netbsd-bugs: port-sparc/14845: SS5 accessing MAGMA LC2+1Sp panics kernel w/data fault

Subject: port-sparc/14845: SS5 accessing MAGMA LC2+1Sp panics kernel w/data fault
To: None <gnats-bugs@gnats.netbsd.org>
From: John D. Baker <jdbaker@blkbox.com>
List: netbsd-bugs
Date: 12/05/2001 02:13:55
>Number:         14845
>Category:       port-sparc
>Synopsis:       SS5 accessing MAGMA LC2+1Sp panics kernel w/data fault
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-sparc-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 05 00:04:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     John D. Baker
>Release:        NetBSD 1.5.2
>Organization:
Network Byte Order
>Environment:
System: NetBSD pizza 1.5.2 NetBSD 1.5.2 (PIZZA) #0: Wed Dec 5 01:00:00 CST 2001 root@pizza:/usr/src/sys/arch/sparc/compile/PIZZA sparc

>Description:

SPARCstation 5 with MAGMA LC2+1Sp card as noted in boot messages below.
Custom kernel is used to provide more debugging information.

Using the 'cu' utility to access a serial port on the MAGMA card causes
a kernel panic as noted in the "How to Repeat" section.  Same happens
if 'ttyflags' operates on a MAGMA-resident port defined in /etc/ttys.

NetBSD 1.5.2 (PIZZA) #0: Wed Dec  5 01:00:00 CST 2001
    root@pizza:/usr/src/sys/arch/sparc/compile/PIZZA
total memory = 65124 KB
avail memory = 57080 KB
using 839 buffers containing 3356 KB of memory
bootpath: /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@3,0
mainbus0 (root): SUNW,SPARCstation-5
cpu0 at mainbus0: MB86904 @ 85 MHz, on-chip FPU
cpu0: 16K instruction (32 b/l), 8K data (16 b/l): cache enabled
obio0 at mainbus0
clock0 at obio0 slot 0 offset 0x200000: mk48t08 (eeprom)
timer0 at obio0 slot 0 offset 0xd00000 delay constant 40
zs0 at obio0 slot 0 offset 0x100000 level 12 softpri 6
zstty0 at zs0 channel 0 (console i/o)
zstty1 at zs0 channel 1
zs1 at obio0 slot 0 offset 0x0 level 12 softpri 6
kbd0 at zs1 channel 0
ms0 at zs1 channel 1
slavioconfig at obio0 slot 0 offset 0x800000 not configured
auxreg0 at obio0 slot 0 offset 0x900000
power0 at obio0 slot 0 offset 0x910000 level 2
fdc0 at obio0 slot 0 offset 0x400000 level 11: no drives attached
iommu0 at mainbus0 addr 0x10000000: version 0x4/0x0, page-size 4096, range 64MB
sbus0 at iommu0: clock = 21.250 MHz
dma0 at sbus0 slot 5 offset 0x8400000: rev 2
esp0 at dma0 slot 5 offset 0x8800000 level 4: ESP200, 40MHz, SCSI ID 7
scsibus0 at esp0: 8 targets, 8 luns per target
bpp0 at sbus0 slot 5 offset 0xc800000 level 2 (ipl 3): rev 2
ledma0 at sbus0 slot 5 offset 0x8400010: rev 2
le0 at ledma0 slot 5 offset 0x8c00000 level 6: address 08:00:20:73:3f:c0
le0: 8 receive buffers, 2 transmit buffers
audiocs0 at sbus0 slot 4 offset 0xc000000 level 9: CS4231A
audio0 at audiocs0: full duplex
power-management at sbus0 slot 4 offset 0xa000000 not configured
dma1 at sbus0 slot 1 offset 0x81000: rev esc
esp1 at dma1 slot 1 offset 0x80000 level 3 (ipl 5): ESP200, 40MHz, SCSI ID 7
scsibus1 at esp1: 8 targets, 8 luns per target
lebuffer0 at sbus0 slot 1 offset 0x40000: 128K memory
le1 at lebuffer0 slot 1 offset 0x60000 level 4 (ipl 7): address 08:00:20:73:3f:c0
le1: 64 receive buffers, 16 transmit buffers
qec0 at sbus0 slot 2 offset 0x20000: 128K memory
be0 at qec0 slot 0 offset 0x0 level 4 (ipl 7) rev 1 address 08:00:20:73:3f:c0
on-board transceiver at be0: 10baseT, 100baseTX, auto
magma: matched `MAGMA_Sp'
magma: magma_prom `MAGMA,21_Sp'
magma: intlevels `2 7 8 9'
magma: chiprev `E'
magma: clock `64'
magma0 at sbus0 slot 3 offset 0x0 level 9 addr 0xf046e300 softpri 6: Magma LC 2+1 Sp
magma0 attach CD1400 0 addr 0xfe09a000 rev 48 clock 25Mhz
mtty0 at magma0 addr 0xf047a400: 2 ttys
mbpp0 at magma0 addr 0xf046e200: 1 port
scsibus0: waiting 2 seconds for devices to settle...
probe(esp0:1:0): max sync rate 10.00MB/s
sd0 at scsibus0 target 1 lun 0: <SEAGATE, ST5660N  SUN0535, 0644> SCSI2 0/direct fixed
sd0: 520 MB, 3002 cyl, 4 head, 88 sec, 512 bytes/sect x 1065664 sectors
probe(esp0:2:0): max sync rate 10.00MB/s
sd1 at scsibus0 target 2 lun 0: <SEAGATE, ST32550W SUN2.1G, 0416> SCSI2 0/direct fixed
sd1: 2048 MB, 3511 cyl, 11 head, 108 sec, 512 bytes/sect x 4194995 sectors
probe(esp0:3:0): max sync rate 10.00MB/s
sd2 at scsibus0 target 3 lun 0: <QUANTUM, EMPIRE_1080S, 1220> SCSI2 0/direct fixed
sd2: 1029 MB, 2874 cyl, 8 head, 91 sec, 512 bytes/sect x 2109376 sectors
probe(esp0:4:0): max sync rate 10.00MB/s
sd3 at scsibus0 target 4 lun 0: <CWS ORB2, -SE U ID 4, D29> SCSI2 0/direct removable
sd3: 2103 MB, 534 cyl, 128 head, 63 sec, 512 bytes/sect x 4307184 sectors
cd0 at scsibus0 target 6 lun 0: <SONY, CD-ROM CDU-541, 2.6a> SCSI2 5/cdrom removable
scsibus1: waiting 2 seconds for devices to settle...
root on sd2a dumps on sd2b
mountroot: trying coda...
mountroot: trying msdos...
mountroot: trying cd9660...
mountroot: trying lfs...
mountroot: trying nfs...
mountroot: trying ffs...
root file system type: ffs
init: copying out path `/sbin/init' 11


