From owner-freebsd-bugs Mon Sep 18 12:50:11 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 40D7337B423
	for ; Mon, 18 Sep 2000 12:50:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id MAA24597;
	Mon, 18 Sep 2000 12:50:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id CA51837B423; Mon, 18 Sep 2000 12:46:35 -0700 (PDT)
Message-Id: <20000918194635.CA51837B423@hub.freebsd.org>
Date: Mon, 18 Sep 2000 12:46:35 -0700 (PDT)
From: mtaira@logicaleffect.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/21363: Panic in pcm/channel.c when running RealPlayer
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         21363
>Category:       kern
>Synopsis:       Panic in pcm/channel.c when running RealPlayer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 18 12:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Masanori Taira
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
>Environment:
FreeBSD Babylon.Babylonia 4.1-STABLE FreeBSD 4.1-STABLE #13: Sun Sep 17 13:20:42 JST 2000 taira@Babylon.Babylonia:/mntfree/usr/REL3-src/sys/compile/Babylon i386

part of dmesg:
sbc0: at port 0x220-0x22f,0x330-0x331,0x388-0x38b irq 5 drq 1,3 on isa0
sbc0: setting card to irq 5, drq 1, 3
pcm0: on sbc0
unknown0: at port 0x201 on isa0

>Description:
The kernel panics at times when watching a movie with RealPlayer.
RealPlayer's preference "Disable 16-bit sound(use 8-bit only)" is checked.
(I don't know whether this has anything to do with the panic.)

The panic occurs at /sys/dev/sound/pcm/channel.c:buf_clear().
I think the cause is doing a word write to a byte buffer.
>	p = (u_int16_t *)(b->buf + b->fp);
>	while (length > 1) {
>		*p++ = data;
>		length -= 2;
>		i += 2;
>		if (i >= b->bufsize) {
>			p = (u_int16_t *)b->buf;
>			i = 0;
>		}
>	}

'b->buf' is a pointer to a byte buffer.

Here are the panic messages and the crash dump trace:
-----
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc0870000
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc02318cc
stack pointer           = 0x10:0xc3044d2c
frame pointer           = 0x10:0xc3044d34
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 639 (rvplayer)
interrupt mask          = tty
trap number             = 12
panic: page fault
-----
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
302             dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
#1  0xc0147fb0 in poweroff_wait (junk=0xc029e02f, howto=-1024762976)
    at ../../kern/kern_shutdown.c:552
#2  0xc02645f9 in trap_fatal (frame=0xc3044cec, eva=3230072832)
    at ../../i386/i386/trap.c:951
#3  0xc02642d1 in trap_pfault (frame=0xc3044cec, usermode=0, eva=3230072832)
    at ../../i386/i386/trap.c:844
#4  0xc0263e8b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -1065829568, tf_esi = -1065829476, tf_ebp = -1023128268,
      tf_isp = -1023128296, tf_ebx = 43, tf_edx = 131071, tf_ecx = 32896,
      tf_eax = -1064894465, tf_trapno = 12, tf_err = 2, tf_eip = -1071441716,
      tf_cs = 8, tf_eflags = 66050, tf_esp = -1065829476, tf_ss = 533})
    at ../../i386/i386/trap.c:443
#5  0xc02318cc in buf_clear (b=0xc078bb9c, fmt=8, length=533)
    at ../../dev/sound/pcm/channel.c:884
#6  0xc0230ef3 in chn_wrfeed (c=0xc078bb00)
    at ../../dev/sound/pcm/channel.c:285
#7  0xc0230ffe in chn_wrfeed2nd (c=0xc078bb00, buf=0xc3044edc)
    at ../../dev/sound/pcm/channel.c:336
#8  0xc02311b2 in chn_write (c=0xc078bb00, buf=0xc3044edc)
    at ../../dev/sound/pcm/channel.c:476
#9  0xc0232544 in dsp_write (d=0xc0792400, chan=0, buf=0xc3044edc, flag=8323089) at
../../dev/sound/pcm/dsp.c:197
#10 0xc02344d9 in sndwrite (i_dev=0xc0794a00, buf=0xc3044edc, flag=8323089)
    at ../../dev/sound/pcm/sound.c:359
#11 0xc017d0cd in spec_write (ap=0xc3044e6c)
    at ../../miscfs/specfs/spec_vnops.c:281
#12 0xc020f950 in ufsspec_write (ap=0xc3044e6c)
    at ../../ufs/ufs/ufs_vnops.c:1855
#13 0xc020fe05 in ufs_vnoperatespec (ap=0xc3044e6c)
    at ../../ufs/ufs/ufs_vnops.c:2303
#14 0xc01795d8 in vn_write (fp=0xc083ab00, uio=0xc3044edc, cred=0xc084db00,
    flags=0, p=0xc2eb5ba0) at vnode_if.h:363
#15 0xc01553e5 in dofilewrite (p=0xc2eb5ba0, fp=0xc083ab00, fd=5,
    buf=0x81a13ac, nbyte=533, offset=-1, flags=0) at ../../sys/file.h:159
#16 0xc01552cb in write (p=0xc2eb5ba0, uap=0xc3044f80)
    at ../../kern/sys_generic.c:310
#17 0xc02648a5 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 135926584, tf_esi = 533, tf_ebp = -1077939908,
      tf_isp = -1023127596, tf_ebx = 5, tf_edx = 533, tf_ecx = 135926700,
      tf_eax = 4, tf_trapno = 0, tf_err = 2, tf_eip = 674101540, tf_cs = 31,
      tf_eflags = 518, tf_esp = -1077939912, tf_ss = 47})
    at ../../i386/i386/trap.c:1150
#18 0xc02591b5 in Xint0x80_syscall ()

>How-To-Repeat:
Run RealPlayer. (However, a panic does not always occur.)
RealPlayer's preference "Disable 16-bit sound(use 8-bit only)" is checked.
(I don't know whether this has anything to do with the panic.)

>Fix:
I patched it temporarily as follows.

*** /sys/dev/sound/pcm/channel.c Sun Aug 27 00:23:43 2000 --- channel.c Tue Sep 19 04:31:09 2000 *************** *** 882,890 **** i = b->fp; p = (u_int16_t *)(b->buf + b->fp); while (length > 1) { ! *p++ = data; ! length -= 2; ! i += 2; if (i >= b->bufsize) { p = (u_int16_t *)b->buf; i = 0; --- 882,898 ---- i = b->fp; p = (u_int16_t *)(b->buf + b->fp); while (length > 1) { ! if (i+2 > b->bufsize) { ! *(u_int8_t *)p = (u_int8_t)data; ! p = (u_int16_t *)b->buf; ! *((u_int8_t *)p)++ = (u_int8_t)(data>>8); ! length -= 2; ! i = 1; ! } else { ! *p++ = data; ! length -= 2; ! i += 2; !
} if (i >= b->bufsize) { p = (u_int16_t *)b->buf; i = 0;

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
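
Review bot: in the added 'if (i+2 > b->bufsize)' branch, the statement '*((u_int8_t *)p)++ = (u_int8_t)(data>>8);' applies '++' to the result of a cast, which is a GCC extension rather than standard C, and it leaves 'p' as a 'u_int16_t *' pointing at 'b->buf + 1', so the later '*p++ = data' stores are unaligned and, with 'i = 1', an even 'bufsize' sends every following wrap through the split branch again. Because 'b->buf' is a byte buffer, I would walk it with a 'u_int8_t *' cursor and wrap when 'i == b->bufsize', which removes the store past the end without depending on the cast or on alignment. The split also puts the low byte of 'data' at the end of the buffer and the high byte at the start, which matches a little-endian word store only, so that assumption deserves a comment or a byte-order-neutral fill.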
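
Added example (not part of the original report and not FreeBSD code): a user-space C model of the fill loop quoted in the Description, next to a byte-wise variant, with guard bytes placed after the buffer to show when the 2-byte store lands past the end. The struct, the function names, the 16-byte buffer size and the fill value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16      /* constructed size for the model */
#define GUARD   0xAA    /* marks the two bytes just past the buffer */

struct ring { uint8_t buf[BUFSIZE + 2]; size_t bufsize, fp; };

/* Same control flow as the quoted loop: 2-byte stores, wrap test only afterwards. */
static void fill_words(struct ring *b, uint16_t data, size_t length)
{
    size_t i = b->fp;
    while (length > 1) {
        memcpy(b->buf + i, &data, 2);   /* stands in for *p++ = data */
        length -= 2;
        i += 2;
        if (i >= b->bufsize) i = 0;
    }
}

/* Byte-wise variant: wrap test after every byte; low byte first (little-endian, assumed). */
static void fill_bytes(struct ring *b, uint16_t data, size_t length)
{
    size_t i = b->fp, k;
    length &= ~(size_t)1;               /* whole 2-byte units, as above */
    for (k = 0; k < length; k++) {
        b->buf[i] = (k & 1) ? (uint8_t)(data >> 8) : (uint8_t)data;
        if (++i == b->bufsize) i = 0;
    }
}

/* Returns how many guard bytes past the end were overwritten. */
static int overrun(void (*fill)(struct ring *, uint16_t, size_t), size_t fp, size_t length)
{
    struct ring b;
    memset(b.buf, GUARD, sizeof b.buf);
    b.bufsize = BUFSIZE; b.fp = fp;
    fill(&b, 0x8080, length);           /* constructed fill value */
    return (b.buf[BUFSIZE] != GUARD) + (b.buf[BUFSIZE + 1] != GUARD);
}

int main(void)
{
    printf("word fill, fp=0:   %d\n", overrun(fill_words, 0, 533));
    printf("word fill, fp=15:  %d\n", overrun(fill_words, 15, 533));
    printf("byte fill, fp=15:  %d\n", overrun(fill_bytes, 15, 533));
    return 0;
}
```

In this model the word fill stays in bounds while the start offset is even and overwrites one guard byte as soon as it starts at the last (odd) offset; the byte-wise fill never touches the guard.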