Date: Sun, 21 Feb 1999 21:30:03 -0800 (PST) From: Bruce Evans <bde@zeta.org.au> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86 Message-ID: <199902220530.VAA46299@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/10166; it has been noted by GNATS.
From: Bruce Evans <bde@zeta.org.au>
To: bde@zeta.org.au, hgoldste@bbs.mpcs.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Mon, 22 Feb 1999 16:24:53 +1100
>db> trace
>random_poll(f0571000,f2899ca8,f0191b67,0,10) at random_poll+0xef3
>random_poll(0,10,2ed,2ed,20) at random_poll+0xe6a
>Xfastintr4(f2899cd4,80000000,283,f2899cd4,f2899cdc) at Xfastintr4+0x17
`trace' (in all elf kernels?) is still broken.
>...
>(kgdb) frame 12
>#12 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
> at ../../i386/isa/sio.c:1385
>1385 tp = com_addr(unit)->tp;
>(kgdb) l
>1380 if (mynor & CONTROL_MASK)
>1381 return (ENODEV);
>1382 unit = MINOR_TO_UNIT(mynor);
>1383 if (com_addr(unit)->gone)
>1384 return (ENODEV);
>1385 tp = com_addr(unit)->tp;
>1386 return ((*linesw[tp->t_line].l_read)(tp, uio, flag));
>1387 }
>1388
>1389 static int
>(kgdb) print *unit
>Cannot access memory at address 0x7610776.
>(kgdb) print unit
>$9 = 123799414
`unit' is out of bounds. The caller seems to have passed a bad `dev'.
Unfortunately, the value for `dev' is not visible in the debugging output
for any of the callers.
>(kgdb) print tp
>$10 = (struct tty *) 0x7610776
>(kgdb) frame 13
>#13 0xf0154603 in spec_read (ap=0xf2899ef8)
> at ../../miscfs/specfs/spec_vnops.c:278
>278 error = (*cdevsw[major(vp->v_rdev)]->d_read)
>(kgdb) print *vp
>$11 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
> v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800,
> v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
> le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
> tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0,
> tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0},
> v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900,
> vu_socket = 0xf056d900, vu_specinfo = 0xf056d900,
^^^^^^^^^^^ this points to a struct
containing the device number
> vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0,
> v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
> lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00,
> v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640,
> tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
> vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0},
> vpi_events = 0, vpi_revents = 0}}
Device numbers are checked at open() time. Apparently, v_un or *vu_specinfo
was corrupted between open() and read().
Bruce
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902220530.VAA46299>