kern/177020: current panics in _bus_dmamap_load_ccb() with twa driver at boot time.

Shuichi KITAGUCHI ki at
Sat Mar 16 14:00:00 UTC 2013

>Number:         177020
>Category:       kern
>Synopsis:       current panics in _bus_dmamap_load_ccb() with twa driver at boot time.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 16 14:00:00 UTC 2013
>Originator:     Shuichi KITAGUCHI
>Release:        10.0-CURRENT
FreeBSD 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r248230M: Sat Mar 16 19:26:21 JST 2013     root at  amd64
after recent changes of busdma API, CURRENT's twa driver panics at boot time.

panic: _bus_dmamap_load_ccb: Unsupported func code 0
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff800030e4e0
kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff800030e590
panic() at panic+0x156/frame 0xffffff800030e610
_bus_dmamap_load_ccb() at _bus_dmamap_load_ccb+0x1c4/frame 0xffffff800030e660
bus_dmamap_load_ccb() at bus_dmamap_load_ccb+0x91/frame 0xffffff800030e6c0
tw_osli_map_request() at tw_osli_map_request+0x1f8/frame 0xffffff800030e700
twa_action() at twa_action+0x40e/frame 0xffffff800030e740
xpt_run_dev_sendq() at xpt_run_dev_sendq+0x251/frame 0xffffff800030e780
xpt_action_default() at xpt_action_default+0x1048/frame 0xffffff800030e810
xpt_run_dev_allocq() at xpt_run_dev_allocq+0x192/frame 0xffffff800030e850
probedone() at probedone+0x1d62/frame 0xffffff800030ea40
camisr_runqueue() at camisr_runqueue+0x2f3/frame 0xffffff800030ea80
camisr() at camisr+0xdf/frame 0xffffff800030eab0
intr_event_execute_handlers() at intr_event_execute_handlers+0xe2/frame 0xffffff800030eb10
ithread_loop() at ithread_loop+0x12d/frame 0xffffff800030eb80
fork_exit() at fork_exit+0xc6/frame 0xffffff800030ebf0
fork_trampoline() at fork_trampoline+0xe/frame 0xffffff800030ebf0
--- trap 0, rip = 0, rsp = 0xffffff800030ecb0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100034 ]
Stopped at      kdb_enter+0x3e: movq    $0,kdb_why

when PROBE_SUPPORTED_VPD_LIST, tw_osli_execute_scsi() set ccb to req->data and set 255(=sizeof(*vpd_list)) to req->length. Because req->data is re-allocated and not initialized in tw_osli_map_request(), _bus_dmamap_load_ccb() sees req->data as ccb_h and ccb_h->func_code is zero.
Before r246713, csio->data_ptr is set to req->data, csio->dxfer_len is set to req->length, and scsi_req->sgl_entries is set to 1. I suppose these parameters are required by twa_map_load_data_callback().
After attached patch is applied my machine, I do not see panics.

Patch attached with submission follows:

Index: sys/dev/twa/tw_osl_cam.c
--- sys/dev/twa/tw_osl_cam.c	(revision 248230)
+++ sys/dev/twa/tw_osl_cam.c	(working copy)
@@ -273,8 +273,12 @@
-	req->data = ccb;
-	req->length = csio->dxfer_len;
+	if ((ccb_h->flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
+		if ((req->length = csio->dxfer_len)) {
+			req->data = csio->data_ptr;
+			scsi_req->sgl_entries = 1;
+		}
+	}
 	req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 	req->deadline = tw_osl_get_local_time() + (ccb_h->timeout / 1000);
Index: sys/dev/twa/tw_osl_freebsd.c
--- sys/dev/twa/tw_osl_freebsd.c	(revision 248230)
+++ sys/dev/twa/tw_osl_freebsd.c	(working copy)
@@ -1475,7 +1475,7 @@
 		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
 			error = bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
-				req->data, twa_map_load_data_callback, req,
+				req->orig_req, twa_map_load_data_callback, req,
 		} else {


More information about the freebsd-bugs mailing list