From owner-freebsd-bugs@FreeBSD.ORG Wed Oct 20 18:50:22 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F1E416A4CE for ; Wed, 20 Oct 2004 18:50:22 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A8AE43D5D for ; Wed, 20 Oct 2004 18:50:22 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i9KIoMP3095764 for ; Wed, 20 Oct 2004 18:50:22 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i9KIoMrl095763; Wed, 20 Oct 2004 18:50:22 GMT (envelope-from gnats) Resent-Date: Wed, 20 Oct 2004 18:50:22 GMT Resent-Message-Id: <200410201850.i9KIoMrl095763@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Mike Tancsa Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 45FC016A4CE for ; Wed, 20 Oct 2004 18:44:58 +0000 (GMT) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id B56C943D41 for ; Wed, 20 Oct 2004 18:44:57 +0000 (GMT) (envelope-from mdtancsa@granite.sentex.ca) Received: from granite.sentex.ca (granite-64.sentex.ca [64.7.153.1]) by smarthost1.sentex.ca (8.13.1/8.13.1) with ESMTP id i9KIivLq071037 for ; Wed, 20 Oct 2004 14:44:57 -0400 (EDT) (envelope-from mdtancsa@granite.sentex.ca) Received: from granite.sentex.ca (localhost [127.0.0.1]) by granite.sentex.ca (8.12.10/8.12.10) with ESMTP id i9KIivrU099355 for ; Wed, 20 Oct 2004 14:44:57 -0400 (EDT) (envelope-from mdtancsa@granite.sentex.ca) Received: (from mdtancsa@localhost) by granite.sentex.ca (8.12.10/8.12.10/Submit) id i9KIirjF099052; Wed, 20 Oct 2004 14:44:53 -0400 (EDT) (envelope-from mdtancsa) Message-Id: <200410201844.i9KIirjF099052@granite.sentex.ca> Date: Wed, 20 Oct 2004 14:44:53 -0400 (EDT) From: Mike Tancsa To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: kern/72935: sio tty and uhid tty (perhaps others) stomp on each other leading to kernel data corruption and a panic X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Mike Tancsa List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Oct 2004 18:50:22 -0000 >Number: 72935 >Category: kern >Synopsis: sio tty and uhid tty (perhaps others) stomp on each other leading to kernel data corruption and a panic >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Oct 20 18:50:21 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Mike Tancsa >Release: RELENG_4 >Organization: Sentex Communications >Environment: System: FreeBSD station.sentex.ca 4.10-STABLE FreeBSD 4.10-STABLE #19: Wed Oct 20 10:44:23 EDT 2004 root@station.sentex.ca:/usr/obj/usr/src/sys/gas i386 i386,RELENG_4 >Description: In 4-10 STABLE we have been experiencing an intermittent problem / panic when engaging in constant serial I/O and constant usb/uhid device I/O. What happens is that the kernel panics related to data in cfreelist in sys/kern/tty_subr.c The two panics we have seen are panic("clist reservation botch"); in sys/kern/tty_subr.c:103 And panic("free: multiple frees"); in sys/kern/kern_malloc.:632 What we believe might be the problem is that the tty_subr routines rely on spltty() for concurrency. The uhid device (sys/dev/usb/uhid.c) is not of class TTY, but it uses the b_to_q routine within its interrupt handler (uhid_intr), so we believe that uhid_intr will be serviced during some other tty servicing of the cfreelist. The cfreelist within tty_subr is getting corrupted (and/or going to null). We have been able to reproduce the problem in a short period of time, by introducing a delay within cblock_alloc() and cblock_free(). Also we have been able to fix the problem (in concept only) by doing the following in uhid_open int s = splhigh(); tty_imask |= bio_imask; splx( s ); >How-To-Repeat: Do a lot of sio activity (preferably with a PUC card) and UHID activity at the same time. On average, about 3-5 days for a panic. See http://lists.freebsd.org/pipermail/freebsd-stable/2004-October/008964.html >Fix: Possibly, *** uhid.c.orig Wed Oct 20 14:16:05 2004 --- uhid.c Wed Oct 20 14:16:56 2004 *************** *** 411,416 **** --- 411,424 ---- if (sc->sc_dying) return (ENXIO); + /* KDW - test change to force class tty to include uhid */ + { + int s = splhigh(); + tty_imask |= bio_imask; + splx( s ); + } + /* end KDW */ + if (sc->sc_state & UHID_OPEN) return (EBUSY); sc->sc_state |= UHID_OPEN; >Release-Note: >Audit-Trail: >Unformatted: