Date: Mon, 24 Feb 2003 18:32:18 +0100
From: janepet <janepet@online.no>
To: freebsd-current@freebsd.org
Subject: The audio device drivers panics if I try to open /dev/dsp0.1 with flags O_RDWR
Message-ID: <3E5FD8ED@epostleser.online.no>
I have found a repeatable bug in the pcm device driver.

How to repeat:

Try opening /dev/dsp0.1 with flags O_RDWR and the kernel panics immediately.
I've included the source code of the program I used.

Why the problem occurs:

The _mtx_unlock(...) macro is called with a NULL (0x0) pointer from the
CHN_UNLOCK(...) macro in /usr/src/sys/dev/pcm/channel.h. This is because the
mutex pointer passed to CHN_UNLOCK(...) is a NULL pointer (see gdb output).
It looks like the mutex is destroyed twice, probably because the program is
trying to open the device with read+write. Since this is a call from userland,
I think the open syscall to the device should return an error code instead of
causing a panic.

Fix:

If the device isn't designed to support read+write, something like this should
be added to the code:

    if (flags & O_RDWR)
        return <ERROR_CODE>;

dmesg:

Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.0-RELEASE #0: Wed Jan 29 18:50:05 CET 2003
    root@challenger.sky.dom:/usr/obj/usr/src/sys/SMALLKERN_DEBUG
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0450000.
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 62501253 Hz
CPU: Overdrive Pentium/P54T Overdrive (62.50-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x1531  Stepping = 1
  Features=0x13f<FPU,VME,DE,PSE,TSC,MSR,CX8>
real memory  = 20971520 (20 MB)
avail memory = 15908864 (15 MB)
Intel Pentium detected, installing workaround for F00F bug
Initializing GEOMetry subsystem
VESA: v1.2, 512k memory, flags:0x0, mode table:0xc03d3974 (1000014)
VESA: Cirrus Logic GD-54xx VGA
npx0: <math processor> on motherboard
npx0: INT 16 interface
isa0: <ISA bus> on motherboard
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
ata0 at port 0x3f6,0x1f0-0x1f7 irq 14 on isa0
ata1 at port 0x376,0x170-0x177 irq 15 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
ed0 at port 0x280-0x29f iomem 0xd8000 irq 10 on isa0
ed0: address 00:50:bf:4c:21:a8, type NE2000 (16 bit)
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
speaker0: <PC speaker> on isa0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sbc0: <Creative SB16/SB32> at port 0x388-0x38b,0x330-0x331,0x220-0x22f irq 5 drq 5,1 on isa0
pcm0: <SB16 DSP 4.13> on sbc0
ata2: <Generic ESDI/IDE/ATA controller> at port 0x3ee-0x3ef,0x1e8-0x1ef irq 11 on isa0
Timecounters tick every 1.000 msec
ad0: 4126MB <ST34311A> [8944/15/63] at ata0-master BIOSPIO
Mounting root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted
ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled
pid 778 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 790 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 799 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 811 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 818 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 826 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 836 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 858 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 865 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 1101 (convertdb), uid 0: exited on signal 11 (core dumped)
pid 2078 (lacnic), uid 0: exited on signal 11 (core dumped)
pid 4692 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 4695 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9113 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9126 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9134 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9138 (getlocation), uid 1000: exited on signal 11 (core dumped)
arp: 10.53.4.10 moved from 00:10:dc:89:61:1e to 07:00:07:00:07:00 on ed0

GDB output:

Script started on Mon Feb 24 17:10:09 2003
moonwalker.root# gdb -k /boot/kernel/kernel.debug -c /var/crash/vmcore.1
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: bwrite: buffer is not busy???
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x20
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01e2767
stack pointer           = 0x10:0xc38f692c
frame pointer           = 0x10:0xc38f694c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 483 (wrspk)
trap number             = 12
panic: page fault

