From owner-freebsd-current  Mon Feb 24  9:32:29 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 026D037B401
	for <freebsd-current@freebsd.org>; Mon, 24 Feb 2003 09:32:23 -0800 (PST)
Received: from mail47.fg.online.no (mail47-s.fg.online.no [148.122.161.47])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4DA1443F93
	for <freebsd-current@freebsd.org>; Mon, 24 Feb 2003 09:32:21 -0800 (PST)
	(envelope-from janepet@online.no)
Received: from epostleser.online.no (epostleser13.frisurf.no [148.122.3.21])
	by mail47.fg.online.no (8.9.3/8.9.3) with ESMTP id SAA08605
	for <freebsd-current@freebsd.org>; Mon, 24 Feb 2003 18:32:18 +0100 (MET)
X-WebMail-UserID:  janepet@online.no
Date: Mon, 24 Feb 2003 18:32:18 +0100
From: janepet <janepet@online.no>
To: freebsd-current@freebsd.org
X-EXP32-SerialNo: 50000140
Subject: The audio device drivers panics if I try to open /dev/dsp0.1 with flags O_RDWR
Message-ID: <3E5FD8ED@epostleser.online.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: InterChange (Hydra) SMTP v3.62
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

I have found an repeatable bug in the pcm device driver.

How to repeat:
Try opening /dev/dsp0.1 with flags O_RDWR and the kernel panics immediately.
I've included source code of the program I used.

Why the problem occurs:
The _mtx_unlock(...) macro is called with a NULL (0x0) pointer from the
CHN_UNLOCK(...) macro in /usr/src/sys/dev/pcm/channel.h. This is because the
mutex pointer passed to CHN_UNLOCK(...) is a NULL pointer. (See gdb output).
It looks like the mutex is destroyed twice. Probably because the program is
trying to open the device with read+write. Since this is a call from
userland, I think the open syscall to the device should return an error code
instead of causing a panic.

Fix:
If the device isn't designed to support read+write something like this should 
be added to the code:

if (flags & O_RDWR)
  return <ERROR_CODE>;

dmesg:

Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.0-RELEASE #0: Wed Jan 29 18:50:05 CET 2003
    root@challenger.sky.dom:/usr/obj/usr/src/sys/SMALLKERN_DEBUG
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0450000.
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 62501253 Hz
CPU: Overdrive Pentium/P54T Overdrive (62.50-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x1531  Stepping = 1
  Features=0x13f<FPU,VME,DE,PSE,TSC,MSR,CX8>
real memory  = 20971520 (20 MB)
avail memory = 15908864 (15 MB)
Intel Pentium detected, installing workaround for F00F bug
Initializing GEOMetry subsystem
VESA: v1.2, 512k memory, flags:0x0, mode table:0xc03d3974 (1000014)
VESA: Cirrus Logic GD-54xx VGA
npx0: <math processor> on motherboard
npx0: INT 16 interface
isa0: <ISA bus> on motherboard
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
ata0 at port 0x3f6,0x1f0-0x1f7 irq 14 on isa0
ata1 at port 0x376,0x170-0x177 irq 15 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
ed0 at port 0x280-0x29f iomem 0xd8000 irq 10 on isa0
ed0: address 00:50:bf:4c:21:a8, type NE2000 (16 bit)
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 
0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
speaker0: <PC speaker> on isa0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sbc0: <Creative SB16/SB32> at port 0x388-0x38b,0x330-0x331,0x220-0x22f irq 5 
drq 5,1 on isa0
pcm0: <SB16 DSP 4.13> on sbc0
ata2: <Generic ESDI/IDE/ATA controller> at port 0x3ee-0x3ef,0x1e8-0x1ef irq 11 
on isa0
Timecounters tick every 1.000 msec
ad0: 4126MB <ST34311A> [8944/15/63] at ata0-master BIOSPIO
Mounting root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted
ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to 
deny, logging disabled
pid 778 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 790 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 799 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 811 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 818 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 826 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 836 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 858 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 865 (convertdb), uid 0: exited on signal 10 (core dumped)
pid 1101 (convertdb), uid 0: exited on signal 11 (core dumped)
pid 2078 (lacnic), uid 0: exited on signal 11 (core dumped)
pid 4692 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 4695 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9113 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9126 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9134 (getlocation), uid 1000: exited on signal 11 (core dumped)
pid 9138 (getlocation), uid 1000: exited on signal 11 (core dumped)
arp: 10.53.4.10 moved from 00:10:dc:89:61:1e to 07:00:07:00:07:00 on ed0



GDB output:
Script started on Mon Feb 24 17:10:09 2003
moonwalker.root# gdb -k /usr/  [K  [K  [K  [Kboot/kernel/kernel.debug -c
/var/crash/vmcore.1

GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: bwrite: buffer is not busy???
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x20
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc01e2767
stack pointer	        = 0x10:0xc38f692c
frame pointer	        = 0x10:0xc38f694c
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 483 (wrspk)
trap number		= 12
panic: page fault

syncing disks, buffers remaining... panic: bwrite: buffer is not busy???
Uptime: 3m37s
Dumping 20 MB
ata0: resetting devices ..
done
 16
---
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:232
232	/usr/src/sys/kern/kern_shutdown.c: No such file or directory.
	in /usr/src/sys/kern/kern_shutdown.c
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:232
#1  0xc01eafd1 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:364
#2  0xc01eb1e3 in panic () at /usr/src/sys/kern/kern_shutdown.c:517
#3  0xc02294b2 in bwrite (bp=0xc13a0540) at /usr/src/sys/kern/vfs_bio.c:796
#4  0xc022aa6e in vfs_bio_awrite (bp=0xc1c4e6a8)
    at /usr/src/sys/kern/vfs_bio.c:1643
#5  0xc01b6b37 in spec_fsync (ap=0xc38f6754)
    at /usr/src/sys/fs/specfs/spec_vnops.c:462
#6  0xc01b60a8 in spec_vnoperate (ap=0x0)
    at /usr/src/sys/fs/specfs/spec_vnops.c:126
#7  0xc02cdc1d in ffs_sync (mp=0xc1109400, waitfor=2, cred=0xc08e0f00,
    td=0xc03854a0) at vnode_if.h:612
#8  0xc023c20b in sync (td=0xc03854a0, uap=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:138
#9  0xc01eac42 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:273
#10 0xc01eb1e3 in panic () at /usr/src/sys/kern/kern_shutdown.c:517
#11 0xc031d36e in trap_fatal (frame=0xc13a0540, eva=0)
    at /usr/src/sys/i386/i386/trap.c:844
#12 0xc031d082 in trap_pfault (frame=0xc38f68ec, usermode=0, eva=32)
    at /usr/src/sys/i386/i386/trap.c:758
#13 0xc031cc4d in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1053162176, tf_esi = 0,
tf_ebp = -1014011572, tf_isp = -1014011624, tf_ebx = -1055657216, tf_edx =
-1053162176, tf_ecx = -1055657216, tf_eax = 1, tf_trapno = 12, tf_err = 0,
tf_eip = -1071765657, tf_cs = 8, tf_eflags = 66050, tf_esp = -1070031360,
tf_ss = 0})
    at /usr/src/sys/i386/i386/trap.c:445
#14 0xc030dd98 in calltrap () at {standard input}:98
#15 0xc01e235f in _mtx_unlock_flags (m=0x0, opts=0, file=0x0, line=0)
    at /usr/src/sys/kern/kern_mutex.c:405
#16 0xc019d588 in dsp_open (i_dev=0x0, flags=3, mode=8192, td=0xc13a0540)
    at /usr/src/sys/dev/sound/pcm/dsp.c:296
#17 0xc01b62c8 in spec_open (ap=0xc38f6a5c)
    at /usr/src/sys/fs/specfs/spec_vnops.c:208
#18 0xc01b60a8 in spec_vnoperate (ap=0x0)
    at /usr/src/sys/fs/specfs/spec_vnops.c:126
#19 0xc02436ba in vn_open_cred (ndp=0xc38f6bd8, flagp=0xc38f6cd8, cmode=0,
    cred=0xc13bc780) at vnode_if.h:213
#20 0xc02432b9 in vn_open (ndp=0x0, flagp=0x0, cmode=0)
    at /usr/src/sys/kern/vfs_vnops.c:91
---Type <return> to continue, or q <return> to quit---
#21 0xc023cea0 in kern_open (td=0xc13a0540, path=0x0, pathseg=UIO_USERSPACE,
    flags=3, mode=0) at /usr/src/sys/kern/vfs_syscalls.c:664
#22 0xc023cd30 in open (td=0x0, uap=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:627
#23 0xc031d62e in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077937100, tf_esi =
-1077937088, tf_ebp = -1077937140, tf_isp = -1014010508, tf_ebx = 2, tf_edx =
134515572, tf_ecx = 671407648, tf_eax = 5, tf_trapno = 12, tf_err = 2, tf_eip
= 671807859, tf_cs = 31, tf_eflags = 642, tf_esp = -1077937716, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1033
#24 0xc030dded in Xint0x80_syscall () at {standard input}:140
---Can't read userspace from dump, or kernel process---

(kgdb) up 14
#14 0xc030dd98 in calltrap () at {standard input}:98
98	{standard input}: No such file or directory.
	in {standard input}
Current language:  auto; currently asm
(kgdb) up
#15 0xc01e235f in _mtx_unlock_flags (m=0x0, opts=0, file=0x0, line=0)
    at /usr/src/sys/kern/kern_mutex.c:405
405	/usr/src/sys/kern/kern_mutex.c: No such file or directory.
	in /usr/src/sys/kern/kern_mutex.c
Current language:  auto; currently c
(kgdb) up
#16 0xc019d588 in dsp_open (i_dev=0x0, flags=3, mode=8192, td=0xc13a0540)
    at /usr/src/sys/dev/sound/pcm/dsp.c:296
296	/usr/src/sys/dev/sound/pcm/dsp.c: No such file or directory.
	in /usr/src/sys/dev/sound/pcm/dsp.c
(kgdb) print rdch
$1 = (struct pcm_channel *) 0xc13a0540
(kgdb) print rdch->lock
$2 = (struct mtx *) 0x0
(kgdb) print rdch->refcount
$3 = -1053167600
(kgdb) quit
moonwalker.root# uname -a

FreeBSD moonwalker.sky.dom 5.0-RELEASE FreeBSD 5.0-RELEASE #0: Wed Jan 29
18:50:05 CET 2003
root@challenger.sky.dom:/usr/obj/usr/src/sys/SMALLKERN_DEBUG  i386
moonwalker.root# exit

exit

Script done on Mon Feb 24 17:31:08 2003


Jan-Espen Pettersen
Mon Feb 24 18:31:32 CET 2003


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message