From nobody@FreeBSD.org  Mon Jan 24 12:30:23 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B531B106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 24 Jan 2011 12:30:23 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 98A7E8FC13
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 24 Jan 2011 12:30:23 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p0OCUNii040365
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 24 Jan 2011 12:30:23 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p0OCUNqn040364;
	Mon, 24 Jan 2011 12:30:23 GMT
	(envelope-from nobody)
Message-Id: <201101241230.p0OCUNqn040364@red.freebsd.org>
Date: Mon, 24 Jan 2011 12:30:23 GMT
From: Vladislav Movchan <vladislav.movchan@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [sound][snd_emu10kx][patch] Fix data type overflow (signed/unsigned mismatch) in args of bus_dma_tag_create
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         154259
>Category:       kern
>Synopsis:       [sound][snd_emu10kx][patch] Fix data type overflow (signed/unsigned mismatch) in args of bus_dma_tag_create
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-multimedia
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 24 12:40:10 UTC 2011
>Closed-Date:    Sat Feb 12 14:29:18 UTC 2011
>Last-Modified:  Sat Feb 12 14:29:18 UTC 2011
>Originator:     Vladislav Movchan
>Release:        FreeBSD 9.0-CURRENT r217756 amd64
>Organization:
>Environment:
FreeBSD ground 9.0-CURRENT FreeBSD 9.0-CURRENT #5 r217756: Sun Jan 23 21:25:58 EET 2011     user@ground:/usr/obj/usr/src/sys/Mephistophelis  amd64
>Description:
If you use snd_emu10k1 or snd_emu10kx drivers on amd64 system there is a chance that you hear high frequency noise / buzz instead of sound. It is much higher probability to reproduce this problem if you use any of drivers mentioned above as separate kernel modules loaded at the end of boot process, then if you compile this devices into kernel.

This problem was mentioned several times in mail lists (but without solution):
http://lists.freebsd.org/pipermail/freebsd-multimedia/2010-April/010928.html
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057687.html

This problem caused by data type overflow (signed/unsigned mismatch) in one of arguments of bus_dma_tag_create() during data type conversion:
lowaddr argument set as "1 << 31" and because of "1" is signed (by default) "1 << 31" (10000000000000000000000000000000 in binary) become 18446744071562067968 (1111111111111111111111111111111110000000000000000000000000000000 in binary) when it is converted to bus_addr_t data type (what is typedef-ed to uint64_t).

As result address range (for DMA) will not be limited to 0-2Gb (only range that hardware is possible to address), and when driver will be forced to use addresses higher than 2Gb you hear noise instead of sound. 

If you are using snd_emu10kx and selected "Boot FreeBSD with verbose logging" in loader prompt, then you are able to see wrong mappings in logs:

Jan 23 22:37:28 ground kernel: emu10kx: setmap (43390000, 1000), nseg=1, error=0
Jan 23 22:37:28 ground kernel: emu10kx: setmap (119cf0000, 1000), nseg=1, error=0
Jan 23 22:37:28 ground kernel: emu10kx: setmap (12f3d0000, 1000), nseg=1, error=0
Jan 23 22:37:28 ground kernel: emu10kx: setmap (be830000, 1000), nseg=1, error=0

Second, third and fourth lines shows mappings above 2Gb, what should not happened.


PS: I suppose it is necessary to have more than 2 Gb of ram installed on amd64 machine to be able to reproduce this problem (I have 6Gb on test system).

Also I was not able to reproduce original problem on i386 with 4Gb of ram installed. Looks like it is related to amd64 only.

This problem is related to snd_emu10k1 and snd_emu10kx drivers. Problem was reproduced by me and fix was tested for both drivers.
>How-To-Repeat:
Use snd_emu10k1 or snd_emu10kx as module, load it at the end of boot process. If you are still able play music correctly - do 

kldunload  /boot/kernel/snd_emu10kx.ko;
kldload /boot/kernel/snd_emu10kx.ko;
mpg123 test.mp3;

several iterations of kldunload / kldload usually enough to hear high frequency noise instead of music.
>Fix:
Attached patch fixed this problem for me (both drivers tested)

Patch attached with submission follows:

Index: sys/dev/sound/pci/emu10k1.c
===================================================================
--- sys/dev/sound/pci/emu10k1.c	(revision 217774)
+++ sys/dev/sound/pci/emu10k1.c	(working copy)
@@ -2017,7 +2017,7 @@
 
 	if (bus_dma_tag_create(/*parent*/bus_get_dma_tag(dev), /*alignment*/2,
 		/*boundary*/0,
-		/*lowaddr*/1 << 31, /* can only access 0-2gb */
+		/*lowaddr*/1u << 31, /* can only access 0-2gb */
 		/*highaddr*/BUS_SPACE_MAXADDR,
 		/*filter*/NULL, /*filterarg*/NULL,
 		/*maxsize*/sc->bufsz, /*nsegments*/1, /*maxsegz*/0x3ffff,
Index: sys/dev/sound/pci/emu10kx.c
===================================================================
--- sys/dev/sound/pci/emu10kx.c	(revision 217774)
+++ sys/dev/sound/pci/emu10kx.c	(working copy)
@@ -2700,7 +2700,7 @@
 
 	if (bus_dma_tag_create( /* parent */ bus_get_dma_tag(sc->dev),
 	     /* alignment */ 2, /* boundary */ 0,
-	     /* lowaddr */ 1 << 31,	/* can only access 0-2gb */
+	     /* lowaddr */ 1u << 31,	/* can only access 0-2gb */
 	     /* highaddr */ BUS_SPACE_MAXADDR,
 	     /* filter */ NULL, /* filterarg */ NULL,
 	     /* maxsize */ EMU_MAX_BUFSZ, /* nsegments */ 1, /* maxsegz */ 0x3ffff,


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-multimedia 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jan 26 11:08:37 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154259 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154259: commit references a PR
Date: Wed,  9 Feb 2011 11:29:09 +0000 (UTC)

 Author: marius
 Date: Wed Feb  9 11:28:57 2011
 New Revision: 218478
 URL: http://svn.freebsd.org/changeset/base/218478
 
 Log:
   Correct signedness and off-by-one issues in parameters used for DMA tag
   creation.
   
   PR:		154259
   Submitted by:	Vladislav Movchan (partially)
   MFC after:	3 days
 
 Modified:
   head/sys/dev/sound/pci/emu10k1.c
   head/sys/dev/sound/pci/emu10kx.c
 
 Modified: head/sys/dev/sound/pci/emu10k1.c
 ==============================================================================
 --- head/sys/dev/sound/pci/emu10k1.c	Wed Feb  9 10:06:31 2011	(r218477)
 +++ head/sys/dev/sound/pci/emu10k1.c	Wed Feb  9 11:28:57 2011	(r218478)
 @@ -2017,7 +2017,7 @@ emu_pci_attach(device_t dev)
  
  	if (bus_dma_tag_create(/*parent*/bus_get_dma_tag(dev), /*alignment*/2,
  		/*boundary*/0,
 -		/*lowaddr*/1 << 31, /* can only access 0-2gb */
 +		/*lowaddr*/(1U << 31) - 1, /* can only access 0-2gb */
  		/*highaddr*/BUS_SPACE_MAXADDR,
  		/*filter*/NULL, /*filterarg*/NULL,
  		/*maxsize*/sc->bufsz, /*nsegments*/1, /*maxsegz*/0x3ffff,
 
 Modified: head/sys/dev/sound/pci/emu10kx.c
 ==============================================================================
 --- head/sys/dev/sound/pci/emu10kx.c	Wed Feb  9 10:06:31 2011	(r218477)
 +++ head/sys/dev/sound/pci/emu10kx.c	Wed Feb  9 11:28:57 2011	(r218478)
 @@ -2700,7 +2700,7 @@ emu_init(struct emu_sc_info *sc)
  
  	if (bus_dma_tag_create( /* parent */ bus_get_dma_tag(sc->dev),
  	     /* alignment */ 2, /* boundary */ 0,
 -	     /* lowaddr */ 1 << 31,	/* can only access 0-2gb */
 +	     /* lowaddr */ (1U << 31) - 1,	/* can only access 0-2gb */
  	     /* highaddr */ BUS_SPACE_MAXADDR,
  	     /* filter */ NULL, /* filterarg */ NULL,
  	     /* maxsize */ EMU_MAX_BUFSZ, /* nsegments */ 1, /* maxsegz */ 0x3ffff,
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154259: commit references a PR
Date: Sat, 12 Feb 2011 13:41:12 +0000 (UTC)

 Author: marius
 Date: Sat Feb 12 13:41:00 2011
 New Revision: 218606
 URL: http://svn.freebsd.org/changeset/base/218606
 
 Log:
   MFC: r218478
   
   Correct signedness and off-by-one issues in parameters used for DMA tag
   creation.
   