>How-To-Repeat:

On freshly installed system, create the MAGMA device files:

# cd /dev
# ./MAKEDEV magma0
# chmod a+rw tty0?
# cd

Use 'cu' to open a serial port to a modem:

# cu -l /dev/tty00 -s 38400       
Connected.

At this point, a modem on the serial port shows that DTR has been
asserted.  A single key on the console terminal is typed, producing
the following:

data fault: pc=0xf001e188 addr=0x8 sfsr=326<PERR=0,LVL=3,AT=1,FT=1,FAV,OW>
panic: kernel fault
Stopped in cu at        cpu_Debugger+0x4:       jmpl            [%o7 + 0x8], %g0

db> trace
mem_access_fault4m(0x0, 0x326, 0x8, 0xf0234a18, 0xf01aa2e8, 0x400) at mem_access
_fault4m+0x310
memfault_sun4m(0x0, 0x0, 0x0, 0x0, 0xf0087c60, 0xffffffff) at memfault_sun4m+0x1
4c
cs4231_intr(0xf046e500, 0xf001e0e0, 0xf045f100, 0xf00816d0, 0x0, 0x1) at cs4231_
intr+0x18
sparc_interrupt44c(0x1, 0x20000010, 0x0, 0xf04c6380, 0x1, 0xf007ec84) at sparc_i
nterrupt44c+0x170
dofilewrite(0x0, 0x3, 0xf491b428, 0x1, 0x1, 0xf491b448) at dofilewrite+0x8c
sys_write(0xf4904d40, 0xf4a36f28, 0xf4a36f20, 0xf005a264, 0x1, 0xf007eb5c) at sy
s_write+0x90
syscall(0x4, 0xf4a36fb0, 0x0, 0x3, 0x1, 0xf491b058) at syscall+0x1f8
_syscall(0x3, 0xeffff8f7, 0x1, 0xf0002000, 0xe0000000, 0xf4916910) at _syscall+0
x120
db> ps
 PID             PPID       PGRP        UID S   FLAGS          COMMAND    WAIT
 310              309        309          0 3   0x186               cu   ttyin
>Fix:

Not a fix, but some observations.  The existing driver hard-codes the
value of "clock" to 25 (in MHz) instead of reading it from the device
properties.  This may have been sufficient for older MAGMA cards, but
not for recent-production units which have a 64MHz clock.


>Release-Note:
>Audit-Trail:
>Unformatted:
 X-send-pr-version: 3.95
 
 >309              191        309          0 7  0x4106               cu
  191                1        191          0 3  0x4086              csh   pause
  189                1        189          0 3    0x84             cron nanosle
  186                1        186          0 3    0x84            inetd   pause
  104                1        104          0 2    0x84          syslogd
  4                  0          0          0 3 0x20204          ioflush  syncer
  3                  0          0          0 3 0x20204           reaper  reaper
  2                  0          0          0 3 0x20204       pagedaemon daemon_
  1                  0          1          0 3  0x4084             init    wait
  0                 -1          0          0 3 0x20204          swapper schedul
 db> 
 
 
 Also, if entrys for the MAGMA serial ports /dev/tty0? exist in /etc/ttys,
 the system will crash in the same manner when 'ttyflags -a' is run during
 boot.
 
 The problem has been observed with NetBSD 1.5, 1.5.2, the 20011111 snapshot
 (1.5Y?) and with OpenBSD 2.8, 2.9, and 3.0.  All panic the kernel in the
 same fashion.
 
 Tests under Solaris 8 on the same machine, with the driver from MAGMA,
 operate correctly, so the hardware is not at fault.