Date:      Tue, 7 Oct 2008 17:15:57 GMT
From:      K Zhu <klapperzhu@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   i386/127927: isp(4) target driver crashes kernel when set up dma for CTIO2
Message-ID:  <200810071715.m97HFvLG046366@www.freebsd.org>
Resent-Message-ID: <200810071720.m97HK12T019187@freefall.freebsd.org>


>Number:         127927
>Category:       i386
>Synopsis:       isp(4) target driver crashes kernel when set up dma for CTIO2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 17:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     K Zhu
>Release:        FreeBSD 7.0-RELEASE #3
>Organization:
nimin
>Environment:
FreeBSD dell 7.0-RELEASE FreeBSD 7.0-RELEASE #3: Tue Oct  7 08:46:10 UTC 2008     root@dell:/usr/obj/usr/src/sys/GENERIC  i386

isp0: <Qlogic ISP 2312 PCI FC-AL Adapter> port 0x5000-0x50ff mem 0xdc000000-0xdc000fff irq 16 at device 4.0 on pci4
isp0: [ITHREAD]
isp0: Board Type 2312, Chip Revision 0x1, loaded F/W Revision 3.3.19
isp0: invalid NVRAM header
isp0: invalid NVRAM header
(targbh2:isp0:0:-1:-1): Target Mode Enabled
isp0: target notify code 0x1007
isp0: target notify code 0x1008
(noperiph:isp0:0:0:0): now enabled for target mode
(xpt0:isp0:0:0:0): debugging flags now 20
(targ0:isp0:0:0:0): Sending inline ccb 0x4 (0xbfbfdb50)
(targ0:isp0:0:0:0): sendccb 0xc3db4200
(targ0:isp0:0:0:0): targreturnccb 0xc3db4200
cam_debug: targfreeccb descr 0xc3be7b20 and
cam_debug: freeing ccb 0xc3db4200
(targ0:isp0:0:0:0): targdone 0xc3e5b700
(targ0:isp0:0:0:0): targread
(targ0:isp0:0:0:0): targread ccb 0xc3e5b700 (0x815c200)
(targ0:isp0:0:0:0): targreturnccb 0xc3e5b700
cam_debug: targfreeccb descr 0xc3e588c0 and
cam_debug: freeing ccb 0xc3e5b700
(targ0:isp0:0:0:0): Sending queued ccb 0x933 (0x815e0c0)
(targ0:isp0:0:0:0): targstart 0xc30db800
(targ0:isp0:0:0:0): sendccb 0xc30db800

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc3d134c9
stack pointer           = 0x28:0xd637b910
frame pointer           = 0x28:0xd637b964
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 36339 (scsi_target)
[thread pid 36339 tid 100198 ]
Stopped at      isp_pci_dmasetup+0x399: movl    0x4(%eax),%eax
db> bt
Tracing pid 36339 tid 100198 td 0xc3bb7460
isp_pci_dmasetup(c3d90000,c30db800,d637b9d0,d637ba18,1,...) at isp_pci_dmasetup+0x399
isp_action(c3b03080,c30db800,c393cd14,d637ba68,c046e1fa,...) at isp_action+0x10b2
xpt_run_dev_sendq(c30d7248,c30db800,c3db3600,d637bab8,c0816a3e,...) at xpt_run_dev_sendq+0x18e
xpt_action(c30db800,c30db800,c305d8e0,c3db3600,c30db800,...) at xpt_action+0x68e
targsendccb(c0b61440,c30db800,d637bb18,c3b18d80,0,...) at targsendccb+0x9e
targstart(c3b18d80,c30db800,1,c30d7234,c3b18d80,...) at targstart+0x112
xpt_run_dev_allocq(c3b18d80,1,815e0c0,0,c3d90090,...) at xpt_run_dev_allocq+0xd2
targwrite(c3dbc500,d637bc54,0,c075a1d4,c3cd7678,...) at targwrite+0x148
giant_write(c3dbc500,d637bc54,0,0,c0bd8260,...) at giant_write+0x5d
devfs_write_f(c3af576c,d637bc54,c3db6100,0,c3bb7460,...) at devfs_write_f+0x72
dofilewrite(d637bc54,ffffffff,ffffffff,0,c3af576c,...) at dofilewrite+0x84
kern_writev(c3bb7460,4,d637bc54,d637bc74,1,...) at kern_writev+0x58
write(c3bb7460,d637bcf8,c,d637bd38,c,...) at write+0x50
syscall(d637bd38) at syscall+0x207
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (4, FreeBSD ELF32, write), eip = 0x2816f6f3, esp = 0xbfbf8a1c, ebp = 0xbfbf8a38 ---
db> 
>Description:
The crash happens when the isp(4) target driver is responding to a "SCSI inquiry (0x12)" from the initiator.

The isp(4) target driver is assembling a CTIO2 IOCB which includes
"FreeBSD Emulated Disk 0.1" and sends it to the initiator.

Since it's a data transfer, it calls isp_pci_dmasetup() to set up DMA.
Inside this function, it calls --->bus_dmamap_load()<--- and the crash happens inside it.

>How-To-Repeat:
Follow the link here: http://www.root.org/~nate/freebsd/scsi/README.targ

You need to have 2 PCs, each with one QLA23XX HBA in a PCI slot.

One PC is for the initiator, the other for the target.

Also, on the target machine, when issuing "./scsi_target -d bus:tgt:0 test_file",
use "camcontrol devlist -v" to find which bus your target isp is on. And always use 0 for tgt.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:


