Date: Wed, 15 Oct 2003 08:18:54 -0400 From: David Sze <dsze@alumni.uwaterloo.ca> To: Nate Lawson <nate@root.org> Cc: freebsd-scsi@freebsd.org Subject: Re: Dell PowerEdge 1750 and mpt Message-ID: <6.0.0.22.2.20031015080310.03ac9b88@mail.distrust.net> In-Reply-To: <20031014232543.S32978@root.org> References: <6.0.0.22.2.20031014232154.03a0b990@mail.distrust.net> <20031014232543.S32978@root.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 11:30 PM 14/10/2003 -0700, Nate Lawson wrote this to All:
>On Tue, 14 Oct 2003, David Sze wrote:
> > #7 0x80174507 in mpt_action (sim=0x923867c0, ccb=0x961a0000) at
> > ../../dev/mpt/mpt_freebsd.c:1311
> > #8 0x801215ce in xpt_action (start_ccb=0x961a0000) at
> ../../cam/cam_xpt.c:2949
> > #9 0x80125e35 in cam_periph_runccb (ccb=0x961a0000, error_routine=0,
> > camflags=CAM_FLAG_NONE, sense_flags=17, ds=0x92a92a80)
> > at ../../cam/cam_periph.c:822
> > #10 0x80129cd0 in passsendccb (periph=0x92a90f00, ccb=0x961a0000,
> > inccb=0x93bb7400) at ../../cam/scsi/scsi_pass.c:797
> > #11 0x80129bfc in passioctl (dev=0x92a90980, cmd=3261076482,
> > addr=0x93bb7400 "\001", flag=3, p=0xd244a400)
> > at ../../cam/scsi/scsi_pass.c:714
> > #12 0x801c5b62 in spec_ioctl (ap=0xdb3ebde0) at
> > ../../miscfs/specfs/spec_vnops.c:306
> > #13 0x801c588d in spec_vnoperate (ap=0xdb3ebde0) at
> > ../../miscfs/specfs/spec_vnops.c:119
> > #14 0x80209349 in ufs_vnoperatespec (ap=0xdb3ebde0) at
> > ../../ufs/ufs/ufs_vnops.c:2394
> > #15 0x801c2107 in vn_ioctl (fp=0x9633eb40, com=3261076482, data=0x93bb7400
> > "\001", p=0xd244a400) at vnode_if.h:429
> > #16 0x8019ba1e in ioctl (p=0xd244a400, uap=0xdb3ebf80) at
> ../../sys/file.h:178
> > #17 0x8024a96d in syscall2 (frame={tf_fs = 135725103, tf_es = 47, tf_ds =
> > 2143223855, tf_edi = 136306688, tf_esi = 2143283856,
> > tf_ebp = 2143284464, tf_isp = -616644652, tf_ebx = 2143283952,
> > tf_edx = 0, tf_ecx = 0, tf_eax = 54, tf_trapno = 12,
> > tf_err = 2, tf_eip = 135190204, tf_cs = 31, tf_eflags = 531, tf_esp
> > = 2143283780, tf_ss = 47}) at ../../i386/i386/trap.c:1175
> > #18 0x8023805b in Xint0x80_syscall ()
> > cannot read proc at 0
> > (kgdb)
>
>This shows that an invalid CCB is being passed through the pass(4) driver.
The application talks to pass(4) to periodically retrieve the serial
numbers of all devices on the bus (the code is basically copied from
"camcontrol inquiry -S", plus some code to enumerate the bus). So that is
consistent with how often we are seeing the crashes. I'll go over the code
to make sure there are no blatant errors on my part. The only puzzling
thing is that the same code runs flawlessly on a variety of similar
hardware, some machines also with mpt(4), but mostly ahc(4) and ahd(4)
controllers.
> > pass3 at mpt0 bus 0 target 6 lun 0
> > pass3: <PE/PV 1x3 SCSI BP 1.1> Fixed Processor SCSI-2 device
> > pass3: 3.300MB/s transfers
>
>This is the device you're trying to talk to. I'm really suspicious your
>program is sending a garbage pointer in the CCB to the pass(4) driver. On
>the above core, please send the output of "fr 7" and then "print *ccb".
(kgdb) fr 7
#7 0x80174507 in mpt_action (sim=0x923867c0, ccb=0x961a0000) at
../../dev/mpt/mpt_freebsd.c:1311
1311 if (mpt_read_cfg_page(mpt, tgt,
&tmp.Header)) {
(kgdb) print *ccb
$1 = {ccb_h = {pinfo = {priority = 1, generation = 99533, index = -1},
xpt_links = {le = {le_next = 0x0, le_prev = 0x0}, sle = {
sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}, stqe =
{stqe_next = 0x0}}, sim_links = {le = {le_next = 0x0,
le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
tqe_prev = 0x0}, stqe = {stqe_next = 0x0}}, periph_links = {
le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe =
{tqe_next = 0x0, tqe_prev = 0x0}, stqe = {
stqe_next = 0x0}}, retry_count = 4, cbfcnp = 0x80129a94
<passdone>, func_code = XPT_GET_TRAN_SETTINGS, status = 0,
path = 0x92494620, path_id = 0, target_id = 0, target_lun = 0, flags =
0, periph_priv = {entries = {{ptr = 0x1, field = 1,
bytes = "\001\000\000"}, {ptr = 0x9f270e28, field = 2670136872,
bytes = "(\016'\237"}},
bytes = "\001\000\000\000(\016'\237"}, sim_priv = {entries = {{ptr =
0x92382c00, field = 2453154816, bytes = "\000,8\222"}, {
ptr = 0x0, field = 0, bytes = "\000\000\000"}}, bytes =
"\000,8\222\000\000\000"}, timeout = 60000, timeout_ch = {
callout = 0x0}}, csio = {ccb_h = {pinfo = {priority = 1, generation
= 99533, index = -1}, xpt_links = {le = {le_next = 0x0,
le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
tqe_prev = 0x0}, stqe = {stqe_next = 0x0}}, sim_links = {
le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe =
{tqe_next = 0x0, tqe_prev = 0x0}, stqe = {
stqe_next = 0x0}}, periph_links = {le = {le_next = 0x0, le_prev
= 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
tqe_prev = 0x0}, stqe = {stqe_next = 0x0}}, retry_count = 4,
cbfcnp = 0x80129a94 <passdone>,
func_code = XPT_GET_TRAN_SETTINGS, status = 0, path = 0x92494620,
path_id = 0, target_id = 0, target_lun = 0, flags = 0,
periph_priv = {entries = {{ptr = 0x1, field = 1, bytes =
"\001\000\000"}, {ptr = 0x9f270e28, field = 2670136872,
bytes = "(\016'\237"}}, bytes = "\001\000\000\000(\016'\237"},
sim_priv = {entries = {{ptr = 0x92382c00,
field = 2453154816, bytes = "\000,8\222"}, {ptr = 0x0, field =
0, bytes = "\000\000\000"}},
bytes = "\000,8\222\000\000\000"}, timeout = 60000, timeout_ch =
{callout = 0x0}}, next_ccb = 0x0, req_map = 0x1cannot read proc at 0
(kgdb)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031015080310.03ac9b88>