Subject: kern/10370: cardbus probe croaks in pcmcia_read_cis()
To: None <gnats-bugs@gnats.netbsd.org>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: netbsd-bugs
Date: 06/14/2000 20:35:15
>Number:         10370
>Category:       kern
>Synopsis:       cardbus probe croaks in pcmcia_read_cis()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 14 20:36:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     John Kohl
>Release:        NetBSD-current, 2000-06-13
>Organization:
NetBSD Kernel Hackers `R` Us
>Environment:
	
System: NetBSD kolvir.arlington.ma.us 1.4X NetBSD 1.4X (KOLVIR) #4: Sun Apr 9 17:56:09 EDT 2000 jtk@kolvir.arlington.ma.us:/usr/u4/sandbox/src/sys/arch/i386/compile/KOLVIR i386


>Description:
cardbus probes fail on my IBM ThinkPad 600E.
I've got this configured for CardBus related items:
options 	PCIBIOS			# PCI BIOS support
options 	PCIBIOSVERBOSE		# PCI BIOS verbose info
options 	PCIBIOS_INTR_FIXUP	# fixup PCI interrupt routing
options 	PCIBIOS_BUS_FIXUP	# fixup PCI bus numbering
ne*	at pcmcia? function ?		# NE2000-compatible Ethernet
wi*	at pcmcia? function ?		# Lucent WaveLan IEEE (802.11)
xi*	at pcmcia? function ?		# Xircom PCMCIA cards
com*	at pcmcia? function ?		# Modems and serial cards
pcmcom*	at pcmcia? function ?		# PCMCIA multi-port serial cards
com*	at pcmcom? slave ?		# ...and the slave devices

# CardBus bus support
cardbus*	at cardslot?
pcmcia*		at cardslot?

cbb*	at pci? dev? function ?

cardslot*	at cbb?	

I believe it's walking off the end of a mapped page, into unmapped
space.

>How-To-Repeat:
Here's the boot trace (from a serial console).  I've tried it with three
different types of cards (ne0, wi0, xi0), all fail this way.

Copyright (c) 1996, 1997, 1998, 1999, 2000
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 1.4ZD (SAKECB) #1: Wed Jun 14 23:22:34 EDT 2000
    jtk@sake:/usr/users/jtk/src/sys/arch/i386/compile/SAKECB
cpu0: family 6 model 6 step a
cpu0: Intel Pentium II (Celeron) (686-class)
total memory = 127 MB
avail memory = 115 MB
using 1656 buffers containing 6624 KB of memory
BIOS32 rev. 0 found at 0xfd820
PCI BIOS rev. 2.1 found at 0xfd880
pcibios: config mechanism [1][x], special cycles [1][x], last bus 7
PCI IRQ Routing Table rev. 1.0 found at 0xf9e40, size 112 bytes (5 entries)
PCI Interrupt Router at 000:07:0
PCI Exclusive IRQs: 11
--------------------------------------------
  device vendor product pin PIRQ   IRQ stage
--------------------------------------------
000:02:0 0x104c 0xac1d  A   0x00   11  0
000:02:1 0x104c 0xac1d  B   0x01   11  0
000:06:0 0x1013 0x6001  A   0x00   11  0
000:07:2 0x8086 0x7112  D   0x03   11  0
--------------------------------------------
PCI bridge 0: primary 0, secondary 1, subordinate 1
PCI bridge 1: primary 0, secondary 2, subordinate 2
PCI bridge 2: primary 0, secondary 3, subordinate 3
PCI bus #3 is the last bus
mainbus0 (root)
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled
pchb0 at pci0 dev 0 function 0
pchb0: Intel 82443BX Host Bridge/Controller (rev. 0x03)
ppb0 at pci0 dev 1 function 0: Intel 82443BX AGP Interface (rev. 0x03)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga1 at pci1 dev 0 function 0: Neomagic MagicMedia 256AV VGA (rev. 0x12)
wsdisplay0 at vga1
cbb0 at pci0 dev 2 function 0: Texas Instruments PCI1251 PCI-CardBus Bridge (rev. 0x00)
cbb1 at pci0 dev 2 function 1: Texas Instruments PCI1251 PCI-CardBus Bridge (rev. 0x00)
clcs0 at pci0 dev 6 function 0: Cirrus Logic CS4610 SoundFusion Audio Accelerator (rev. 0x01)
clcs0: interrupting at irq 11
clcs0: codec ready timeout
pcib0 at pci0 dev 7 function 0
pcib0: Intel 82371AB PCI-to-ISA Bridge (PIIX4) (rev. 0x02)
pciide0 at pci0 dev 7 function 1: Intel 82371AB IDE controller (PIIX4) (rev. 0x01)
pciide0: bus-master DMA support present
pciide0: primary channel wired to compatibility mode
wd0 at pciide0 channel 0 drive 0: <HITACHI_DK239A-65B>
wd0: drive supports 16-sector pio transfers, lba addressing
wd0: 6149 MB, 13328 cyl, 15 head, 63 sec, 512 bytes/sect x 12594960 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2
pciide0: primary channel interrupting at irq 14
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (using DMA data transfers)
pciide0: secondary channel wired to compatibility mode
atapibus0 at pciide0 channel 1
cd0 at atapibus0 drive 0: <CRN-8241B, 1999/09/04, 1.22> type 5 cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2
pciide0: secondary channel interrupting at irq 15
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2 (using DMA data transfers)
uhci0 at pci0 dev 7 function 2: Intel 82371AB USB Host Controller (PIIX4) (rev. 0x01)
uhci0: interrupting at irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Management Controller (PIIX4) (miscellaneous bridge, revision 0x02) at pci0 dev 7 function 3 not configured
cbb0: interrupting at irq 11
cbb0: cacheline 0x8 lattimer 0xb0
cbb0: bhlc 0x82a808 lscp 0xb0020200
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cbb1: interrupting at irq 11
cbb1: cacheline 0x8 lattimer 0xb0
cbb1: bhlc 0x82a808 lscp 0xb0030300
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com0: console
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220-0x237 irq 5 drq 0: dsp v3.02
audio0 at sb0: half duplex, mmap, independent
midi0 at sb0: SB MIDI UART
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
isapnp0: no ISA Plug 'n Play devices found
apm0 at mainbus0: Power Management spec V1.2
biomask efcd netmask efcd ttymask ffcf
uvm_fault(0xc02ff2a0, 0xc992f000, 0, 1) -> 1
kernel: page fault trap, code=0
Stopped in cardslot1 at pcmcia_scan_cis+0x1a6:  movb             0(%eax,%ecx,1),%al
db> t
pcmcia_scan_cis(c05edc00,c0267464,c992bed0,ffffffff,0) at pcmcia_scan_cis+0x1a6
pcmcia_read_cis(c05edc00,c05ddaac,c05db800,c05db800,ffffffff) at pcmcia_read_cis+0x9c
pcmcia_card_attach(c05edc00) at pcmcia_card_attach+0x27
cardslot_event_thread(c05db800) at cardslot_event_thread+0x1ed
db> print $eax
    1000
db> print $ecx
c992e000
db> x/x $ecx+$eax
0xc992f000:uvm_fault(0xc02ff2a0, 0xc992f000, 0, 1) -> 1
     kernel: page fault trap, code=0
Faulted in DDB; continuing...
db> x/x $ecx+$eax-4
0xc992effc:     0
db> x/i,32 pcmcia_scan_cis+0x1a6
pcmcia_scan_cis+0x1a6:  movb             0(%eax,%ecx,1),%al
pcmcia_scan_cis+0x1a9:  movzbl  %eax,%ecx
pcmcia_scan_cis+0x1ac:  movl    %ecx,0xffffffd0(%ebp)
pcmcia_scan_cis+0x1af:  testl   %ecx,%ecx
pcmcia_scan_cis+0x1b1:  jnz     pcmcia_scan_cis+0x1d0
pcmcia_scan_cis+0x1b3:  cmpl    $0,pcmciacis_debug
pcmcia_scan_cis+0x1ba:  jz      pcmcia_scan_cis+0x1c9
pcmcia_scan_cis+0x1bc:  pushl   $0xc02c53ef
pcmcia_scan_cis+0x1c1:  call    printf
pcmcia_scan_cis+0x1c6:  addl    $0x4,%esp
pcmcia_scan_cis+0x1c9:  incl    0xffffffdc(%ebp)
pcmcia_scan_cis+0x1cc:  jmp     pcmcia_scan_cis+0x188
pcmcia_scan_cis+0x1ce:  movl    %esi,%esi
pcmcia_scan_cis+0x1d0:  cmpl    $0xff,%ecx
pcmcia_scan_cis+0x1d6:  jnz     pcmcia_scan_cis+0x214
pcmcia_scan_cis+0x1d8:  cmpl    $0,pcmciacis_debug
pcmcia_scan_cis+0x1df:  jz      pcmcia_scan_cis+0x1ee
pcmcia_scan_cis+0x1e1:  pushl   $0xc02c5400
pcmcia_scan_cis+0x1e6:  call    printf
pcmcia_scan_cis+0x1eb:  addl    $0x4,%esp
pcmcia_scan_cis+0x1ee:  movl          0x10(%ebp),%edx
pcmcia_scan_cis+0x1f1:  pushl   %edx
pcmcia_scan_cis+0x1f2:  movl    0xfffffddc(%ebp),%eax
pcmcia_scan_cis+0x1f8:  pushl   %eax
pcmcia_scan_cis+0x1f9:  movl           0xc(%ebp),%edx
pcmcia_scan_cis+0x1fc:  call    *%edx
pcmcia_scan_cis+0x1fe:  movl    %eax,%ecx
pcmcia_scan_cis+0x200:  addl    $0x8,%esp
pcmcia_scan_cis+0x203:  testl   %ecx,%ecx
pcmcia_scan_cis+0x205:  jnz     pcmcia_scan_cis+0xe4
pcmcia_scan_cis+0x20b:  incl    0xffffffdc(%ebp)
pcmcia_scan_cis+0x20e:  jmp     pcmcia_scan_cis+0xb08
pcmcia_scan_cis+0x213:  nop
pcmcia_scan_cis+0x214:  cmpl    $0,0xffffffe0(%ebp)
pcmcia_scan_cis+0x218:  jnz     pcmcia_scan_cis+0x228
pcmcia_scan_cis+0x21a:  movl    0xffffffdc(%ebp),%edx
pcmcia_scan_cis+0x21d:  incl    %edx
pcmcia_scan_cis+0x21e:  imull   0xffffffd8(%ebp),%edx
pcmcia_scan_cis+0x222:  addl    0xffffffe4(%ebp),%edx
pcmcia_scan_cis+0x225:  inb     %dx,%al
pcmcia_scan_cis+0x226:  jmp     pcmcia_scan_cis+0x236
pcmcia_scan_cis+0x228:  movl    0xffffffdc(%ebp),%eax
pcmcia_scan_cis+0x22b:  incl    %eax
pcmcia_scan_cis+0x22c:  imull   0xffffffd8(%ebp),%eax
pcmcia_scan_cis+0x230:  movl    0xffffffe4(%ebp),%ecx
pcmcia_scan_cis+0x233:  movb             0(%eax,%ecx,1),%al
pcmcia_scan_cis+0x236:  movzbl  %eax,%ecx
pcmcia_scan_cis+0x239:  movl    %ecx,0xffffffd4(%ebp)
pcmcia_scan_cis+0x23c:  movl    0xffffffd0(%ebp),%ebx
pcmcia_scan_cis+0x23f:  leal    0xfffffffa(%ebx),%ecx
db> x/s 0xc02c53ef
thisfunc.80+0x15af:     CISTPL_NONE\012 00\012

>Fix:
	
>Release-Note:
>Audit-Trail:
>Unformatted:
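The trace above faults on the byte load at pcmcia_scan_cis+0x1a6 once the tuple index reaches the first byte past the mapped window. The walk below is an added example (not NetBSD's pcmcia_scan_cis, and not from the report) of the defensive check that pattern calls for: the scanner stops when the next code or link byte would fall outside the window instead of reading through it. The CIS windows it scans are constructed byte arrays standing in for a card's attribute memory.

```c
/* Bounds-checked CIS tuple walk (added example, not NetBSD's pcmcia_scan_cis).
 * Attribute-memory tuples sit at every other byte (stride 2); the windows
 * below are constructed byte arrays standing in for a mapped CIS window. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CISTPL_NULL 0x00
#define CISTPL_END  0xff
/* Walks the tuple chain in a window of `len` bytes. Returns the number of
 * tuples found, or -1 when the chain would run past the window before a
 * CISTPL_END is seen, instead of reading beyond the mapping. */
int scan_cis(const uint8_t *win, size_t len, size_t stride, int verbose)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (off >= len) return -1;              /* tuple code outside window */
        uint8_t code = win[off];
        if (code == CISTPL_NULL) {              /* one-byte null tuple, no link */
            off += stride;
            continue;
        }
        if (code == CISTPL_END) return count;
        if (off + stride >= len) return -1;     /* link byte outside window */
        uint8_t link = win[off + stride];
        count++;
        if (verbose) printf("tuple 0x%02x, %d data bytes\n", code, (int)link);
        if (link == 0xff) return count;         /* link 0xff also ends chain */
        off += (size_t)(2 + link) * stride;     /* skip code, link and data */
    }
}
/* Constructed samples in attribute-memory layout (odd bytes unused). */
static const uint8_t good_cis[] = {
    0x01,0, 0x03,0, 0xaa,0, 0xbb,0, 0xcc,0,   /* CISTPL_DEVICE, 3 data bytes */
    0x15,0, 0x02,0, 0x04,0, 0x01,0,           /* CISTPL_VERS_1, 2 data bytes */
    0xff,0                                    /* CISTPL_END */
};
static const uint8_t no_end_cis[] = {         /* same chain, END tuple missing */
    0x01,0, 0x03,0, 0xaa,0, 0xbb,0, 0xcc,0,
    0x15,0, 0x02,0, 0x04,0, 0x01,0
};

int main(void)
{
    printf("good: %d tuples\n", scan_cis(good_cis, sizeof good_cis, 2, 1));
    printf("no end: %d\n", scan_cis(no_end_cis, sizeof no_end_cis, 2, 0));
    return 0;
}
```

With the END tuple missing, the second scan returns -1 at the point where an unchecked walk would have issued the load past the window.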