syncing disks, buffers remaining... panic: bwrite: buffer is not busy???
Uptime: 3m37s
Dumping 20 MB
ata0: resetting devices .. done
 16
---
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:232
232     /usr/src/sys/kern/kern_shutdown.c: No such file or directory.
        in /usr/src/sys/kern/kern_shutdown.c
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:232
#1  0xc01eafd1 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:364
#2  0xc01eb1e3 in panic () at /usr/src/sys/kern/kern_shutdown.c:517
#3  0xc02294b2 in bwrite (bp=0xc13a0540) at /usr/src/sys/kern/vfs_bio.c:796
#4  0xc022aa6e in vfs_bio_awrite (bp=0xc1c4e6a8) at /usr/src/sys/kern/vfs_bio.c:1643
#5  0xc01b6b37 in spec_fsync (ap=0xc38f6754) at /usr/src/sys/fs/specfs/spec_vnops.c:462
#6  0xc01b60a8 in spec_vnoperate (ap=0x0) at /usr/src/sys/fs/specfs/spec_vnops.c:126
#7  0xc02cdc1d in ffs_sync (mp=0xc1109400, waitfor=2, cred=0xc08e0f00, td=0xc03854a0) at vnode_if.h:612
#8  0xc023c20b in sync (td=0xc03854a0, uap=0x0) at /usr/src/sys/kern/vfs_syscalls.c:138
#9  0xc01eac42 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:273
#10 0xc01eb1e3 in panic () at /usr/src/sys/kern/kern_shutdown.c:517
#11 0xc031d36e in trap_fatal (frame=0xc13a0540, eva=0) at /usr/src/sys/i386/i386/trap.c:844
#12 0xc031d082 in trap_pfault (frame=0xc38f68ec, usermode=0, eva=32) at /usr/src/sys/i386/i386/trap.c:758
#13 0xc031cc4d in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1053162176, tf_esi = 0,
       tf_ebp = -1014011572, tf_isp = -1014011624, tf_ebx = -1055657216,
       tf_edx = -1053162176, tf_ecx = -1055657216, tf_eax = 1, tf_trapno = 12,
       tf_err = 0, tf_eip = -1071765657, tf_cs = 8, tf_eflags = 66050,
       tf_esp = -1070031360, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:445
#14 0xc030dd98 in calltrap () at {standard input}:98
#15 0xc01e235f in _mtx_unlock_flags (m=0x0, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:405
#16 0xc019d588 in dsp_open (i_dev=0x0, flags=3, mode=8192, td=0xc13a0540) at /usr/src/sys/dev/sound/pcm/dsp.c:296
#17 0xc01b62c8 in spec_open (ap=0xc38f6a5c) at /usr/src/sys/fs/specfs/spec_vnops.c:208
#18 0xc01b60a8 in spec_vnoperate (ap=0x0) at /usr/src/sys/fs/specfs/spec_vnops.c:126
#19 0xc02436ba in vn_open_cred (ndp=0xc38f6bd8, flagp=0xc38f6cd8, cmode=0, cred=0xc13bc780) at vnode_if.h:213
#20 0xc02432b9 in vn_open (ndp=0x0, flagp=0x0, cmode=0) at /usr/src/sys/kern/vfs_vnops.c:91
---Type <return> to continue, or q <return> to quit---
#21 0xc023cea0 in kern_open (td=0xc13a0540, path=0x0, pathseg=UIO_USERSPACE, flags=3, mode=0) at /usr/src/sys/kern/vfs_syscalls.c:664
#22 0xc023cd30 in open (td=0x0, uap=0x0) at /usr/src/sys/kern/vfs_syscalls.c:627
#23 0xc031d62e in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077937100,
       tf_esi = -1077937088, tf_ebp = -1077937140, tf_isp = -1014010508,
       tf_ebx = 2, tf_edx = 134515572, tf_ecx = 671407648, tf_eax = 5,
       tf_trapno = 12, tf_err = 2, tf_eip = 671807859, tf_cs = 31,
       tf_eflags = 642, tf_esp = -1077937716, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1033
#24 0xc030dded in Xint0x80_syscall () at {standard input}:140
---Can't read userspace from dump, or kernel process---
(kgdb) up 14
#14 0xc030dd98 in calltrap () at {standard input}:98
98      {standard input}: No such file or directory.
        in {standard input}
Current language:  auto; currently asm
(kgdb) up
#15 0xc01e235f in _mtx_unlock_flags (m=0x0, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:405
405     /usr/src/sys/kern/kern_mutex.c: No such file or directory.
        in /usr/src/sys/kern/kern_mutex.c
Current language:  auto; currently c
(kgdb) up
#16 0xc019d588 in dsp_open (i_dev=0x0, flags=3, mode=8192, td=0xc13a0540) at /usr/src/sys/dev/sound/pcm/dsp.c:296
296     /usr/src/sys/dev/sound/pcm/dsp.c: No such file or directory.
        in /usr/src/sys/dev/sound/pcm/dsp.c
(kgdb) print rdch
$1 = (struct pcm_channel *) 0xc13a0540
(kgdb) print rdch->lock
$2 = (struct mtx *) 0x0
(kgdb) print rdch->refcount
$3 = -1053167600
(kgdb) quit
moonwalker.root# uname -a
FreeBSD moonwalker.sky.dom 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Wed Jan 29 18:50:05 CET 2003     root@challenger.sky.dom:/usr/obj/usr/src/sys/SMALLKERN_DEBUG  i386
moonwalker.root# exit
exit

Script done on Mon Feb 24 17:31:08 2003

Jan-Espen Pettersen
Mon Feb 24 18:31:32 CET 2003