Date: Tue, 24 Jul 2001 15:00:04 -0700 (PDT) From: Ed Alley <alley1@llnl.gov> To: freebsd-hackers@freebsd.org Subject: Kernel panic reading non-fixated CD Message-ID: <200107242200.f6OM04g00517@jordan.llnl.gov>
next in thread | raw e-mail | index | archive | help
RE: Kernel panic reading a non-fixated CD
I am running FreeBSD 4.3 with an IDE HP cd-writer 9500 series.
I have been successfully making CD's unsing burncd since
I installed it.
However, I mistakenly tried to mount a CD which I failed to fixate
and I got a kernel panic. I was able to de-bug the kernel code
and found out where the problem is. I have included a patch
which works for me and would like to hear whether it is
sufficient or what I should do next.
I found out through my investigations into this that the
ATAPI interface isn't followed closely by manufactures.
For instance before we installed this HP CDRW we had installed
a Yamaha CDRW which displayed other problems (among them is
that it won't fixate using burncd under FreeBSD). In addition
my CDROM on my home computer which is running FreeBSD 4.2 doesn't
cause a panic when I try to mount a non-fixated CD it just refuses
to do it. So ATAPI of one manufacturer is not ATAPI of another.
The problem with what I am doing is that most (if not everybody)
reading this will not have my hardware configuration to test this
problem on. So I have included part of my gdb session below so
you can see how I came up with my patch.
So here is the panic message that I get when I try to mount the
non-fixated CD; you can see that it is a page fault:
(kgdb) symbol-file kernel.debug
Reading symbols from kernel.debug...done.
(kgdb) exec-file /var/crash.gdb/kernel.0
(kgdb) core-file /var/crash.gdb/vmcore.0
IdlePTD 2711552
initial pcb at 221800
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xc0d96000
fault code = supervisor write, page not present
instruction pointer = 0x8:0xc01b6c2e
stack pointer = 0x10:0xc0206f10
frame pointer = 0x10:0xc0206f20
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = bio
trap number = 12
panic: page fault
Here is the trace of the corpse:
(kgdb) where
#0 dumpsys () at ../../kern/kern_shutdown.c:469
#1 0xc01389c3 in boot (howto=256) at ../../kern/kern_shutdown.c:309
#2 0xc0138d40 in poweroff_wait (junk=0xc01ff28f, howto=0)
at ../../kern/kern_shutdown.c:556
#3 0xc01d68f1 in trap_fatal (frame=0xc0206ed0, eva=3235471360)
at ../../i386/i386/trap.c:951
#4 0xc01d65c9 in trap_pfault (frame=0xc0206ed0, usermode=0, eva=3235471360)
at ../../i386/i386/trap.c:844
#5 0xc01d61af in trap (frame={tf_fs = -65520, tf_es = -973537264,
tf_ds = 6488080, tf_edi = -1059495936, tf_esi = 32768,
tf_ebp = -1071616224, tf_isp = -1071616260, tf_ebx = -1059685120,
tf_edx = 368, tf_ecx = 7168, tf_eax = -1060624128, tf_trapno = 12,
tf_err = 2, tf_eip = -1071944658, tf_cs = 8, tf_eflags = 66054,
tf_esp = -1063045216, tf_ss = -1059685120}) at ../../i386/i386/trap.c:443
#6 0xc01b6c2e in atapi_read (request=0xc0d67d00, length=32768)
at machine/cpufunc.h:222
#7 0xc01b66cb in atapi_interrupt (request=0xc0d67d00)
at ../../dev/ata/atapi-all.c:391
#8 0xc01afcee in ata_intr (data=0xc0c82900) at ../../dev/ata/ata-all.c:1154
(kgdb)
The routine atapi_read() is where the error occured. By poking around
I discovered that the bytecount request was enormous:
print request->bytecount
$1 = 4294934528
(kgdb) x/x &request->bytecount
0xc0d67d18: 0xffff8000
x/d &request->bytecount
0xc0d67d18: -32768
(kgdb)
So you can see that 32768 was subtracted off of an unsigned zero!
If the first request was for bytecount zero then atapi_read()
will read nothing but subtract size = 32768 from bytecount before
returning. Since bytecount is unsigned this causes the roll over
to a big number. The next call then attempts to read a bytecount
of over 4G.
My patch is very simple:
In atapi-all.c in routine atapi_interrupt() for case
ATAPI_P_READ I cast bytecount to a long and check
for zero or negative. If it is zero or negative I
write an error message and break out. This avoids
atapi_read() and returns with and error message.
The patch must be executed in /usr/src/sys/dev/ata as:
patch -p < patch.file
Patch file:
*** atapi-all.c.orig Tue Jul 24 13:21:03 2001
--- atapi-all.c Tue Jul 24 13:28:45 2001
***************
*** 382,387 ****
--- 382,393 ----
return ATA_OP_CONTINUES;
case ATAPI_P_READ:
+ if ((long)request->bytecount <= 0) {
+ printf("%s: %s trying to read with bytecount = %d\n",
+ atp->devname, atapi_cmd2str(atp->cmd),
+ (long)request->bytecount);
+ break;
+ }
if (!(request->flags & ATPR_F_READ)) {
request->result = inb(atp->controller->ioaddr + ATA_ERROR);
printf("%s: %s trying to read on write buffer\n",
Thank-you in anticipation for your comments. I am a newbie at kernel
debugging, so if I have done anything stupid please go easy on me. :)
Ed Alley
wea@llnl.gov
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107242200.f6OM04g00517>