Bug 628404 - oops in snd_pcm_substream_proc_status_read()
Summary: oops in snd_pcm_substream_proc_status_read()
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-29 23:00 UTC by Tom London
Modified: 2010-09-20 02:55 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-09-20 02:55:00 UTC
Type: ---

Attachments (Terms of Use)
output of 'dmesg' showing 'general protection fault' trace, etc. (61.43 KB, text/plain)
2010-08-29 23:00 UTC, Tom London
no flags Details

Description Tom London 2010-08-29 23:00:26 UTC
Created attachment 441847 [details]
output of 'dmesg' showing 'general protection fault' trace, etc.

Description of problem:
Got the following 'general protection fault' when I tried to 'log out' from a long running (about 8 hours) gnome session.

gdm/gnome failed to restart/recover.  I had to ctrl-alt-F2 and login as root to get some log info, etc.

System is a Thinkpad X200.

I attach output of 'dmesg'.

polkit-gnome-au[1909]: segfault at ffffffff00d327a0 ip 000000332a02ee69 sp 00007fff77b59d90 error 4 in libglib-2.0.so.0.2514.0[332a000000+101000]
gnome-terminal[2012] trap int3 ip:332a0479c9 sp:7fffcc987120 error:0
gnome-panel[1907]: segfault at 333e44c500 ip 000000333e44c500 sp 00007fffd997f638 error 14 in libxcb-aux.so.0.0.0[333e800000+2000]
dconf-service[2922] trap int3 ip:332a0479c9 sp:7fffd2782b20 error:0
general protection fault: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:1b.0/sound/card0/pcmC0D0c/pcm_class
CPU 1 
Modules linked in: vfat fat fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf ip6t_REJECT nf_conntrack_ipv6 xt_physdev ip6table_filter ip6_tables kvm_intel kvm uinput snd_hda_codec_conexant usblp arc4 ecb snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device iwlagn snd_pcm iwlcore thinkpad_acpi snd_timer snd i2c_i801 mac80211 soundcore microcode iTCO_wdt iTCO_vendor_support e1000e cfg80211 wmi snd_page_alloc rfkill ipv6 usb_storage i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]

Pid: 16071, comm: pulseaudio Not tainted 2.6.36-0.11.rc2.git5.fc15.x86_64 #1 74585FU/74585FU
RIP: 0010:[<ffffffffa0296742>]  [<ffffffffa0296742>] snd_pcm_substream_proc_status_read+0x164/0x1ad [snd_pcm]
RSP: 0018:ffff8801178c1b58  EFLAGS: 00010292
RAX: 6b6b6b6b6b6b6b6b RBX: ffff88003d993bc8 RCX: 0000000000000000
RDX: ffffffffa02a1996 RSI: ffffffffa02a1997 RDI: ffff88003d993bc8
RBP: ffff8801178c1c18 R08: 0000000000000006 R09: 00000000fffffff7
R10: ffff8800044ea048 R11: 0000000000000000 R12: ffff8801332d31b0
R13: ffff88013438d488 R14: ffff88013438e050 R15: ffff880111131880
FS:  00007fbccba77780(0000) GS:ffff880002e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fbf324db008 CR3: 00000001157be000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process pulseaudio (pid: 16071, threadinfo ffff8801178c0000, task ffff880130f88000)
 0000000000000003 0000000000005e84 000000002ee6c142 0000000000005e85
<0> 000000001624774a 0000000000000000 00000000000064b0 00000000000064b0
<0> 00000000000064b0 00000000000064b0 0000000000000000 0000000000000000
Call Trace:
 [<ffffffffa020ac22>] snd_info_entry_open+0x307/0x389 [snd]
 [<ffffffff81179034>] proc_reg_open+0xfa/0x17a
 [<ffffffffa020a91b>] ? snd_info_entry_open+0x0/0x389 [snd]
 [<ffffffffa0209fa7>] ? snd_info_entry_release+0x0/0xd8 [snd]
 [<ffffffff81178f3a>] ? proc_reg_open+0x0/0x17a
 [<ffffffff81128f1f>] __dentry_open+0x1c2/0x338
 [<ffffffff81129da0>] nameidata_to_filp+0x3f/0x50
 [<ffffffff81136200>] do_last+0x432/0x5af
 [<ffffffff81246a75>] ? __raw_spin_lock_init+0x31/0x50
 [<ffffffff811365ad>] do_filp_open+0x230/0x5e1
 [<ffffffff810fac10>] ? might_fault+0x5c/0xac
 [<ffffffff8114040b>] ? alloc_fd+0x3b/0x17c
 [<ffffffff8107fc2a>] ? lock_release+0x19a/0x1a6
 [<ffffffff8114053a>] ? alloc_fd+0x16a/0x17c
 [<ffffffff81129e11>] do_sys_open+0x60/0xfc
 [<ffffffff8149aca2>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff81129ecd>] sys_open+0x20/0x22
 [<ffffffff81009cb2>] system_call_fastpath+0x16/0x1b
Code: df 31 c0 e8 e6 40 f7 ff 48 c7 c6 90 19 2a a0 48 89 df 31 c0 e8 d5 40 f7 ff 49 8b 84 24 f0 00 00 00 48 c7 c6 97 19 2a a0 48 89 df <48> 8b 50 08 31 c0 e8 b8 40 f7 ff 49 8b 84 24 f8 00 00 00 48 c7 
RIP  [<ffffffffa0296742>] snd_pcm_substream_proc_status_read+0x164/0x1ad [snd_pcm]
 RSP <ffff8801178c1b58>
---[ end trace 96389f116dd90473 ]---

Version-Release number of selected component (if applicable):

How reproducible:
Don't know.....

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Chuck Ebbert 2010-08-30 10:41:39 UTC
Faulting insn:
48 8b 50 08          	mov    0x8(%rax),%rdx

RAX: 6b6b6b6b6b6b6b6b

Comment 2 Chuck Ebbert 2010-08-30 12:38:34 UTC

453 snd_iprintf(buffer, "hw_ptr : %ld\n", runtime->status->hw_ptr);

runtime = 0x6b6b6b6b6b6b6b6b

The code checks for NULL before using it, but this is a poison value.

Comment 4 Chuck Ebbert 2010-09-02 09:52:51 UTC
A possible fix from the ALSA maintainers went in 2.6.36-0.15.rc3.git0

Comment 5 Tom London 2010-09-03 17:18:06 UTC
OK.  I've installed kernel-2.6.36-0.16.rc3.git0.fc15.x86_64 and rebooted...

I'll try to 'pound' it a bit, but I'm not actually sure what I did to trigger the GPF.

Comment 6 Chuck Ebbert 2010-09-20 02:55:00 UTC
Patch is merged upstream; I'm going to close this. Re-open if you hit it again.

Note You need to log in before you can comment on or make changes to this bug.