Message-Id: <200410201844.i9KIirjF099052@granite.sentex.ca>
Date: Wed, 20 Oct 2004 14:44:53 -0400 (EDT)
From: Mike Tancsa <freebsd-dev@sentex.net>
Reply-To: Mike Tancsa <freebsd-dev@sentex.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: sio tty and uhid tty (perhaps others) stomp on each other leading to kernel data corruption and a panic
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         72935
>Category:       kern
>Synopsis:       sio tty and uhid tty (perhaps others) stomp on each other leading to kernel data corruption and a panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 20 18:50:21 GMT 2004
>Closed-Date:    Fri Nov 12 05:01:38 GMT 2004
>Last-Modified:  Fri Nov 12 05:01:38 GMT 2004
>Originator:     Mike Tancsa
>Release:        RELENG_4
>Organization:
Sentex Communications
>Environment:
System: FreeBSD station.sentex.ca 4.10-STABLE FreeBSD 4.10-STABLE #19: Wed Oct 20 10:44:23 EDT 2004     root@station.sentex.ca:/usr/obj/usr/src/sys/gas  i386


	i386,RELENG_4
>Description:
	        In 4-10 STABLE we have been experiencing an intermittent problem / panic 
when engaging in constant serial I/O and constant usb/uhid device I/O.
What happens is that the kernel panics related to data in cfreelist in 
sys/kern/tty_subr.c

The two panics we have seen are

         panic("clist reservation botch"); in sys/kern/tty_subr.c:103

And

         panic("free: multiple frees"); in sys/kern/kern_malloc.c:632

What we believe might be the problem is that the tty_subr routines rely on 
spltty() for concurrency.  The uhid device
(sys/dev/usb/uhid.c) is not of class TTY, but it uses the b_to_q routine 
within its interrupt handler (uhid_intr), so we believe
that uhid_intr will be serviced during some other tty servicing of the 
cfreelist.

The cfreelist within tty_subr is getting corrupted (and/or going to 
null).   We have been able to reproduce the problem in a short
period of time, by introducing a delay within cblock_alloc() and 
cblock_free().  Also we have been able to fix the problem (in
concept only) by doing the following in uhid_open

     int s = splhigh();
     tty_imask |= bio_imask;
     splx( s );



>How-To-Repeat:
	Do a lot of sio activity (preferably with a PUC card) and UHID activity at the same time.  
On average, about 3-5 days for a panic. See 
http://lists.freebsd.org/pipermail/freebsd-stable/2004-October/008964.html
>Fix:

Possibly,

*** uhid.c.orig Wed Oct 20 14:16:05 2004
--- uhid.c      Wed Oct 20 14:16:56 2004
***************
*** 411,416 ****
--- 411,424 ----
        if (sc->sc_dying)
                return (ENXIO);

+ /* KDW - test change to force class tty to include uhid */
+       {
+               int s = splhigh();
+               tty_imask |= bio_imask;
+               splx( s );
+       }
+ /* end KDW */
+
        if (sc->sc_state & UHID_OPEN)
                return (EBUSY);
        sc->sc_state |= UHID_OPEN;
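
Review bot: the added block sits ahead of the `UHID_OPEN` / `EBUSY` check, so the global `tty_imask` is widened on every uhid_open() call, including opens that then fail, and nothing in the hunk restores it. The merge is also one-directional: `tty_imask |= bio_imask` makes spltty() sections hold off bio-class interrupts, but tty-class interrupts are still not held off while this driver touches the clist. Suggest doing the merge once rather than per open, stating in the comment why uhid needs tty-level protection (its interrupt handler calls b_to_q), confirming whether the mask change takes effect without a further call, and dropping the `KDW - test change` markers before commit.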






>Release-Note:
>Audit-Trail:

From: Mike Tancsa <mike@sentex.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/72935: sio tty and uhid tty (perhaps others) stomp on
  each other leading to kernel data corruption and a panic
Date: Tue, 26 Oct 2004 15:58:32 -0400

 Not sure if update_intr_masks() is required.
 
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/usb/uhid.c.diff?r1=1.27.2.12&r2=1.27.2.13
 
 seems to be the commit that broke things in RELENG_4 ?
 
          ---Mike
 
 --------------------------------------------------------------------
 Mike Tancsa,                                      tel +1 519 651 3400
 Sentex Communications,                            mike@sentex.net
 Providing Internet since 1994                    www.sentex.net
 Cambridge, Ontario Canada                         www.sentex.net/mike
 

From: "Keith Winter" <keith@sentex.net>
To: <freebsd-gnats-submit@FreeBSD.org>, <freebsd-dev@sentex.net>
Cc: <freebsd-usb@FreeBSD.org>
Subject: Re: kern/72935: sio tty and uhid tty (perhaps others) stomp on each other leading to kernel data corruption and a panic
Date: Mon, 1 Nov 2004 16:04:59 -0500

 We are trying to generalize the fix for this.  It was pointed out by Julian Elischer that this prevents bio devices from trampling
 on tty devices, but not vice versa.
 
 Would the following be a more general solution for uhid devices?
 
         {
                 int s = splhigh();
                 tty_imask |= bio_imask;
                 bio_imask |= tty_imask;
                 update_intr_masks();
                 splx( s );
         }
 
 The approach is similar to what was done for ppp/slip.
 
 -- KDW
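
A user-space model of the race discussed in this PR, added here as an illustration; it is not code from FreeBSD or from the submitters. It shows a free-list pop under spltty() being interrupted by a bio-class handler that pops the same list, with and without `tty_imask |= bio_imask`. Only the names `spltty`, `splx`, `tty_imask`, `bio_imask`, `cfreelist` and `cblock_alloc` come from the report; the IRQ numbers, the one-shot `usb_armed` trigger and the simplified bodies are assumptions.

```c
#include <stdio.h>
/* Toy model of spl masking: cpl is a bitmask of currently blocked IRQs. */
enum { IRQ_SIO = 1 << 4, IRQ_USB = 1 << 11 };     /* constructed IRQ lines */
static unsigned cpl, ipending, tty_imask, bio_imask;
struct cblock { struct cblock *next; };
static struct cblock pool[4], *cfreelist;
static struct cblock *intr_got;  /* cblock taken by the simulated uhid_intr */
static int usb_armed;            /* one-shot: assert USB IRQ inside next alloc */
static struct cblock *cblock_alloc(void);

static void raise_irq(unsigned irq)
{
    if (cpl & irq) { ipending |= irq; return; }   /* masked: deferred to splx */
    intr_got = cblock_alloc();   /* handler runs now, as b_to_q would allocate */
}

static unsigned spltty(void) { unsigned s = cpl; cpl |= tty_imask; return s; }
static void splx(unsigned s)
{
    unsigned p = ipending & ~s;  /* deferred IRQs that the old level allows */
    cpl = s;
    if (p) { ipending &= ~p; raise_irq(p); }
}

static struct cblock *cblock_alloc(void)
{
    struct cblock *cb = cfreelist;                /* step 1: read list head */
    if (usb_armed) { usb_armed = 0; raise_irq(IRQ_USB); }  /* IRQ mid-update */
    cfreelist = cb->next;                         /* step 2: unlink stale head */
    return cb;
}

/* Returns 1 when the tty path and the interrupt handler got the same cblock. */
static int run(int merge_masks)
{
    tty_imask = IRQ_SIO; bio_imask = IRQ_USB; cpl = ipending = 0; intr_got = NULL;
    for (int i = 0; i < 4; i++) pool[i].next = (i < 3) ? &pool[i + 1] : NULL;
    cfreelist = pool; usb_armed = 1;
    if (merge_masks) tty_imask |= bio_imask;      /* the change from the PR */
    unsigned s = spltty();
    struct cblock *tty_got = cblock_alloc();      /* e.g. sio filling a clist */
    splx(s);
    return tty_got == intr_got;
}

int main(void)
{
    printf("separate masks: %d, tty |= bio: %d\n", run(0), run(1));
    return 0;
}
```

A block handed out twice is what later surfaces as a double free or a reservation-count mismatch; with the masks merged, the handler is deferred until splx() and takes the next block instead.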
 
 
State-Changed-From-To: open->closed 
State-Changed-By: julian 
State-Changed-When: Fri Nov 12 05:00:56 GMT 2004 
State-Changed-Why:  
Patch applied 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72935 
>Unformatted:
