Subject: Re: Page fault in midi/sequencer.c
To: Peter Holm, current@freebsd.org
From: Hans Petter Selasky
Date: Sun, 21 Oct 2018 11:06:54 +0200
List-Id: Discussions about the use of FreeBSD-current

On 10/20/18 6:56 PM, Peter Holm wrote:
> I can trigger this on 13.0-CURRENT r339445 with a non-root test program:
>
> Calling uiomove() with the following non-sleepable locks held:
> exclusive sleep mutex seqflq (seqflq) r = 0 (0xfffff80003860c08) locked @ dev/sound/midi/sequencer.c:952
> stack backtrace:
> #0 0xffffffff80bfe263 at witness_debugger+0x73
> #1 0xffffffff80bff1b8 at witness_warn+0x448
> #2 0xffffffff80bf6a91 at uiomove_faultflag+0x71
> #3 0xffffffff809439e6 at mseq_write+0x4c6
> #4 0xffffffff80a4f725 at devfs_write_f+0x185
> #5 0xffffffff80c02a87 at dofilewrite+0x97
> #6 0xffffffff80c0287f at kern_pwritev+0x5f
> #7 0xffffffff80c0277d at sys_pwrite+0x8d
> #8 0xffffffff81070af7 at amd64_syscall+0x2a7
> #9 0xffffffff8104a4ad at fast_syscall_common+0x101
> Kernel page fault with the following non-sleepable locks held:
> exclusive sleep mutex seqflq (seqflq) r = 0 (0xfffff80003860c08) locked @ dev/sound/midi/sequencer.c:952
> stack backtrace:
> #0 0xffffffff80bfe263 at witness_debugger+0x73
> #1 0xffffffff80bff1b8 at witness_warn+0x448
> #2 0xffffffff810700d3 at trap_pfault+0x53
> #3 0xffffffff8106f70a at trap+0x2ba
> #4 0xffffffff81049bc5 at calltrap+0x8
> #5 0xffffffff80bf6b42 at uiomove_faultflag+0x122
> #6 0xffffffff809439e6 at mseq_write+0x4c6
> #7 0xffffffff80a4f725 at devfs_write_f+0x185
> #8 0xffffffff80c02a87 at dofilewrite+0x97
> #9 0xffffffff80c0287f at kern_pwritev+0x5f
> #10 0xffffffff80c0277d at sys_pwrite+0x8d
> #11 0xffffffff81070af7 at amd64_syscall+0x2a7
> #12 0xffffffff8104a4ad at fast_syscall_common+0x101
>
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 4; apic id = 04
> fault virtual address = 0x20ea6b
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0xffffffff8106d32d
> stack pointer = 0x28:0xfffffe00a844a660
> frame pointer = 0x28:0xfffffe00a844a660
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 2356 (xxx)
> [ thread pid 2356 tid 100278 ]
> Stopped at copyin_nosmap_erms+0xdd: movl (%rsi),%edx
> db>
>

Hi,

Can you test the attached patch?

--HPS

--------------7DA408B79955E35972546159
Content-Type: text/x-patch; name="seq.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="seq.diff"

Index: sys/dev/sound/midi/sequencer.c =================================================================== --- sys/dev/sound/midi/sequencer.c (revision 339376) +++ sys/dev/sound/midi/sequencer.c (working copy) @@ -921,7 +921,9 @@ SEQ_DEBUG(8, printf("midiread: uiomove cc=%d\n", used)); MIDIQ_DEQ(scp->in_q, buf, used); + mtx_unlock(&scp->seq_lock); retval = uiomove(buf, used, uio); + mtx_lock(&scp->seq_lock); if (retval) goto err1; } @@ -996,7 +998,9 @@ retval = ENXIO; goto err0; } + mtx_unlock(&scp->seq_lock); retval = uiomove(event, used, uio); + mtx_lock(&scp->seq_lock); if (retval) goto err0; 
@@ -1034,7 +1038,9 @@ SEQ_DEBUG(2, printf("seq_write: SEQ_FULLSIZE flusing buffer.\n")); while (uio->uio_resid > 0) { + mtx_unlock(&scp->seq_lock); retval = uiomove(event, EV_SZ, uio); + mtx_lock(&scp->seq_lock); if (retval) goto err0; @@ -1045,6 +1051,7 @@ } retval = EINVAL; if (ev_code >= 128) { + int error; /* * Some sort of an extended event. The size is eight @@ -1054,7 +1061,10 @@ SEQ_DEBUG(2, printf("seq_write: invalid level two event %x.\n", ev_code)); goto err0; } - if (uiomove((caddr_t)&event[4], 4, uio)) { + mtx_unlock(&scp->seq_lock); + error = uiomove((caddr_t)&event[4], 4, uio); + mtx_lock(&scp->seq_lock); + if (error) { SEQ_DEBUG(2, printf("seq_write: user memory mangled?\n")); goto err0; --------------7DA408B79955E35972546159--
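
Review bot: in the @@ -921 hunk, MIDIQ_DEQ(scp->in_q, buf, used) has already taken the data out of the queue before seq_lock is released for uiomove(buf, used, uio), and the hunk does not show whether buf is private to the calling thread. If buf is not a per-call buffer, a second reader can overwrite it while the lock is dropped, so it is worth confirming that and stating it in a comment next to the mtx_unlock(); the goto err1 path also leaves the dequeued bytes undelivered when the copy fails.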
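
Review bot: in the @@ -996 hunk, used was computed while seq_lock was held, and once mtx_lock(&scp->seq_lock) returns after the copy another thread may have run in the unlocked window. The code after the relock should re-check the state it relied on before the copy (for example the condition behind the retval = ENXIO check just above) instead of continuing with the pre-unlock values.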
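
Review bot: in the @@ -1054 hunk the new error variable is only tested, so a failing uiomove() still returns the retval = EINVAL set above rather than the code uiomove() produced, unlike the other three call sites, which store the result in retval. If keeping EINVAL is intentional, a short comment would make that clear; otherwise set retval = error before goto err0.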