reporting since this past summer. (I think Daniel O'Conner was the first.)
The problem appears to have been something like this:
- cdda2wav by default passes in a buffer that is close to the 128K MAXPHYS
limit.
- many times, the buffer is not page aligned
- vmapbuf() truncates the address, so that it is page aligned
- that causes the total size of the buffer to be greater than MAXPHYS,
which of course is a bad thing.
Here's a quote from the PR (kern/9067):
==================
In particular, note bp->b_bufsize = 0x0001f950 and bp->b_data = 0xf2219960
(which does not start on a page boundary). vunmapbuf() loops through all
the pages without any difficulty until addr reaches 0xf2239000, and then
the panic occurs. This seems to indicate that we are exceeding MAXPHYS
since we actually started from the middle of a page (the data is being
transfered to a non page aligned location).
To complete the description, note that the system call originates from
ReadCddaMMC12() (in scsi_cmds.c of cdda2wav) with a request to read 55
audio sectors of 2352 bytes (which is calculated to fall under MAXPHYS).
This in turn ends up calling scsi_send() (in scsi-bsd.c) which calls
cam_fill_csio() and cam_send_ccb(). This results in a CAMIOCOMMAND ioctl
with a ccb function code of XPT_SCSI_IO.
==================
The fix is to change the size check in cam_periph_mapmem() so that it is
like the one in minphys(). In particular, it is something like:
if ((buffer_length + (buf_ptr & PAGE_MASK)) > MAXPHYS)
buffer is too big
My fix is based on the one in the PR, but I cleaned up a fair number of
things in cam_periph_mapmem(). The checks for each buffer to be mapped
are now in a separate loop from the actual mapping operation. With the new
arrangement, we don't have to bother with unmapping any previously mapped
buffers if one of the checks fails.
Many thanks to James Liu for tracking this down. I'd appreciate it if some
vm-savvy folks would look this over. I believe this fix is correct, but I
could be wrong.
PR: kern/9067 (also, kern/8112)
Reviewed by: gibbs
Submitted by: "James T. Liu" <jtliu@phlebas.rockefeller.edu>
adjusted related casts to match (only in the kernel in this commit).
The pointer was only wanted in one place in kern_exec.c. Applications
should use the kern.ps_strings sysctl instead of PS_STRINGS, so they
shouldn't notice this change.
across the kernel -> application interface, and for the one sysctl where
they were passed and actually used (kern.ps_strings), the applications
want addresses represented as u_longs anyway (the other sysctl that
passed them, kern.usrstack, has never been used).
Agreed to by: dfr, phk
as well as several functional additions.
(1) dot3 MIB support.
(2) if_media selection method support.
(3) bridge support.
(4) new boards support. Supported boards are as follows.
[PC/AT]
* Fujitsu FMV-180 series
* Allied-Telesis RE2000 series
* Allied-Telesyn AT1700 series
* Gateway Communications G/Ether series
* UB networks Access/PC ISA series
* TDK/LANX LAC-AX series
* ICL EtherTeam16i series
* RATOC REX-5586/5587
[PC-98]
* Allied-Telesis RE1000 series
* Allied-Telesis RE1000Plus/ME1500 series
* Contec C-NET(9N)E series
* Contec C-NET(98)P2 series
* UB networks Access/PC N98C+ series
* TDK/LANX LAC-98 series(not tested)
Submitted by: seki@sysrap.cs.fujitsu.co.jp (Masahiro Sekiguchi) and
chi@bd.mbn.or.jp (Chiharu Shibata)
in rev.1.30 (just before FreeBSD-1.1R) to almost match corresponding
breakage in FreeBSD-1.x's diskerr(). FreeBSD-2.x's diskerr() never
had the breakage.
in target mode, but we are not completing the command.
Use a template of allowed bus arbitration phases to selectively and
dynamically enable/disable initiator or target (re)selection.
Properly handle timeouts for target role transactions - just go to the
bus free state and report the error to the peripheral driver.
Checkpoint support for the XPT_ABORT_CCB function code. This currently
handles the accept tio and immediate notify ccb types, but does not
handle the continue target I/O or SCSI I/O ccb types. This is enough
to handle dynamic target enable/disable events.
Clean up the SCSI reset code so that we perform at most 1 SCSI bus
reset at initialization, the reset requested by the XPT layer.
level so they can be reclaimed before attempting to disable our lun.
Correctly free descriptors. Add periph locking and spl protection
around open and close.
pointed this out, but I've not seen a manifestation of this.
o Check against 0x00 as well as 0xff for geometry register, as some clone
cards don't return 0xff. Vadim Mikhailov pointed this out in PR
8743 for his Dell SCSI Array controller working in AHA-1540
emulation mode. Note that this test is likely to go away in the
future in favor of a better one Justin has recommended.
memory address space rather than IO space.. reflect this when looking for the
interface revision register.
If this is not true for them all then we probably need some smarter code.