NetBSD Problem Report #19564

Received: (qmail 11011 invoked by uid 605); 26 Dec 2002 04:54:22 -0000
Message-Id: <200212260454.gBQ4sI118104@mail.tenjin.org>
Date: Thu, 26 Dec 2002 13:54:18 +0900 (JST)
From: kawamoto@tenjin.org
Sender: gnats-bugs-owner@netbsd.org
Reply-To: kawamoto@tenjin.org
To: gnats-bugs@gnats.netbsd.org
Cc: kawamoto@tenjin.org
Subject: kernel panic with wsconsctl -m
X-Send-Pr-Version: 3.95

>Number:         19564
>Category:       kern
>Synopsis:       kernel panic with wsconsctl -m
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          analyzed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 26 04:55:00 +0000 2002
>Closed-Date:    
>Last-Modified:  Fri May 23 17:17:48 +0000 2003
>Originator:     KAWAMOTO Yosihisa
>Release:        NetBSD 1.6K (Dec 22 2002)
>Organization:
	tenjin.org
>Environment:
System: NetBSD tenjin 1.6K NetBSD 1.6K (SALLY) #127: Thu Dec 26 05:01:12 JST 2002 kawamoto@linus.ics.es.osaka-u.ac.jp:/usr/src/sys/arch/i386/compile/SALLY i386
Architecture: i386
Machine: i386
>Description:
	With wsmoused or X window system, kernel does panic as follows:
		# sh /etc/rc.d/wsmoused start
		Starting wsmoused.
		# wsconsctl -m -a
		type=ps2
		# (I move mouse and see the kernel messages on console)
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		wsmouse_input: evar->q=NULL
		# sh /etc/rc.d/wsmoused stop
		Stopping wsmoused.
		Waiting for PIDS: 322panic: free: addr 0x0 not within kmem_map
		Stopped in pid 322 (wsmoused) at        cpu_Debugger+0x4:      leave
		db> tr
		cpu_Debugger(0,c08f1138,d2fdda5c,c031d4bb,c08f1200) at cpu_Debugger+0x4
		panic(c03cf860,0,0,0,c08f1138) at panic+0xad
		free(0,2,d303dd30,c031b8e0,c08f1100) at free+0x29
		wsevent_fini(c08f1138,0,d303dd60,c031b870,c08f1100) at wsevent_fini+0x17
		wsmuxclose(4100,5,2000,d29a8784,d2fdda5c) atwsmuxclose+0x4c
		spec_close(d303ddfc,30002,d2fdda5c,c02ddd03,d2fdda5c) at spec_close+0x178
		...
		syscall_plain(2b,2b,2b,2b,0) at syscall_plain+0xa7
		db> sync
		syncing disks... done

	Real mouse drivers are follows:
		# dmesg | egrep '(mouse|ms)'
		pms0 at pckbc0 (aux slot)
		wsmouse0 at pms0 mux 0
		ums0 at uhidev1: 3 buttons and Z dir.
		wsmouse1 at ums0 mux 0

>How-To-Repeat:
	As above.
>Fix:
	I don't know.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->jmmv 
Responsible-Changed-By: gmcgarry 
Responsible-Changed-When: Sun May 4 01:40:59 UTC 2003 
Responsible-Changed-Why:  
Bug introduced with wsmoused changes.  Can you deal with it Julio? 
State-Changed-From-To: open->analyzed 
State-Changed-By: jmmv 
State-Changed-When: Mon May 5 19:17:27 UTC 2003 
State-Changed-Why:  
This bug wasn't introduced with wsmoused;  it just shows it. 

wsmoused uses (by default) /dev/wsmouse to read from the mouse; this device 
is controlled by wsmux and is redirected to the appropiate attached wsmouse* 
device.  In contrast, wsconsctl opens /dev/wsmouse0, bypassing wsmux and 
using the wsmouse driver directly. 

Let's analyze the code in the kernel.  open()'s and close()'s are handled 
in different places depending if you used /dev/wsmouse or /dev/wsmouse[0-9] 
(i.e., wsmux and wsmouse respectively).  If the device is open through wsmux, 
wsmouse won't notice it, and the open reference count won't be incremented, 
thus when closed (wsconsctl finishes while wsmoused is running) the kernel 
enters an unconsistent state. 

If you configure wsmoused to use /dev/wsmouse0, then everything works fine 
because the reference count is handled properly. 

This problem also affects wskbd, as it can be opened through wsmux too. 

The panic does not happen any more (nor all those error messages), although 
wsmoused stops working. 
Responsible-Changed-From-To: jmmv->kern-bug-people 
Responsible-Changed-By: jmmv 
Responsible-Changed-When: Fri May 23 17:17:05 UTC 2003 
Responsible-Changed-Why:  
I don't feel qualified enough to fix this right now.  Sorry. 
>Unformatted:

Home	PR Database Search