port-i386/47907: kernel trap when using EISA with I/O APIC on i386

To: port-i386-maintainer%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: port-i386/47907: kernel trap when using EISA with I/O APIC on i386
From: m4j0rd0m0%gmail.com@localhost
Date: Fri, 7 Jun 2013 17:30:00 +0000 (UTC)
>Number:         47907
>Category:       port-i386
>Synopsis:       kernel trap when using EISA with I/O APIC on i386
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 07 17:30:00 +0000 2013
>Originator:     Felix Deichmann
>Release:        6.1
>Organization:
>Environment:
NetBSD/i386 6.1 with patch for i386 MP default configuration
>Description:
Kernel traps when using EISA card in i386 MP default configuration #6 machine 
(EISA+PCI) with a corresponding patch. Console log w/trace follows.
This is due to an evil pointer cast in eisa_intr_establish() when I/O APIC is 
used.


NetBSD 6.1 (GENERIC) #1: Wed May 29 19:55:53 CEST 2013
        root@bla:/usr/src/sys/arch/i386/compile/GENERIC
total memory = 127 MB
avail memory = 112 MB
mainbus0 (root)
acpi_probe: failed to initialize tables
mainbus0: Intel MP Specification (Version 1.1)
mainbus0: MP default configuration 6
cpu0 at mainbus0 apid 0cpu0: prelint0 0x700<vector=0x0,delmode=0x7,dest=0x0> 
0x0<target=0x0>
cpu0: prelint1 0x400<vector=0x0,delmode=0x4,dest=0x0> 0x0<target=0x0>
cpu0: timer0 0x10000<vector=0x0,delmode=0x0,masked,dest=0x0> 0x0<target=0x0>
cpu0: pcint0 0x0<vector=0x0,delmode=0x0,dest=0x0> 0x0<target=0x0>
cpu0: lint0 0x700<vector=0x0,delmode=0x7,dest=0x0> 0x0<target=0x0>
cpu0: lint1 0x400<vector=0x0,delmode=0x4,dest=0x0> 0x0<target=0x0>
cpu0: err0 0x10000<vector=0x0,delmode=0x0,masked,dest=0x0> 0x0<target=0x0>
: Intel 586-class, 100MHz, id 0x526
cpu1 at mainbus0 apid 1: Intel 586-class, id 0x2526
ioapic0 at mainbus0 apid 2, virtual wire mode
ioapic0: int0 attached to ExtINT (type 0x3<type=0x3=ExtINT> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int1 attached to eisa0 EISA irq 1 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int2 attached to eisa0 EISA irq 0 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int3 attached to eisa0 EISA irq 3 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int4 attached to eisa0 EISA irq 4 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int5 attached to eisa0 EISA irq 5 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int6 attached to eisa0 EISA irq 6 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int7 attached to eisa0 EISA irq 7 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int8 attached to eisa0 EISA irq 8 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int9 attached to eisa0 EISA irq 9 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int10 attached to eisa0 EISA irq 10 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int11 attached to eisa0 EISA irq 11 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int12 attached to eisa0 EISA irq 12 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int13 attached to eisa0 EISA irq 13 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int14 attached to eisa0 EISA irq 14 (type 0x0<type=0x0> flags 
0x0<pol=0x0,trig=0x0>)
ioapic0: int15 attached to eisa0 EISA irq 15 (type 0x0<type=0x0> flags 
0xd<pol=0x1=Act Hi,trig=0x3=Level>)
local apic: int0 attached to ExtINT (type 0x3<type=0x3=ExtINT> flags 
0x0<pol=0x0,trig=0x0>)
