Date: Sun, 29 Jul 2001 14:01:50 +0200 (CEST)
From: "Karel J. Bosschaart" <karelj@wop21.wop.wtb.tue.nl>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/29295: use of mmap in cp(1) can cause a panic when reading from CD
Message-ID: <200107291201.f6TC1op73665@wop21.wop.wtb.tue.nl>
>Number: 29295
>Category: bin
>Synopsis: use of mmap in cp(1) can cause a panic when reading from CD
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 29 05:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Karel J. Bosschaart
>Release: FreeBSD 4.3-STABLE i386
>Organization: TU/e
>Environment:
System: FreeBSD babyflame.wop.wtb.tue.nl 4.3-STABLE FreeBSD 4.3-STABLE #14: Fri Jul 27 23:13:35 CEST 2001 karelj@babyflame.wop.wtb.tue.nl:/usr/src/sys/compile/KAYJAY i386

Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.
FreeBSD 4.3-STABLE #14: Fri Jul 27 23:13:35 CEST 2001
    karelj@babyflame.wop.wtb.tue.nl:/usr/src/sys/compile/KAYJAY
Timecounter "i8254" frequency 1193182 Hz
CPU: AMD-K6(tm) 3D processor (300.68-MHz 586-class CPU)
  Origin = "AuthenticAMD" Id = 0x580 Stepping = 0
  Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
  AMD Features=0x80000800<SYSCALL,3DNow!>
real memory = 67092480 (65520K bytes)
avail memory = 61603840 (60160K bytes)
Preloaded elf kernel "kernel" at 0xc03ab000.
md0: Malloc disk
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <AcerLabs M1541 (Aladdin-V) PCI host bridge> on motherboard
pci0: <PCI bus> on pcib0
pcib1: <AcerLabs M5243 PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <Matrox MGA G200 AGP graphics accelerator> at 0.0 irq 11
alpm0: <AcerLabs M15x3 Power Management Unit> at device 3.0 on pci0
alpm0: driver is using old-style compatibility shims
isab0: <AcerLabs M1533 portable PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
ed0: <NE2000 PCI Ethernet (RealTek 8029)> port 0xd800-0xd81f irq 10 at device 9.0 on pci0
ed0: address 00:00:b4:b7:fa:55, type NE2000 (16 bit)
atapci0: <AcerLabs Aladdin ATA33 controller> port 0xd400-0xd40f irq 0 at device 15.0 on pci0
ata0: at 0x1f0 irq 14 on atapci0
smbus0: <System Management Bus> on alsmb0
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model IntelliMouse Explorer, device ID 4
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sbc0: <Creative ViBRA16X> at port 0x220-0x22f,0x330-0x331,0x388-0x38b irq 5 drq 1,3 on isa0
pcm0: <SB16 DSP 4.16 (ViBRA16X)> on sbc0
ata0-master: DMA limited to UDMA33, non-ATA66 compliant cable
ad0: 19541MB <Maxtor 52049H3> [39704/16/63] at ata0-master UDMA33
acd0: CDROM <CD-ROM 36X/AKU> at ata0-slave using PIO4
Mounting root from ufs:/dev/ad0s1a
cd9660: Joliet Extension (Level 3)
acd0: READ_BIG - ILLEGAL REQUEST asc=64 ascq=00 error=04
vm_fault: pager read error, pid 309 (cp)
acd0: READ_BIG - ILLEGAL REQUEST asc=64 ascq=00 error=04
vm_fault: pager read error, pid 366 (cp)
acd0: READ_BIG - ILLEGAL REQUEST asc=64 ascq=00 error=04
vm_fault: pager read error, pid 372 (cp)

>Description:
A significant percentage of CDROMs that I burnt with mkisofs/cdrecord contains one or more files that I cannot cp(1) from CD to harddisk. I'm getting a 'Bad Address'. However, it is possible to access those files with other programs such as cat(1). When it is attempted to cp(1) the particular file(s) after having used cat(1) on them, a panic on 4.x and 5.0 immediately follows. On 3.x (versions after 1998-11-14, when use of mmap was introduced http://www.freebsd.org/cgi/cvsweb.cgi/src/bin/cp/Makefile?only_with_tag=RELENG_3_1_0_RELEASE ) I didn't get an immediate panic, but the machine panicked shortly after issuing the shutdown command.

>How-To-Repeat:
Mount a CDROM that contains troublesome files (I could make an ISO available if that would be useful). Attempting to cp(1) such a file gives 'Bad Address'. When preceding the cp(1) command with cat(1), which successfully transfers the file, the machine panics (typical crash dump shown below with gdb). I reproduced the problem on four different FreeBSD machines, two of them with IDE CD drives, two of them with SCSI CD drives. However, I also found a machine (IDE CD drive) that did *not* have the problem, so I suspect there are also hardware aspects involved.

babyflame# gdb -k
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
(kgdb) symbol-file kernel.debug
Reading symbols from kernel.debug...done.
(kgdb) exec-file /home/karelj/crash/kernel.0
(kgdb) core-file /home/karelj/crash/vmcore.0
IdlePTD 3973120
initial pcb at 329b40
panicstr: vm_page_free: freeing wired page
panic messages:
---
panic: vm_page_free: freeing wired page

syncing disks... 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47
giving up on 15 buffers
Uptime: 2m21s

dumping to dev #ad/0x20001, offset 139296
dump ata0: resetting devices .. done
63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
---
#0 dumpsys () at ../../kern/kern_shutdown.c:472
472 if (dumping++) {
(kgdb) bt
#0 dumpsys () at ../../kern/kern_shutdown.c:472
#1 0xc015c6ff in boot (howto=256) at ../../kern/kern_shutdown.c:312
#2 0xc015cacc in poweroff_wait (junk=0xc02cb440, howto=4) at ../../kern/kern_shutdown.c:580
#3 0xc023b47e in vm_page_free_toq (m=0xc04f5988) at ../../vm/vm_page.c:1108
#4 0xc0233b75 in vm_fault (map=0xc567b200, vaddr=674942976, fault_type=1 '\001', fault_flags=0) at ../../vm/vm_page.h:527
#5 0xc0296faa in trap_pfault (frame=0xc6119c9c, usermode=0, eva=674942976) at ../../i386/i386/trap.c:824
#6 0xc0296bd3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -1030774784,
      tf_esi = 674942976, tf_ebp = -971924072, tf_isp = -971924280, tf_ebx = 1469,
      tf_edx = 674944445, tf_ecx = 1469, tf_eax = -971931648, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071031472, tf_cs = 8, tf_eflags = 2163206, tf_esp = -60801,
      tf_ss = -65536}) at ../../i386/i386/trap.c:443
#7 0xc0295b50 in fastmove ()
#8 0xc0295a9e in i586_copyin ()
#9 0xc022a449 in ffs_write (ap=0xc6119e68) at ../../ufs/ufs/ufs_readwrite.c:510
#10 0xc0190552 in vn_write (fp=0xc09b0980, uio=0xc6119ed8, cred=0xc09ab700, flags=0,
      p=0xc610e920) at vnode_if.h:363
#11 0xc016ae29 in dofilewrite (p=0xc610e920, fp=0xc09b0980, fd=4, buf=0x28057000,
      nbyte=3499453, offset=-1, flags=0) at ../../sys/file.h:162
#12 0xc016ace2 in write (p=0xc610e920, uap=0xc6119f80) at ../../kern/sys_generic.c:329
#13 0xc02975e9 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 671444992,
      tf_esi = 671444992, tf_ebp = -1077937708, tf_isp = -971923500, tf_ebx = 3499453,
      tf_edx = 134660480, tf_ecx = 2, tf_eax = 4, tf_trapno = 12, tf_err = 2,
      tf_eip = 134561112, tf_cs = 31, tf_eflags = 659, tf_esp = -1077937768,
      tf_ss = 47}) at ../../i386/i386/trap.c:1150
#14 0xc0288d25 in Xint0x80_syscall ()
#15 0x8048979 in ?? ()
#16 0x804850e in ?? ()
#17 0x8048135 in ?? ()
(kgdb)

>Fix:
I worked around by removing "CFLAGS+= -W -DVM_AND_BUFFER_CACHE_SYNCHRONIZED" from /usr/src/bin/cp/Makefile and recompile/reinstall.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
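
Added example (not part of the original report and not cp(1) source): in the backtrace, write(2) faults in copyin while reading the mmap'ed source, so a failed page-in reaches the program as 'Bad address' (EFAULT) rather than as a read(2) error. The hypothetical copy_file() below tries the mapped copy and, on EFAULT, empties the output and redoes the copy with a read/write loop; it is a user-space robustness pattern and does not address the kernel panic.

```c
/* Added example, not cp(1) source; all function names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

static int copy_rw(int in, int out) /* media errors surface from read() */
{
    char buf[65536];
    ssize_t n, w, off;
    while ((n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) <= 0)
                return -1;
    return n < 0 ? -1 : 0;
}

/* 1 = copied via mmap, 0 = fall back (output reset to empty), -1 = hard error. */
static int copy_mmap(int in, int out, size_t len)
{
    size_t off = 0;
    ssize_t w = 0;
    char *p = mmap(NULL, len, PROT_READ, MAP_SHARED, in, 0);
    if (p == MAP_FAILED) return 0;
    /* write() pages the source in; a pager read error comes back as EFAULT. */
    while (off < len && (w = write(out, p + off, len - off)) > 0)
        off += (size_t)w;
    int err = errno;
    munmap(p, len);
    if (off == len || (w < 0 && err != EFAULT))
        return off == len ? 1 : -1;
    return (ftruncate(out, 0) < 0 || lseek(out, 0, SEEK_SET) < 0) ? -1 : 0;
}

/* Returns 1 (mmap path), 0 (read/write path) or -1 (error). */
int copy_file(const char *from, const char *to, int try_mmap)
{
    struct stat st;
    int rc = 0, in = open(from, O_RDONLY), out = -1;
    if (in >= 0 && fstat(in, &st) == 0)
        out = open(to, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out >= 0 && try_mmap && S_ISREG(st.st_mode) && st.st_size > 0)
        rc = copy_mmap(in, out, (size_t)st.st_size);
    if (out < 0 || (rc == 0 && copy_rw(in, out) < 0))
        rc = -1;
    if (in >= 0) close(in);
    if (out >= 0) close(out);
    return rc;
}
```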