NetBSD Problem Report #51746
From www@NetBSD.org Mon Dec 26 21:41:47 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 831F67A287
for <gnats-bugs@gnats.NetBSD.org>; Mon, 26 Dec 2016 21:41:47 +0000 (UTC)
Message-Id: <20161226214146.5AABC7A34B@mollari.NetBSD.org>
Date: Mon, 26 Dec 2016 21:41:46 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: Panics from audio
X-Send-Pr-Version: www-1.0
>Number: 51746
>Category: kern
>Synopsis: Panics from audio
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: nat
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 26 21:45:00 +0000 2016
>Closed-Date: Sun Feb 26 02:00:11 +0000 2017
>Last-Modified: Sun Feb 26 02:00:11 +0000 2017
>Originator: coypu
>Release: NetBSD 7.99.52
>Organization:
>Environment:
NetBSD box 7.99.52 NetBSD 7.99.52 (GENERIC) #3: Sun Dec 25 12:52:45 IST 2016 fly@box:/home/fly/gcc3/sys/arch/amd64/compile/GENERIC amd64
>Description:
No coredump because those stopped working for me.
My pile of backtraces over time:
uvm_fault(0xfffffe838444c738, 0x2000, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff80648ade cs 8 rflags 10202 cr2 24a8 ilevel 8 rsp fffffe811dcbeba0
curlwp 0xfffffe8469ff68e0 pid 1455.870 lowest kstack 0xfffffe811dcbb2c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
trap() at netbsd:trap+0xc76
--- trap (number 6) ---
audio_write() at netbsd:audio_write+0x173
audiowrite() at netbsd:audiowrite+0x5a
spec_write() at netbsd:spec_write+0xb2
VOP_WRITE() at netbsd:VOP_WRITE+0x37
vn_write() at netbsd:vn_write+0xec
dofilewrite() at netbsd:dofilewrite+0x97
sys_write() at netbsd:sys_write+0x5f
syscall() at netbsd:syscall+0x1df
--- syscall (number 4) ---
7ce9cee3ca2a:
cpu0: End traceback...
WARNING: SPL NOT LOWERED ON SYSCALL 1 4 EXIT 3ef0e000 7
netbsd:trap+0xc4b
--- trap (number 6) ---
audio_ioctl() at netbsd:audio_ioctl+0x4bf
audioioctl() at netbsd:audioioctl+0xcd
VOP_IOCTL() at netbsd:VOP_IOCTL+0x3b
vn_ioctl() at netbsd:vn_ioctl+0xa6
sys_ioctl() at netbsd:sys_ioctl+0x101
syscall() at netbsd:syscall+0x15b
--- syscall (number 54) ---
74fd3e900b3a:
cpu8: End traceback...
uvm_fault(0xfffffe8124749750, 0x2000, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff8064589b cs 8 rflags 10202 cr2 24a8 ilevel 8 rsp fffffe813057cba0
curlwp 0xfffffe8469fa84c0 pid 887.411 lowest kstack 0xfffffe81305792c0
trap type 6 code 0 rip ffffffff80648c08 cs 8 rflags 13202 cr2 64000003f8 ilevel 0 rsp fffffe80017deba0
curlwp 0xfffffe824c752940 pid 12099.1573 lowest kstack 0xfffffe80017db2c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
trap() at netbsd:trap+0xc76
--- trap (number 6) ---
audio_write() at netbsd:audio_write+0x29d
audiowrite() at netbsd:audiowrite+0x5a
spec_write() at netbsd:spec_write+0xb2
VOP_WRITE() at netbsd:VOP_WRITE+0x37
vn_write() at netbsd:vn_write+0xec
dofilewrite() at netbsd:dofilewrite+0x97
sys_write() at netbsd:sys_write+0x5f
syscall() at netbsd:syscall+0x1df
--- syscall (number 4) ---
7f7ff6c3ca2a:
cpu0: End traceback...
uvm_fault(0xfffffe8403ab65c8, 0x0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip ffffffff8084c9ad cs 8 rflags 10286 cr2 c4 ilevel 8 rsp fffffe811de74b10
curlwp 0xfffffe83c31aeb20 pid 28137.1 lowest kstack 0xfffffe811de712c0
You get the point.
>How-To-Repeat:
Play audio.
Presumably play audio opening & closing the channel repeatedly, which happens "naturally" when playing from firefox.
>Fix:
>Release-Note:
>Audit-Trail:
From: "Nathanial Sloss" <nat@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51746 CVS commit: src/sys/dev
Date: Sat, 14 Jan 2017 20:05:38 +0000
Module Name: src
Committed By: nat
Date: Sat Jan 14 20:05:38 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Increment sc_opens only after channel is set up.
It should help PR kern/51746: Panics from audio.
To generate a diff of this commit:
cvs rdiff -u -r1.289 -r1.290 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: kern-bug-people->nat
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Tue, 17 Jan 2017 01:18:55 +0000
Responsible-Changed-Why:
I'll take this.
From: "Nathanial Sloss" <nat@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51746 CVS commit: src/sys/dev
Date: Sat, 21 Jan 2017 22:54:11 +0000
Module Name: src
Committed By: nat
Date: Sat Jan 21 22:54:11 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Don't release/reacquire thread lock during open in setup_[p/r]filters.
This can lead to panics and/or unpredictable behaviour.
Found by maya@
Addresses PR kern/51746.
To generate a diff of this commit:
cvs rdiff -u -r1.292 -r1.293 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: nat@NetBSD.org
State-Changed-When: Mon, 23 Jan 2017 21:30:55 +0000
State-Changed-Why:
Changes have been committed that address this PR.
From: coypu@SDF.ORG
To: gnats-bugs@NetBSD.org
Cc: nat@NetBSD.org
Subject: Re: kern/51746 (Panics from audio)
Date: Mon, 23 Jan 2017 21:59:25 +0000
It's holding up well so far, thanks for the fix!
(I'm not 100% sure yet, but if it turns out to be false,
I'll file it separately)
State-Changed-From-To: feedback->closed
State-Changed-By: nat@NetBSD.org
State-Changed-When: Mon, 23 Jan 2017 22:23:15 +0000
State-Changed-Why:
Submitter has confirmed it has been fixed. Thanks.
State-Changed-From-To: closed->open
State-Changed-By: maya@NetBSD.org
State-Changed-When: Fri, 03 Feb 2017 07:44:20 +0000
State-Changed-Why:
Still happening
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/51746 (Panics from audio)
Date: Fri, 3 Feb 2017 07:47:36 +0000
New backtraces.
Kernel:
NetBSD box 7.99.59 NetBSD 7.99.59 (GENERIC) #5: Wed Feb 1 07:54:05 IST 2017 fly@box:/usr/amd64/sys/arch/amd64/compile/GENERIC amd64
fatal integer divide fault in supervisor mode
trap type 8 code 0 rip ffffffff80650892 cs 8 rflags 10246 cr2 72b104ef8020 ilevel 0 rsp fffffe811dfbbbd0
curlwp 0xfffffe843c90b4e0 pid 361.695 lowest kstack 0xfffffe811dfb82c0
panic: trap
cpu4: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
audioioctl() at netbsd:audioioctl+0xcd
VOP_IOCTL() at netbsd:VOP_IOCTL+0x3b
vn_ioctl() at netbsd:vn_ioctl+0xa6
sys_ioctl() at netbsd:sys_ioctl+0x101
syscall() at netbsd:syscall+0x1d2
--- syscall (number 54) ---
72b16a0f189a:
cpu4: End traceback...
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff8065085f cs 8 rflags 10217 cr2 44a0 ilevel 8 rsp fffffe811df53bd0
curlwp 0xfffffe83203f9a00 pid 780.217 lowest kstack 0xfffffe811df502c0
panic: trap
cpu4: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
audioioctl() at netbsd:audioioctl+0xcd
VOP_IOCTL() at netbsd:VOP_IOCTL+0x3b
vn_ioctl() at netbsd:vn_ioctl+0xa6
sys_ioctl() at netbsd:sys_ioctl+0x101
syscall() at netbsd:syscall+0x1d2
--- syscall (number 54) ---
70589e0f189a:
cpu4: End traceback...
uvm_fault(0xfffffe838b3c0e78, 0x4000, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff8064c02b cs 8 rflags 10202 cr2 44a8 ilevel 8 rsp fffffe811dd87ba0
curlwp 0xfffffe8345781a20 pid 780.242 lowest kstack 0xfffffe811dd842c0
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/51746 (Panics from audio)
Date: Fri, 3 Feb 2017 08:36:54 +0000
audio_ioctl+0xcd is audio.c:1616
1611 case AUDIOCTL_DEVICE:
1612 device_active(sc->dev, DVA_SYSTEM);
1613 if (IOCGROUP(cmd) == IOCGROUP(AUDIO_MIXER_READ))
1614 error = mixer_ioctl(sc, cmd, addr, flag, l);
1615 else
1616 error = audio_ioctl(dev, sc, cmd, addr, flag, l);
1617 break;
page fault:
(gdb) x/i 0xffffffff8065085f
0xffffffff8065085f <audio_ioctl+1053>: mov 0x20(%rax),%rbx
(gdb) list *(audio_ioctl+1053)
0xffffffff8065085f is in audio_ioctl (/usr/src/sys/dev/audio.c:2856).