local apic: int1 attached to NMI (type 0x1<type=0x1=NMI> flags 
0x0<pol=0x0,trig=0x0>)
pci0 at mainbus0 bus 0: configuration mode 2
pchb0 at pci0 dev 0 function 0: vendor 0x8086 product 0x04a3 (rev. 0x11)
pceb0 at pci0 dev 1 function 0
pceb0: vendor 0x8086 product 0x0482 (rev. 0x05)
pciide0 at pci0 dev 2 function 0: vendor 0x1042 product 0x1000 (rev. 0x01)
pciide0: I/O access disabled at device
epic0 at pci0 dev 15 function 0: SMC 83c170 Fast Ethernet (rev. 0x08)
ioapic0: int15 0x8060<vector=0x60,delmode=0x0,level,dest=0x0> 0x0<target=0x0>
epic0: interrupting at ioapic0 pin 15
epic0: SMC9432TX, Ethernet address 00:e0:29:xx:xx:xx
qsphy0 at epic0 phy 3: QS6612 10/100 media interface, rev. 1
qsphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
eisa0 at pceb0
ahc1 at eisa0 slot 3: Adaptec AHA-274x SCSI
uvm_fault(0xc0c8d9e0, 0, 1) -> 0xe
uvm_fault(0xc0c8d9e0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c07dea95 cs 8 eflags 10246 cr2 0 ilevel 8
kernel: supervisor trap page fault, code=0
Stopped in pid 0.1 (system) at  netbsd:trap+0x6e0:      movzbl  0(%eax),%edx
db{0}> trace
trap() at netbsd:trap+0x6e0
--- trap (number 6) ---
?(b,c114a1f0,b,2,6,c0147de8,c1234c00,0,c1234c00,c0c4c0fc) at 0
eisa_intr_establish(0,10020b0b,2,6,c0147de8,c1234c00,0,b,c0bd5fa0,c0b2a3fb) at 
netbsd:eisa_intr_establish+0x7a
ahc_eisa_attach(c1229ac0,c1229940,c0de0ab8,c1229940,3,c0bd5fa0,0,c0de0ae8,c02b9455,c1229ac0)
 at netbsd:ahc_eisa_attach+0x271
config_attach_loc(c1229ac0,c0bc47a8,c0de0ab0,c0de0ab8,c02b9514,c077e89e,c0bd9220,c0bd5fc0,c1229ac0,10)
 at netbsd:config_attach_loc+0x1a5
eisaattach(c11bb180,c1229ac0,c0de0b44,c1229ac0,c11bb180,c0de0b44,0,c0de0b2c,c077f3f1,c11bb180)
 at netbsd:eisaattach+0x1b3
config_attach_loc(c11bb180,c0bc6e60,0,c0de0b44,c02b97f4,0,c0de0b60,c065b596,c11bb180,c0b24bf7)
 at netbsd:config_attach_loc+0x1a5
config_found_ia(c11bb180,c0b24bf7,c0de0b44,c02b97f4,0,c0bd5fa0,c0bd5fc0,c0bd9220,0,c0c3bcbc)
 at netbsd:config_found_ia+0x36
pceb_callback(c11bb180,2,c11bb480,c11bb480,c0bc7ce8,c0b3c2a1,c0de0ba4,c077f1d9,c11bbc00,c11bb480)
 at netbsd:pceb_callback+0x4f
config_process_deferred(c11bbc00,c11bb480,c0de0be0,c11bb480,c0b24bc0,c114d080,c11bbc00,c0de0bc4,c077f3f1,c11bbc00)
 at netbsd:config_process_deferred+0x44
config_attach_loc(c11bbc00,c0bc5dc8,0,c0de0be0,c0662ab4,0,c0de0c1c,c05a2b80,c11bbc00,c0b24bc0)
 at netbsd:config_attach_loc+0x1c7
config_found_ia(c11bbc00,c0b24bc0,c0de0be0,c0662ab4,c0de0be0,c0bd5fa0,c0bd5fa0,c0bd5fc0,c0c375e0,0)
 at netbsd:config_found_ia+0x36
mainbus_rescan(c11bbc00,c0b24bc0,0,c11bbc00,c11d8de0,c0ba3703,c0b92ef7,c0de0c60,c05292fb,c11d8de0)
 at netbsd:mainbus_rescan+0x246
mainbus_attach(0,c11bbc00,0,c11bbc00,0,c0b23e8c,de6000,c0de0cc4,c077f271,0) at 
netbsd:mainbus_attach+0xfc
config_attach_loc(0,c0bc5db0,0,0,0,c0de0ce4,c077f2b5,0,c0bc5db0,0) at 
netbsd:config_attach_loc+0x1a5
config_attach(0,c0bc5db0,0,0,1986,c0c73680,c0de0cf8,c01ef90a,c0b23e8c,0) at 
netbsd:config_attach+0x2e
config_rootfound(c0b23e8c,0,1986,c0de0d40,c04bbc5d,c0b69b02,6,3,0,0) at 
netbsd:config_rootfound+0x42
cpu_configure(c0b69b02,6,3,0,0,0,0,0,0,0) at netbsd:cpu_configure+0x2a
main(0,0,0,0,0,0,0,0,0,0) at netbsd:main+0x29f
>How-To-Repeat:
Boot a kernel with support for i386 MP default configurations on such a machine 
with default configuration 6 (integrated APICs, EISA+PCI) and with an Adaptec 
AHA-2740/42W EISA card, SMP enabled...

