Subject: Re: kern/19605: Repeatable panic in wi_read_bap
To: ITOH Yasufumi <itohy@netbsd.org>
From: David Young <dyoung@ojctech.com>
List: tech-kern
Date: 01/06/2003 01:02:41
You have pointed out an important bug. It may answer more than one PR.
It may also result in improved performance for wi(4).  Good work!

I will produce a patch, soon.

Dave

On Mon, Jan 06, 2003 at 01:23:10PM +0900, ITOH Yasufumi wrote:
> I have a similar panic in wi_write_bap.
> In my case, I suspect that this is an off-by-one error.
> 
>     fatal page fault in supervisor mode
>     trap type 6 code 0 eip c015e0d7 cs 8 eflags 10246 cr2 c5f9d000 imask 70
>     panic: trap
>     Begin traceback...
>     _trap() at _trap+0x206
>     --- trap (number 6) ---
>     _wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f
> 
> (complete stack trace is shown below)
> The trap type #6 is a page fault, a bad address reference in the kernel.
> 
> The parameters are buf=c5f9cea1 and buflen=15f, and buf + buflen = c5f9d000.
> The buffer is at the end of a page.
> 
> The fault address is cr2 = c5f9d000, and I think the problem is
> caused by off-by-one failure of
> 
>     sys/dev/ic/wi.c:
>     static int
>     wi_write_bap(struct wi_softc *sc, int id, int off, void *buf, int buflen)
>     {
>         ...
>         cnt = (buflen + 1) / 2;		/* XXXX this part of code. */
>         CSR_WRITE_MULTI_STREAM_2(sc, WI_DATA0, (u_int16_t *)buf, cnt);
>         ...
>     }
> 
> If the buflen is odd, this code always accesses one byte after
> the allocated buffer.
> 
> Similar code is in wi_read_bap(), wi_write_rid() and wi_get_cfg().
> I'm not sure if these are problematic or not.
> 
> 
> Here's the complete stack trace.
> 
> pcmcia0: CIS version PC Card Standard 5.0
> pcmcia0: CIS info: IO DATA, WNB11PCM, Version 01.02, 
> pcmcia0: Manufacturer code 0x28a, product 0x2
> pcmcia0: function 0: network adapter, ccr addr 3e0 mask 1
> pcmcia0: function 0, config table entry 1: I/O card; irq mask ffff; iomask 6, iospace 0-3f; io16 irqpulse irqlevel
> wi0 at pcmcia0 function 0: IO DATA, WNB11PCM, Version 01.02
> wi0: 802.11 address xx:xx:xx:xx:xx:xx
> wi0: using RF:PRISM2 MAC:HFA3841 CARD:HWB3163-SST-flash
> wi0: Intersil Firmware: Primary (0.3.0), Station (0.8.2)
> wi0: supported rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
> fatal page fault in supervisor mode
> trap type 6 code 0 eip c015e0d7 cs 8 eflags 10246 cr2 c5f9d000 imask 70
> panic: trap
> Begin traceback...
> _trap() at _trap+0x206
> --- trap (number 6) ---
> _wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f
> _wi_start(c06f4034,c0685684,5dc,c010a766) at _wi_start+0x39e
> _ether_output(c06f4034,c068ce00,c0685684,c0686420,c06e58c8) at _ether_output+0x56c
> _ip_output(c068ce00,0,c0685680,0,0) at _ip_output+0x52e
> _tcp_output(c06e58c8,afc80,c0115520,c06e58c8) at _tcp_output+0x115f
> _tcp_input(c0701400,14,6,c05baa00,c0701400) at _tcp_input+0x1cf1
> _ip_input(c0701400,4,c0590d20,0) at _ip_input+0x67a
> _ipintr(10,30,10,10,c0412000) at _ipintr+0x7a
> _Xsoftnet() at _Xsoftnet+0x2c
> --- interrupt ---
> _mpidle(c03b5bec,0,c0415f50,c02974bb) at _mpidle
> bpendtsleep(c03b5bec,4,c02974f5,0,0,c029755c,c0415f80,c0297568) at bpendtsleep
> _uvm_scheduler(c0411010,411000,41a000,0,0) at _uvm_scheduler+0x78
> _main(0,0,0,0,0) at _main+0x742
> End traceback...
> syncing disks... fatal page fault in supervisor mode
> trap type 6 code 0 eip c02686c1 cs 8 eflags 10202 cr2 10c imask 0
> panic: trap
> Begin traceback...
> _trap() at _trap+0x206
> --- trap (number 6) ---
> _genfs_putpages(c04156d4,1,1,1,0) at _genfs_putpages+0x2f9
> _ffs_putpages(c04156d4,50,0,c0220103,0) at _ffs_putpages+0x11d
> _VOP_PUTPAGES(c6b0ec30,0,0,0,0,11,c0415750,c01f089f) at _VOP_PUTPAGES+0x49
> _ffs_full_fsync(c04157ec,11,c0415790,c025c76a,0) at _ffs_full_fsync+0x98
> _ffs_fsync(c04157ec,10012,c06ba800,c0264d28,c6b0ec30) at _ffs_fsync+0x3c
> _VOP_FSYNC(c6b0ec30,c0576e80,0,0,0,0,0,c03b5bec) at _VOP_FSYNC+0x58
> _ffs_sync(c0694200,2,c0576e80,c03b5bec) at _ffs_sync+0xcf
> _sys_sync(c03b5bec,0,0,c025e7d4,100) at _sys_sync+0x5a
> _vfs_shutdown(c041592c,1,fff2,c023ec18,c023f274) at _vfs_shutdown+0x6e
> _cpu_reboot(100,0,c0415970,c02b84fa,70) at _cpu_reboot+0x3b
> _panic(c02b8245,c02b81f0,c0415978,2,70) at _panic+0x123
> _trap() at _trap+0x206
> --- trap (number 6) ---
> _wi_write_bap(c06f4000,12b,78,c5f9cea1,15f) at _wi_write_bap+0x7f
> _wi_start(c06f4034,c0685684,5dc,c010a766) at _wi_start+0x39e
> _ether_output(c06f4034,c068ce00,c0685684,c0686420,c06e58c8) at _ether_output+0x56c
> _ip_output(c068ce00,0,c0685680,0,0) at _ip_output+0x52e
> _tcp_output(c06e58c8,afc80,c0115520,c06e58c8) at _tcp_output+0x115f
> _tcp_input(c0701400,14,6,c05baa00,c0701400) at _tcp_input+0x1cf1
> _ip_input(c0701400,4,c0590d20,0) at _ip_input+0x67a
> _ipintr(10,30,10,10,c0412000) at _ipintr+0x7a
> _Xsoftnet() at _Xsoftnet+0x2c
> --- interrupt ---
> _mpidle(c03b5bec,0,c0415f50,c02974bb) at _mpidle
> bpendtsleep(c03b5bec,4,c02974f5,0,0,c029755c,c0415f80,c0297568) at bpendtsleep
> _uvm_scheduler(c0411010,411000,41a000,0,0) at _uvm_scheduler+0x78
> _main(0,0,0,0,0) at _main+0x742
> End traceback...
> 
> dumping to dev 0,1 offset 608565
> dump 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 succeeded
> 
> 
> rebooting...
> 
> -- 
> ITOH Yasufumi

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Engineering from the Right Brain
                        Urbana, IL * (217) 278-3933
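The over-read ITOH describes, reproduced against a toy FIFO as an added example (not code from this thread or from sys/dev/ic/wi.c): the rounded-up word count pulls in the byte after an odd-length buffer, whereas staging the odd trailing byte in a local zero-padded word sends the same words to the card without touching memory past buf + buflen. The FIFO model and every function name below are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Model of the card's 16-bit data register (WI_DATA0): each call appends cnt
 * words read from buf, like the driver's CSR_WRITE_MULTI_STREAM_2 macro.
 * The FIFO model and the function names below are assumptions. */
#define FIFO_WORDS 64
static uint16_t fifo[FIFO_WORDS];
static int fifo_len;

static void csr_write_multi_stream_2(const uint16_t *buf, int cnt)
{
    for (int i = 0; i < cnt && fifo_len < FIFO_WORDS; i++)
        fifo[fifo_len++] = buf[i];      /* touches 2*cnt bytes of buf */
}

/* The pattern from the report: rounding buflen up to whole words makes an
 * odd buflen dereference one byte past buf + buflen. */
static void write_bap_rounded(const void *buf, int buflen)
{
    int cnt = (buflen + 1) / 2;
    csr_write_multi_stream_2((const uint16_t *)buf, cnt);
}

/* Same words on the wire, but nothing beyond buf + buflen is read: whole words
 * go out directly; a trailing odd byte is staged in a zero-padded local word. */
static void write_bap_bounded(const void *buf, int buflen)
{
    const uint8_t *p = buf;
    csr_write_multi_stream_2((const uint16_t *)p, buflen / 2);
    if (buflen & 1) {
        uint16_t last = 0;
        memcpy(&last, p + buflen - 1, 1);   /* reads exactly one byte */
        csr_write_multi_stream_2(&last, 1);
    }
}

/* Constructed input: a 5-byte payload (odd, like buflen 0x15f in the trace)
 * followed by 0xEE sentinels standing in for the unmapped page after it.
 * Returns 1 if a sentinel byte reached the FIFO, i.e. the over-read happened. */
static int sentinel_leaked(void (*fn)(const void *, int))
{
    union { uint16_t w[4]; uint8_t b[8]; } r = {
        .b = { 0x11, 0x22, 0x33, 0x44, 0x55, 0xEE, 0xEE, 0xEE } };
    fifo_len = 0;
    fn(r.b, 5);
    uint16_t last = fifo[fifo_len - 1];
    return (last & 0xff) == 0xEE || (last >> 8) == 0xEE;
}
```

Both variants push the same number of words, so the fix changes only which bytes are read, not what the card receives.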