2851 ao = (struct audio_offset *)addr;
2852 mutex_enter(sc->sc_intr_lock);
2853 /* figure out where next DMA will start */
2854 stamp = vc->sc_pustream == &vc->sc_mpr.s
2855 ? vc->sc_mpr.stamp : vc->sc_mpr.fstamp;
2856 offs = vc->sc_pustream->outp - vc->sc_pustream->start
2857 + vc->sc_mpr.blksize;
2858 mutex_exit(sc->sc_intr_lock);
2859 ao->samples = stamp;
2860 ao->deltablks =
zero division:
(gdb) x/i 0xffffffff80650892
0xffffffff80650892 <audio_ioctl+1104>: div %rcx
(gdb) list *(audio_ioctl+1104)
0xffffffff80650892 is in audio_ioctl (/usr/src/sys/dev/audio.c:2860).
2855 ? vc->sc_mpr.stamp : vc->sc_mpr.fstamp;
2856 offs = vc->sc_pustream->outp - vc->sc_pustream->start
2857 + vc->sc_mpr.blksize;
2858 mutex_exit(sc->sc_intr_lock);
2859 ao->samples = stamp;
2860 ao->deltablks =
2861 (stamp / vc->sc_mpr.blksize) -
2862 (vc->sc_mpr.stamp_last / vc->sc_mpr.blksize);
2863 vc->sc_mpr.stamp_last = stamp;
2864 if (vc->sc_pustream->start + offs >= vc->sc_pustream->end)
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/51746 (Panics from audio)
Date: Fri, 3 Feb 2017 11:41:36 +0000
hmm, maybe no safe?
2022 mutex_exit(sc->sc_lock);
2023 audio_free_ring(sc, &vc->sc_mpr);
Not sure if sc_mpr.something the right problem one.
audio_ioctl has sc_lock & sc_intr_lock held at the
fault.
From: "Nathanial Sloss" <nat@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51746 CVS commit: src/sys/dev
Date: Tue, 7 Feb 2017 02:05:27 +0000
Module Name: src
Committed By: nat
Date: Tue Feb 7 02:05:27 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Ensure the vc block size is set before call to set defaults.
It should address PR kern/51746 Panics from audio.
To generate a diff of this commit:
cvs rdiff -u -r1.300 -r1.301 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/51746 (Panics from audio)
Date: Sun, 19 Feb 2017 23:33:19 +0000
Unfortunately...
NetBSD box 7.99.60 NetBSD 7.99.60 (GENERIC) #1: Fri Feb 17 12:54:49 IST 2017 fly@box:/usr/amd64/sys/arch/amd64/compile/GENERIC amd64
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff80754ac5 cs 8 rflags 10246 cr2 0 ilevel 0 rsp fffffe811df9fc30
curlwp 0xfffffe847b6a4080 pid 28791.100 lowest kstack 0xfffffe811df9c2c0
panic: trap
cpu8: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
audio_write() at netbsd:audio_write+0x253
audiowrite() at netbsd:audiowrite+0x6f
dofilewrite() at netbsd:dofilewrite+0x97
sys_write() at netbsd:sys_write+0x5f
syscall() at netbsd:syscall+0x1d2
--- syscall (number 4) ---
7a4b4123dcda:
cpu8: End traceback...
dumping to dev 0,1 (offset=8, size=4150224):
dump
(gdb) list *(audio_write+0x253)
0xffffffff8074f112 is in audio_write (/usr/src/sys/dev/audio.c:2854).
2849 if (vc->sc_npfilters > 0) {
2850 filter = vc->sc_pfilters[0];
2851 filter->set_fetcher(filter, &ufetcher.base);
2852 fetcher = &vc->sc_pfilters[vc->sc_npfilters - 1]->base;
2853 cc = cb->blksize * 2;
2854 error = fetcher->fetch_to(sc, fetcher, &stream, cc);
2855 if (error != 0) {
2856 fetcher = &ufetcher.base;
2857 cc = vc->sc_pustream->end -
2858 vc->sc_pustream->start;
From: "Nathanial Sloss" <nat@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51746 CVS commit: src/sys/dev
Date: Tue, 21 Feb 2017 20:23:37 +0000
Module Name: src
Committed By: nat
Date: Tue Feb 21 20:23:37 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Ensure we still have a virtual channel after sleeping on sc_lock.
Addresses PR kern/51746: Panics from audio.
To generate a diff of this commit:
cvs rdiff -u -r1.306 -r1.307 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 26 Feb 2017 02:00:11 +0000
State-Changed-Why:
Not going to test further changes, I'm running the old audio code. let's hope it's fixed.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home