   PR:		154259
   Submitted by:	Vladislav Movchan (partially)
 
 Modified:
   stable/8/sys/dev/sound/pci/emu10k1.c
   stable/8/sys/dev/sound/pci/emu10kx.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/dev/sound/pci/emu10k1.c
 ==============================================================================
 --- stable/8/sys/dev/sound/pci/emu10k1.c	Sat Feb 12 13:28:50 2011	(r218605)
 +++ stable/8/sys/dev/sound/pci/emu10k1.c	Sat Feb 12 13:41:00 2011	(r218606)
 @@ -2017,7 +2017,7 @@ emu_pci_attach(device_t dev)
  
  	if (bus_dma_tag_create(/*parent*/bus_get_dma_tag(dev), /*alignment*/2,
  		/*boundary*/0,
 -		/*lowaddr*/1 << 31, /* can only access 0-2gb */
 +		/*lowaddr*/(1U << 31) - 1, /* can only access 0-2gb */
  		/*highaddr*/BUS_SPACE_MAXADDR,
  		/*filter*/NULL, /*filterarg*/NULL,
  		/*maxsize*/sc->bufsz, /*nsegments*/1, /*maxsegz*/0x3ffff,
 
 Modified: stable/8/sys/dev/sound/pci/emu10kx.c
 ==============================================================================
 --- stable/8/sys/dev/sound/pci/emu10kx.c	Sat Feb 12 13:28:50 2011	(r218605)
 +++ stable/8/sys/dev/sound/pci/emu10kx.c	Sat Feb 12 13:41:00 2011	(r218606)
 @@ -2700,7 +2700,7 @@ emu_init(struct emu_sc_info *sc)
  
  	if (bus_dma_tag_create( /* parent */ bus_get_dma_tag(sc->dev),
  	     /* alignment */ 2, /* boundary */ 0,
 -	     /* lowaddr */ 1 << 31,	/* can only access 0-2gb */
 +	     /* lowaddr */ (1U << 31) - 1,	/* can only access 0-2gb */
  	     /* highaddr */ BUS_SPACE_MAXADDR,
  	     /* filter */ NULL, /* filterarg */ NULL,
  	     /* maxsize */ EMU_MAX_BUFSZ, /* nsegments */ 1, /* maxsegz */ 0x3ffff,
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154259: commit references a PR
Date: Sat, 12 Feb 2011 13:41:12 +0000 (UTC)

 Author: marius
 Date: Sat Feb 12 13:41:02 2011
 New Revision: 218607
 URL: http://svn.freebsd.org/changeset/base/218607
 
 Log:
   MFC: r218478
   
   Correct signedness and off-by-one issues in parameters used for DMA tag
   creation.
   
   PR:		154259
   Submitted by:	Vladislav Movchan (partially)
 
 Modified:
   stable/7/sys/dev/sound/pci/emu10k1.c
   stable/7/sys/dev/sound/pci/emu10kx.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/dev/sound/pci/emu10k1.c
 ==============================================================================
 --- stable/7/sys/dev/sound/pci/emu10k1.c	Sat Feb 12 13:41:00 2011	(r218606)
 +++ stable/7/sys/dev/sound/pci/emu10k1.c	Sat Feb 12 13:41:02 2011	(r218607)
 @@ -2012,7 +2012,7 @@ emu_pci_attach(device_t dev)
  
  	if (bus_dma_tag_create(/*parent*/bus_get_dma_tag(dev), /*alignment*/2,
  		/*boundary*/0,
 -		/*lowaddr*/1 << 31, /* can only access 0-2gb */
 +		/*lowaddr*/(1U << 31) - 1, /* can only access 0-2gb */
  		/*highaddr*/BUS_SPACE_MAXADDR,
  		/*filter*/NULL, /*filterarg*/NULL,
  		/*maxsize*/sc->bufsz, /*nsegments*/1, /*maxsegz*/0x3ffff,
 
 Modified: stable/7/sys/dev/sound/pci/emu10kx.c
 ==============================================================================
 --- stable/7/sys/dev/sound/pci/emu10kx.c	Sat Feb 12 13:41:00 2011	(r218606)
 +++ stable/7/sys/dev/sound/pci/emu10kx.c	Sat Feb 12 13:41:02 2011	(r218607)
 @@ -2696,7 +2696,7 @@ emu_init(struct emu_sc_info *sc)
  
  	if (bus_dma_tag_create( /* parent */ bus_get_dma_tag(sc->dev),
  	     /* alignment */ 2, /* boundary */ 0,
 -	     /* lowaddr */ 1 << 31,	/* can only access 0-2gb */
 +	     /* lowaddr */ (1U << 31) - 1,	/* can only access 0-2gb */
  	     /* highaddr */ BUS_SPACE_MAXADDR,
  	     /* filter */ NULL, /* filterarg */ NULL,
  	     /* maxsize */ EMU_MAX_BUFSZ, /* nsegments */ 1, /* maxsegz */ 0x3ffff,
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: marius 
State-Changed-When: Sat Feb 12 14:28:57 UTC 2011 
State-Changed-Why:  
Close; this PR was fully handled. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154259 
>Unformatted:
