Bug 195853 - During removing device entry of a powered off tape drive camcontrol devlist causes page fault
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 8.4-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-10 15:09 UTC by longwitz
Modified: 2018-02-24 00:03 UTC

Description longwitz 2014-12-10 15:09:03 UTC
On a system running FreeBSD 8.4-STABLE r273833 (amd64) a tape drive was powered off. A little time later the command "camcontrol devlist" crashes the system with a page fault:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
(sa1:mpt0:0:10:0): removing device entry


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xa0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff803c63a7
stack pointer           = 0x28:0xffffff8245b3adc0
frame pointer           = 0x28:0xffffff8245b3ae00
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 76133 (camcontrol)
Dumping 1399 out of 8181 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91%

Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from /boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
266             if (textdump_pending)
Loading gdb init file /home/crash/.gdbinit ...
set height 100 ...
source gdb6 (and gdb6.i386) ...
source mygdb6 ...
Working directory /home/crash.
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:266
#1  0xffffffff80201c8c in db_fncall (dummy1=<value optimized out>, dummy2=<value optimized out>, dummy3=<value optimized out>,
    dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:548
#2  0xffffffff80201f3d in db_command (last_cmdp=0xffffffff808a16c0, cmd_table=<value optimized out>, dopager=0) at /usr/src/sys/ddb/db_command.c:445
#3  0xffffffff802065f3 in db_script_exec (scriptname=0xffffffff806770be "kdb.enter.default", warnifnotfound=0) at /usr/src/sys/ddb/db_script.c:302
#4  0xffffffff802066ee in db_script_kdbenter (eventname=<value optimized out>) at /usr/src/sys/ddb/db_script.c:325
#5  0xffffffff802042d4 in db_trap (type=<value optimized out>, code=<value optimized out>) at /usr/src/sys/ddb/db_main.c:230
#6  0xffffffff80444901 in kdb_trap (type=12, code=0, tf=0xffffff8245b3ad10) at /usr/src/sys/kern/subr_kdb.c:654
#7  0xffffffff805f8d4d in trap_fatal (frame=0xffffff8245b3ad10, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:844
#8  0xffffffff805f90ff in trap_pfault (frame=0xffffff8245b3ad10, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:765
#9  0xffffffff805f95b2 in trap (frame=0xffffff8245b3ad10) at /usr/src/sys/amd64/amd64/trap.c:457
#10 0xffffffff805df1a8 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600) at /usr/src/sys/kern/kern_conf.c:938
#12 0xffffffff803c6779 in destroy_dev (dev=0xffffff013e73a600) at /usr/src/sys/kern/kern_conf.c:959
#13 0xffffffff801ac9a3 in sacleanup (periph=0xffffff0141d0d300) at /usr/src/sys/cam/scsi/scsi_sa.c:1389
#14 0xffffffff8017f00a in camperiphfree (periph=0xffffff0141d0d300) at /usr/src/sys/cam/cam_periph.c:572
#15 0xffffffff80181d78 in xptperiphtraverse (device=<value optimized out>, start_periph=0xffffff0141d0d300,
    tr_func=0xffffffff801821f0 <xptedtperiphfunc>, arg=0xffffff013a68f800) at /usr/src/sys/cam/cam_xpt.c:2164
#16 0xffffffff801830bc in xptdevicetraverse (target=<value optimized out>, start_device=<value optimized out>,
    tr_func=0xffffffff80184930 <xptedtdevicefunc>, arg=0xffffff013a68f800) at /usr/src/sys/cam/cam_xpt.c:2097
#17 0xffffffff80181529 in xpttargettraverse (bus=<value optimized out>, start_target=<value optimized out>,
    tr_func=0xffffffff80183130 <xptedttargetfunc>, arg=0xffffff013a68f800) at /usr/src/sys/cam/cam_xpt.c:2065
#18 0xffffffff8018161e in xptbustraverse (start_bus=<value optimized out>, tr_func=0xffffffff801823c0 <xptedtbusfunc>, arg=0xffffff013a68f800)
    at /usr/src/sys/cam/cam_xpt.c:2000
#19 0xffffffff801881ad in xpt_action_default (start_ccb=0xffffff013a68f800) at /usr/src/sys/cam/cam_xpt.c:1798
#20 0xffffffff8018600f in xptioctl (dev=<value optimized out>, cmd=<value optimized out>, addr=0xffffff013a68f800 "", flag=<value optimized out>,
    td=<value optimized out>) at /usr/src/sys/cam/cam_xpt.c:586
#21 0xffffffff803828db in devfs_ioctl_f (fp=0xffffff00bd631be0, com=3299349762, data=<value optimized out>, cred=<value optimized out>,
    td=0xffffff01009978e0) at /usr/src/sys/fs/devfs/devfs_vnops.c:700
#22 0xffffffff804571f2 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=3299349762, data=0xffffff013a68f800 "") at file.h:277
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0) at /usr/src/sys/kern/sys_generic.c:679
#24 0xffffffff805f81df in amd64_syscall (td=0xffffff01009978e0, traced=0) at subr_syscall.c:114
#25 0xffffffff805df49c in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:387
#26 0x0000000180a8478c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 23
#23 0xffffffff8045742d in ioctl (td=0xffffff01009978e0, uap=0xffffff8245b3bbb0) at /usr/src/sys/kern/sys_generic.c:679
679             error = kern_ioctl(td, uap->fd, com, data);
(kgdb) x/8sb td->td_proc->p_args
0xffffff00024b8180:      "\001"
0xffffff00024b8182:      ""
0xffffff00024b8183:      ""
0xffffff00024b8184:      "\023"
0xffffff00024b8186:      ""
0xffffff00024b8187:      ""
0xffffff00024b8188:      "camcontrol"
0xffffff00024b8193:      "devlist"
(kgdb) f 11
#11 0xffffffff803c63a7 in destroy_devl (dev=0xffffff013e73a600) at /usr/src/sys/kern/kern_conf.c:938
938                     if (LIST_EMPTY(&csw->d_devs)) {
(kgdb) list
933             if (!(dev->si_flags & SI_ALIAS)) {
934                     /* Remove from cdevsw list */
935                     LIST_REMOVE(dev, si_list);
936
937                     /* If cdevsw has no more struct cdev *'s, clean it */
938                     if (LIST_EMPTY(&csw->d_devs)) {
939                             fini_cdevsw(csw);
940                             wakeup(&csw->d_devs);
941                     }
942             }
(kgdb) p *dev
$1 = {__si_reserved = 0x0, si_flags = 0, si_atime = {tv_sec = 1417519453, tv_nsec = 0}, si_ctime = {tv_sec = 1417519453, tv_nsec = 0}, si_mtime = {
    tv_sec = 1417519453, tv_nsec = 0}, si_uid = 0, si_gid = 5, si_mode = 432, si_cred = 0x0, si_drv0 = 16, si_refcount = 2, si_list = {
    le_next = 0xffffff009aaaac00, le_prev = 0xffffff0062982460}, si_clone = {le_next = 0x0, le_prev = 0x0}, si_children = {lh_first = 0x0},
  si_siblings = {le_next = 0x0, le_prev = 0x0}, si_parent = 0x0, si_name = 0xffffff013e73a6e0 "sa1.ctl", si_drv1 = 0x0, si_drv2 = 0x0,
  si_devsw = 0x0, si_iosize_max = 0, si_usecount = 0, si_threadcount = 0, __si_u = {__sid_snapdata = 0x0},
  __si_namebuf = "sa1.ctl", '\0' <repeats 56 times>}
(kgdb) p &csw
$2 = (struct cdevsw **) 0xffffff8245b3ade0
(kgdb) p csw
$3 = (struct cdevsw *) 0x0

I can give more information from the crash dump.
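Editor's note, added here and not part of the report or of the FreeBSD sources: frame 11 faults at virtual address 0xa0 with csw == NULL, and LIST_EMPTY(&csw->d_devs) at kern_conf.c:938 is the first read through csw after csw = dev->si_devsw. By my reading of the 8.x struct cdevsw layout on amd64, 0xa0 is the offset of d_devs, which p/x &((struct cdevsw *)0)->d_devs in kgdb against the same kernel symbols confirms or refutes. A non-alias cdev with si_devsw == NULL and SI_NAMED already clear is what a cdev looks like after destroy_devl() has run on it once, so the model below assumes a second destroy_dev() of sa1.ctl as the trigger; the PR does not establish why sacleanup() would do that, and the flag values, list handling, and the order in which the two cdevs are created are simplifications of sys/conf.h and sys/queue.h chosen to make the effect visible. The kernel cannot return from the NULL read, so the model reports it as a return code, and it also shows the stale si_list pointers of the already-removed entry unlinking a live cdev just before the fault. The checked variant does in code what the KASSERT on SI_NAMED at the top of destroy_devl() does on an INVARIANTS kernel, which is the caveat for anyone reproducing this: without INVARIANTS a driver's double destroy_dev() surfaces as this trap rather than as an assertion naming the unit.

```c
/*
 * Userland model of the cdev / cdevsw bookkeeping that destroy_devl()
 * manipulates. Added illustration, not kernel code: the flag bits, the
 * list macros and the fault-as-return-code are all stand-ins.
 */
#include <stddef.h>
#include <stdio.h>

#define SI_NAMED 0x1u   /* assumed bit values; only the names matter here */
#define SI_ALIAS 0x2u

struct cdev;

struct cdevsw {
    const char  *d_name;
    struct cdev *d_devs;     /* head of the list of cdevs using this cdevsw */
    int          d_fini;     /* how often fini_cdevsw() ran */
};

struct cdev {
    unsigned       si_flags;
    struct cdevsw *si_devsw;
    const char    *si_name;
    struct cdev   *le_next;  /* si_list entry, BSD LIST_ENTRY style */
    struct cdev  **le_prev;  /* address of the pointer that points at us */
};

enum destroy_result {
    DESTROY_OK = 0,
    DESTROY_WOULD_FAULT = 1,  /* stand-in for the trap 12 at &csw->d_devs */
    DESTROY_REJECTED = 2      /* checked path refused a second destroy */
};

/* Equivalent of make_dev(): name the cdev and LIST_INSERT_HEAD it on csw->d_devs. */
static void model_make_dev(struct cdevsw *csw, struct cdev *dev, const char *name)
{
    dev->si_flags = SI_NAMED;
    dev->si_devsw = csw;
    dev->si_name = name;
    dev->le_next = csw->d_devs;
    if (csw->d_devs != NULL)
        csw->d_devs->le_prev = &dev->le_next;
    csw->d_devs = dev;
    dev->le_prev = &csw->d_devs;
}

/* BSD LIST_REMOVE: unlinks, but leaves the entry's own pointers stale. */
static void list_remove(struct cdev *dev)
{
    if (dev->le_next != NULL)
        dev->le_next->le_prev = dev->le_prev;
    *dev->le_prev = dev->le_next;
}

static void fini_cdevsw(struct cdevsw *csw) { csw->d_fini++; }

/* Tail of destroy_devl() as quoted in the report. Without INVARIANTS the
 * KASSERT(dev->si_flags & SI_NAMED) is compiled out, so a second call gets
 * here with csw == NULL and stale si_list pointers. */
static enum destroy_result destroy_devl_as_shipped(struct cdev *dev)
{
    struct cdevsw *csw;

    dev->si_flags &= ~SI_NAMED;
    csw = dev->si_devsw;
    dev->si_devsw = NULL;               /* already NULL for SI_ALIAS */
    if (!(dev->si_flags & SI_ALIAS)) {
        list_remove(dev);               /* second time: writes through stale links */
        if (csw == NULL)
            return DESTROY_WOULD_FAULT; /* kernel: LIST_EMPTY(&csw->d_devs) faults */
        if (csw->d_devs == NULL)
            fini_cdevsw(csw);
    }
    return DESTROY_OK;
}

/* Checked variant: refuse a cdev that is no longer live before touching any list. */
static enum destroy_result destroy_devl_checked(struct cdev *dev)
{
    if (!(dev->si_flags & SI_NAMED) ||
        (!(dev->si_flags & SI_ALIAS) && dev->si_devsw == NULL)) {
        fprintf(stderr, "destroy_dev: %s is not a live cdev, ignoring\n", dev->si_name);
        return DESTROY_REJECTED;
    }
    return destroy_devl_as_shipped(dev);
}

static int count_devs(const struct cdevsw *csw)
{
    int n = 0;
    for (const struct cdev *d = csw->d_devs; d != NULL; d = d->le_next)
        n++;
    return n;
}

/* Constructed sequence: sa1.ctl destroyed, sa1 created, sa1.ctl destroyed again. */
static enum destroy_result run_scenario(int hardened, int *live_after)
{
    struct cdevsw sa_cdevsw = { "sa", NULL, 0 };
    struct cdev sa1ctl, sa1;
    enum destroy_result r;

    model_make_dev(&sa_cdevsw, &sa1ctl, "sa1.ctl");
    destroy_devl_as_shipped(&sa1ctl);            /* legitimate first destroy */
    model_make_dev(&sa_cdevsw, &sa1, "sa1");     /* a live cdev now heads the list */
    r = hardened ? destroy_devl_checked(&sa1ctl)
                 : destroy_devl_as_shipped(&sa1ctl);
    *live_after = count_devs(&sa_cdevsw);        /* as shipped: sa1 has been unlinked */
    return r;
}

int double_destroy_result(int hardened) { int n; return (int)run_scenario(hardened, &n); }
int live_devs_after_double_destroy(int hardened) { int n; run_scenario(hardened, &n); return n; }

int main(void)
{
    int live;
    enum destroy_result r = run_scenario(0, &live);
    printf("as shipped: result=%d (1 = would fault), live cdevs left=%d\n", r, live);
    r = run_scenario(1, &live);
    printf("checked:    result=%d (2 = rejected), live cdevs left=%d\n", r, live);
    return 0;
}
```

Build with cc -std=c99 and run; the as-shipped path both loses the live sa1 entry from d_devs and reports the would-be fault, while the checked path leaves the list intact. On the real kernel the equivalent check is the INVARIANTS build, so a reproducer kernel should carry options INVARIANTS and INVARIANT_SUPPORT to turn this trap into a message naming the unit the driver destroyed twice.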
Comment 1 commit-hook 2015-03-23 19:20:48 UTC
A commit references this bug:

Author: cy
Date: Mon Mar 23 19:20:16 UTC 2015
New revision: 382026
URL: https://svnweb.freebsd.org/changeset/ports/382026

Log:
  Convert to sample. This also fixes PR/198583.

  PR:		195853

Changes:
  head/sysutils/syslog-ng34/Makefile
  head/sysutils/syslog-ng34/pkg-plist
Comment 2 Glen Barber 2015-07-08 18:32:20 UTC
To originators/assignees of this PR:

A commit to the tree references this PR, however the PR is still in a non-closed state.

Please review this PR and close as appropriate, or if closing the PR requires a merge to stable/10, please let re@ know as soon as possible.

Thank you.

Glen
Comment 3 Glen Barber 2015-07-14 19:00:32 UTC
Feedback from the originator suggests the commit referencing this PR referenced the wrong PR.