x1cf1
_ip_input(c0701400,4,c0590d20,0) at _ip_input+0x67a
_ipintr(10,30,10,10,c0412000) at _ipintr+0x7a
_Xsoftnet() at _Xsoftnet+0x2c
--- interrupt ---
_mpidle(c03b5bec,0,c0415f50,c02974bb) at _mpidle
bpendtsleep(c03b5bec,4,c02974f5,0,0,c029755c,c0415f80,c0297568) at bpendtsleep
_uvm_scheduler(c0411010,411000,41a000,0,0) at _uvm_scheduler+0x78
_main(0,0,0,0,0) at _main+0x742
End traceback...

dumping to dev 0,1 offset 608565
dump 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 succeeded


rebooting...

-- 
ITOH Yasufumi