Re: kern/41957: azalia crashes during boot - uvm_fault

["Björn Barkenfelt" <xbarken%googlemail.com@localhost>]

The following reply was made to PR kern/41957; it has been noted by GNATS.

From: "=?ISO-8859-1?Q?Bj=F6rn?= Barkenfelt" <xbarken%googlemail.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/41957: azalia crashes during boot - uvm_fault
Date: Tue, 08 Sep 2009 21:43:31 +0200

 --=-xKVBYYeeMbB0qjLojA9m
 Content-Type: text/plain; charset="ISO-8859-1"
 Content-Transfer-Encoding: 8bit
 
 On Mon, 2009-09-07 at 06:50 +0000, David Holland wrote:
 > The following reply was made to PR kern/41957; it has been noted by GNATS.
 > 
 > From: David Holland <dholland-bugs%netbsd.org@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: 
 > Subject: Re: kern/41957: azalia crashes during boot - uvm_fault
 > Date: Mon, 7 Sep 2009 06:46:41 +0000
 > 
 >  On Sat, Aug 29, 2009 at 03:45:00PM +0000, xbarken%googlemail.com@localhost 
 > wrote:
 >   > The generic kernel crashed upon boot on my system. The azalia
 >   > driver generates a uvm_fault during boot.
 >   >
 >   > The problem lies in azalia_codec.c where an initialization of a
 >   > pointer is made before a realloc(). A fix for 5.0.1 release is
 >   > included, which solves the problem for me.
 >   > 3166c3166
 >   >
 >   > <       mixer_item_t *m = NULL;
 >   > ---
 >   > >       mixer_item_t *m, *mdac = NULL;
 >  
 >  Could you regenerate this patch using diff -up? (And make sure you do
 >  "diff old new"; I think this patch is reversed.)
 
 Ok, a new diff is attached.
 
 / Björn
 
 --=-xKVBYYeeMbB0qjLojA9m
 Content-Disposition: attachment; filename="azalia_codec.c.diff"
 Content-Type: text/x-patch; name="azalia_codec.c.diff"; charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 
 --- /usr/src/sys/dev/pci/azalia_codec.c        2009-08-09 20:27:57.000000000 
+0200
 +++ azalia_codec.c     2009-08-29 17:35:13.000000000 +0200
 @@ -3163,9 +3163,9 @@ alc888_init_widget(const codec_t *this, 
  static int
  alc888_mixer_init(codec_t *this)
  {
 -      mixer_item_t *m, *mdac = NULL;
 +      mixer_item_t *m = NULL;
        mixer_devinfo_t *d;
 -      int err, i;
 +      int err, i, imdac;
  
        err = generic_mixer_init(this);
        if (err)
 @@ -3178,12 +3178,19 @@ alc888_mixer_init(codec_t *this)
        }
  
        /* We're looking for front l/r mixer, which we know is nid 0x0c */
 -      for (i = 0; i < this->nmixers; i++)
 +      for (i = 0, imdac = -1; i < this->nmixers; i++)
                if (this->mixers[i].nid == 0x0c) {
 -                      mdac = &this->mixers[i];
 +                      /*  
 +                      *  Rememer at which index we found the mdac. 
 +                      *  Setting a pointer is dangerous at this point
 +                      *  due to a possile realloc() further below
 +                      *  in generic_mixer_ensure_capacity().
 +                      */
 +                      imdac = i;
                        break;
                }
 -      if (mdac) {
 +
 +      if (imdac >= 0 ) {
                /*
                 * ALC888 doesn't have a master mixer, so create a fake
                 * inputs.dac that mirrors outputs.master
 @@ -3194,7 +3201,8 @@ alc888_mixer_init(codec_t *this)
  
                m = &this->mixers[this->nmixers];
                d = &m->devinfo;
 -              memcpy(m, mdac, sizeof(*m));
 +              
 +              memcpy(m, &this->mixers[imdac], sizeof(*m));
                d->mixer_class = AZ_CLASS_INPUT;
                snprintf(d->label.name, sizeof(d->label.name), AudioNdac);
                this->nmixers++;
 
 --=-xKVBYYeeMbB0qjLojA9m--