NetBSD Problem Report #9257

Received: (qmail 25669 invoked from network); 20 Jan 2000 08:55:11 -0000
Message-Id: <200001200816.JAA04928@asparagus.emsi.priv.at>
Date: Thu, 20 Jan 2000 09:16:42 +0100 (CET)
From: "Martin J. Laubach" <mjl@emsi.priv.at>
Reply-To: mjl@emsi.priv.at
To: gnats-bugs@gnats.netbsd.org
Subject: panic in aha_scsi_cmd()
X-Send-Pr-Version: 3.95

>Number:         9257
>Category:       kern
>Synopsis:       panic in aha_scsi_cmd()
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 20 00:57:00 +0000 2000
>Closed-Date:    
>Last-Modified:  Sat Nov 12 16:00:41 +0000 2005
>Originator:     Martin J. Laubach
>Release:        Current from: Tue Jan 11 07:04:47 CET 2000
>Organization:

>Environment:

System: NetBSD 1.4P (CACTUS) #0: Tue Jan 11 07:04:47 CET 2000
    mjl@asparagus:/home/temp/devel/cvs/src/sys/arch/i386/compile/CACTUS

>Description:
  This may be the same problem that I have reported earlier; the
symptoms are quite similar. However, this time I have been able to
get a crash dump.

  When a bunch of queued up mails is delivered to my machine (about
100 or so), lots of sendmail and procmail processes are started up
which somehow seems to trigger a bug in the fs code.

  The last lines in dmesg are:

	/tmp: optimization changed from TIME to SPACE
	uvm_fault(0xf0295100, 0xf09ff000, 0, 1) -> 2


  The stack traceback is:

(gdb) where
#0  0xf0276d98 in db_last_command ()
#1  0x15cf000 in ?? ()
#2  0xf0213fdb in cpu_reboot (howto=260, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:1123
#3  0xf010e5ce in db_reboot_cmd () at ../../../../ddb/db_command.c:582
#4  0xf010e300 in db_command (last_cmdp=0xf0276d98, cmd_table=0xf0276bd8)
    at ../../../../ddb/db_command.c:295
#5  0xf010e45a in db_command_loop () at ../../../../ddb/db_command.c:486
#6  0xf0110b1a in db_trap (type=6, code=0) at ../../../../ddb/db_trap.c:78
#7  0xf0212032 in kdb_trap (type=6, code=0, regs=0xf299fd30)
    at ../../../../arch/i386/i386/db_interface.c:120
#8  0xf0219620 in trap (frame={tf_es = -264503280, tf_ds = -226361328, 
      tf_edi = -226328576, tf_esi = -257953792, tf_ebp = -224789104, 
      tf_ebx = 4, tf_edx = -226328576, tf_ecx = 16384, tf_eax = 31625216, 
      tf_trapno = 6, tf_err = 196608, tf_eip = -266075070, tf_cs = -224854008, 
      tf_eflags = 66070, tf_esp = 0, tf_ss = -264400656, 
      tf_vm86_es = -266200427, tf_vm86_ds = -226328576, 
      tf_vm86_fs = -257953792, tf_vm86_gs = 65536})
    at ../../../../arch/i386/i386/trap.c:298
#9  0xf0100c79 in calltrap ()
#10 0xf01033a4 in aha_scsi_cmd (xs=0xf03d90f0) at ../../../../dev/ic/aha.c:1324
#11 0xf021afcb in scsipi_execute_xs (xs=0xf03d90f0)
    at ../../../../dev/scsipi/scsipi_base.c:688
#12 0xf021bf37 in scsi_scsipi_cmd (sc_link=0xf03c3700, scsipi_cmd=0xf299fe68, 
    cmdlen=6can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
can not access 0xf09ff000, invalid translation (invalid PTE)
, data_addr=0xf09ff000 <Address 0xf09ff000 out of bounds>, 
    datalen=65536, retries=4, timeout=60000, bp=0xf04752e8, flags=4105)
    at ../../../../dev/scsipi/scsi_base.c:125
#13 0xf021d6e7 in sdstart (v=0xf03c6a00) at ../../../../dev/scsipi/sd.c:751
#14 0xf021a9f7 in scsipi_free_xs (xs=0xf03d90f0, flags=1)
    at ../../../../dev/scsipi/scsipi_base.c:173
#15 0xf021af6d in scsipi_done (xs=0xf03d90f0)
    at ../../../../dev/scsipi/scsipi_base.c:644
#16 0xf01028aa in aha_done (sc=0xf03c6c00, ccb=0xf2807214)
    at ../../../../dev/ic/aha.c:787
#17 0xf0102166 in aha_finish_ccbs (sc=0xf03c6c00)
    at ../../../../dev/ic/aha.c:388
#18 0xf0102248 in aha_intr (arg=0xf03c6c00) at ../../../../dev/ic/aha.c:448
#19 0xf0101690 in Xintr11 ()


  In frame #14, xs looks like this:

(gdb) print *xs
$1 = {adapter_q = {tqe_next = 0xdeadbeef, tqe_prev = 0xf03d9168}, device_q = {
    tqe_next = 0xf03d9fe0, tqe_prev = 0xf03c3734}, xs_control = 4105, 
  xs_status = 1, sc_link = 0xf03c3700, retries = 4, timeout = 60000, 
  cmd = 0xf03d9158, cmdlen = 6, data = 0xf123b000 "\035\034", datalen = 5120, 
  resid = 0, error = 0, bp = 0xf0dd2dd0, sense = {scsi_sense = {
      error_code = 0 '\000', segment = 0 '\000', flags = 0 '\000', 
      info = "\000\000\000", extra_len = 0 '\000', 
      cmd_spec_info = "\000\000\000", add_sense_code = 0 '\000', 
      add_sense_code_qual = 0 '\000', fru = 0 '\000', 
      sense_key_spec_1 = 0 '\000', sense_key_spec_2 = 0 '\000', 
      sense_key_spec_3 = 0 '\000', extra_bytes = '\000' <repeats 13 times>}, 
    atapi_sense = 0}, req_sense_length = 0, status = 0 '\000', cmdstore = {
    opcode = 10 '\n', 
    bytes = "\006P(\n\000\000\000\000\000\000\000\000\000\000"}}

  Note the DEADBEEF!


  The crash dump is available on request.

>How-To-Repeat:
  Take machine down for some time. Take it up and wait for the queued
mail to be delivered.

>Fix:
>Release-Note:
>Audit-Trail:

From: Manuel Bouyer <bouyer@antioche.lip6.fr>
To: "Martin J. Laubach" <mjl@emsi.priv.at>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/9257: uvm_fault(0xf0295100, 0xf09ff000, 0, 1) -> 2
Date: Thu, 20 Jan 2000 17:44:21 +0100

 On Thu, Jan 20, 2000 at 09:16:42AM +0100, Martin J. Laubach wrote:
 > 
 > >How-To-Repeat:
 >   Take machine down for some time. Take it up and wait for the queued
 > mail to be delivered.

 Another way to get it is maybe to run the following program on another host.
 Could you try? (Please adjust variables before running it! :)

 --
 Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
 --

 #include <ctype.h>
 #include <fcntl.h>
 #include <memory.h>
 #include <netdb.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>	/* strlen(), memset(), memcpy() */
 #include <unistd.h>
 #include <sys/time.h>

 #include <netinet/in.h>

 #include <sys/socket.h>

 char *ehlo = "ehlo antifer.ipv6.lip6.fr\n";
 char *from = "mail from: test@rocha.ipv6.lip6.fr\n";
 char *to = "rcpt to: test@rocha.ipv6.lip6.fr\n";
 char *data = "data\n";
 char *rset = "rset\n";
 char *dot = ".\n";

 char *body = "Subject: test\n"
 "X-mailer: smtptorture\n\n"
 "# tcsh\n"
 "/cordouan:/home/bouyer# /usr/sbin/sendmail -bd -q10m\n"
 "cordouan:/home/bouyer# w\n"
 " 2:39PM  up 2 mins, 4 users, load averages: 0.93, 0.50, 0.21\n"
 " USER    TTY FROM              LOGIN@  IDLE WHAT\n"
 " w: proc size mismatch (26544 total, 688 chunks)\n"
 " cordouan:/home/bouyer# \n";

 void smtp_send(int, char*, int);
 int smtp_receive(int);

 #if 0
 #define DO_WRITE(a,b,c) write((a), (b), (c))
 #else
 #define DO_WRITE(a,b,c) /**/
 #endif

 int
 main(int argc, char **argv)
 {
 	char *server ;
 	u_short port ;
 	int client_socket , sendmail_err;
 	struct hostent *host ;
 	struct sockaddr_in server_sockaddr ;
 	int count;

 	if ( argc != 3 )
 	{
 		fprintf ( stderr , "usage: client host port\n" ) ;
 		exit ( EXIT_FAILURE ) ;
 	}

 	server = argv [ 1 ] ;
 	port = atoi ( argv [ 2 ] ) ;

 	client_socket = socket ( PF_INET , SOCK_STREAM , 0 ) ;
 	if ( client_socket == -1 ) {
 		perror ( "socket" ) ;
 		exit ( EXIT_FAILURE ) ;
 	}

 	host = gethostbyname ( server ) ;
 	if ( host == NULL ) {
 		perror ( "gethostbyname" ) ;
 		exit ( EXIT_FAILURE ) ;
 	}

 	memset ( &server_sockaddr , 0 , sizeof ( server_sockaddr ) ) ;
 	server_sockaddr . sin_family = AF_INET ;
 	server_sockaddr . sin_port = htons ( port ) ;
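 	/* copy the first IPv4 address; does not assume sizeof(u_long) == 4 */
 	memcpy ( &server_sockaddr . sin_addr , host -> h_addr_list [ 0 ] ,
 		 sizeof ( server_sockaddr . sin_addr ) ) ;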

 	if ( connect ( client_socket , ( struct sockaddr * ) &server_sockaddr ,
 		 sizeof ( server_sockaddr ) ) == -1 ) {
 		perror ( "connect" ) ;
 		exit ( EXIT_FAILURE ) ;
 	}


 	sendmail_err = smtp_receive(client_socket);
 	if (sendmail_err != 2) {
 		close(client_socket);
 		exit(1);
 	}
 	smtp_send(client_socket, ehlo, 1);
 	sendmail_err = smtp_receive(client_socket);
 	if (sendmail_err != 2) {
 		close(client_socket);
 		exit(1);
 	}
 #define CHECK_ERR  do {\
 	sendmail_err = smtp_receive(client_socket);\
 	if(sendmail_err == 5) {\
 		printf("error\n");\
 		close(client_socket);\
 		exit(1);\
 	}\
 	if(sendmail_err == 4) {\
 		printf("sleeping\n");\
 		sleep(60);\
 		goto reset;\
 	}\
 	} while (0)

 	for (count=1;;count++) {
 		printf("sending mail %d ", count);
 		fflush(stdout);
 		smtp_send(client_socket, from, 1);
 		CHECK_ERR;
 		printf(".");
 		fflush(stdout);
 		smtp_send(client_socket, to, 1);
 		CHECK_ERR;
 		printf(".");
 		fflush(stdout);
 		smtp_send(client_socket, data, 1);
 		CHECK_ERR;
 		printf(".");
 		fflush(stdout);
 		smtp_send(client_socket, body, 0);
 		smtp_send(client_socket, dot, 1);
 		CHECK_ERR;
 		printf("done\n");
 reset:	smtp_send(client_socket, rset, 1);
 		CHECK_ERR;
 	}
 	exit(EXIT_SUCCESS);
 }


 void smtp_send(int fd, char* str, int flags)
 {
 	int bytes;
 again:
 	bytes = write(fd, str, strlen(str));
 	if (bytes == 0) {
 		close(fd);
 		exit(0);
 	}
 	if (bytes == -1) {
 		perror("write");
 		sleep(2);
 		goto again;
 	}
 	DO_WRITE(2, str, strlen(str));
 }

 int smtp_receive(int fd)
 {
 	char readval = 0;
 	char ret;
 	int bytes, again, nbc;

 again:
 	bytes = read(fd, &ret, 1);
 	if (bytes == 0) {
 		close(fd);
 		exit(0);
 	}
 	if (bytes == -1) {
 		perror("read");
 		sleep(2);
 		goto again;
 	}
 	DO_WRITE(2, &ret, 1);
 	ret = ret - 48;
 	nbc = 1;
 	again=0;
 	while (1) {
 again2:
 		bytes = read(fd, &readval, 1);
 		if (bytes == 0) {
 			close(fd);
 			exit(0);
 		}
 		if (bytes == -1) {
 			perror("read");
 			sleep(2);
 			goto again2;
 		}
 		nbc++;
 		if (nbc == 4 && readval=='-')
 			again=1;
 		DO_WRITE(2, &readval, 1);
 		if (readval == '\n') {
 			if(again == 1)
 				goto again;
 			return(ret);
 		}
 	}
 }
>Unformatted:
