Date: Tue, 25 Nov 2003 22:34:43 +0100 From: Artur Poplawski <artur@szuruburu.neostrada.pl> To: freebsd-current@freebsd.org Subject: Re: pcm(4) related panic Message-ID: <20031125223443.45cdfae3.artur@szuruburu.neostrada.pl> In-Reply-To: <20031125161723.14260206.artur@szuruburu.neostrada.pl> References: <20031125161723.14260206.artur@szuruburu.neostrada.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Artur Poplawski <artur@szuruburu.neostrada.pl> wrote: > Hello, = =20 > = =20 > On a 5.1-RELEASE and 5.2-BETA machines I have been able to cause a panic= =20 > like this: > =20 > (watch out for folded lines; the stack backtrace below is rewritten by > hand from ddb) >=20 > lock order reversal > 1st 0xc22a45ac vm object (vm object) @ /usr/src/sys/vm/swap_pager.c:1323 > 2nd 0xc06c0420 swap_pager swhash (swap_pager swhash) @ \ > /usr/src/sys/vm/swap_pager.c:1838 > 3rd 0xc0c358c4 vm object (vm object) @ /usr/src/sys/vm/uma_core.c:876 > Stack backtrace: > backtrace > witness_lock > _mtx_lock_flags > obj_allock > slab_zalloc > uma_zone_slab > uma_zalloc_internal > uma_zalloc_arg > swp_pager_meta_build > swap_pager_putpages > default_pager_putpages > vm_pageout_flush > vm_pageout_clean > vm_pageout_scan > vm_pageout > fork_exit > fork_trampoline >=20 > Sleeping on "swread" with the following non-sleepable locks held: > exclusive sleep mutex pcm0:play:0 (pcm channel) r =3D 0 (0xc1c3d740) lock= ed @ \ =20 > /usr/src/sys/dev/sound/pcm/dsp.c:146 > panic: sleeping thread (pid 583) owns a non-sleepable lock > syncing disks, buffers remaining... 1410 1410 panic: mi_switch: \=20 > switch in a critical section > Uptime: 1m45s > panic: msleep > Uptime: 1m45s > panic: msleep > Uptime: 1m45s > panic: msleep > Uptime: 1m45s > panic: msleep > [... repeated few more times] > Fatal double fault: > eip =3D 0xc05e3916 > esp =3D 0xc8db8ff4 > ebp =3D 0xc8db9004 > panic: double fault > Uptime: 1m45s > panic: msleep > Uptime: 1m45s=20 > panic: msleep > Uptime: 1m45s > panic: msleep > Uptime: 1m45s > [...] > And the machine suddenly reboots, so there is no coredump. > =20 > eip address points close to: > c05e3910 T sc_vtb_putc > =20 > To reproduce this panic just start some audio player app (like xmms),=20 > and launch countless memory-eating applications (like mozilla ;>). > The machine starts swapping, and it panics.=20 >=20 > % uname -a=20 > FreeBSD kaszanka.domek 5.2-BETA FreeBSD 5.2-BETA #0: Sun Nov 23 01:23:10\= =20 > CET 2003 artur@kaszanka.domek:/usr/obj/usr/src/sys/KASZANKA i386=20 >=20 > dmesg fragments: > CPU: AMD Athlon(tm) XP 2000+ (1666.73-MHz 686-class CPU) > pcm0: <AudioPCI ES1373-B> port 0xec00-0xec3f irq 10 at device 8.0 on pci0= =20 > pcm0: <Cirrus Logic CS4297A AC97 Codec> > rl0: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem \ > 0xdfffff00-0xdfffffff ir > q 10 at device 10.0 on pci0 > miibus0: <MII bus> on rl0 > rlphy0: <RealTek internal media interface> on miibus0 > rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto > rl1: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem \ > 0xdffffe00-0xdffffeff ir > q 10 at device 11.0 on pci0 > rlphy1: <RealTek internal media interface> on miibus1 > rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto In the meantime I've managed to get a coredump, by directly calling doadump() from ddb. Results: root@kaszanka:/usr/obj/usr/src/sys/KASZANKA# gdb -k kernel.debug /var/crash= /vmcore.0 GNU gdb 5.2.1 (FreeBSD) =20 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain condition= s. