[Bug 195853] New: During removing device entry of a powered off tape drive camcontrol devlist causes page fault
bugzilla-noreply at freebsd.org
Wed Dec 10 15:09:03 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195853
Bug ID: 195853
Summary: During removing device entry of a powered off tape
drive camcontrol devlist causes page fault
Product: Base System
Version: 8.4-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: longwitz at incore.de
On a system running FreeBSD 8.4-STABLE r273833 (amd64) a tape drive was
powered off. A little time later the command "camcontrol devlist" lets the
system crash with page fault:
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Unread portion of the kernel message buffer:
(sa1:mpt0:0:10:0): removing device entry
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xa0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff803c63a7
stack pointer = 0x28:0xffffff8245b3adc0
frame pointer = 0x28:0xffffff8245b3ae00
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 76133 (camcontrol)
Dumping 1399 out of 8181 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91%
Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from
/boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from
/boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:266
266 if (textdump_pending)
Loading gdb init file /home/crash/.gdbinit ...
set height 100 ...
source gdb6 (and gdb6.i386) ...
source mygdb6 ...
Working directory /home/crash.
(kgdb) where
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:266
#1 0xffffffff80201c8c in db_fncall (dummy1=<value optimized out>,
dummy2=<value optimized out>, dummy3=<value optimized out>,
dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:548
#2 0xffffffff80201f3d in db_command (last_cmdp=0xffffffff808a16c0,
cmd_table=<value optimized out>, dopager=0) at
/usr/src/sys/ddb/db_command.c:445
#3 0xffffffff802065f3 in db_script_exec (scriptname=0xffffffff806770be
"kdb.enter.default", warnifnotfound=0) at /usr/src/sys/ddb/db_script.c:302
#4 0xffffffff802066ee in db_script_kdbenter (eventname=<value optimized out>)
at /usr/src/sys/ddb/db_script.c:325
#5 0xffffffff802042d4 in db_trap (type=<value optimized out>, code=<value
optimized out>) at /usr/src/sys/ddb/db_main.c:230
#6 0xffffffff80444901 in kdb_trap (type=12, code=0, tf=0xffffff8245b3ad10) at
/usr/src/sys/kern/subr_kdb.c:654
#7 0xffffffff805f8d4d in trap_fatal (frame=0xffffff8245b3ad10, eva=<value
optimized out>) at /usr/src/sys/amd64/amd64/trap.c:844
#8 0xffffffff805f90ff in trap_pfault (frame=0xffffff8245b3ad10, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:765
#9 0xffffffff805f95b2 in trap (frame=0xffffff8245b3ad10) at
/usr/src/sys/amd64/amd64/trap.c:457
#10 0xffffffff805df1a8 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:228
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600) at
/usr/src/sys/kern/kern_conf.c:938
#12 0xffffffff803c6779 in destroy_dev (dev=0xffffff013e73a600) at
/usr/src/sys/kern/kern_conf.c:959
#13 0xffffffff801ac9a3 in sacleanup (periph=0xffffff0141d0d300) at
/usr/src/sys/cam/scsi/scsi_sa.c:1389
#14 0xffffffff8017f00a in camperiphfree (periph=0xffffff0141d0d300) at
/usr/src/sys/cam/cam_periph.c:572
#15 0xffffffff80181d78 in xptperiphtraverse (device=<value optimized out>,
start_periph=0xffffff0141d0d300,
tr_func=0xffffffff801821f0 <xptedtperiphfunc>, arg=0xffffff013a68f800) at
/usr/src/sys/cam/cam_xpt.c:2164
#16 0xffffffff801830bc in xptdevicetraverse (target=<value optimized out>,
start_device=<value optimized out>,
tr_func=0xffffffff80184930 <xptedtdevicefunc>, arg=0xffffff013a68f800) at
/usr/src/sys/cam/cam_xpt.c:2097
#17 0xffffffff80181529 in xpttargettraverse (bus=<value optimized out>,
start_target=<value optimized out>,
tr_func=0xffffffff80183130 <xptedttargetfunc>, arg=0xffffff013a68f800) at
/usr/src/sys/cam/cam_xpt.c:2065
#18 0xffffffff8018161e in xptbustraverse (start_bus=<value optimized out>,
tr_func=0xffffffff801823c0 <xptedtbusfunc>, arg=0xffffff013a68f800)
at /usr/src/sys/cam/cam_xpt.c:2000
#19 0xffffffff801881ad in xpt_action_default (start_ccb=0xffffff013a68f800) at
/usr/src/sys/cam/cam_xpt.c:1798
#20 0xffffffff8018600f in xptioctl (dev=<value optimized out>, cmd=<value
optimized out>, addr=0xffffff013a68f800 "", flag=<value optimized out>,
td=<value optimized out>) at /usr/src/sys/cam/cam_xpt.c:586
#21 0xffffffff803828db in devfs_ioctl_f (fp=0xffffff00bd631be0, com=3299349762,
data=<value optimized out>, cred=<value optimized out>,
td=0xffffff01009978e0) at /usr/src/sys/fs/devfs/devfs_vnops.c:700
#22 0xffffffff804571f2 in kern_ioctl (td=<value optimized out>, fd=<value
optimized out>, com=3299349762, data=0xffffff013a68f800 "") at file.h:277
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0)
at /usr/src/sys/kern/sys_generic.c:679
#24 0xffffffff805f81df in amd64_syscall (td=0xffffff01009978e0, traced=0) at
subr_syscall.c:114
#25 0xffffffff805df49c in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:387
#26 0x0000000180a8478c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 23
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0)
at /usr/src/sys/kern/sys_generic.c:679
679 error = kern_ioctl(td, uap->fd, com, data);
(kgdb) x/8sb td->td_proc->p_args
0xffffff00024b8180: "\001"
0xffffff00024b8182: ""
0xffffff00024b8183: ""
0xffffff00024b8184: "\023"
0xffffff00024b8186: ""
0xffffff00024b8187: ""
0xffffff00024b8188: "camcontrol"
0xffffff00024b8193: "devlist"
(kgdb) f 11
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600) at
/usr/src/sys/kern/kern_conf.c:938
938 if (LIST_EMPTY(&csw->d_devs)) {
(kgdb) list
933 if (!(dev->si_flags & SI_ALIAS)) {
934 /* Remove from cdevsw list */
935 LIST_REMOVE(dev, si_list);
936
937 /* If cdevsw has no more struct cdev *'s, clean it */
938 if (LIST_EMPTY(&csw->d_devs)) {
939 fini_cdevsw(csw);
940 wakeup(&csw->d_devs);
941 }
942 }
(kgdb) p *dev
$1 = {__si_reserved = 0x0, si_flags = 0, si_atime = {tv_sec = 1417519453,
tv_nsec = 0}, si_ctime = {tv_sec = 1417519453, tv_nsec = 0}, si_mtime = {
tv_sec = 1417519453, tv_nsec = 0}, si_uid = 0, si_gid = 5, si_mode = 432,
si_cred = 0x0, si_drv0 = 16, si_refcount = 2, si_list = {
le_next = 0xffffff009aaaac00, le_prev = 0xffffff0062982460}, si_clone =
{le_next = 0x0, le_prev = 0x0}, si_children = {lh_first = 0x0},
si_siblings = {le_next = 0x0, le_prev = 0x0}, si_parent = 0x0, si_name =
0xffffff013e73a6e0 "sa1.ctl", si_drv1 = 0x0, si_drv2 = 0x0,
si_devsw = 0x0, si_iosize_max = 0, si_usecount = 0, si_threadcount = 0,
__si_u = {__sid_snapdata = 0x0},
__si_namebuf = "sa1.ctl", '\0' <repeats 56 times>}
(kgdb) p &csw
$2 = (struct cdevsw **) 0xffffff8245b3ade0
(kgdb) p csw
$3 = (struct cdevsw *) 0x0
I can give more information from the crash dump.
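A triage sketch for the trap block in this report, added here as an example and not part of the original report or of FreeBSD: it parses the "Fatal trap" fields and flags a fault address inside the first page as a likely NULL base pointer, the address then being the offset of the member that was read (here csw = 0x0 and the read of csw->d_devs at kern_conf.c:938). The function names and the 4096-byte page size are assumptions of the example; the sample text is excerpted from the message buffer above.

```python
import re

PAGE_SIZE = 4096  # assumption: amd64 base page size

# Excerpt of the kernel message buffer quoted in this report.
SAMPLE = """\
(sa1:mpt0:0:10:0): removing device entry
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xa0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff803c63a7
current process = 76133 (camcontrol)
"""

TRAP_RE = re.compile(r"^Fatal trap (\d+): (.+)$")
FIELD_RE = re.compile(r"^([a-z][a-z ]*?)\s*=\s*(.+)$")


def parse_trap(text):
    """Return the fields of the 'Fatal trap' block in text, or None."""
    info = None
    for line in map(str.strip, text.splitlines()):
        m = TRAP_RE.match(line)
        if m:
            info = {"trap": int(m.group(1)), "desc": m.group(2)}
        elif info is not None and (f := FIELD_RE.match(line)):
            info[f.group(1)] = f.group(2)
    return info


def classify(info):
    """Classify the trap; a fault in page 0 points at a NULL base pointer."""
    addr = int(info["fault virtual address"], 16)
    ip = int(info["instruction pointer"].split(":")[1], 16)
    pid, proc = re.match(r"(\d+) \((.+)\)", info["current process"]).groups()
    null_deref = info["trap"] == 12 and addr < PAGE_SIZE
    return {
        "kind": "null-deref" if null_deref else "other",
        "member_offset": addr if null_deref else None,
        "access": "write" if "write" in info["fault code"] else "read",
        "kernel_mode": info["fault code"].startswith("supervisor"),
        "ip": ip, "pid": int(pid), "process": proc,
    }


if __name__ == "__main__":
    print(classify(parse_trap(SAMPLE)))
```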