Subject: port-vax/25307: Raw disk I/O broken on VAXstation 3100/m30, causes panic
To: None <gnats-bugs@gnats.NetBSD.org>
From: Anders Hjalmarsson <hjalmar@hjalmar.to>
List: netbsd-bugs
Date: 04/25/2004 02:21:38
>Number: 25307
>Category: port-vax
>Synopsis: Raw disk I/O broken on VAXstation 3100/m30, causes panic
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: port-vax-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 25 00:22:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Anders Hjalmarsson
>Release: NetBSD 2.0C
>Organization:
unorganized
>Environment:
System: NetBSD 2.0C NetBSD 2.0C (VS3100_30-$Revision: 1.118 $) #7: Sat Apr 24 23:14:34 UTC 2004 hjalmar@simh-vax.hjalmar.to:/var/obj/config/vax/compile/VS3100_30 vax
Architecture: vax
Machine: vax
>Description:
Raw disk I/O broken on VAXstation 3100/m30, causes panic
This probably affects all vaxen attching si at vsbus and
maybe those with hdc at vsbus.
Partial dmesg:
si0 at vsbus0 csr 0x200c0080 vec 770 ipl 14 maskbit 1
si0: NCR5380, SCSI ID 6
scsibus0 at si0: 8 targets, 8 luns per target
scsibus0: waiting 2 seconds for devices to settle...
sd0 at scsibus0 target 0 lun 0: <DEC, RZ24 (C) DEC, 211B> disk fixed
sd0: drive offline
sd0: async, 8-bit transfers
sd1 at scsibus0 target 2 lun 0: <DEC, RZ24 (C) DEC, 211B> disk fixed
sd1: drive offline
sd1: async, 8-bit transfers
>How-To-Repeat:
# dd if=/dev/rsd0c bs=8k count=1 of=/dev/null
panic: trap: access fault: addr 800c09e2 code 8087d000
Stopped at netbsd:trap+0x1ab: bbc $2, 75(r7), trap+0x1bd
db> bt
panic: trap: access fault: addr 800defa1 code 10
Stopped at netbsd:trap+0x1ab: bbc $2, 75(r7), trap+0x1bd
# dd if=/dev/zero bs=8k count=1 of=/dev/rsd0b
panic: Segv in kernel mode: pc 800c0afc addr 89ded000
Stopped in pid 9.1 (dd) at netbsd:trap+0x2c2: movl $2, -52(fp)
db>
db> bt
panic: Segv in kernel mode: pc %x addr %x
Stack traceback :
0x82dd9930: trap+0x2c2(0x82dd9a04)
0x82dd9a04: trap type=0x8 code=0x89ded000 pc=0x800c0afc psl=0xd50000
0x82dd99d0: vsbus_copyfromproc+0xc4(0x802a6960,0x26000,0x82582000,0x2000)
0x82dd9a50: si_dma_go+0x2b(0x81013000)
0x82dd9a90: vsbus_dma_intr+0x36(void)
0x82dd9ab4: vsbus_dma_start+0x25(0x810135d8)
0x82dd9acc: si_dma_start+0x1e(0x81013000)
0x82dd9ae8: ncr5380_data_xfer+0xd9(0x81013000,0)
0x82dd9b04: ncr5380_machine+0xdf(0x81013000)
0x82dd9b2c: ncr5380_sched+0x240(0x81013000)
0x82dd9b60: ncr5380_scsipi_request+0x12e(0x81013064,0,0x802b2000)
0x82dd9b94: scsipi_run_queue+0x11b(0x81013064)
0x82dd9bd0: scsipi_execute_xs+0x1b7(0x802b2000)
0x82dd9c04: scsi_scsipi_cmd+0xd6(0x8103ee00,0x82dd9cd4,0x6,0x26000,0x2000,0x4,0x
ea60,0x802b3e88,0x22009)
0x82dd9c38: scsipi_command+0x5c(0x8103ee00,0x82dd9cd4,0x6,0x26000,0x2000,0x4,0xe
a60,0x802b3e88,0x22009)
0x82dd9c8c: sdstart+0x1ad(0x8103ee00)
0x82dd9ce8: sdstrategy+0x217(0x802b3e88)
0x82dd9d20: physio+0x194(0x800d24b2,0,0x3b01,0,0x800d292e,0x82dd9eb8)
0x82dd9d64: sdwrite+0x1f(0x3b01,0x82dd9eb8,0x1)
0x82dd9dac: spec_write+0xc2(0x82dd9e50)
0x82dd9e00: ufsspec_write+0x33(0x82dd9e50)
0x82dd9e34: vn_write+0x11d(0x802ed0a8,0x802ed0d0,0x82dd9eb8,0x80ff8e80,0x1)
0x82dd9e64: dofilewrite+0x73(0x802a6960,0x4,0x802ed0a8,0x26000,0x2000,0x802ed0d0
,0x1,0x82dd9f58)
0x82dd9ed8: sys_write+0x60(0x802ad2e8,0x82dd9f60,0x82dd9f58)
0x82dd9f20: syscall+0xdc(0x82dd9fb4)
db>
>Fix:
The problem is in vsbus_copyfromproc and vsbus_copytoproc.
The conversion to physical address uses the virtual address instead
of the virtual page (See pmap.c:vaddrtopte for a typical correct
conversion).
Also, vsbus_copyfromproc uses "to" instead of "from" in the conversion.
Index: vsbus.c
===================================================================
RCS file: /cvsroot/src/sys/arch/vax/vsa/vsbus.c,v
retrieving revision 1.44
diff -u -r1.44 vsbus.c
--- vsbus.c 2003/07/15 02:15:07 1.44
+++ vsbus.c 2004/04/24 23:51:23
@@ -311,10 +311,16 @@
bcopy(from, to, len);
return;
}
- if ((long)to & 0x40000000)
- pte = &p->p_vmspace->vm_map.pmap->pm_p1br[((long)to & ~0x40000000)];
+
+#ifdef DIAGNOSTIC
+ if (p == NULL)
+ panic("vsbus_copytoproc: no proc");
+#endif
+
+ if ((vaddr_t)to & 0x40000000)
+ pte = &p->p_vmspace->vm_map.pmap->pm_p1br[vax_btop((vaddr_t)to & ~0x40000000)];
else
- pte = &p->p_vmspace->vm_map.pmap->pm_p0br[(long)to];
+ pte = &p->p_vmspace->vm_map.pmap->pm_p0br[vax_btop((vaddr_t)to)];
if ((vaddr_t)to & PGOFSET) {
int cz = round_page((vaddr_t)to) - (vaddr_t)to;
@@ -345,10 +351,16 @@
bcopy(from, to, len);
return;
}
- if ((long)to & 0x40000000)
- pte = &p->p_vmspace->vm_map.pmap->pm_p1br[((long)to & ~0x40000000)];
+
+#ifdef DIAGNOSTIC
+ if (p == NULL)
+ panic("vsbus_copyfromproc: no proc");
+#endif
+
+ if ((vaddr_t)from & 0x40000000)
+ pte = &p->p_vmspace->vm_map.pmap->pm_p1br[vax_btop((vaddr_t)from & ~0x40000000)];
else
- pte = &p->p_vmspace->vm_map.pmap->pm_p0br[(long)to];
+ pte = &p->p_vmspace->vm_map.pmap->pm_p0br[vax_btop((vaddr_t)from)];
if ((vaddr_t)from & PGOFSET) {
int cz = round_page((vaddr_t)from) - (vaddr_t)from;
>Release-Note:
>Audit-Trail:
>Unformatted:
NetBSD current from a few days ago