Re: memory corruption/panic solved ("FAILURE - ATAPI_IDENTIFY no interrupt")
From: Nate Lawson (nate_at_root.org)
Date: 08/02/04
- Previous message: Scott Long: "Re: memory corruption/panic solved ("FAILURE - ATAPI_IDENTIFY no interrupt")"
- Maybe in reply to: Brian Fundakowski Feldman: "Re: memory corruption/panic solved ("FAILURE - ATAPI_IDENTIFY no interrupt")"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 01 Aug 2004 23:21:20 -0700 To: Søren Schmidt <sos@DeepCore.dk>
Søren Schmidt wrote:
> Nate Lawson wrote:
>
>> I've tracked down the source of the memory corruption in -current that
>> results when booting with various CD and DVD drives (especially the ones
>> that come with Thinkpads including T23, R32, T41, etc.) The panic is
>> obvious when running with INVARIANTS ("memory modified after free") but
>> not so obvious in other configurations. For instance, without
>> INVARIANTS, part of the rt_info structure is corrupted on my wireless
>> card, resulting in a panic during ifconfig on boot. This is likely the
>> source of other problems, including phk's ACPI panic (again, only
>> triggered when booting with the CD drive in the bay.)
>
> OK, first thanks for digging into this!
The other major bug I'm hunting is the EISA probe hanging. I want 5.3
to be reliable.
>> The root problem is that ata_timeout() fires and calls ata_pio_read()
>> which overwrites 512 bytes random memory. There are actually two bugs
>> here that overwrite memory. The code path is as follows:
>>
>> 1. ata runs an IDENTIFY command on each drive. It reaches this stack:
>>
>> ata_getparam()
>> ata_identify_devices()
>> ata_boot_attach()
>>
>> 2. ata_getparam() allocates a request and runs it:
>> ata_alloc_request()
>> loop on retries (2 max)
>> fill out an immediate read request for 512 bytes (DEV_BSIZE)
>> *** Bug 1: transfersize is 512 bytes but sizeof(struct ata_request) is
>> much less (~80 bytes).
>> ata_queue_request() starts the request and arms a timeout
>
> Its correct to allocate via ata_alloc_request, the data is *not* put
> into the request, but into another memory area (atadev->param) so this
> is not a bug.
You're correct. Sorry for reading this wrong. I earlier made a note to
check the size of atadev->param and mistakenly checked
sizeof(ata_request). The params are indeed the right size (512 bytes)
and the size in ata.h is noted in 16 bit half words. You might want a
CTASSERT that DEV_BSIZE == sizeof(ata_params).
-Nate
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
- Previous message: Scott Long: "Re: memory corruption/panic solved ("FAILURE - ATAPI_IDENTIFY no interrupt")"
- Maybe in reply to: Brian Fundakowski Feldman: "Re: memory corruption/panic solved ("FAILURE - ATAPI_IDENTIFY no interrupt")"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
