Message-Id: <201303161358.r2GDwRHK073383@red.freebsd.org>
Date: Sat, 16 Mar 2013 13:58:27 GMT
From: Shuichi KITAGUCHI <ki@hh.iij4u.or.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: current panics in _bus_dmamap_load_ccb() with twa driver at boot time.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         177020
>Category:       kern
>Synopsis:       current panics in _bus_dmamap_load_ccb() with twa driver at boot time.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kib
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 16 14:00:00 UTC 2013
>Closed-Date:    Thu Mar 21 13:09:37 UTC 2013
>Last-Modified:  Tue Jun 18 13:40:02 UTC 2013
>Originator:     Shuichi KITAGUCHI
>Release:        10.0-CURRENT
>Organization:
>Environment:
FreeBSD rhea.k.ysnb.net 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r248230M: Sat Mar 16 19:26:21 JST 2013     root@rhea.k.ysnb.net:/usr/obj/data/rhea/usr/src/sys/RHEA  amd64
>Description:
After recent changes to the busdma API, CURRENT's twa driver panics at boot time.

panic: _bus_dmamap_load_ccb: Unsupported func code 0
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff800030e4e0
kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff800030e590
panic() at panic+0x156/frame 0xffffff800030e610
_bus_dmamap_load_ccb() at _bus_dmamap_load_ccb+0x1c4/frame 0xffffff800030e660
bus_dmamap_load_ccb() at bus_dmamap_load_ccb+0x91/frame 0xffffff800030e6c0
tw_osli_map_request() at tw_osli_map_request+0x1f8/frame 0xffffff800030e700
twa_action() at twa_action+0x40e/frame 0xffffff800030e740
xpt_run_dev_sendq() at xpt_run_dev_sendq+0x251/frame 0xffffff800030e780
xpt_action_default() at xpt_action_default+0x1048/frame 0xffffff800030e810
xpt_run_dev_allocq() at xpt_run_dev_allocq+0x192/frame 0xffffff800030e850
probedone() at probedone+0x1d62/frame 0xffffff800030ea40
camisr_runqueue() at camisr_runqueue+0x2f3/frame 0xffffff800030ea80
camisr() at camisr+0xdf/frame 0xffffff800030eab0
intr_event_execute_handlers() at intr_event_execute_handlers+0xe2/frame 0xffffff800030eb10
ithread_loop() at ithread_loop+0x12d/frame 0xffffff800030eb80
fork_exit() at fork_exit+0xc6/frame 0xffffff800030ebf0
fork_trampoline() at fork_trampoline+0xe/frame 0xffffff800030ebf0
--- trap 0, rip = 0, rsp = 0xffffff800030ecb0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100034 ]
Stopped at      kdb_enter+0x3e: movq    $0,kdb_why

In the PROBE_SUPPORTED_VPD_LIST case, tw_osli_execute_scsi() sets req->data to ccb and sets req->length to 255 (= sizeof(*vpd_list)). Because req->data is re-allocated and not initialized in tw_osli_map_request(), _bus_dmamap_load_ccb() sees req->data as ccb_h, and ccb_h->func_code is zero.
>How-To-Repeat:
Boot CURRENT.
>Fix:
Before r246713, req->data was set to csio->data_ptr, req->length was set to csio->dxfer_len, and scsi_req->sgl_entries was set to 1. I suppose these parameters are required by twa_map_load_data_callback().
After the attached patch is applied to my machine, I do not see panics.


Patch attached with submission follows:

Index: sys/dev/twa/tw_osl_cam.c
===================================================================
--- sys/dev/twa/tw_osl_cam.c	(revision 248230)
+++ sys/dev/twa/tw_osl_cam.c	(working copy)
@@ -273,8 +273,12 @@
 		xpt_done(ccb);
 		return(1);
 	}
-	req->data = ccb;
-	req->length = csio->dxfer_len;
+	if ((ccb_h->flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
+		if ((req->length = csio->dxfer_len)) {
+			req->data = csio->data_ptr;
+			scsi_req->sgl_entries = 1;
+		}
+	}
 	req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 	req->deadline = tw_osl_get_local_time() + (ccb_h->timeout / 1000);
 
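Review bot: `req->flags |= TW_OSLI_REQ_FLAGS_CCB;` still runs unconditionally after the new block, so a CAM_DATA_VADDR request ends up with `csio->data_ptr` in `req->data` and the CCB flag set at the same time. Set the flag only when the VADDR branch is not taken, so the mapping code can tell a plain buffer from a ccb. The inner test would also read better as `(req->length = csio->dxfer_len) != 0`, which makes the assignment inside the condition clearly intentional.
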
Index: sys/dev/twa/tw_osl_freebsd.c
===================================================================
--- sys/dev/twa/tw_osl_freebsd.c	(revision 248230)
+++ sys/dev/twa/tw_osl_freebsd.c	(working copy)
@@ -1475,7 +1475,7 @@
 			mtx_unlock_spin(sc->io_lock);
 		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
 			error = bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
-				req->data, twa_map_load_data_callback, req,
+				req->orig_req, twa_map_load_data_callback, req,
 				BUS_DMA_WAITOK);
 		} else {
 			/*
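
Review bot: passing `req->orig_req` to `bus_dmamap_load_ccb()` assumes that field holds the ccb for every request with TW_OSLI_REQ_FLAGS_CCB set, and nothing in this hunk checks or states that. A one-line comment, or a `KASSERT(req->orig_req != NULL, ...)` before the call, would document the invariant that replaces the old use of `req->data`.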


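A simplified user-space model of the failure described in this report and of the direction of the fix, added here as an illustration; it is not code from the PR or from the twa driver. The struct layouts, `FUNC_SCSI_IO`, `REQ_FLAG_CCB` and all function names are hypothetical stand-ins, and the bounce buffer is zeroed so that the misread `func_code` is deterministically 0.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the CAM/twa structures, not the kernel ones. */
enum { FUNC_SCSI_IO = 1 };      /* constructed value; 0 is "unsupported" */
#define REQ_FLAG_CCB 0x1u       /* models TW_OSLI_REQ_FLAGS_CCB */
struct ccb_model { uint32_t func_code; void *data_ptr; uint32_t dxfer_len; };
struct req_model { void *data, *orig_req; uint32_t length, flags; };
/* Loader that trusts its argument to be a ccb; -1 is where the kernel panics. */
static int load_ccb_model(const void *p)
{
	const struct ccb_model *ccb = p;
	return ccb->func_code == FUNC_SCSI_IO ? 0 : -1;
}
/* Map step; fixed=0 hands req->data to the loader, fixed=1 hands req->orig_req. */
static int map_request(struct req_model *req, int fixed)
{
	size_t n = req->length + sizeof(struct ccb_model); /* room to be misread */
	int rc = 0;
	if ((req->data = calloc(1, n)) == NULL)  /* bounce buffer replaces req->data */
		return -2;
	if (req->flags & REQ_FLAG_CCB)
		rc = load_ccb_model(fixed ? req->orig_req : req->data);
	free(req->data);
	return rc;
}
/* Before: req->data doubles as the ccb pointer, so the loader reads the buffer. */
int submit_before(struct ccb_model *ccb)
{
	struct req_model req = { ccb, ccb, ccb->dxfer_len, REQ_FLAG_CCB };
	return map_request(&req, 0);
}

/* After: payload only in req->data; CCB flag set only for non-VADDR requests. */
int submit_after(struct ccb_model *ccb, int vaddr)
{
	struct req_model req = { NULL, ccb, 0, 0 };
	if (vaddr) {
		if ((req.length = ccb->dxfer_len) != 0)
			req.data = ccb->data_ptr;
	} else
		req.flags |= REQ_FLAG_CCB;
	return map_request(&req, 1);
}
int main(void)
{
	uint8_t payload[255] = { 0 };   /* constructed sample data */
	struct ccb_model ccb = { FUNC_SCSI_IO, payload, sizeof(payload) };
	return !(submit_before(&ccb) == -1 && submit_after(&ccb, 1) == 0);
}
```
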
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kib 
Responsible-Changed-By: avg 
Responsible-Changed-When: Wed Mar 20 10:59:51 UTC 2013 
Responsible-Changed-Why:  
kib might be interested in this one 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177020 

From: Konstantin Belousov <kostikbel@gmail.com>
To: bug-followup@FreeBSD.org, ki@hh.iij4u.or.jp
Cc:  
Subject: Re: kern/177020: current panics in _bus_dmamap_load_ccb() with twa
 driver at boot time.
Date: Wed, 20 Mar 2013 20:18:41 +0200

 --5Q2XQl/uTluQbjdP
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 I think I understand the issue, thank you for the patch.
 I believe that there is a bug still, since when copying is needed,
 the ccb must not be loaded, but the copy buffer. In other words,
 when CAM_DATA_VADDR is detected, the TW_OSLI_REQ_FLAGS_CCB should
 not be set.
 
 Could you, please, test this slight modification of your patch?
 
 diff --git a/sys/dev/twa/tw_osl_cam.c b/sys/dev/twa/tw_osl_cam.c
 index 9c4de23..67fcae3 100644
 --- a/sys/dev/twa/tw_osl_cam.c
 +++ b/sys/dev/twa/tw_osl_cam.c
 @@ -273,9 +273,13 @@ tw_osli_execute_scsi(struct tw_osli_req_context *req, =
 union ccb *ccb)
  		xpt_done(ccb);
  		return(1);
  	}
 -	req->data =3D ccb;
 -	req->length =3D csio->dxfer_len;
 -	req->flags |=3D TW_OSLI_REQ_FLAGS_CCB;
 +	if ((ccb_h->flags & CAM_DATA_MASK) =3D=3D CAM_DATA_VADDR) {
 +		if ((req->length =3D csio->dxfer_len) !=3D 0) {
 +			req->data =3D csio->data_ptr;
 +			scsi_req->sgl_entries =3D 1;
 +		}
 +	} else
 +		req->flags |=3D TW_OSLI_REQ_FLAGS_CCB;
  	req->deadline =3D tw_osl_get_local_time() + (ccb_h->timeout / 1000);
 =20
  	/*
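
Review bot: in the new `else` branch neither `req->length` nor `req->data` is assigned any more, and in the VADDR branch `req->data` and `scsi_req->sgl_entries` are left untouched when `csio->dxfer_len` is 0, whereas the removed lines set `req->data` and `req->length` unconditionally. Both paths now depend on `req` and `scsi_req` arriving in a known state; please either assign explicit values on those paths or add a comment saying where the request context is cleared, and confirm nothing downstream reads `req->length` for TW_OSLI_REQ_FLAGS_CCB requests.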
 diff --git a/sys/dev/twa/tw_osl_freebsd.c b/sys/dev/twa/tw_osl_freebsd.c
 index 2956df6..b2284f8 100644
 --- a/sys/dev/twa/tw_osl_freebsd.c
 +++ b/sys/dev/twa/tw_osl_freebsd.c
 @@ -1475,7 +1475,7 @@ tw_osli_map_request(struct tw_osli_req_context *req)
  			mtx_unlock_spin(sc->io_lock);
  		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
  			error =3D bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
 -				req->data, twa_map_load_data_callback, req,
 +				req->orig_req, twa_map_load_data_callback, req,
  				BUS_DMA_WAITOK);
  		} else {
  			/*
 
 --5Q2XQl/uTluQbjdP--

From: Shuichi KITAGUCHI <ki@hh.iij4u.or.jp>
To: kostikbel@gmail.com
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/177020: current panics in _bus_dmamap_load_ccb() with twa
 driver at boot time.
Date: Thu, 21 Mar 2013 20:48:42 +0900 (JST)

 Hi,
 
 My machine works fine with this patch.
 Thanks for modifying the patch!
 
 
 > I think I understand the issue, thank you for the patch.
 > I believe that there is a bug still, since when copying is needed,
 > the ccb must not be loaded, but the copy buffer. In other words,
 > when CAM_DATA_VADDR is detected, the TW_OSLI_REQ_FLAGS_CCB should
 > not be set.
 > 
 > Could you, please, test this slight modification of your patch ?
 > 
 > diff --git a/sys/dev/twa/tw_osl_cam.c b/sys/dev/twa/tw_osl_cam.c
 > index 9c4de23..67fcae3 100644
 > --- a/sys/dev/twa/tw_osl_cam.c
 > +++ b/sys/dev/twa/tw_osl_cam.c
 > @@ -273,9 +273,13 @@ tw_osli_execute_scsi(struct tw_osli_req_context *req, union ccb *ccb)
 >  		xpt_done(ccb);
 >  		return(1);
 >  	}
 > -	req->data = ccb;
 > -	req->length = csio->dxfer_len;
 > -	req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 > +	if ((ccb_h->flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
 > +		if ((req->length = csio->dxfer_len) != 0) {
 > +			req->data = csio->data_ptr;
 > +			scsi_req->sgl_entries = 1;
 > +		}
 > +	} else
 > +		req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 >  	req->deadline = tw_osl_get_local_time() + (ccb_h->timeout / 1000);
 >  
 >  	/*
 > diff --git a/sys/dev/twa/tw_osl_freebsd.c b/sys/dev/twa/tw_osl_freebsd.c
 > index 2956df6..b2284f8 100644
 > --- a/sys/dev/twa/tw_osl_freebsd.c
 > +++ b/sys/dev/twa/tw_osl_freebsd.c
 > @@ -1475,7 +1475,7 @@ tw_osli_map_request(struct tw_osli_req_context *req)
 >  			mtx_unlock_spin(sc->io_lock);
 >  		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
 >  			error = bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
 > -				req->data, twa_map_load_data_callback, req,
 > +				req->orig_req, twa_map_load_data_callback, req,
 >  				BUS_DMA_WAITOK);
 >  		} else {
 >  			/*
State-Changed-From-To: open->closed 
State-Changed-By: kib 
State-Changed-When: Thu Mar 21 13:09:14 UTC 2013 
State-Changed-Why:  
Patch committed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177020 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177020: commit references a PR
Date: Thu, 21 Mar 2013 13:06:36 +0000 (UTC)

 Author: kib
 Date: Thu Mar 21 13:06:28 2013
 New Revision: 248583
 URL: http://svnweb.freebsd.org/changeset/base/248583
 
 Log:
   Fix twa(4) after the r246713.  The driver copies data around to
   satisfy some alignment restrictions.  Do not set TW_OSLI_REQ_FLAGS_CCB
   flag for mapped data, pass the csio->data_ptr in the req->data.
   
   Do not put the ccb pointer into req->data ever, ccb is stored in
   req->orig_req already.
   
   Submitted by:	Shuichi KITAGUCHI <ki@hh.iij4u.or.jp>
   PR:	kern/177020
 
 Modified:
   head/sys/dev/twa/tw_osl_cam.c
   head/sys/dev/twa/tw_osl_freebsd.c
 
 Modified: head/sys/dev/twa/tw_osl_cam.c
 ==============================================================================
 --- head/sys/dev/twa/tw_osl_cam.c	Thu Mar 21 13:02:43 2013	(r248582)
 +++ head/sys/dev/twa/tw_osl_cam.c	Thu Mar 21 13:06:28 2013	(r248583)
 @@ -273,9 +273,13 @@ tw_osli_execute_scsi(struct tw_osli_req_
  		xpt_done(ccb);
  		return(1);
  	}
 -	req->data = ccb;
 -	req->length = csio->dxfer_len;
 -	req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 +	if ((ccb_h->flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
 +		if ((req->length = csio->dxfer_len) != 0) {
 +			req->data = csio->data_ptr;
 +			scsi_req->sgl_entries = 1;
 +		}
 +	} else
 +		req->flags |= TW_OSLI_REQ_FLAGS_CCB;
  	req->deadline = tw_osl_get_local_time() + (ccb_h->timeout / 1000);
  
  	/*
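
Review bot: the `CAM_DATA_VADDR` test carries no comment saying why only virtual-address data skips TW_OSLI_REQ_FLAGS_CCB; the reason (the driver copies data around to satisfy alignment restrictions) is stated only in the commit log. A short comment above the `if` would keep that visible where the flag is chosen, and bracing the `else` to match the braced `if` would make the pairing harder to misread.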
 
 Modified: head/sys/dev/twa/tw_osl_freebsd.c
 ==============================================================================
 --- head/sys/dev/twa/tw_osl_freebsd.c	Thu Mar 21 13:02:43 2013	(r248582)
 +++ head/sys/dev/twa/tw_osl_freebsd.c	Thu Mar 21 13:06:28 2013	(r248583)
 @@ -1475,7 +1475,7 @@ tw_osli_map_request(struct tw_osli_req_c
  			mtx_unlock_spin(sc->io_lock);
  		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
  			error = bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
 -				req->data, twa_map_load_data_callback, req,
 +				req->orig_req, twa_map_load_data_callback, req,
  				BUS_DMA_WAITOK);
  		} else {
  			/*
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177020: commit references a PR
Date: Tue, 18 Jun 2013 13:38:19 +0000 (UTC)

 Author: mav
 Date: Tue Jun 18 13:38:10 2013
 New Revision: 251938
 URL: http://svnweb.freebsd.org/changeset/base/251938
 
 Log:
   MFC r248583 (by kib):
   Fix twa(4) after the r246713.  The driver copies data around to
   satisfy some alignment restrictions.  Do not set TW_OSLI_REQ_FLAGS_CCB
   flag for mapped data, pass the csio->data_ptr in the req->data.
   
   Do not put the ccb pointer into req->data ever, ccb is stored in
   req->orig_req already.
   
   Submitted by:	Shuichi KITAGUCHI <ki@hh.iij4u.or.jp>
   PR:		kern/177020
 
 Modified:
   stable/9/sys/dev/twa/tw_osl_cam.c
   stable/9/sys/dev/twa/tw_osl_freebsd.c
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/dev/   (props changed)
 
 Modified: stable/9/sys/dev/twa/tw_osl_cam.c
 ==============================================================================
 --- stable/9/sys/dev/twa/tw_osl_cam.c	Tue Jun 18 13:36:15 2013	(r251937)
 +++ stable/9/sys/dev/twa/tw_osl_cam.c	Tue Jun 18 13:38:10 2013	(r251938)
 @@ -273,9 +273,13 @@ tw_osli_execute_scsi(struct tw_osli_req_
  		xpt_done(ccb);
  		return(1);
  	}
 -	req->data = ccb;
 -	req->length = csio->dxfer_len;
 -	req->flags |= TW_OSLI_REQ_FLAGS_CCB;
 +	if ((ccb_h->flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
 +		if ((req->length = csio->dxfer_len) != 0) {
 +			req->data = csio->data_ptr;
 +			scsi_req->sgl_entries = 1;
 +		}
 +	} else
 +		req->flags |= TW_OSLI_REQ_FLAGS_CCB;
  	req->deadline = tw_osl_get_local_time() + (ccb_h->timeout / 1000);
  
  	/*
 
 Modified: stable/9/sys/dev/twa/tw_osl_freebsd.c
 ==============================================================================
 --- stable/9/sys/dev/twa/tw_osl_freebsd.c	Tue Jun 18 13:36:15 2013	(r251937)
 +++ stable/9/sys/dev/twa/tw_osl_freebsd.c	Tue Jun 18 13:38:10 2013	(r251938)
 @@ -1475,7 +1475,7 @@ tw_osli_map_request(struct tw_osli_req_c
  			mtx_unlock_spin(sc->io_lock);
  		} else if (req->flags & TW_OSLI_REQ_FLAGS_CCB) {
  			error = bus_dmamap_load_ccb(sc->dma_tag, req->dma_map,
 -				req->data, twa_map_load_data_callback, req,
 +				req->orig_req, twa_map_load_data_callback, req,
  				BUS_DMA_WAITOK);
  		} else {
  			/*
 
>Unformatted:
