Subject: Page fault in PTE area fails in copyout
Index: sys/i386/i386/trap.c FreeBSD-1.0.2
Description:
Reading files of several megabytes into Emacs, or many small
files all at once, would fail with "IO error - bad address".
Repeat-By:
The bug can be exercised by a test program that malloc()'s
a 5MB chunk of memory, and then, without accessing the memory
first, filling it with data from a file using read().
(I read 64k chunks from /dev/wd0d into successive 64k regions
of the 5MB chunk.) The read() will fail with EFAULT at the first
virtual address boundary that is a multiple of 0x400000.
Fix:
The problem was code in sys/i386/i386/trap.c that tries to
figure out what kind of trap occurred and to handle it appropriately.
It was interpreting any page fault with virtual address
>= vm->vm_maxsaddr as being a user stack segment fault.
In fact, addresses >= USRSTACK are in the user structure/PTE area,
and if they are handled as stack faults, the proper PTE will
not be paged in when it is supposed to be. This situation comes
up in copyout() and copyoutstr(), if PTE's are accessed for the
first time ever. The page fault on accessing the nonexistent PTE
is mishandled as a stack fault, and then the fault that occurs on
the subsequent access to the page itself causes copyout to fail
with EFAULT.
From: Geoff Rehmet <g89r4222@braae.ru.ac.za>
Description:
On bootup, probe of wd drives fails (CP30104), and kernel panics
- cannot mount root
It appears that the device probe just times out.
Increasing the timeout back to its old value fixes the problem.
Repeat-By:
SUP FreBSD-current, Find a CP30104 ..... (ok ok ok)
Basically - Soren's changes barf my disk.
---
From: sos@login.dkuug.dk (S|ren Schmidt)
Subject: IDE-disk hangs - solution/patches NetBSD/FreeBSD
Summary: fixes for lost interrupts with IDE disks
Keywords: hanging-disk, IDE-disk, lost-interrupt
Due to "popular" demand I'm posting these patches to NetBSD/FreeBSD
instead of mailing them around the world :-)
As many have found out there is a problem when using IDE disks on
FreeBSD. Following is a patch that fixes the problem with lost intterrupts.
Both fixes is based on a patch posted here some month ago by
Stefan Behrens?? (sorry I've lost the original article). But anyway it
works (for me :-).
Basically it does a timeout on lost interrupts, starting the operation
again and logging and error message on the console.
It additionally makes the allready present while loop timeouts
independent of CPU speed, and adds minor numbers for easy access to
dos partitions.
* change all splnet's to splimp's
*
* Revision 2.13 1993/11/22 10:53:52 davidg
* patch to add support for SMC8216 (Elite-Ultra) boards
* from Glen H. Lowe
*
* Revision 2.12 1993/11/07 18:04:13 davidg
* fix from Garrett Wollman:
* add a return(0) at the end of ed_probe so that if the various device
* specific probes fail that we just don't fall of the end of the function.
Change movl %es: -2(reg) to use a subl $2,reg when fixing up the IDT
entries for bdb. This seems to be the best way to go.
Some day soon #ifdef BDB all of Bruces debugger code.
when the machine panics.
i386/i386/locore.s:
1) got rid of most .set directives that were being used like
#define's, and replaced them with appropriate #define's in
the appropriate header files (accessed via genassym).
2) added comments to header inclusions and global definitions,
and global variables
3) replaced some hardcoded constants with cpp defines (such as
PDESIZE and others)
4) aligned all comments to the same column to make them easier to
read
5) moved macro definitions for ENTRY, ALIGN, NOP, etc. to
/sys/i386/include/asmacros.h
6) added #ifdef BDE_DEBUGGER around all of Bruce's debugger code
7) added new global '_KERNend' to store last location+1 of kernel
8) cleaned up zeroing of bss so that only bss is zeroed
9) fix zeroing of page tables so that it really does zero them all
- not just if they follow the bss.
10) rewrote page table initialization code so that 1) works correctly
and 2) write protects the kernel text by default
11) properly initialize the kernel page directory, upages, p0stack PT,
and page tables. The previous scheme was more than a bit
screwy.
12) change allocation of virtual area of IO hole so that it is
fixed at KERNBASE + 0xa0000. The previous scheme put it
right after the kernel page tables and then later expected
it to be at KERNBASE +0xa0000
13) change multiple bogus settings of user read/write of various
areas of kernel VM - including the IO hole; we should never
be accessing the IO hole in user mode through the kernel
page tables
14) split kernel support routines such as bcopy, bzero, copyin,
copyout, etc. into a seperate file 'support.s'
15) split swtch and related routines into a seperate 'swtch.s'
16) split routines related to traps, syscalls, and interrupts
into a seperate file 'exception.s'
17) remove some unused global variables from locore that got
inserted by Garrett when he pulled them out of some .h
files.
i386/isa/icu.s:
1) clean up global variable declarations
2) move in declaration of astpending and netisr
i386/i386/pmap.c:
1) fix calculation of virtual_avail. It previously was calculated
to be right in the middle of the kernel page tables - not
a good place to start allocating kernel VM.
2) properly allocate kernel page dir/tables etc out of kernel map
- previously only took out 2 pages.
i386/i386/machdep.c:
1) modify boot() to print a warning that the system will reboot in
PANIC_REBOOT_WAIT_TIME amount of seconds, and let the user
abort with a key on the console. The machine will wait for
ever if a key is typed before the reboot. The default is
15 seconds, but can be set to 0 to mean don't wait at all,
-1 to mean wait forever, or any positive value to wait for
that many seconds.
2) print "Rebooting..." just before doing it.
kern/subr_prf.c:
1) remove PANICWAIT as it is deprecated by the change to machdep.c
i386/i386/trap.c:
1) add table of trap type strings and use it to print a real trap/
panic message rather than just a number. Lot's of work to
be done here, but this is the first step. Symbolic traceback
is in the TODO.
i386/i386/Makefile.i386:
1) add support in to build support.s, exception.s and swtch.s
...and various changes to various header files to make all of the
above happen.
if something changes which doesn't affect it, locore doesn't have to get
rebuilt. This is at the cost of a genassym and a cmp in every compile,
until someone can figure out how to make `make' smarter itself.
pccons or syscons usage. Modified comment in LINT for FAT_CURSOR.
Now the FAT_CURSOR can be controlled over the option, instead of hacking
syscons.c and pccons.c.
the stack area and not memory above VM_MAXUSER_ADDRESS.
That way, copyout and friends now work for pages whose page table entries
have not yet been allocated/been paged out.
machines (now 20% of all memory after the first 3MB). This is necessary
in order for 4MB machine to be able to rebuild the entire source tree
and not run out of physical memory because of fixed memory requirements
of processes and kernel VM.
set when extended translation is turned on, thus we need to do the mailbox
unlock command no matter what value is in the extended bios flag byte as
the other extensions (ie, > 2 drive support) cause the same problems.
The code has been changed to ALWAYS unlock the mailbox interface on ALL
1542C class boards.
called once when card is attached. Solved problem with driver
getting hosed when a reset takes place.
Removed init_block array -- now part of malloced memory. No more
static declarations left.
Added code so that debug ioctl actually does something.
ifconfig is0 debug will now switch on debugging code.
Other general cleanups.
since make depend wasn't picking up any new dependencies. However, due
to a bug in the old code, the original dependencies weren't being used, so
this version is better than the original and the lastest version.
(And is more readable as well)
* Novell probe changed to be invasive because of too many complaints
* about some clone boards not being reset properly and thus not
* found on a warmboot. Yuck.
*
* Revision 2.10 1993/10/23 04:07:12 davidg
* increment output errors if the device times out (done via watchdog)
*
* Revision 2.9 1993/10/23 04:01:45 davidg
* increment input error counter if a packet with a bad length is
* detected.
(rick@snowhite.cis.uoguelph.ca). I am currently using it with a Microsoft
InPort busmouse, under FreeBSD Epsilon. I hadn't planned on supporting it,
but I have patched it a few times, and I guess this is now the de facto
reference version, so send me any problems or improvements.
- Gene Stark
stark@cs.sunysb.edu
October 9, 1993
Date: Tue, 19 Oct 1993 02:22:41 -40962758 (WST)
As the subject line says:
I can;t believe this typo is still here.
Has NOBODY used the isa_dmastart() routine for 16bit DMA?
I know I just hit the dma regs directly for the AHA1542,
and it appears that either everybody else does as well, or
they only use 8bit DMA (e.g. floppy)
Editors Note:
The definition of DMA2_CHN was incorrectly using IO_DMA1!