On Tue, Feb 22, 2011 at 15:21 +0000, emeric boit wrote:
> Stuart,
>
> Thanks for your response, but this patch doesn't resolve the problem.
> With the OpenBSD 4.9 snapshot (Jan. 2011) the problem is the same :
> uvm_fault(0xffffffff80cef780, 0xffff80001b6fe000, 0, 1) -> e
> kernel: page
> fault trap, code=0
> Stopped at mpi_reply+0xd0: movq 0x10(%r13),%rdx
> ddb{0}>
>
> ddb{0}> trace
> mpi_reply() at mpi_reply+0xd0
> mpi_intr() at
> mpi_intr+0x20
> Xintr_ioapic_level18() at Xintr_ioapic_level18+0xec
> ---
> interrupt ---
> Bad frame pointer:
> 0xffff80001942dac0
> end trace frame:
> 0xffff80001942dac0, count: -3
> Xspllower+0xe:
> ddb{0}>
>
>
> I thinks the bug is in
> this file : /usr/src/sys/dev/ic/mpi.c
>
> Regards,
> Emeric.
>
lets prove a theory:
Index: dev/ic/mpi.c
===================================================================
RCS file: /home/cvs/src/sys/dev/ic/mpi.c,v
retrieving revision 1.165
diff -u -p -r1.165 mpi.c
--- dev/ic/mpi.c 24 Sep 2010 01:27:11 -0000 1.165
+++ dev/ic/mpi.c 22 Feb 2011 15:38:19 -0000
@@ -914,6 +914,10 @@ mpi_reply(struct mpi_softc *sc, u_int32_
reply_dva = (reg & MPI_REPLY_QUEUE_ADDRESS_MASK) << 1;
i = (reply_dva - (u_int32_t)MPI_DMA_DVA(sc->sc_replies)) /
MPI_REPLY_SIZE;
+ if (i < 0 || i > sc->sc_repq)
+ panic("%s: choked on reg %#x dva %#x map %#x",
+ DEVNAME(sc), reg, reply_dva,
+ (u_int32_t)MPI_DMA_DVA(sc->sc_replies));
rcb = &sc->sc_rcbs[i];
bus_dmamap_sync(sc->sc_dmat,
