NetBSD Problem Report #47907

From www@NetBSD.org  Fri Jun  7 17:26:47 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 0433771A0E
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  7 Jun 2013 17:26:47 +0000 (UTC)
Message-Id: <20130607172645.2603171BB7@mollari.NetBSD.org>
Date: Fri,  7 Jun 2013 17:26:45 +0000 (UTC)
From: m4j0rd0m0@gmail.com
Reply-To: m4j0rd0m0@gmail.com
To: gnats-bugs@NetBSD.org
Subject: kernel trap when using EISA with I/O APIC on i386
X-Send-Pr-Version: www-1.0

>Number:         47907
>Category:       port-i386
>Synopsis:       kernel trap when using EISA with I/O APIC on i386
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 07 17:30:00 +0000 2013
>Closed-Date:    Fri Jul 05 06:42:35 +0000 2013
>Last-Modified:  Fri Jul 05 06:42:35 +0000 2013
>Originator:     Felix Deichmann
>Release:        6.1
>Organization:
>Environment:
NetBSD/i386 6.1 with patch for i386 MP default configuration
>Description:
Kernel traps when using EISA card in i386 MP default configuration #6 machine (EISA+PCI) with a corresponding patch. Console log w/trace follows.
This is due to an evil pointer cast in eisa_intr_establish() when I/O APIC is used.


NetBSD 6.1 (GENERIC) #1: Wed May 29 19:55:53 CEST 2013
        root@bla:/usr/src/sys/arch/i386/compile/GENERIC
total memory = 127 MB
avail memory = 112 MB
mainbus0 (root)
acpi_probe: failed to initialize tables
mainbus0: Intel MP Specification (Version 1.1)
mainbus0: MP default configuration 6
cpu0 at mainbus0 apid 0cpu0: prelint0 0x700<vector=0x0,delmode=0x7,dest=0x0> 0x0<target=0x0>
cpu0: prelint1 0x400<vector=0x0,delmode=0x4,dest=0x0> 0x0<target=0x0>
cpu0: timer0 0x10000<vector=0x0,delmode=0x0,masked,dest=0x0> 0x0<target=0x0>
cpu0: pcint0 0x0<vector=0x0,delmode=0x0,dest=0x0> 0x0<target=0x0>
cpu0: lint0 0x700<vector=0x0,delmode=0x7,dest=0x0> 0x0<target=0x0>
cpu0: lint1 0x400<vector=0x0,delmode=0x4,dest=0x0> 0x0<target=0x0>
cpu0: err0 0x10000<vector=0x0,delmode=0x0,masked,dest=0x0> 0x0<target=0x0>
: Intel 586-class, 100MHz, id 0x526
cpu1 at mainbus0 apid 1: Intel 586-class, id 0x2526
ioapic0 at mainbus0 apid 2, virtual wire mode
ioapic0: int0 attached to ExtINT (type 0x3<type=0x3=ExtINT> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int1 attached to eisa0 EISA irq 1 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int2 attached to eisa0 EISA irq 0 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int3 attached to eisa0 EISA irq 3 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int4 attached to eisa0 EISA irq 4 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int5 attached to eisa0 EISA irq 5 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int6 attached to eisa0 EISA irq 6 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int7 attached to eisa0 EISA irq 7 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int8 attached to eisa0 EISA irq 8 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int9 attached to eisa0 EISA irq 9 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int10 attached to eisa0 EISA irq 10 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int11 attached to eisa0 EISA irq 11 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int12 attached to eisa0 EISA irq 12 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int13 attached to eisa0 EISA irq 13 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int14 attached to eisa0 EISA irq 14 (type 0x0<type=0x0> flags 0x0<pol=0x0,trig=0x0>)
ioapic0: int15 attached to eisa0 EISA irq 15 (type 0x0<type=0x0> flags 0xd<pol=0x1=Act Hi,trig=0x3=Level>)
local apic: int0 attached to ExtINT (type 0x3<type=0x3=ExtINT> flags 0x0<pol=0x0,trig=0x0>)
local apic: int1 attached to NMI (type 0x1<type=0x1=NMI> flags 0x0<pol=0x0,trig=0x0>)
pci0 at mainbus0 bus 0: configuration mode 2
pchb0 at pci0 dev 0 function 0: vendor 0x8086 product 0x04a3 (rev. 0x11)
pceb0 at pci0 dev 1 function 0
pceb0: vendor 0x8086 product 0x0482 (rev. 0x05)
pciide0 at pci0 dev 2 function 0: vendor 0x1042 product 0x1000 (rev. 0x01)
pciide0: I/O access disabled at device
epic0 at pci0 dev 15 function 0: SMC 83c170 Fast Ethernet (rev. 0x08)
ioapic0: int15 0x8060<vector=0x60,delmode=0x0,level,dest=0x0> 0x0<target=0x0>
epic0: interrupting at ioapic0 pin 15
epic0: SMC9432TX, Ethernet address 00:e0:29:xx:xx:xx
qsphy0 at epic0 phy 3: QS6612 10/100 media interface, rev. 1
qsphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
eisa0 at pceb0
ahc1 at eisa0 slot 3: Adaptec AHA-274x SCSI
uvm_fault(0xc0c8d9e0, 0, 1) -> 0xe
uvm_fault(0xc0c8d9e0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c07dea95 cs 8 eflags 10246 cr2 0 ilevel 8
kernel: supervisor trap page fault, code=0
Stopped in pid 0.1 (system) at  netbsd:trap+0x6e0:      movzbl  0(%eax),%edx
db{0}> trace
trap() at netbsd:trap+0x6e0
--- trap (number 6) ---
?(b,c114a1f0,b,2,6,c0147de8,c1234c00,0,c1234c00,c0c4c0fc) at 0
eisa_intr_establish(0,10020b0b,2,6,c0147de8,c1234c00,0,b,c0bd5fa0,c0b2a3fb) at netbsd:eisa_intr_establish+0x7a
ahc_eisa_attach(c1229ac0,c1229940,c0de0ab8,c1229940,3,c0bd5fa0,0,c0de0ae8,c02b9455,c1229ac0) at netbsd:ahc_eisa_attach+0x271
config_attach_loc(c1229ac0,c0bc47a8,c0de0ab0,c0de0ab8,c02b9514,c077e89e,c0bd9220,c0bd5fc0,c1229ac0,10) at netbsd:config_attach_loc+0x1a5
eisaattach(c11bb180,c1229ac0,c0de0b44,c1229ac0,c11bb180,c0de0b44,0,c0de0b2c,c077f3f1,c11bb180) at netbsd:eisaattach+0x1b3
config_attach_loc(c11bb180,c0bc6e60,0,c0de0b44,c02b97f4,0,c0de0b60,c065b596,c11bb180,c0b24bf7) at netbsd:config_attach_loc+0x1a5
config_found_ia(c11bb180,c0b24bf7,c0de0b44,c02b97f4,0,c0bd5fa0,c0bd5fc0,c0bd9220,0,c0c3bcbc) at netbsd:config_found_ia+0x36
pceb_callback(c11bb180,2,c11bb480,c11bb480,c0bc7ce8,c0b3c2a1,c0de0ba4,c077f1d9,c11bbc00,c11bb480) at netbsd:pceb_callback+0x4f
config_process_deferred(c11bbc00,c11bb480,c0de0be0,c11bb480,c0b24bc0,c114d080,c11bbc00,c0de0bc4,c077f3f1,c11bbc00) at netbsd:config_process_deferred+0x44
config_attach_loc(c11bbc00,c0bc5dc8,0,c0de0be0,c0662ab4,0,c0de0c1c,c05a2b80,c11bbc00,c0b24bc0) at netbsd:config_attach_loc+0x1c7
config_found_ia(c11bbc00,c0b24bc0,c0de0be0,c0662ab4,c0de0be0,c0bd5fa0,c0bd5fa0,c0bd5fc0,c0c375e0,0) at netbsd:config_found_ia+0x36
mainbus_rescan(c11bbc00,c0b24bc0,0,c11bbc00,c11d8de0,c0ba3703,c0b92ef7,c0de0c60,c05292fb,c11d8de0) at netbsd:mainbus_rescan+0x246
mainbus_attach(0,c11bbc00,0,c11bbc00,0,c0b23e8c,de6000,c0de0cc4,c077f271,0) at netbsd:mainbus_attach+0xfc
config_attach_loc(0,c0bc5db0,0,0,0,c0de0ce4,c077f2b5,0,c0bc5db0,0) at netbsd:config_attach_loc+0x1a5
config_attach(0,c0bc5db0,0,0,1986,c0c73680,c0de0cf8,c01ef90a,c0b23e8c,0) at netbsd:config_attach+0x2e
config_rootfound(c0b23e8c,0,1986,c0de0d40,c04bbc5d,c0b69b02,6,3,0,0) at netbsd:config_rootfound+0x42
cpu_configure(c0b69b02,6,3,0,0,0,0,0,0,0) at netbsd:cpu_configure+0x2a
main(0,0,0,0,0,0,0,0,0,0) at netbsd:main+0x29f
>How-To-Repeat:
Boot a kernel with support for i386 MP default configurations on such a machine with default configuration 6 (integrated APICs, EISA+PCI) and with an Adaptec AHA-2740/42W EISA card, SMP enabled...

Any other EISA card might trigger the same problem in this machine when using SMP (i.e. the I/O APIC).

Any other machine with EISA hardware and IRQs routed via I/O APIC might also be affected.
>Fix:
A fix for src/sys/arch/i386/eisa/eisa_machdep.c Rev. 1.37 (removes some trailing whitespace, too) follows. Tested and works on the system mentioned above.
aprint_error() is replaced by aprint_normal(), as this is a mere c&p from a current src/sys/arch/x86/pci/pci_intr_machdep.c, and I don't want to decide which one is right.


--- eisa_machdep_rev_1_37.c	2013-06-04 12:45:55.000000000 +0200
+++ eisa_machdep.c	2013-06-04 14:03:59.000000000 +0200
@@ -106,7 +106,7 @@
 eisa_attach_hook(device_t parent, device_t self,
     struct eisabus_attach_args *eba)
 {
-	extern int eisa_has_been_seen; 
+	extern int eisa_has_been_seen;

 	/*
 	 * Notify others that might need to know that the EISA bus
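Review bot: the change at `extern int eisa_has_been_seen;` only strips trailing whitespace and has nothing to do with the trap; whitespace cleanup in the same patch as a crash fix makes the functional change harder to audit and to pull up to a release branch, so it is better split into its own commit.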
@@ -176,7 +176,6 @@
 	snprintf(irqstr, sizeof(irqstr), "irq %d", ih);
 #endif
 	return (irqstr);
-	
 }

 const struct evcnt *
@@ -193,18 +192,22 @@
 {
 	int pin, irq;
 	struct pic *pic;
+#if NIOAPIC > 0
+	struct ioapic_softc *ioapic;
+#endif

 	pic = &i8259_pic;
 	pin = irq = ih;

 #if NIOAPIC > 0
 	if (ih & APIC_INT_VIA_APIC) {
-		pic = (struct pic *)ioapic_find(APIC_IRQ_APIC(ih));
-		if (pic == NULL) {
-			aprint_error("eisa_intr_establish: bad ioapic %d\n",
+		ioapic = ioapic_find(APIC_IRQ_APIC(ih));
+		if (ioapic == NULL) {
+			aprint_normal("eisa_intr_establish: bad ioapic %d\n",
 			    APIC_IRQ_APIC(ih));
 			return NULL;
 		}
+		pic = &ioapic->sc_pic;
 		pin = APIC_IRQ_PIN(ih);
 		irq = APIC_IRQ_LEGACY_IRQ(ih);
 		if (irq < 0 || irq >= NUM_LEGACY_IRQS)
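Review bot: in the `ioapic == NULL` branch the call changes from aprint_error() to aprint_normal(), which is unrelated to the cast fix and demotes the diagnostic on a path that returns NULL to the caller; keep aprint_error() here and leave any change of severity to a separate commit. Replacing `(struct pic *)ioapic_find(...)` with `pic = &ioapic->sc_pic` is the right shape, because the result no longer depends on where sc_pic sits inside struct ioapic_softc.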

>Release-Note:

>Audit-Trail:
From: Felix Deichmann <m4j0rd0m0@gmail.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/47907: kernel trap when using EISA with I/O APIC on
 i386
Date: Mon, 10 Jun 2013 23:24:33 +0200

 Got a report from a user with an ASUS PCI/E-P54NP4 mainboard (dual 
 Pentium, EISA+PCI, not MP default configuration this time) who gets the 
 same kernel trap with NetBSD 6.1 when using an EISA AHA-2742W with SMP 
 enabled.

 The fix is obvious and presented in this PR, so it would be great to see 
 it committed. Thanks.

State-Changed-From-To: open->feedback
State-Changed-By: uebayasi@NetBSD.org
State-Changed-When: Sun, 23 Jun 2013 00:57:37 +0000
State-Changed-Why:
Committed.  Pullup to netbsd-6 being requested too.  Thanks for the report!


State-Changed-From-To: feedback->closed
State-Changed-By: uebayasi@NetBSD.org
State-Changed-When: Fri, 05 Jul 2013 06:42:35 +0000
State-Changed-Why:
Already fixed & pullup request sent.


>Unformatted:
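
The bug class behind this PR, reduced to a stand-alone C program (an added example, not code from the PR or from NetBSD). The toy_* structures, the leading sc_dev field and the sample values are assumptions made for illustration; the point is that casting a container pointer to the type of an embedded member is only correct when that member sits at offset 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not the NetBSD definitions. */
struct toy_pic {
	const char *pic_name;
	int pic_vecbase;
};
struct toy_ioapic_softc {
	void *sc_dev;		/* assumed leading field: sc_pic is not at offset 0 */
	struct toy_pic sc_pic;
	int sc_apicid;
};

static struct toy_ioapic_softc sample = { NULL, { "ioapic", 0x20 }, 2 }; /* constructed */

/* Pattern removed by the patch: reinterpret the softc as its embedded pic. */
static struct toy_pic *pic_by_cast(struct toy_ioapic_softc *sc)
{
	return (struct toy_pic *)(void *)sc;
}

/* Pattern introduced by the patch: take the member's address. */
static struct toy_pic *pic_by_member(struct toy_ioapic_softc *sc)
{
	return &sc->sc_pic;
}

/* What the cast view would read as pic_name: the bytes of sc_dev. */
static const void *name_slot_seen_by_cast(const struct toy_ioapic_softc *sc)
{
	const void *p;
	memcpy(&p, (const unsigned char *)sc + offsetof(struct toy_pic, pic_name), sizeof(p));
	return p;
}

/* The cast is only layout-safe when the member sits at offset 0. */
static int cast_is_layout_safe(void)
{
	return offsetof(struct toy_ioapic_softc, sc_pic) == 0;
}

int main(void)
{
	printf("layout-safe=%d cast=%p member=%p\n", cast_is_layout_safe(),
	    (void *)pic_by_cast(&sample), (void *)pic_by_member(&sample));
	return name_slot_seen_by_cast(&sample) == sample.sc_dev ? 0 : 1;
}
```

A compile-time assertion on the same offsetof() expression, placed next to any such cast, turns a later reordering of the structure into a build failure instead of a boot-time trap.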
