Bug 220972

Summary: stable/11: panic in scsi_pass.c/passsendccb: page not present
Product: Base System
Reporter: Eugene Grosbein <eugen>
Component: kern
Assignee: freebsd-scsi (Nobody) <scsi>
Status: New ---
Severity: Affects Only Me
CC: cem
Priority: ---
Version: 11.0-STABLE
Hardware: Any
OS: Any

Description (Eugene Grosbein, 2017-07-24 17:31:37 UTC)
My mSATA SSD module (ada1) died and now the kernel panics if I start smartd. I managed to obtain a crash dump for debugging the kernel. The kgdb session follows:

Script started on Tue Jul 25 00:25:08 2017
Command: kgdb kernel.debug /var/crash/vmcore.6
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
stack backtrace:
#0 0xffffffff80a13560 at witness_debugger+0x70
#1 0xffffffff80a1498e at witness_warn+0x45e
#2 0xffffffff80e4d363 at trap_pfault+0x53
#3 0xffffffff80e4cb0e at trap+0x29e
#4 0xffffffff80e30a61 at calltrap+0x8
#5 0xffffffff8033879a at passsendccb+0x6a
#6 0xffffffff80337896 at passdoioctl+0x3c6
#7 0xffffffff803370b2 at passioctl+0x22
#8 0xffffffff80879188 at devfs_ioctl_f+0x138
#9 0xffffffff80a190c4 at kern_ioctl+0x2c4
#10 0xffffffff80a18d8f at sys_ioctl+0x16f
#11 0xffffffff80e4dd2a at amd64_syscall+0x53a
#12 0xffffffff80e30d4b at Xfast_syscall+0xfb


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xa
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80e4b1b1
stack pointer           = 0x28:0xfffffe04675ee670
frame pointer           = 0x28:0xfffffe04675ee670
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1028 (smartd)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe04675ee250
vpanic() at vpanic+0x186/frame 0xfffffe04675ee2d0
panic() at panic+0x43/frame 0xfffffe04675ee330
trap_fatal() at trap_fatal+0x322/frame 0xfffffe04675ee380
trap_pfault() at trap_pfault+0x62/frame 0xfffffe04675ee3e0
trap() at trap+0x29e/frame 0xfffffe04675ee5a0
calltrap() at calltrap+0x8/frame 0xfffffe04675ee5a0
--- trap 0xc, rip = 0xffffffff80e4b1b1, rsp = 0xfffffe04675ee670, rbp = 0xfffffe04675ee670 ---
copyin() at copyin+0x41/frame 0xfffffe04675ee670
passsendccb() at passsendccb+0x6a/frame 0xfffffe04675ee6f0
passdoioctl() at passdoioctl+0x3c6/frame 0xfffffe04675ee7a0
passioctl() at passioctl+0x22/frame 0xfffffe04675ee7e0
devfs_ioctl_f() at devfs_ioctl_f+0x138/frame 0xfffffe04675ee840
kern_ioctl() at kern_ioctl+0x2c4/frame 0xfffffe04675ee8a0
sys_ioctl() at sys_ioctl+0x16f/frame 0xfffffe04675ee980
amd64_syscall() at amd64_syscall+0x53a/frame 0xfffffe04675eeab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe04675eeab0
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80174c18a, rsp = 0x7fffffff0308, rbp = 0x7fffffff0900 ---
Uptime: 1m51s
Dumping 739 out of 16285 MB: (CTRL-C to abort) ..3%..11%..22%..31%..42%..52%..61%..72%..81%..91%

Reading symbols from /boot/modules/geom_journal.ko...done.
Loaded symbols for /boot/modules/geom_journal.ko
Reading symbols from /boot/modules/nvidia-modeset.ko...done.
Loaded symbols for /boot/modules/nvidia-modeset.ko
Reading symbols from /boot/modules/nvidia.ko...done.
Loaded symbols for /boot/modules/nvidia.ko
Reading symbols from /boot/modules/vboxdrv.ko...done.
Loaded symbols for /boot/modules/vboxdrv.ko
Reading symbols from /boot/modules/vboxnetflt.ko...done.
Loaded symbols for /boot/modules/vboxnetflt.ko
Reading symbols from /boot/modules/vboxnetadp.ko...done.
Loaded symbols for /boot/modules/vboxnetadp.ko
#0  doadump (textdump=1) at pcpu.h:222
222             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:222
#1  0xffffffff809b27ee in kern_reboot (howto=260) at /home/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff809b2e30 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /home/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff809b2e73 in panic (fmt=<value optimized out>) at /home/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80e4d302 in trap_fatal (frame=0xfffffe04675ee5b0, eva=10) at /home/src/sys/amd64/amd64/trap.c:801
#5  0xffffffff80e4d372 in trap_pfault (frame=0xfffffe04675ee5b0, usermode=0) at pcpu.h:222
#6  0xffffffff80e4cb0e in trap (frame=0xfffffe04675ee5b0) at /home/src/sys/amd64/amd64/trap.c:421
#7  0xffffffff80e30a61 in calltrap () at /home/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff80e4b1b1 in copyin () at /home/src/sys/amd64/amd64/support.S:304
#9  0xffffffff8033879a in passsendccb (periph=0xfffff8000cfe6d00, ccb=0xfffff8005f6bf000, inccb=0xfffff8000efd8800) at /home/src/sys/cam/scsi/scsi_pass.c:2172
#10 0xffffffff80337896 in passdoioctl (dev=<value optimized out>, cmd=<value optimized out>, addr=0xfffff8000efd8800 "", flag=<value optimized out>, 
    td=<value optimized out>) at /home/src/sys/cam/scsi/scsi_pass.c:1823
#11 0xffffffff803370b2 in passioctl (dev=0xfffff8000cfc5800, cmd=3303020802, addr=0xfffff8000efd8800 "", flag=3, td=0xfffff8000e00a000)
    at /home/src/sys/cam/scsi/scsi_pass.c:1751
#12 0xffffffff80879188 in devfs_ioctl_f (fp=0xfffff8000e2a2870, com=3303020802, data=0xfffff8000efd8800, cred=0xfffff8000ed81e00, td=0xfffff8000e00a000)
    at /home/src/sys/fs/devfs/devfs_vnops.c:791
#13 0xffffffff80a190c4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=<value optimized out>, data=<value optimized out>) at file.h:323
#14 0xffffffff80a18d8f in sys_ioctl (td=<value optimized out>, uap=0xfffff8000e00a538) at /home/src/sys/kern/sys_generic.c:745
#15 0xffffffff80e4dd2a in amd64_syscall (td=0xfffff8000e00a000, traced=0) at subr_syscall.c:131
#16 0xffffffff80e30d4b in Xfast_syscall () at /home/src/sys/amd64/amd64/exception.S:396
#17 0x000000080174c18a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb) frame 9
#9  0xffffffff8033879a in passsendccb (periph=0xfffff8000cfe6d00, ccb=0xfffff8005f6bf000, inccb=0xfffff8000efd8800) at /home/src/sys/cam/scsi/scsi_pass.c:2172
2172                    error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd, ccb->csio.cdb_len);
(kgdb) p ccb->csio.cdb_len
$1 = 32 ' '
(kgdb) p ccb->csio.cdb_io.cdb_ptr
$2 = (u_int8_t *) 0xa <Address 0xa out of bounds>
(kgdb)
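Frame 9 shows the fault: copyin() reading the CDB through a pointer taken straight from the user-supplied CCB (cdb_ptr = 0xa, cdb_len = 32). As an added illustration, not code from this report or from FreeBSD, the following userland model shows the checks a pass(4)-style handler applies at the ioctl boundary: bound cdb_len by the destination buffer (CDB_MAX, assumed 16) and report a failed copy as an errno to the caller. mock_copyin, user_mem, pass_copy_cdb, check_cdb and kcmd_byte are constructed names.

```c
/* Added illustration (not FreeBSD code): the checks a pass(4)-style ioctl
 * handler applies to a caller-supplied CDB pointer/length before copying
 * the CDB into a fixed kernel buffer. mock_copyin() stands in for copyin(9). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CDB_MAX 16		/* assumed destination size (CAM's IOCDBLEN is 16) */

static uint8_t user_mem[64];	/* constructed: the only "mapped" user memory */
static uint8_t kcmd[CDB_MAX];	/* kernel-side buffer, like cmd[] in passsendccb */

/* Mock copyin(9): copies only if [uaddr, uaddr+len) lies inside user_mem;
 * anything else (e.g. the report's 0xa) fails with EFAULT, untouched. */
static int mock_copyin(uintptr_t uaddr, void *kaddr, size_t len)
{
	uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof(user_mem);
	if (len > hi - lo || uaddr < lo || uaddr > hi - len)
		return (EFAULT);
	memcpy(kaddr, (const void *)uaddr, len);
	return (0);
}

/* The two ccb_scsiio fields involved in the reported fault; both untrusted. */
struct user_ccb { uintptr_t cdb_ptr; uint8_t cdb_len; };

/* Bound the length by the destination first, then let a bad pointer come
 * back as an errno for the ioctl caller instead of a kernel fault. */
static int pass_copy_cdb(const struct user_ccb *in, uint8_t cmd[CDB_MAX])
{
	if (in->cdb_ptr == 0 || in->cdb_len == 0 || in->cdb_len > CDB_MAX)
		return (EINVAL);
	return (mock_copyin(in->cdb_ptr, cmd, in->cdb_len));
}

/* Put a constructed 6-byte INQUIRY CDB in user_mem and return its address. */
uintptr_t user_cdb_addr(void)
{
	static const uint8_t inquiry[6] = { 0x12, 0x00, 0x00, 0x00, 0x24, 0x00 };
	memcpy(user_mem, inquiry, sizeof(inquiry));
	return ((uintptr_t)user_mem);
}

/* Run the check for one pointer/length pair; returns 0 or an errno value. */
int check_cdb(uintptr_t cdb_ptr, uint8_t cdb_len)
{
	struct user_ccb in = { cdb_ptr, cdb_len };
	return (pass_copy_cdb(&in, kcmd));
}
uint8_t kcmd_byte(size_t i) { return (i < CDB_MAX ? kcmd[i] : 0); }
```

With the report's values (0xa, 32) the length bound rejects the request before the pointer is ever dereferenced; a short length with the same bogus pointer is turned into EFAULT by the copy primitive.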