Douglas Atique wrote:
>Whereas in snv_28 it usually panicked/froze on removal, in S10 1/06 it panics
>on insertion. Here is the stack and registers (more info on attached messages
>file):
>
>Dec 25 11:13:24 deepblue genunix: [ID 335743 kern.notice] BAD TRAP: type=e
>(#pf Page fault) rp=d1f97cec addr=18 occurred in module "scsa1394" due to a
>NULL pointer dereference
>Dec 25 11:13:24 deepblue unix: [ID 100000 kern.notice]
>Dec 25 11:13:24 deepblue unix: [ID 839527 kern.notice] sched:
>Dec 25 11:13:24 deepblue unix: [ID 753105 kern.notice] #pf Page fault
>Dec 25 11:13:24 deepblue unix: [ID 532287 kern.notice] Bad kernel fault at
>addr=0x18
>Dec 25 11:13:24 deepblue unix: [ID 243837 kern.notice] pid=0, pc=0xf7c5dcbf,
>sp=0xde1fdb18, eflags=0x10246
>Dec 25 11:13:24 deepblue unix: [ID 211416 kern.notice] cr0:
>8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6d8<xmme,fxsr,pge,mce,pse,de>
>Dec 25 11:13:24 deepblue unix: [ID 936844 kern.notice] cr2: 18 cr3: 6527000
>Dec 25 11:13:24 deepblue unix: [ID 537610 kern.notice] gs: d10c01b0
>fs: d10c0000 es: 160 ds: 160
>Dec 25 11:13:24 deepblue unix: [ID 537610 kern.notice] edi: de1fd9ac
>esi: 0 ebp: d1f97d48 esp: d1f97d1c
>Dec 25 11:13:24 deepblue unix: [ID 537610 kern.notice] ebx: 2a
>edx: de1fda38 ecx: 200 eax: 0
>Dec 25 11:13:24 deepblue unix: [ID 537610 kern.notice] trp: e
>err: 0 eip: f7c5dcbf cs: 158
>Dec 25 11:13:24 deepblue unix: [ID 717149 kern.notice] efl: 10246
>usp: de1fdb18 ss: de1fd9ac
>Dec 25 11:13:24 deepblue unix: [ID 100000 kern.notice]
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97c4c unix:die+a7
>(e, d1f97cec, 18, 0)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97cd8
>unix:trap+fc8 (d1f97cec, 18, 0)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97cec
>unix:cmntrap+83 ()
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97d48
>scsa1394:scsa1394_cmd_fill_cdb_rbc+171 (d10d8b40, de1fd9ac)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97d60
>scsa1394:scsa1394_cmd_fill_cdb+43 (d10d8b40, de1fd9ac)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97d84
>scsa1394:scsa1394_scsi_start+ce (de1fdb18, de1fdb14)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97da4
>scsi:scsi_transport+29 (de1fdb14)
>Dec 25 11:13:24 deepblue genunix: [ID 353471 kern.notice] d1f97dc8
>scsi:scsi_watch_thread+208 (0, 0)
>
>
>
bash-3.00# uname -a
SunOS opglab-21-199 5.10 Generic_118844-26 i86pc i386 i86pc
bash-3.00# mdb -k
Loading modules: [ unix krtld genunix specfs dtrace ufs ip sctp usba
uhci s1394 random fctl nca lofs nfs audiosup sppp crypto ptm ipc logindmux ]
> scsa1394_cmd_fill_cdb_rbc+171::dis
scsa1394_cmd_fill_cdb_rbc+0x16e:        movl   -0xc(%ebp),%eax
scsa1394_cmd_fill_cdb_rbc+0x171:        movl   0x18(%eax),%eax

We panic at scsa1394_cmd_fill_cdb_rbc+0x171: movl 0x18(%eax),%eax.
%eax is NULL and we're trying to access its offset 0x18. This
corresponds to On10U1 source
usr/src/uts/common/io/1394/targets/scsa1394/hba.c:line 1916 (in
scsa1394_cmd_fill_cdb_rbc()):

sz = SCSA1394_CDRW_BLKSZ(bp->b_bcount, len);

To further prove this, we may check if b_bcount is at offset 0x18 of bp:

> ::offsetof struct buf b_bcount
offsetof (struct buf, b_bcount) = 0x18

After comparing the S10U1 source and the ONNV source, I found this is
bug 6260568. It was fixed on Aug. 2, 2005:

bash-2.05b$ sccs prs scsa1394/hba.c
...
D 1.6 05/08/02 09:01:21 artem 7 6 00058/00026/02472
MRs:
COMMENTS:
6239895 scsa1394: panic seen when doing a cp -r to a mounted hard drive
6260568 scsa1394 panics kernel when attempting to access firewire disk
6271950 scsa1394 support for vold hotplug
6273456 panic seen when restarting vold on an SB2500 with a firewire disk
...
------- hba.c -------
*** 1946,1954 ****
case SCMD_WRITE_LONG:
lba = SCSA1394_LBA_10BYTE(pkt);
len = SCSA1394_LEN_10BYTE(pkt);
! sz = SCSA1394_CDRW_BLKSZ(bp->b_bcount, len); <= *Panic*
! if (SCSA1394_VALID_CDRW_BLKSZ(sz)) {
! blk_size = sz;
}
break;
case SCMD_READ_CD:
--- 1954,1965 ----
case SCMD_WRITE_LONG:
lba = SCSA1394_LBA_10BYTE(pkt);
len = SCSA1394_LEN_10BYTE(pkt);
! if ((lp->l_dtype_orig == DTYPE_RODIRECT) &&
! (bp != NULL) && (len != 0)) { <===*No panic any more*
! sz = SCSA1394_CDRW_BLKSZ(bp->b_bcount, len);
! if (SCSA1394_VALID_CDRW_BLKSZ(sz)) {
! blk_size = sz;
! }
}
break;
case SCMD_READ_CD:
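Review bot: the new condition on the `if` in the SCMD_WRITE_LONG arm tests `bp != NULL` and `len != 0` but carries no comment saying when a packet reaches this path without a buf; the panic stack quoted above shows one such caller (scsi_watch_thread via scsi_transport). A short comment on the condition would keep the NULL check from being dropped later as dead code. The same condition also adds `lp->l_dtype_orig == DTYPE_RODIRECT`, so blk_size is no longer derived from b_bcount for other device types, and that narrowing deserves a mention in the comment as well. Only this arm is visible here, so the following SCMD_READ_CD arm and any other `bp->` access in scsa1394_cmd_fill_cdb_rbc() should be checked for the same unguarded dereference.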
So this is not a problem anymore.
I remember you have another panic on card removal.
What does it look like?
Regards,
Vincent.
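
The first triage step in the reply above (fault address 0x18, then the first frame below the trap handler, then `::dis` and `::offsetof`) can be scripted. The following is an added example, not part of the original message or of any Solaris tool; the function name `triage`, the 4 KB page-0 assumption and the trap-handler frame list are assumptions of this sketch.

```python
import re

# Sample input: lines taken from the panic quoted above, e-mail line wraps joined.
P = "Dec 25 11:13:24 deepblue genunix: "
SAMPLE = "\n".join([
    P + '[ID 335743 kern.notice] BAD TRAP: type=e (#pf Page fault) rp=d1f97cec '
        'addr=18 occurred in module "scsa1394" due to a NULL pointer dereference',
    P + "[ID 353471 kern.notice] d1f97c4c unix:die+a7 (e, d1f97cec, 18, 0)",
    P + "[ID 353471 kern.notice] d1f97cd8 unix:trap+fc8 (d1f97cec, 18, 0)",
    P + "[ID 353471 kern.notice] d1f97cec unix:cmntrap+83 ()",
    P + "[ID 353471 kern.notice] d1f97d48 scsa1394:scsa1394_cmd_fill_cdb_rbc+171 (d10d8b40, de1fd9ac)",
    P + "[ID 353471 kern.notice] d1f97d60 scsa1394:scsa1394_cmd_fill_cdb+43 (d10d8b40, de1fd9ac)",
])

TRAP_RE = re.compile(r'BAD TRAP: type=(\w+) .*?addr=([0-9a-f]+) occurred in module "([^"]+)"')
FRAME_RE = re.compile(r"\] [0-9a-f]{8,16} (\w+):(\w+)\+([0-9a-f]+) \(")
TRAP_PATH = {"die", "trap", "cmntrap"}   # frames belonging to the trap handler
PAGE_SIZE = 0x1000                        # assumption: page 0 is never mapped


def triage(text, struct=None, member=None):
    """Return the faulting frame and the mdb commands to confirm a NULL+offset fault."""
    trap = TRAP_RE.search(text)
    if trap is None:
        return None                        # not a BAD TRAP panic
    addr = int(trap.group(2), 16)
    # The first frame that is not part of the trap handler is where the fault hit.
    fault = next((f for f in FRAME_RE.findall(text)
                  if not (f[0] == "unix" and f[1] in TRAP_PATH)), None)
    result = {
        "module": trap.group(3),
        "fault_addr": addr,
        # A fault address inside page 0 means a NULL base plus a member offset.
        "null_plus_offset": addr < PAGE_SIZE,
        "frame": None,
        "mdb": [],
    }
    if fault:
        result["frame"] = "%s+%s" % (fault[1], fault[2])
        result["mdb"].append(result["frame"] + "::dis")
    if struct and member:
        # Confirm the candidate member really sits at the faulting offset.
        result["mdb"].append("::offsetof struct %s %s" % (struct, member))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE, "buf", "b_bcount"))
```

The generated commands are the two typed into `mdb -k` in the message; the `::offsetof` result still has to be compared with `fault_addr` by hand.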