Re: install/59621: kernel panic with Fujitsu Siemens Lifebook E Series

["Michael van Elst via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR install/59621; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: install/59621: kernel panic with Fujitsu Siemens Lifebook E Series
Date: Sun, 31 Aug 2025 14:45:12 -0000 (UTC)

 df4nx%gmx.net@localhost writes:
 
 >On booting the install media boot.iso of the NetBSD 10.1 release a kernelr
 >panic occured.
 >Disable the esm driver with uc> disable esm it boots correct without panic=
 
 [   1.0005278] esm0 at pci0 dev 13 function 0: ESS Technology Maestro 2E P=
 CI Audio Accelerator (rev. 0x10)
 [   1.0005278] esm0: interrupting at irq 9
 [   1.0005278] esm0: esm_read_codec() RW_DONE timed out.
 [   1.0005278] esm0: will perform cold reset.
 [   1.0005278] uvm_fault(0xc15ad960, 0, 1) -> 0xe
 [   1.0005278] fatal page fault in supervisor mode
 [   1.0005278] trap type 6 code 0 eip 0xc0127a2c cs 0x8 eflags 0x10282 cr2=
  0 ilevel 0x8 esp 0xc0213017
 [   1.0005278] curlwp 0xc14dfac0 pid 0 lid 0 lowest kstack 0xc18892c0
 kernel: supervisor trap page fault, code=3D0
 Stopped in pid 0.0 (system) at  netbsd:bus_space_read_1+0xc:    cmpl    $0=
 ,0(%ea
 x)
 
 db{0}> trace
 bus_space_read_1(c1ed6200,0,0,c188aa28,c0cd536f,a,5,c1ed6228,c188aa1c,0) a=
 t netb
 sd:bus_space_read_1+0xc
 ac97_attach_type(c1eb1730,c1ed6200,1,c1eb1704,c188abc8,c02150ac,c1eb1730,c=
 1ed620
 0,c1eb1704,1000c0) at netbsd:ac97_attach_type+0xc01
 ac97_attach(c1eb1730,c1ed6200,c1eb1704,1000c0,c0214102,c1ed6200,c1ed6224,c=
 1eb171
 
 
 
 The crash happens in bus_space_read_1 where a NULL pointer is passed
 as bus tag. This sounds weird, but is explained by:
 
 int
 esm_read_codec(void *sc, uint8_t regno, uint16_t *result)
 {
         struct esm_softc *ess;
         unsigned t;
  
         ess = sc;
 ...
 }
 
 static void
 esm_attach(device_t parent, device_t self, void *aux)
 {
 ...
 	ess = device_private(self);
 
 
         /* initialize AC97 host interface */
         ess->host_if.arg = self;
         ess->host_if.attach = esm_attach_codec;
         ess->host_if.read = esm_read_codec;
         ess->host_if.write = esm_write_codec;
         ess->host_if.reset = esm_reset_codec;
         ess->host_if.flags = esm_flags_codec;
 
         if (ac97_attach(&ess->host_if, self, &ess->sc_lock) != 0) {
 ...
 }
 
 static void
 ac97_read(struct ac97_softc *as, uint8_t reg, uint16_t *val)
 {
 ...
 	if (as->host_if->read(as->host_if->arg, reg, val)) {
 ...
 }
 
 
 
 The interface routines expect the first argument to be the
 'struct esm_softc *', but ac97 will call it with esp->host_if.arg
 which is the device pointer.
 
 
 Can you try the following patch ?
 
 
 Index: sys/dev/pci/esm.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dev/pci/esm.c,v
 retrieving revision 1.66
 diff -p -u -r1.66 esm.c
 --- sys/dev/pci/esm.c   23 May 2022 13:53:37 -0000      1.66
 +++ sys/dev/pci/esm.c   31 Aug 2025 14:43:45 -0000
 @@ -1619,7 +1619,7 @@ esm_attach(device_t parent, device_t sel
         ess->codec_flags |= AC97_HOST_DONT_READ;
  
         /* initialize AC97 host interface */
 -       ess->host_if.arg = self;
 +       ess->host_if.arg = ess;
         ess->host_if.attach = esm_attach_codec;
         ess->host_if.read = esm_read_codec;
         ess->host_if.write = esm_write_codec;