kern/122045: [ata][panic] reiniting detached ata channel kills the kernel

soralx at cydem.org
Mon Mar 24 11:20:01 UTC 2008


>Number:         122045
>Category:       kern
>Synopsis:       [ata][panic] reiniting detached ata channel kills the kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 24 11:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     cydem.org!soralx
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD soralx.cydem.org 7.0-STABLE FreeBSD 7.0-STABLE #0: Sun Mar 2 22:35:13 PST 2008 root at soralx.cydem.org:/usr/obj/usr/src/sys/SORALX i386

atapci2 at pci0:0:31:5:    class=0x010185 card=0xb0021458 chip=0x28258086 rev=0x02 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '? ICH8 2 port Serial ATA Storage Controller'
    class      = mass storage
    subclass   = ATA

ata8: <ATA channel 1> on atapci2
ata8: [ITHREAD]

ad16: 152626MB <Seagate ST3160827AS 3.00> at ata8-master SATA150

ATA channel 8:
	Master: ad16 <ST3160827AS/3.00> Serial ATA v1.0
	Slave:       no device present

>Description:

Detaching ata8 and then immediately reiniting it results in a panic.

The problem might not necessarily be in the ata subsystem: if I understand anything correctly, the culprit ("_mtx_lock_sleep" at /usr/src/sys/kern/kern_mutex.c:337) can also be observed in another, ata-unrelated case ('http://lists.freebsd.org/pipermail/freebsd-current/2007-May/072838.html').

From vmcore.0:
-=-=-=-=-=-=-=-=-=-=-8<-=-=-=-=-=-=-=-=-=-=-
<118>Mar 23 17:33:03 soralx kernel: pid 4857 (dd), uid 2 inumber 511182 on /: filesystem full
subdisk16: detached
ad16: detached


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x188
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05c4014
stack pointer           = 0x28:0xe808bb44
frame pointer           = 0x28:0xe808bb5c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 5010 (atacontrol)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1d2h35m25s
Physical memory: 2030 MB
-=-=-=-=-=-=-=-=-=-=->8-=-=-=-=-=-=-=-=-=-=-

From `kgdb /boot/kernel/kernel ./vmcore.0`:
-=-=-=-=-=-=-=-=-=-=-8<-=-=-=-=-=-=-=-=-=-=-
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
There is no member named pathname.
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc05d0407 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc05d06c9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc07e8c2c in trap_fatal (frame=0xe808bb04, eva=392) at /usr/src/sys/i386/i386/trap.c:899
#4  0xc07e8e90 in trap_pfault (frame=0xe808bb04, usermode=0, eva=392) at /usr/src/sys/i386/i386/trap.c:812
#5  0xc07e97e2 in trap (frame=0xe808bb04) at /usr/src/sys/i386/i386/trap.c:490
#6  0xc07d019b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc05c4014 in _mtx_lock_sleep (m=0xc5701d10, tid=3317152960, opts=0, file=0x0, line=0)
    at /usr/src/sys/kern/kern_mutex.c:335
#8  0xc04a2bdb in ata_start (dev=0xc57e4a80) at /usr/src/sys/dev/ata/ata-queue.c:177
#9  0xc0488eff in ata_ioctl (dev=0xc55c4d00, cmd=2147770626, data=0xc64ee5c0 "\b", flag=3, td=0xc5b7bcc0)
    at /usr/src/sys/dev/ata/ata-all.c:375
#10 0xc059cf0a in giant_ioctl (dev=0xc55c4d00, cmd=2147770626, data=0xc64ee5c0 "\b", fflag=3, td=0xc5b7bcc0)
    at /usr/src/sys/kern/kern_conf.c:349
#11 0xc0567afb in devfs_ioctl_f (fp=0xc5811708, com=2147770626, data=0xc64ee5c0, cred=0xc606dc00, td=0xc5b7bcc0)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:494
#12 0xc0604935 in kern_ioctl (td=0xc5b7bcc0, fd=3, com=2147770626, data=0xc64ee5c0 "\b") at file.h:266
#13 0xc0604a94 in ioctl (td=0xc5b7bcc0, uap=0xe808bcfc) at /usr/src/sys/kern/sys_generic.c:570
#14 0xc07e91c9 in syscall (frame=0xe808bd38) at /usr/src/sys/i386/i386/trap.c:1035
#15 0xc07d0200 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#16 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) list *0xc05c4014
0xc05c4014 is in _mtx_lock_sleep (/usr/src/sys/kern/kern_mutex.c:337).
332                      */
333                     v = m->mtx_lock;
334                     if (v != MTX_UNOWNED) {
335                             owner = (struct thread *)(v & ~MTX_FLAGMASK);
336     #ifdef ADAPTIVE_GIANT
337                             if (TD_IS_RUNNING(owner)) {
338     #else
339                             if (m != &Giant && TD_IS_RUNNING(owner)) {
340     #endif
341                                     if (LOCK_LOG_TEST(&m->lock_object, 0))
-=-=-=-=-=-=-=-=-=-=->8-=-=-=-=-=-=-=-=-=-=-

>How-To-Repeat:
	`atacontrol detach ata8; sleep 4 && atacontrol reinit ata8`
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

