sound/pcm/* bugs (was: Re: page fault panic tracked down (selwakeuppri()) - really sound/pcm/*)
Don Lewis
truckman at FreeBSD.org
Wed Jan 14 04:45:34 PST 2004
On 14 Jan, Stefan Ehmann wrote:
> On Wed, 2004-01-14 at 07:16, Don Lewis wrote:
>> I stared at the code some more and cranked out another patch. I think
>> the problem is in chn_setblocksize(). In the case of the csa driver,
>> blksz is hardwired to 2048. If the client of one of the vchans attempts
>> to set blksz to something smaller than that, the vchan will notify its
>> parent, which will call chn_setblocksize() with the smaller requested value.
>> chn_setblocksize() will resize its bufsoft to the smaller size, but
>> bufhard will stay at 2048. This will trigger the buffer overflow in
>> feed_vchan_s16().
>>
>> The following patch changes chn_setblocksize() to resize bufsoft after
>> bufhard so that their bufsz values match. It would also be possible to
>> modify the code to resize bufsoft to the larger of the bufhard bufsz
>> or the requested value, but I don't see any advantage to this. I don't
>> think that the code will do the right thing if a vchan is configured
>> with a smaller bufsz than its parent since the vchan won't be able to
>> fill the parent buffer each time it is polled, but at least this should
>> get rid of the buffer overflow.
>>
>> I'm tempted to go ahead and commit the CHN_LOCKASSERT() and KASSERT() ->
>> panic() changes so that I don't have to carry them around anymore.
>
> No luck - again...
>
> panic: mutex pcm0:fake not owned at
> /usr/src/sys/dev/sound/pcm/channel.c:834
>
> at boottime

I suspect something new got built with INVARIANTS and a working
CHN_LOCKASSERT() for the first time. Try adding a call to CHN_LOCK()
after the call to chn_lockinit() in chn_init() and a call to
CHN_UNLOCK() just after the out: label. These got deleted in rev 1.85,
though the CHN_UNLOCK() call was in the wrong place in 1.84.
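
The size mismatch described in the quoted analysis, as an added toy model that is not part of the original message and is not FreeBSD source: all struct and function names are hypothetical, and the feeder is assumed to move a bufhard-sized block into bufsoft. It shows the two resize orderings side by side, with a bounds check that reports the mismatch instead of writing past the end of the smaller buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model (not FreeBSD source): each buffer tracks its allocated size. */
struct buf { unsigned char *data; size_t bufsz; };
struct chan { struct buf hard, soft; size_t fixed_blksz; /* 0 = any size */ };

static int buf_resize(struct buf *b, size_t sz) {
    unsigned char *p = realloc(b->data, sz);
    if (p == NULL) return -1;
    b->data = p;
    b->bufsz = sz;
    return 0;
}

/* A driver with a hardwired block size ignores the requested value. */
static int hard_resize(struct chan *c, size_t req) {
    return buf_resize(&c->hard, c->fixed_blksz ? c->fixed_blksz : req);
}

/* Ordering described as the bug: soft shrinks, hard stays at its fixed size. */
int setblocksize_soft_first(struct chan *c, size_t req) {
    if (buf_resize(&c->soft, req) != 0) return -1;
    return hard_resize(c, req);
}

/* Ordering described as the fix: resize hard, then size soft to match it. */
int setblocksize_hard_first(struct chan *c, size_t req) {
    if (hard_resize(c, req) != 0) return -1;
    return buf_resize(&c->soft, c->hard.bufsz);
}

/* Assumed feeder: moves hard.bufsz bytes into soft. The size check turns
 * what would be an out-of-bounds write into an error return of -1. */
long feed_checked(struct chan *c) {
    if (c->hard.bufsz > c->soft.bufsz) return -1;
    memset(c->soft.data, 0, c->hard.bufsz);
    return (long)c->hard.bufsz;
}

/* Constructed case: hardware fixed at 2048, client requests req bytes. */
long run_case(int hard_first, size_t req) {
    struct chan c = { {NULL, 0}, {NULL, 0}, 2048 };
    int rc = hard_first ? setblocksize_hard_first(&c, req)
                        : setblocksize_soft_first(&c, req);
    long fed = (rc == 0) ? feed_checked(&c) : -2;
    free(c.hard.data);
    free(c.soft.data);
    return fed;
}
```
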