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-undermydesk-freebsd"... panic: sleeping thread (pid 568) owns a non-sleepable lock panic messages: --- panic: sleeping thread (pid 568) owns a non-sleepable lock syncing disks, buffers remaining... panic: msleep Dumping 128 MB 16 32 48 64 80 96 112 --- Reading symbols from /usr/obj/usr/src/sys/KASZANKA/modules/usr/src/sys/modu= les/linprocfs/linprocfs.ko.debug...done. Loaded symbols for /usr/obj/usr/src/sys/KASZANKA/modules/usr/src/sys/module= s/linprocfs/linprocfs.ko.debug Reading symbols from /usr/obj/usr/src/sys/KASZANKA/modules/usr/src/sys/modu= les/linux/linux.ko.debug...done. Loaded symbols for /usr/obj/usr/src/sys/KASZANKA/modules/usr/src/sys/module= s/linux/linux.ko.debug Reading symbols from /boot/kernel/netgraph.ko...done. Loaded symbols for /boot/kernel/netgraph.ko Reading symbols from /boot/kernel/ng_ether.ko...done. Loaded symbols for /boot/kernel/ng_ether.ko Reading symbols from /boot/kernel/ng_pppoe.ko...done. Loaded symbols for /boot/kernel/ng_pppoe.ko Reading symbols from /boot/kernel/ng_socket.ko...done. Loaded symbols for /boot/kernel/ng_socket.ko Reading symbols from /boot/kernel/mga.ko...done. Loaded symbols for /boot/kernel/mga.ko #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240 240 dumping++; (kgdb) where #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240 #1 0xc04292cd in db_fncall (dummy1=3D0, dummy2=3D0, dummy3=3D0, dummy4=3D0= xc8dba7bc "=E0=D7h=C0") at /usr/src/sys/ddb/db_command.c:548 #2 0xc042906a in db_command (last_cmdp=3D0xc068ce80, cmd_table=3D0x0, aux_= cmd_tablep=3D0xc06480c0, aux_cmd_tablep_end=3D0xc06480c4) at /usr/src/sys/ddb/db_command.c:346 #3 0xc0429178 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472 #4 0xc042beb9 in db_trap (type=3D3, code=3D0) at /usr/src/sys/ddb/db_trap.= c:73 #5 0xc05f00b3 in kdb_trap (type=3D3, code=3D0, regs=3D0xc8dba8fc) at /usr/= src/sys/i386/i386/db_interface.c:171 #6 0xc05ff9ee in trap (frame=3D {tf_fs =3D 24, tf_es =3D 16, tf_ds =3D 16, tf_edi =3D 0, tf_esi =3D -= 1067253613, tf_ebp =3D -925128376, tf_isp =3D -925128408, tf_ebx =3D 0, tf_= edx =3D 0, tf_ecx =3D 0, tf_eax =3D 18, tf_trapno =3D 3, tf_err =3D 0, tf_e= ip =3D -1067515059, tf_cs =3D 8, tf_eflags =3D 134, tf_esp =3D -1067175921,= tf_ss =3D -1067255602}) at /usr/src/sys/i386/i386/trap.c:580 #7 0xc05f1988 in calltrap () at {standard input}:94 #8 0xc04e76fc in panic (fmt=3D0xc0630093 "msleep") at /usr/src/sys/kern/ke= rn_shutdown.c:534 #9 0xc04ee999 in msleep (ident=3D0xc4461408, mtx=3D0xc06be3a0, priority=3D= 76, wmesg=3D0xc0635f46 "biord", timo=3D0) at /usr/src/sys/kern/kern_synch.c:262 #10 0xc0532dd6 in bwait (bp=3D0xc4461408, pri=3D76 'L', wchan=3D0xc0635f46 = "biord") at /usr/src/sys/kern/vfs_bio.c:3762 #11 0xc0531523 in bufwait (bp=3D0xc4461408) at /usr/src/sys/kern/vfs_bio.c:= 3044 #12 0xc052d066 in breadn (vp=3D0xc1cd3000, blkno=3D0, size=3D0, rablkno=3D0= x0, rabsize=3D0x0, cnt=3D0, cred=3D0x0, bpp=3D0x0) at /usr/src/sys/kern/vfs_bio.c:747 #13 0xc052cd7c in bread (vp=3D0x0, blkno=3D0, size=3D0, cred=3D0x0, bpp=3D0= x0) at /usr/src/sys/kern/vfs_bio.c:682 #14 0xc0590087 in ffs_update (vp=3D0xc1daf104, waitfor=3D0) at /usr/src/sys= /ufs/ffs/ffs_inode.c:108 #15 0xc05a529f in ffs_fsync (ap=3D0xc8dbab68) at /usr/src/sys/ufs/ffs/ffs_v= nops.c:325 #16 0xc05a4334 in ffs_sync (mp=3D0xc1ccc400, waitfor=3D2, cred=3D0xc0f99e80= , td=3D0xc06922c0) at vnode_if.h:627 #17 0xc054236b in sync (td=3D0xc06922c0, uap=3D0x0) at /usr/src/sys/kern/vf= s_syscalls.c:141 #18 0xc04e6f60 in boot (howto=3D256) at /usr/src/sys/kern/kern_shutdown.c:2= 81 #19 0xc04e7767 in panic () at /usr/src/sys/kern/kern_shutdown.c:550 #20 0xc050b4f0 in propagate_priority (td=3D0xc1dc98c0) at /usr/src/sys/kern= /subr_turnstile.c:176 #21 0xc050bf17 in turnstile_wait (ts=3D0xc0f9e1c0, lock=3D0xc1c3d740, owner= =3D0xc1dc98c0) at /usr/src/sys/kern/subr_turnstile.c:509 #22 0xc04de21f in _mtx_lock_sleep (m=3D0xc1c3d740, opts=3D0, file=3D0xc0628= d54 "/usr/src/sys/dev/sound/pcm/channel.c", line=3D440) at /usr/src/sys/kern/kern_mutex.c:476 #23 0xc04dddd7 in _mtx_lock_flags (m=3D0xc1c3d740, opts=3D0, file=3D0xc0628= d54 "/usr/src/sys/dev/sound/pcm/channel.c", line=3D440) at /usr/src/sys/kern/kern_mutex.c:218 #24 0xc049258f in chn_intr (c=3D0xc1c3d740) at /usr/src/sys/dev/sound/pcm/c= hannel.c:440 #25 0xc047d973 in es_intr (p=3D0xc1bee280) at /usr/src/sys/dev/sound/pci/es= 137x.c:469 #26 0xc04d42c2 in ithread_loop (arg=3D0xc0fa3880) at /usr/src/sys/kern/kern= _intr.c:544 #27 0xc04d32d4 in fork_exit (callout=3D0xc04d4150 <ithread_loop>, arg=3D0x0= , frame=3D0x0) at /usr/src/sys/kern/kern_fork.c:793 (kgdb) up 9 #9 0xc04ee999 in msleep (ident=3D0xc4461408, mtx=3D0xc06be3a0, priority=3D= 76, wmesg=3D0xc0635f46 "biord", timo=3D0) at /usr/src/sys/kern/kern_synch.c:262 262 KASSERT(TD_IS_RUNNING(td), ("running but not TDS_RUNNING")); (kgdb) l 257 /* 258 * We're awake from voluntary sleep. 259 */ 260 CTR3(KTR_PROC, "msleep resume: thread %p (pid %d, %s)", td,= p->p_pid, 261 p->p_comm); 262 KASSERT(TD_IS_RUNNING(td), ("running but not TDS_RUNNING")); 263 td->td_flags &=3D ~TDF_SINTR; 264 if (td->td_flags & TDF_TIMEOUT) { 265 td->td_flags &=3D ~TDF_TIMEOUT; 266 if (sig =3D=3D 0) (kgdb) up 1 #10 0xc0532dd6 in bwait (bp=3D0xc4461408, pri=3D76 'L', wchan=3D0xc0635f46 = "biord") at /usr/src/sys/kern/vfs_bio.c:3762 3762 msleep(bp, &bdonelock, pri, wchan, 0); (kgdb) l 3757 void 3758 bwait(struct buf *bp, u_char pri, const char *wchan) 3759 { 3760 mtx_lock(&bdonelock); 3761 while ((bp->b_flags & B_DONE) =3D=3D 0) 3762 msleep(bp, &bdonelock, pri, wchan, 0); 3763 mtx_unlock(&bdonelock); 3764 } 3765 =20 3766 #include "opt_ddb.h" (kgdb) up 8 #18 0xc04e6f60 in boot (howto=3D256) at /usr/src/sys/kern/kern_shutdown.c:2= 81 281 sync(&thread0, NULL); (kgdb) up 2 #20 0xc050b4f0 in propagate_priority (td=3D0xc1dc98c0) at /usr/src/sys/kern= /subr_turnstile.c:176 176 KASSERT(!TD_IS_SLEEPING(td), (kgdb) l 171 * first thread to grab a slock of a sx lock. In t= hat case 172 * it is possible for us to be at SSLEEP or some ot= her 173 * weird state. We should probably just return if = the state 174 * isn't SRUN or SLOCK. 175 */ 176 KASSERT(!TD_IS_SLEEPING(td), 177 ("sleeping thread (pid %d) owns a non-sleepable= lock", 178 td->td_proc->p_pid)); 179 =20 180 /* (kgdb) up 1 #21 0xc050bf17 in turnstile_wait (ts=3D0xc0f9e1c0, lock=3D0xc1c3d740, owner= =3D0xc1dc98c0) at /usr/src/sys/kern/subr_turnstile.c:509 509 propagate_priority(td); (kgdb) l 504 =20 505 /* Save who we are blocked on and switch. */ 506 td->td_blocked =3D ts; 507 td->td_lockname =3D lock->lo_name; 508 TD_SET_LOCK(td); 509 propagate_priority(td); 510 =20 511 if (LOCK_LOG_TEST(lock, 0)) 512 CTR4(KTR_LOCK, "%s: td %p blocked on [%p] %s", __fu= nc__, td, 513 lock, lock->lo_name); (kgdb) up 1 =20 #22 0xc04de21f in _mtx_lock_sleep (m=3D0xc1c3d740, opts=3D0, file=3D0xc0628= d54 "/usr/src/sys/dev/sound/pcm/channel.c", line=3D440) at /usr/src/sys/kern/kern_mutex.c:476 476 turnstile_wait(ts, &m->mtx_object, mtx_owner(m)); (kgdb) l 471 #endif 472 =20 473 /* 474 * Block on the turnstile. 475 */ 476 turnstile_wait(ts, &m->mtx_object, mtx_owner(m)); 477 } 478 =20 479 #ifdef KTR 480 if (cont_logged) { (kgdb) up 1 =20 #23 0xc04dddd7 in _mtx_lock_flags (m=3D0xc1c3d740, opts=3D0, file=3D0xc0628= d54 "/usr/src/sys/dev/sound/pcm/channel.c", line=3D440) at /usr/src/sys/kern/kern_mutex.c:218 218 _get_sleep_lock(m, curthread, opts, file, line); (kgdb) l 213 =20 214 MPASS(curthread !=3D NULL); 215 KASSERT(m->mtx_object.lo_class =3D=3D &lock_class_mtx_sleep, 216 ("mtx_lock() of spin mutex %s @ %s:%d", m->mtx_object.l= o_name, 217 file, line)); 218 _get_sleep_lock(m, curthread, opts, file, line); 219 LOCK_LOG_LOCK("LOCK", &m->mtx_object, opts, m->mtx_recurse,= file, 220 line); 221 WITNESS_LOCK(&m->mtx_object, opts | LOP_EXCLUSIVE, file, li= ne); 222 #ifdef MUTEX_PROFILING (kgdb) up 1 #24 0xc049258f in chn_intr (c=3D0xc1c3d740) at /usr/src/sys/dev/sound/pcm/c= hannel.c:440 440 CHN_LOCK(c); (kgdb) l 435 } 436 =20 437 void 438 chn_intr(struct pcm_channel *c) 439 { 440 CHN_LOCK(c); 441 c->interrupts++; 442 if (c->direction =3D=3D PCMDIR_PLAY) 443 chn_wrintr(c); 444 else (kgdb) up 1 #25 0xc047d973 in es_intr (p=3D0xc1bee280) at /usr/src/sys/dev/sound/pci/es= 137x.c:469 469 if (intsrc & STAT_DAC2) chn_intr(es->pch.channel); (kgdb) l 464 bus_space_write_4(es->st, es->sh, ES1370_REG_SERIAL_CONTROL= , sctrl); 465 bus_space_write_4(es->st, es->sh, ES1370_REG_SERIAL_CONTROL= , es->sctrl); 466 =20 467 if (intsrc & STAT_ADC) chn_intr(es->rch.channel); 468 if (intsrc & STAT_DAC1); 469 if (intsrc & STAT_DAC2) chn_intr(es->pch.channel); 470 } 471 =20 472 /* ES1370 specific */ 473 static int
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031125223443.45cdfae3.artur>