On 06/23/14 04:46, Alexander Kabaev wrote:
On Mon, 23 Jun 2014 06:04:20 +0400
Andrey Chernov <a...@freebsd.org> wrote:

Always happens at shutdown after all buffers are synced, see
screenshot: http://i.imgur.com/8WXTMPj.png

--
http://ache.vniz.net/

Hi Andrey,

there's not too much to go on from the screenshot alone and one would
expect more details on the crash from people with your experience :)

Please provide us with the information on the actual audio hardware
you are using, preferably in form of a dmesg output. This revision is
your culprit:
  http://svnweb.freebsd.org/changeset/base/267581 and I have strong
  suspicion that restoring the NULL check on dmatag in the chunk below
  will cure your crash.


Backtrace here:


> usbconfig -d 0.4 reset
> uaudio0: at uhub1, port 2, addr 4 (disconnected)
>
> vm_fault(0xc0661400, 0, 1, 0) -> 1
> Fatal kernel mode data abort: 'Translation Fault (P)'
> trapframe: 0xd28b8b58
> FSR=00000017, FAR=0000002c, spsr=60000113
> r0 =00000000, r1 =c1b35000, r2 =00000000, r3 =00000000
> r4 =c1a24000, r5 =00000000, r6 =c1b3338c, r7 =c172e150
> r8 =c1b35000, r9 =00000000, r10=c162a400, r11=d28b8bd0
> r12=c1bc9ad4, ssp=d28b8ba8, slr=c1b9855c, pc =c048fa3c
>
> [ thread pid 14 tid 100037 ]
> Stopped at      bus_dmamem_free+0x10:   ldr     r0, [r9, #0x02c]
> db> bt

> Tracing pid 14 tid 100037 td 0xc1712960
> db_trace_self() at db_trace_self
>          pc = 0xc0492958  lr = 0xc0130f38 (db_stack_trace+0xf4)
>          sp = 0xd28b8860  fp = 0xd28b8878
>         r10 = 0xc0660180
> db_stack_trace() at db_stack_trace+0xf4
>          pc = 0xc0130f38  lr = 0xc01308a8 (db_command+0x270)
>          sp = 0xd28b8880  fp = 0xd28b8920
>          r4 = 0x00000000  r5 = 0x00000000
>          r6 = 0x00000000
> db_command() at db_command+0x270
>          pc = 0xc01308a8  lr = 0xc013060c (db_command_loop+0x60)
>          sp = 0xd28b8928  fp = 0xd28b8938
>          r4 = 0xc04d2192  r5 = 0xc04ec76c
>          r6 = 0xc066016c  r7 = 0xc058b540
>          r8 = 0xc0656294  r9 = 0xc0656290
>         r10 = 0x00000001
> db_command_loop() at db_command_loop+0x60
>          pc = 0xc013060c  lr = 0xc0132fd4 (db_trap+0xd8)
>          sp = 0xd28b8940  fp = 0xd28b8a60
>          r4 = 0x00000000  r5 = 0xc0660178
>          r6 = 0xc06562c0
> db_trap() at db_trap+0xd8
>          pc = 0xc0132fd4  lr = 0xc028efbc (kdb_trap+0xbc)
>          sp = 0xd28b8a68  fp = 0xd28b8a88
>          r4 = 0x00000000  r5 = 0x00000017
>          r6 = 0xc06562c0  r7 = 0xc058b540
> kdb_trap() at kdb_trap+0xbc
>          pc = 0xc028efbc  lr = 0xc04a5194 (dab_fatal+0x174)
>          sp = 0xd28b8a90  fp = 0xd28b8aa8
>          r4 = 0xd28b8b58  r5 = 0x00000017
>          r6 = 0x600001d3  r7 = 0x0000002c
>          r8 = 0xd28b8b58  r9 = 0x00000013
>         r10 = 0x00000001
> dab_fatal() at dab_fatal+0x174
>          pc = 0xc04a5194  lr = 0xc04a4f4c (data_abort_handler+0x3e8)
>          sp = 0xd28b8ab0  fp = 0xd28b8b50
>          r4 = 0xc16be3cc  r5 = 0xc1712960
>          r6 = 0xd28b8eb0  r7 = 0x00000000
> data_abort_handler() at data_abort_handler+0x3e8
>          pc = 0xc04a4f4c  lr = 0xc04944d4 (exception_exit)
>          sp = 0xd28b8b58  fp = 0xd28b8bd0
>          r4 = 0xc1a24000  r5 = 0x00000000
>          r6 = 0xc1b3338c  r7 = 0xc172e150
>          r8 = 0xc1b35000  r9 = 0x00000000
>         r10 = 0xc162a400
> exception_exit() at exception_exit
>          pc = 0xc04944d4  lr = 0xc1b9855c (sndbuf_free+0x80)
>          sp = 0xd28b8ba8  fp = 0xd28b8bd0
>          r0 = 0x00000000  r1 = 0xc1b35000
>          r2 = 0x00000000  r3 = 0x00000000
>          r4 = 0xc1a24000  r5 = 0x00000000
>          r6 = 0xc1b3338c  r7 = 0xc172e150
>          r8 = 0xc1b35000  r9 = 0x00000000
>         r10 = 0xc162a400 r12 = 0xc1bc9ad4
> bus_dmamem_free() at bus_dmamem_free+0x10
>          pc = 0xc048fa3c  lr = 0xc1b984c4 (sndbuf_destroy+0x14)
>          sp = 0xd28b8bd8  fp = 0xd28b8be0
>          r4 = 0xc162ae00  r5 = 0xc1a24000
>          r6 = 0xd28b8bd0  r7 = 0xc1b9855c
>          r8 = 0x00000000  r9 = 0xc1a24000
> Unknown entry: 0
> sndbuf_destroy() at sndbuf_destroy+0x14
>          pc = 0xc1b984c4  lr = 0xc1b984c4 (sndbuf_destroy+0x14)
>          sp = 0xd28b8bd8  fp = 0xd28b8be0
> Unable to unwind into user mode

Please fix ASAP. Should be trivial to reproduce. Possibly a double free. In case of USB audio sndbuf_destroy() should not free any bus dmamem or know about busdma, because all of this is done by the USB stack!

--HPS
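
A triage sketch for the trapframe quoted above, added here as an example and not code from the thread or from FreeBSD: it recomputes the faulting load's effective address from the register dump and checks it against FAR, which shows the abort is a field read at offset 0x2c through a NULL base register, consistent with the missing NULL check suspected earlier in the thread. The function name `triage` and the 0x1000 "NULL page" threshold are assumptions of this example.

```python
import re

# Constructed sample: trapframe and faulting-instruction lines copied from the message above.
SAMPLE = """\
FSR=00000017, FAR=0000002c, spsr=60000113
r0 =00000000, r1 =c1b35000, r2 =00000000, r3 =00000000
r4 =c1a24000, r5 =00000000, r6 =c1b3338c, r7 =c172e150
r8 =c1b35000, r9 =00000000, r10=c162a400, r11=d28b8bd0
r12=c1bc9ad4, ssp=d28b8ba8, slr=c1b9855c, pc =c048fa3c
Stopped at      bus_dmamem_free+0x10:   ldr     r0, [r9, #0x02c]
"""

# "name =hhhhhhhh" pairs as printed in the trapframe (FSR, FAR, r0..r12, pc, ...).
REG_RE = re.compile(r"\b([A-Za-z]+\d*)\s*=\s*([0-9a-fA-F]{8})\b")
# ddb "Stopped at func+0xNN: op rd, [rn, #0xNN]" line (immediate-offset loads/stores only).
INSN_RE = re.compile(
    r"Stopped at\s+(\S+?)(?:\+0x[0-9a-fA-F]+)?:\s+(\w+)\s+\w+,"
    r"\s*\[(\w+)(?:,\s*#(-?0x[0-9a-fA-F]+))?\]")


def triage(text, null_page=0x1000):
    """Classify a 32-bit ARM data abort from pasted ddb output.

    Returns None when the text lacks a FAR value or a decodable instruction.
    null_page is this example's threshold for "address near NULL".
    """
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}
    insn = INSN_RE.search(text)
    if insn is None or "far" not in regs:
        return None
    func, base, off = insn.group(1), insn.group(3).lower(), insn.group(4)
    if base not in regs:
        return None
    offset = int(off, 16) if off else 0
    ea = (regs[base] + offset) & 0xFFFFFFFF  # address the load tried to read
    matches = ea == regs["far"]
    return {
        "function": func,
        "base_reg": base,
        "offset": offset,
        "effective_addr": ea,
        "matches_far": matches,
        # NULL base pointer plus a small struct-member offset
        "null_member_deref": matches and regs[base] == 0 and ea < null_page,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```
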

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
