Date: Sat, 13 May 1995 05:55:56 +1000
From: Bruce Evans <bde@zeta.org.au>
To: freebsd-bugs@freefall.cdrom.com, hsu@cs.hut.fi
Subject: Re: i386/395: CRITICAL PROBLEM: spl functions implemented incorrectly
Message-ID: <199505121955.FAA02157@godzilla.zeta.org.au>
>At least two of bugs reported by me were just like this
>
>s = splsomething();
>if (foo) {
>    ... something, which does verifiably not modify foo ...
>    if (foo->bar)   /* foo is NULL or garbage here, generating kernel
>                       page fault. */
>}
>splx(s);
>
>i.e. variable getting modified while it is assumed to keep its value. I
>think one of these reports was the FreeBSD 1.1.5.1 "print nfs server foo is
>alive again through NULL pointer", other was something under 2.*-current,
>can't remember which one (there are probably several open ones for me in
>GNATS, with stack traces and later ones with some kgdb wanderarounds).

There seems to be only one relevant one:

>>Number:         378
>>Category:       kern
>>Synopsis:       (apparently) bounce buffer code gets used on 32bit bus
>...
>Fatal trap 12: page fault while in kernel mode
>fault virtual address   = 0xa0
>fault code              = supervisor read, page not present
>instruction pointer
>...
>panic: vm_bounce_page_free: invalid bounce buffer
>...
>#12 0xf01147c3 in panic (...)
>#13 0xf01ba964 in vm_bounce_page_free (...)
>#14 0xf01baf00 in vm_bounce_free (...)
>#15 0xf0126ee3 in biodone (...)
>#16 0xf0185184 in scsi_done (...)
>#17 0xf01bdedb in bt_done (...)
>...
>Reading in symbols for ../../i386/i386/vm_machdep.c...done.
>#13 0xf01ba964 in vm_bounce_page_free (pa=0x00fd8000, count=1) (../../i386/i386/vm_machdep.c line 169)
>(kgdb) list
>164             if( pa == bouncepa[index])
>165                     break;
>166     }
>167
>168     if( index == bouncepages)
>169             panic("vm_bounce_page_free: invalid bounce buffer");
>170
>171     allocindex = index / BITS_IN_UNSIGNED;
>172     bit = index % BITS_IN_UNSIGNED;
>173
>(kgdb) print index
>$18 = 0
>(kgdb) print bouncepages
>$19 = 128

Everything seems reasonable except this.  gdb says that index is nowhere
near bouncepages.

>...
>(kgdb) print mynouncepa
>No symbol "mynouncepa" in current context.
>(kgdb) print mybouncepa
>$21 = 0x00fd8000
>(kgdb) print *mybouncepa
>Cannot read memory: address 0xfd8000 out of bounds.
>(kgdb) up

Oops.
It would help to know if the buffer was found at index 0.

> bounce buffer code shouldn't be called in this machine,
>doesn't it say "enabling bounce buffer code" in boot on those which
>need it?

The bt driver always sets SDEV_BOUNCE :-(.

Bruce