k3b causing system freeze/panic

From: Michael Butler <imb_at_protected-networks.net>
Date: Tue, 27 Jul 2010 23:01:09 -0400
I have a custom kernel for my laptop which uses ATA_CAM rather than the
now aging ATA driver ..

In the case that the kernel compilation options KDB and DDB are enabled,
k3b will simply freeze. Without them, I managed to catch this panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xbfbea376
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc04d96d7
stack pointer           = 0x28:0xe6a92be4
frame pointer           = 0x28:0xe6a92c10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq15: ata1)
trap number             = 12
panic: page fault
cpuid = 1
Uptime: 3m18s
Physical memory: 3049 MB
Dumping 212 MB: 197 181 165 149 133 117 101 85 69 53 37 21 5

Reading symbols from /boot/modules/vboxdrv.ko...done.
Loaded symbols for /boot/modules/vboxdrv.ko
Reading symbols from /boot/modules/vboxnetflt.ko...done.
Loaded symbols for /boot/modules/vboxnetflt.ko
Reading symbols from /boot/modules/vboxnetadp.ko...done.
Loaded symbols for /boot/modules/vboxnetadp.ko
Reading symbols from /usr/local/modules/fuse.ko...done.
Loaded symbols for /usr/local/modules/fuse.ko
#0  doadump () at pcpu.h:231


231     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt


#0  doadump () at pcpu.h:231


#1  0xc067bbe7 in boot (howto=260) at
/usr/home/imb/svn/head/sys/kern/kern_shutdown.c:416

#2  0xc067bff7 in panic (fmt=0x104 <Address 0x104 out of bounds>) at
/usr/home/imb/svn/head/sys/kern/kern_shutdown.c:590

#3  0xc0998a1a in trap_fatal (frame=0xe6a92ba4, eva=40) at
/usr/home/imb/svn/head/sys/i386/i386/trap.c:945

#4  0xc0998d7f in trap_pfault (frame=0xe6a92ba4, usermode=0,
eva=3216941942) at /usr/home/imb/svn/head/sys/i386/i386/trap.c:858

#5  0xc0999207 in trap (frame=0xe6a92ba4) at
/usr/home/imb/svn/head/sys/i386/i386/trap.c:533

#6  0xc09819ac in calltrap () at
/usr/home/imb/svn/head/sys/i386/i386/exception.s:166

#7  0xc04d96d7 in ata_pio_read (request=0xc7037424, length=18) at
cpufunc.h:217

#8  0xc04dae8f in ata_end_transaction (request=0xc7037424) at
/usr/home/imb/svn/head/sys/dev/ata/ata-lowlevel.c:392

#9  0xc04d70da in ata_interrupt_locked (data=Variable "data" is not
available.

) at /usr/home/imb/svn/head/sys/dev/ata/ata-all.c:548


#10 0xc04d7142 in ata_interrupt (data=0xc64b5400) at
/usr/home/imb/svn/head/sys/dev/ata/ata-all.c:512
#11 0xc065476a in intr_event_execute_handlers (p=0xc618b7f8,
ie=0xc61d3d00) at /usr/home/imb/svn/head/sys/kern/kern_intr.c:1220
#12 0xc0655e8d in ithread_loop (arg=0xc64bb4c0) at
/usr/home/imb/svn/head/sys/kern/kern_intr.c:1233
#13 0xc065236d in fork_exit (callout=0xc0655e27 <ithread_loop>,
arg=0xc64bb4c0, frame=0xe6a92d28) at
/usr/home/imb/svn/head/sys/kern/kern_fork.c:843
#14 0xc0981a24 in fork_trampoline () at
/usr/home/imb/svn/head/sys/i386/i386/exception.s:273

It seems that, since this was an interrupt service of some form,
dropping into KDB isn't working .. however, by the time we get to
ata_pio_read something has gone awry with the buffer address in the
request ..

(kgdb) up 7
(kgdb) info args
request = (struct ata_request *) 0xc7037424
length = 18
(kgdb) print *request
$1 = {dev = 0x0, parent = 0xc6450700, unit = 0, u = {ata = {command = 3
'\003', feature = 0, count = 18, lba = 0}, atapi = {
      ccb =
"\003\020\000\000\022\000\000\000\000\000\000\000\000\000\000", sense =
{error = 0 '\0', segment = 0 '\0', key = 0 '\0', cmd_info = 0,
        sense_length = 0 '\0', cmd_specific_info = 0, asc = 0 '\0', ascq
= 0 '\0', replaceable_unit_code = 0 '\0', specific = 0 '\0', specific1 =
0 '\0',
        specific2 = 0 '\0'}, saved_cmd = 0 '\0'}}, bytecount = 18,
transfersize = 18,
data = 0xbfbea376 <Address 0xbfbea376 out of bounds>, <--------------***
tag = 0, flags = 8,
  dma = 0x0, status = 88 'X', error = 0 '\0', donecount = 0, result = 0,
callback = 0, done = {sema_mtx = {lock_object = {lo_name = 0x0, lo_flags
= 0, lo_data = 0,
        lo_witness = 0x0}, mtx_lock = 0}, sema_cv = {cv_description =
0x0, cv_waiters = 0}, sema_waiters = 0, sema_value = 0}, retries = 0,
timeout = 30,
  callout = {c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
tqe_prev = 0xda0cd670}}, c_time = 227742, c_arg = 0xc7037424,
    c_func = 0xc04dcf74 <ata_timeout>, c_lock = 0xc64b5574, c_flags =
22, c_cpu = 0}, task = {ta_running = 0x0, ta_link = {stqe_next = 0x0},
ta_pending = 0,
    ta_priority = 0, ta_func = 0, ta_context = 0x0}, bio = 0x0, this =
0, composite = 0x0, driver = 0x0, chain = {tqe_next = 0x0, tqe_prev =
0x0}, ccb = 0xc6f7a000}

