OpenSolaris

Bug ID 6478019
Synopsis panic in common_specvp() while opening lx branded zone audio device
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kernel:brandz
Keywords
Responsible Engineer Edward Pilatowicz
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_56
Fixed In snv_56
Release Fixed solaris_nevada(snv_56)
Related Bugs 6456451
Submit Date 4-October-2006
Last Update Date 25-January-2007
Description
while testing out the beta version of skype on my desktop my machine panicked.
---8<---
> ::status
debugging crash dump vmcore.5 (64-bit) from mcescher
operating system: 5.11 onnv-gate:2006-10-02 (i86pc)
panic message:
BAD TRAP: type=d (#gp General protection) rp=fffffe800165d8a0 addr=8d80740
dump content: kernel pages and pages from PID 18000
> $c
common_specvp+0x11(deadbeefdeadbeef)
ldi_close+0x4d(fffffe81fae38b08, 1, ffffffff835b6e18)
lxa_state_close+0x9d(fffffea0703466a8)
lxa_open+0x29b(fffffe800165dba8, 3, 2, ffffffffbe47b5a0)
dev_open+0x3f(fffffe800165dba8, 3, 2, ffffffffbe47b5a0)
spec_open+0x473(fffffe800165dca0, 3, ffffffffbe47b5a0)
fop_open+0x8d(fffffe800165dca0, 3, ffffffffbe47b5a0)
vn_openat+0x48c(fe0943a0, 0, 3, 0, fffffe800165de28, 0)
copen+0x2e3(ffd19553, fe0943a0, 3, 0)
open32+0x2b(fe0943a0, 2, 0)
sys_syscall32+0x1ff()
---8<---
the core file can be found here:
	/net/mcescher.eng/export/crash/6478019
this bug was introduced in the last code review change made to lx_audio.c
before integration.  basically, code was added to lxa_dev_open() to close
the input device if opening the output device failed.  the problem with this
code is that it was unnecessary.  if lxa_dev_open() returns an error then
lxa_state_close() is invoked which closes up any opened devices.  so with
this code we were trying to close the same device twice.  here are the
two frees on one ldi handle:
---8<---
> $C1
fffffe800165d9b0 common_specvp+0x11(deadbeefdeadbeef)
fffffe800165da00 ldi_close+0x4d(fffffe81fae38b08, 1, ffffffff835b6e18)
fffffe800165da40 lxa_state_close+0x9d(fffffea0703466a8)
fffffe800165db30 lxa_open+0x29b(fffffe800165dba8, 3, 2, ffffffffbe47b5a0)
fffffe800165db60 dev_open+0x3f(fffffe800165dba8, 3, 2, ffffffffbe47b5a0)
fffffe800165dc00 spec_open+0x473(fffffe800165dca0, 3, ffffffffbe47b5a0)
fffffe800165dc60 fop_open+0x8d(fffffe800165dca0, 3, ffffffffbe47b5a0)
fffffe800165ddc0 vn_openat+0x48c(fe0943a0, 0, 3, 0, fffffe800165de28, 0, 12, 0)
fffffe800165de80 copen+0x2e3(ffd19553, fe0943a0, 3, 0)
fffffe800165deb0 open32+0x2b(fe0943a0, 2, 0)
fffffe800165df00 sys_syscall32+0x1ff()
> fffffe81fae38b08::whatis
fffffe81fae38b08 is fffffe81fae38b08+0, bufctl fffffe9f57796368 freed from
> fffffe9f57796368::bufctl -v
            ADDR          BUFADDR        TIMESTAMP           THREAD
                            CACHE          LASTLOG         CONTENTS
fffffe9f57796368 fffffe81fae38b08     628d15983001 fffffe814ac79880
                 ffffffff8003c008 ffffffff80ec0540 ffffffff820f59a0
                 kmem_cache_free_debug+0x131
                 kmem_cache_free+0x4e
                 kmem_free+0x142
                 handle_release+0xdb
                 ldi_close+0xf1
                 lxa_dev_open+0x1f4
                 lxa_open+0xf7
                 dev_open+0x3f
                 spec_open+0x473
                 fop_open+0x8d
                 vn_openat+0x48c
                 copen+0x2e3
                 open32+0x2b
---8<---
Work Around
N/A
Comments
N/A
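The double close described in the Description, as a user-space C model added here (not code from lx_audio.c or from the bug report). Every type and function name is hypothetical, and a close counter stands in for the real handle free so the second close is counted instead of touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only; all names are hypothetical, not from lx_audio.c. */
typedef struct { int closes; } handle_t;        /* stands in for an LDI handle */
typedef struct { handle_t *in, *out; } state_t; /* per-open device state */

static handle_t slots[2];                       /* [0] = input, [1] = output */

static handle_t *model_open(int idx, int fail) { return fail ? NULL : &slots[idx]; }

/* The real close releases the handle; here we only count the call. */
static void model_close(handle_t *h) { h->closes++; }

/* Caller-side teardown: closes whatever the state still references. */
static void state_close(state_t *s) {
    if (s->in)  { model_close(s->in);  s->in = NULL; }
    if (s->out) { model_close(s->out); s->out = NULL; }
}

/* buggy=1 models the redundant error-path close: the input handle is
 * closed here, but s->in still points at it when the caller cleans up. */
static int dev_open(state_t *s, int fail_out, int buggy) {
    if ((s->in = model_open(0, 0)) == NULL)
        return -1;
    if ((s->out = model_open(1, fail_out)) == NULL) {
        if (buggy)
            model_close(s->in);   /* first close of the input handle */
        return -1;                /* caller runs state_close(): second close */
    }
    return 0;
}

/* Returns the highest close count on any handle; 2 means a double close. */
int run_open(int fail_out, int buggy) {
    state_t s = { NULL, NULL };
    slots[0] = slots[1] = (handle_t){ 0 };
    (void)dev_open(&s, fail_out, buggy);
    state_close(&s);  /* runs on the error path and on the later normal close */
    return slots[0].closes > slots[1].closes ? slots[0].closes : slots[1].closes;
}

int main(void) {
    printf("output open fails, redundant close present: %d closes\n", run_open(1, 1));
    printf("output open fails, redundant close removed: %d closes\n", run_open(1, 0));
    return 0;
}
```

The double close only appears when the output open fails, which is why the path is easy to miss in normal testing.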