Any other EISA card might trigger the same problem in this machine when using 
SMP (i. e. the I/O APIC).

Any other machine with EISA hardware and IRQs routed via I/O APIC might also be 
affected.
>Fix:
A fix for src/sys/arch/i386/eisa/eisa_machdep.c Rev. 1.37 (removes some 
trailing whitespace, too) follows. Tested and works on mentioned system above.
aprint_error() is replaced by aprint_normal(), as this is a mere c&p from a 
current src/sys/arch/x86/pci/pci_intr_machdep.c, and I don't want to decide 
which one is right.


--- eisa_machdep_rev_1_37.c     2013-06-04 12:45:55.000000000 +0200
+++ eisa_machdep.c      2013-06-04 14:03:59.000000000 +0200
@@ -106,7 +106,7 @@
 eisa_attach_hook(device_t parent, device_t self,
     struct eisabus_attach_args *eba)
 {
-       extern int eisa_has_been_seen; 
+       extern int eisa_has_been_seen;
 
        /*
         * Notify others that might need to know that the EISA bus
@@ -176,7 +176,6 @@
        snprintf(irqstr, sizeof(irqstr), "irq %d", ih);
 #endif
        return (irqstr);
-       
 }
 
 const struct evcnt *
@@ -193,18 +192,22 @@
 {
        int pin, irq;
        struct pic *pic;
+#if NIOAPIC > 0
+       struct ioapic_softc *ioapic;
+#endif
 
        pic = &i8259_pic;
        pin = irq = ih;
 
 #if NIOAPIC > 0
        if (ih & APIC_INT_VIA_APIC) {
-               pic = (struct pic *)ioapic_find(APIC_IRQ_APIC(ih));
-               if (pic == NULL) {
-                       aprint_error("eisa_intr_establish: bad ioapic %d\n",
+               ioapic = ioapic_find(APIC_IRQ_APIC(ih));
+               if (ioapic == NULL) {
+                       aprint_normal("eisa_intr_establish: bad ioapic %d\n",
                            APIC_IRQ_APIC(ih));
                        return NULL;
                }
+               pic = &ioapic->sc_pic;
                pin = APIC_IRQ_PIN(ih);
                irq = APIC_IRQ_LEGACY_IRQ(ih);
                if (irq < 0 || irq >= NUM_LEGACY_IRQS)
Prev by Date: port-evbmips/47904: Segfault in pthread_getspecific()
Next by Date: Re: bin/47888: make(1) mishandles empty() inside loops
Previous by Thread: port-evbmips/47904: Segfault in pthread_getspecific()
Next by Thread: Re: port-i386/47907: kernel trap when using EISA with I/O APIC on i386
Indexes:
Home | Main Index | Thread Index | Old Index