From nobody@FreeBSD.org Tue Oct 7 17:15:58 2008
Return-Path:
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
        by hub.freebsd.org (Postfix) with ESMTP id 234111065699
        for ; Tue, 7 Oct 2008 17:15:58 +0000 (UTC)
        (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
        by mx1.freebsd.org (Postfix) with ESMTP id 11C4E8FC1E
        for ; Tue, 7 Oct 2008 17:15:58 +0000 (UTC)
        (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
        by www.freebsd.org (8.14.3/8.14.3) with ESMTP id m97HFvVF046367
        for ; Tue, 7 Oct 2008 17:15:57 GMT
        (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
        by www.freebsd.org (8.14.3/8.14.3/Submit) id m97HFvLG046366;
        Tue, 7 Oct 2008 17:15:57 GMT
        (envelope-from nobody)
Message-Id: <200810071715.m97HFvLG046366@www.freebsd.org>
Date: Tue, 7 Oct 2008 17:15:57 GMT
From: K Zhu
To: freebsd-gnats-submit@FreeBSD.org
Subject: isp(4) target driver crashes kernel when set up dma for CTIO2
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number: 127927
>Category: kern
>Synopsis: [isp] isp(4) target driver crashes kernel when set up dma for CTIO2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-scsi
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 07 17:20:01 UTC 2008
>Closed-Date:
>Last-Modified: Sun Nov 09 02:44:07 UTC 2008
>Originator: K Zhu
>Release: FreeBSD 7.0-RELEASE #3
>Organization: nimin
>Environment:
FreeBSD dell 7.0-RELEASE FreeBSD 7.0-RELEASE #3: Tue Oct 7 08:46:10 UTC 2008 root@dell:/usr/obj/usr/src/sys/GENERIC i386

isp0: port 0x5000-0x50ff mem 0xdc000000-0xdc000fff irq 16 at device 4.0 on pci4
isp0: [ITHREAD]
isp0: Board Type 2312, Chip Revision 0x1, loaded F/W Revision 3.3.19
isp0: invalid NVRAM header
isp0: invalid NVRAM header
(targbh2:isp0:0:-1:-1): Target Mode Enabled
isp0: target notify code 0x1007
isp0: target notify code 0x1008
(noperiph:isp0:0:0:0): now enabled for target mode
(xpt0:isp0:0:0:0): debugging flags now 20
(targ0:isp0:0:0:0): Sending inline ccb 0x4 (0xbfbfdb50)
(targ0:isp0:0:0:0): sendccb 0xc3db4200
(targ0:isp0:0:0:0): targreturnccb 0xc3db4200
cam_debug: targfreeccb descr 0xc3be7b20 and
cam_debug: freeing ccb 0xc3db4200
(targ0:isp0:0:0:0): targdone 0xc3e5b700
(targ0:isp0:0:0:0): targread
(targ0:isp0:0:0:0): targread ccb 0xc3e5b700 (0x815c200)
(targ0:isp0:0:0:0): targreturnccb 0xc3e5b700
cam_debug: targfreeccb descr 0xc3e588c0 and
cam_debug: freeing ccb 0xc3e5b700
(targ0:isp0:0:0:0): Sending queued ccb 0x933 (0x815e0c0)
(targ0:isp0:0:0:0): targstart 0xc30db800
(targ0:isp0:0:0:0): sendccb 0xc30db800

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x4
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc3d134c9
stack pointer = 0x28:0xd637b910
frame pointer = 0x28:0xd637b964
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 36339 (scsi_target)
[thread pid 36339 tid 100198 ]
Stopped at isp_pci_dmasetup+0x399: movl 0x4(%eax),%eax
db> bt
Tracing pid 36339 tid 100198 td 0xc3bb7460
isp_pci_dmasetup(c3d90000,c30db800,d637b9d0,d637ba18,1,...) at isp_pci_dmasetup+0x399
isp_action(c3b03080,c30db800,c393cd14,d637ba68,c046e1fa,...) at isp_action+0x10b2
xpt_run_dev_sendq(c30d7248,c30db800,c3db3600,d637bab8,c0816a3e,...) at xpt_run_dev_sendq+0x18e
xpt_action(c30db800,c30db800,c305d8e0,c3db3600,c30db800,...) at xpt_action+0x68e
targsendccb(c0b61440,c30db800,d637bb18,c3b18d80,0,...) at targsendccb+0x9e
targstart(c3b18d80,c30db800,1,c30d7234,c3b18d80,...) at targstart+0x112
xpt_run_dev_allocq(c3b18d80,1,815e0c0,0,c3d90090,...) at xpt_run_dev_allocq+0xd2
targwrite(c3dbc500,d637bc54,0,c075a1d4,c3cd7678,...) at targwrite+0x148
giant_write(c3dbc500,d637bc54,0,0,c0bd8260,...) at giant_write+0x5d
devfs_write_f(c3af576c,d637bc54,c3db6100,0,c3bb7460,...) at devfs_write_f+0x72
dofilewrite(d637bc54,ffffffff,ffffffff,0,c3af576c,...) at dofilewrite+0x84
kern_writev(c3bb7460,4,d637bc54,d637bc74,1,...) at kern_writev+0x58
write(c3bb7460,d637bcf8,c,d637bd38,c,...) at write+0x50
syscall(d637bd38) at syscall+0x207
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (4, FreeBSD ELF32, write), eip = 0x2816f6f3, esp = 0xbfbf8a1c, ebp = 0xbfbf8a38 ---
db>
>Description:
The crash happens when the isp(4) target driver is responding to "SCSI inquiry (0x12)" from the initiator.
The isp(4) target driver is assembling a CTIO2 IOCB which includes "FreeBSD Emulated Disk 0.1" and sends it to the initiator.
Since it's a data transfer, it calls isp_pci_dmasetup() to set up DMA. Inside this function, it calls --->bus_dmamap_load()<--- and the crash happens inside it.
>How-To-Repeat:
Follow the link here: http://www.root.org/~nate/freebsd/scsi/README.targ
You need to have 2 PCs, each with one QLA23XX HBA on a PCI slot. One PC for the initiator, another for the target.
Also, on the target machine, when issuing "./scsi_target -d bus:tgt:0 test_file", use "camcontrol devlist -v" to find which bus your target isp is on. And always use 0 for tgt.
>Fix:

>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-i386->freebsd-scsi
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Oct 7 17:24:34 UTC 2008
Responsible-Changed-Why:
Over to maintainer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127927
>Unformatted: