Re: GPF: xpt_done_process got invalid ccb_h->path->bus pointer

From: Warner Losh <imp_at_bsdimp.com>
Date: Thu, 25 Mar 2021 09:31:03 -0600
I see a similar crash rarely on machines that have a stutter in their
link... any idea if you can recreate it with USB and umass? I haven't been
able to reproduce it at will, though.

Warner

On Thu, Mar 25, 2021, 7:55 AM Tai-hwa Liang <atliang_at_gmail.com> wrote:

> -CURRENT as of 24cd2796cf10211964be8a2cb3ea3e161adea746
>
> This race can be triggered on a host with 1394 enclosure attached by
> using the following loop:
>   while true; do
>     kldload sbp; kldunload sbp
>   done
>
> Fatal trap 9: general protection fault while in kernel mode
> cpuid = 13; apic id = 0d
> instruction pointer     = 0x20:0xffffffff8038be3a
> stack pointer           = 0x28:0xfffffe0269e07b30
> frame pointer           = 0x28:0xfffffe0269e07b60
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 41 (doneq0)
> trap number             = 9
> panic: general protection fault
> cpuid = 13
> time = 1616639524
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame
> 0xfffffe0269e07840
> vpanic() at vpanic+0x181/frame 0xfffffe0269e07890
> panic() at panic+0x43/frame 0xfffffe0269e078f0
> trap_fatal() at trap_fatal+0x387/frame 0xfffffe0269e07950
> trap() at trap+0xa4/frame 0xfffffe0269e07a60
> calltrap() at calltrap+0x8/frame 0xfffffe0269e07a60
> --- trap 0x9, rip = 0xffffffff8038be3a, rsp = 0xfffffe0269e07b30, rbp
> = 0xfffffe0269e07b60 ---
> xpt_done_process() at xpt_done_process+0x12a/frame 0xfffffe0269e07b60
> xpt_done_td() at xpt_done_td+0xf5/frame 0xfffffe0269e07bb0
> fork_exit() at fork_exit+0x80/frame 0xfffffe0269e07bf0
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0269e07bf0
> --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
> KDB: enter: panic
>
> __curthread () at /home/freebsd-current/sys/amd64/include/pcpu_aux.h:55
> 55              __asm("movq %%gs:%P1,%0" : "=r" (td) : "n"
> (offsetof(struct pcpu,
> (kgdb) where
> #0  __curthread () at /home/freebsd-current/sys/amd64/include/pcpu_aux.h:55
> #1  doadump (textdump=textdump_at_entry=0) at
> /home/freebsd-current/sys/kern/kern_shutdown.c:399
> #2  0xffffffff804c7d2a in db_dump (dummy=<optimized out>,
> dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at
> /home/freebsd-current/sys/ddb/db_command.c:575
> #3  0xffffffff804c7aee in db_command (last_cmdp=<optimized out>,
> cmd_table=<optimized out>, dopager=dopager_at_entry=1) at
> /home/freebsd-current/sys/ddb/db_command.c:482
> #4  0xffffffff804c782d in db_command_loop () at
> /home/freebsd-current/sys/ddb/db_command.c:535
> #5  0xffffffff804cafb6 in db_trap (type=<optimized out>,
> code=<optimized out>) at /home/freebsd-current/sys/ddb/db_main.c:270
> #6  0xffffffff80c5c754 in kdb_trap (type=type_at_entry=3,
> code=code_at_entry=0, tf=<optimized out>, tf_at_entry=0xfffffe0269e07770) at
> /home/freebsd-current/sys/kern/subr_kdb.c:727
> #7  0xffffffff810bf97e in trap (frame=0xfffffe0269e07770) at
> /home/freebsd-current/sys/amd64/amd64/trap.c:576
> #8  <signal handler called>
> #9  kdb_enter (why=0xffffffff812b664a "panic", msg=<optimized out>) at
> /home/freebsd-current/sys/kern/subr_kdb.c:506
> #10 0xffffffff80c0faf2 in vpanic (fmt=<optimized out>, ap=<optimized
> out>, ap_at_entry=0xfffffe0269e078d0) at
> /home/freebsd-current/sys/kern/kern_shutdown.c:907
> #11 0xffffffff80c0f883 in panic (fmt=0xffffffff81e9a738 <cnputs_mtx>
> "\202;'\201\377\377\377\377") at
> /home/freebsd-current/sys/kern/kern_shutdown.c:843
> #12 0xffffffff810bfdd7 in trap_fatal (frame=0xfffffe0269e07a70, eva=0)
> at /home/freebsd-current/sys/amd64/amd64/trap.c:915
> #13 0xffffffff810bf264 in trap (frame=0xfffffe0269e07a70) at
> /home/freebsd-current/sys/amd64/amd64/trap.c:212
> #14 <signal handler called>
> #15 xpt_done_process (ccb_h=0xfffff80102f2f000) at
> /home/freebsd-current/sys/cam/cam_xpt.c:5419
> #16 0xffffffff8038e0f5 in xpt_done_td
> (arg=arg_at_entry=0xffffffff81bc4980 <cam_doneqs>) at
> /home/freebsd-current/sys/cam/cam_xpt.c:5544
> #17 0xffffffff80bc9a60 in fork_exit (callout=0xffffffff8038e000
> <xpt_done_td>, arg=0xffffffff81bc4980 <cam_doneqs>,
> frame=0xfffffe0269e07c00)
>     at /home/freebsd-current/sys/kern/kern_fork.c:1077
> #18 <signal handler called>
> (kgdb) up 15
> #15 xpt_done_process (ccb_h=0xfffff80102f2f000) at
> /home/freebsd-current/sys/cam/cam_xpt.c:5419
> 5419                    sim = ccb_h->path->bus->sim;
> (kgdb) print *ccb_h
> $1 = {pinfo = {priority = 1, generation = 11, index = -3}, xpt_links =
> {le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe =
> {tqe_next = 0x0, tqe_prev = 0x0}, stqe = {
>       stqe_next = 0x0}}, sim_links = {le = {le_next = 0x0, le_prev =
> 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0},
> stqe = {stqe_next = 0x0}}, periph_links = {le = {
>       le_next = 0xffffffffffffffff, le_prev = 0xffffffffffffffff}, sle
> = {sle_next = 0xffffffffffffffff}, tqe = {tqe_next =
> 0xffffffffffffffff, tqe_prev = 0xffffffffffffffff}, stqe = {
>       stqe_next = 0xffffffffffffffff}}, retry_count = 0, cbfcnp =
> 0xffffffff826fdfe0 <sbp_cam_scan_lun>, func_code = XPT_SCAN_LUN,
> status = 1, path = 0xfffff820d9c10fa0, path_id = 6,
>   target_id = 0, target_lun = 0, flags = 2048, xflags = 0, periph_priv
> = {entries = {{ptr = 0x0, field = 0, bytes =
> "\000\000\000\000\000\000\000"}, {ptr = 0x0, field = 0,
>         bytes = "\000\000\000\000\000\000\000"}}, bytes = '\000'
> <repeats 15 times>}, sim_priv = {entries = {{ptr = 0xfffff820d9d8dd80,
> field = 18446735418710351232,
>         bytes = "\200\335\330\331 \370\377\377"}, {ptr = 0x0, field =
> 0, bytes = "\000\000\000\000\000\000\000"}}, bytes = "\200\335\330\331
> \370\377\377\000\000\000\000\000\000\000"},
>   qos = {etime = 0x0, sim_data = 0, periph_data = 1050626691830},
> timeout = 0, softtimeout = {tv_sec = 0, tv_usec = 0}}
> (kgdb) print *ccb_h->path
> $2 = {periph = 0xdeadc0dedeadc0de, bus = 0xdeadc0dedeadc0de, target =
> 0xdeadc0dedeadc0de, device = 0xffffffff81a49810 <M_CAMPATH>}
> (kgdb) print *ccb_h->path->bus
>  access memory at address 0xdeadc0dedeadc0de
>
>   Not sure how we ended up with a device pointer that appears to be valid
> whilst the others are 0xdeadc0dedeadc0de.
>
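The ordering behind the quoted report, as an added illustration that is neither the original post's nor FreeBSD's code: a deterministic userland model (all structs and functions are hypothetical) in which a queued CCB's path is freed and trash-filled before the doneq thread processes it, beside the same ordering with the queued CCB holding a reference on its path.

```c
/* Added illustration, not FreeBSD code: a deterministic userland model of
 * the report's interleaving.  A CCB is queued while the driver owning its
 * path unloads; the doneq thread then dereferences ccb->path->bus.  All
 * names are hypothetical; TRASH is the INVARIANTS poison seen in the dump. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TRASH 0xdeadc0dedeadc0deULL

struct bus  { int id; };
struct path { struct bus *bus; int refs; };
struct ccb  { struct path *path; };

/* Model of free() under INVARIANTS: fill the block with TRASH but keep the
 * memory so the dump-style check below can read it. */
static void poison_free(struct path *p) {
    uint64_t w = TRASH;
    for (size_t off = 0; off + sizeof w <= sizeof *p; off += sizeof w)
        memcpy((char *)p + off, &w, sizeof w);
}

/* Recognise a freed path the way one reads "bus = 0xdeadc0dedeadc0de". */
static int path_is_poisoned(const struct path *p) {
    uint64_t w;
    memcpy(&w, &p->bus, sizeof w);
    return w == TRASH;
}

static void path_hold(struct path *p) { p->refs++; }
static void path_rele(struct path *p) { if (--p->refs == 0) poison_free(p); }

/* doneq work: the bus id, or -1 where the real kernel took the GPF. */
static int done_process(struct ccb *c) {
    return path_is_poisoned(c->path) ? -1 : c->path->bus->id;
}

/* Run the report's ordering: unload drops the path, then the doneq thread
 * runs.  With hold_on_queue the CCB keeps its own reference meanwhile. */
int run_race(int hold_on_queue) {
    struct bus b = { 6 };                 /* path_id 6, as in the dump */
    struct path *p = calloc(1, sizeof *p);
    p->bus = &b; p->refs = 1;             /* the driver's reference */
    struct ccb c = { p };                 /* CCB sits on the done queue */
    if (hold_on_queue) path_hold(p);
    path_rele(p);                         /* kldunload sbp */
    int r = done_process(&c);             /* -1 unsafe, 6 refcounted */
    if (hold_on_queue) path_rele(p);      /* queue's ref, freed only now */
    free(p);
    return r;
}
```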
Received on Thu Mar 25 2021 - 14:31:18 UTC
