page fault panic tracked down (selwakeuppri())

Don Lewis truckman at
Sun Jan 4 22:58:18 PST 2004

On  4 Jan, Stefan Ehmann wrote:

> panic: bad bufsize
> #0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
> #1  0xc04e5198 in boot (howto=256) at
> /usr/src/sys/kern/kern_shutdown.c:372
> #2  0xc04e5527 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
> #3  0xc07ec648 in feed_vchan_s16 () from /boot/kernel/snd_pcm.ko
> #4  0xc07e2c6d in sndbuf_feed () from /boot/kernel/snd_pcm.ko
> #5  0xc07e3225 in chn_wrfeed () from /boot/kernel/snd_pcm.ko
> #6  0xc07e327c in chn_wrintr () from /boot/kernel/snd_pcm.ko
> #7  0xc07e3990 in chn_intr () from /boot/kernel/snd_pcm.ko
> #8  0xc07fca2f in csa_intr () from /boot/kernel/snd_csa.ko
> #9  0xc07fb724 in csa_intr () from /boot/kernel/snd_csa.ko
> #10 0xc04d1692 in ithread_loop (arg=0xc1737b00)
>     at /usr/src/sys/kern/kern_intr.c:544
> #11 0xc04d0684 in fork_exit (callout=0xc04d1500 <ithread_loop>, arg=0x0,
>     frame=0x0) at /usr/src/sys/kern/kern_fork.c:796

Since you mentioned that the panics tend to happen when switching
between songs, I wonder if chn_wrintr() is getting called while the
channel is being closed to flush the sound buffer.  Because the channel
mutex is locked across the call to chn_flush() in dsp_close(), any sound
interrupts that happen during this time will be deferred until after the
channel mutex is released at the end of dsp_close().  There are various
places in the code the re-allocate the buffers and it looks like it
might be possible for the feed_vchan_s16() to use stale buffer pointers,
but it is very difficult to follow this code.

I wonder if the proper fix would be for chn_intr() to bail out if the
CHN_F_RUNNING flag is not set ...

More information about the freebsd-current mailing list