(kgdb) up 2
#9  0xc04d70da in ata_interrupt_locked (data=Variable "data" is not
available.
) at /usr/home/imb/svn/head/sys/dev/ata/ata-all.c:548
548             if (ch->hw.end_transaction(request) == ATA_OP_FINISHED) {
Current language:  auto; currently c

(kgdb) print *ch
$3 = {dev = 0xc6450700, unit = 1, attached = 1, r_io = {{res =
0xc62d8ac0, offset = 0}, {res = 0xc62d8ac0, offset = 1}, {res =
0xc62d8ac0, offset = 2}, {
      res = 0xc62d8ac0, offset = 3}, {res = 0xc62d8ac0, offset = 4},
{res = 0xc62d8ac0, offset = 5}, {res = 0xc62d8ac0, offset = 6}, {res =
0xc62d8ac0,
      offset = 7}, {res = 0xc62d8ac0, offset = 1}, {res = 0xc62d8ac0,
offset = 2}, {res = 0xc62d8ac0, offset = 7}, {res = 0xc62d8a40, offset =
0}, {
      res = 0xc62d8a40, offset = 0}, {res = 0x0, offset = 0}, {res =
0x0, offset = 0}, {res = 0x0, offset = 0}, {res = 0x0, offset = 0}, {res
= 0xc62d89c0,
      offset = 8}, {res = 0xc62d89c0, offset = 9}, {res = 0xc62d89c0,
offset = 10}, {res = 0xc62d89c0, offset = 11}, {res = 0xc62d89c0, offset
= 12}, {
      res = 0xc62d8ac0, offset = 0}, {res = 0x0, offset = 0}}, r_irq =
0xc64b9980, ih = 0xc64b9680, hw = {softreset = 0, pm_read = 0, pm_write
= 0,
    status = 0xc04de2df <ata_pci_status>, begin_transaction = 0xc04d97f5
<ata_begin_transaction>, end_transaction = 0xc04daaa3
<ata_end_transaction>,
    command = 0xc04daf52 <ata_generic_command>, tf_read = 0xc04d9fe8
<ata_tf_read>, tf_write = 0xc04d9bb6 <ata_tf_write>}, dma = {dmatag =
0xc6450b00,
    work_tag = 0xc6450b80, work_map = 0x0, work = 0xe6a8d000 "",
work_bus = 19914752, dma_slots = 1, slot = {{status = 4 '\004', sg_tag =
0xc6450c00, sg_map = 0x0,
        sg = 0xe6a8f000, sg_bus = 19922944, data_tag = 0xc6450c80,
data_map = 0xc64b96c0}}, alignment = 2, boundary = 65536, segsize =
65536, max_iosize = 131072,
    max_address = 4294967295, flags = 0, alloc = 0xc04d90cf
<ata_dmaalloc>, free = 0xc04d8fc6 <ata_dmafree>, setprd = 0xc04d8a35
<ata_dmasetprd>,
    load = 0xc04d8e1a <ata_dmaload>, unload = 0xc04d8d95
<ata_dmaunload>, start = 0xc04de555 <ata_pci_dmastart>, stop =
0xc04de4c5 <ata_pci_dmastop>,
    reset = 0xc04de416 <ata_pci_dmareset>}, flags = 0, pm_level = 0,
devices = 65536, state_mtx = {lock_object = {lo_name = 0xc0a02025 "ATA
state lock",
      lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock =
3325225728}, state = 1, queue_mtx = {lock_object = {lo_name = 0xc0a02034
"ATA queue lock",
      lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock =
4}, ata_queue = {tqh_first = 0x0, tqh_last = 0xc64b55a0}, freezepoint =
0x0,
  running = 0xc7037424, conntask = {ta_running = 0x0, ta_link =
{stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xc04d73d6
<ata_conn_event>,
    ta_context = 0xc6450700}, sim = 0xc6450d80, path = 0xc64bb470, user
= {{revision = 0, mode = 0, bytecount = 131072, atapi = 0} <repeats 16
times>}, curr = {{
      revision = 0, mode = 66, bytecount = 65534, atapi = 12}, {revision
= 0, mode = 0, bytecount = 131072, atapi = 0} <repeats 15 times>}}

 .. so both the state and queue locks are held .. any hints on how to
identify what's broken?

	imb
Received on Wed Jul 28 2010 - 01:01:15 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:05 UTC