Bug 21363

Summary: Panic in pcm/channel.c when running RealPlayer
Product: Base System
Reporter: mtaira <mtaira>
Component: kern
Assignee: cg
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.1-STABLE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description mtaira 2000-09-18 20:50:00 UTC
The kernel panics at times when looking at a movie with RealPlayer.

RealPlayer's preference "Disable 16-bit sound(use 8-bit only)" is checked.
(I don't know whether this has anything to do with the panic.)

The panic occurs in /sys/dev/sound/pcm/channel.c:buf_clear().
I think the cause is doing word writes to a byte buffer.

>  p = (u_int16_t *)(b->buf + b->fp);
>  while (length > 1) {
>    *p++ = data;
>    length -= 2;
>    i += 2;
>    if (i >= b->bufsize) {
>      p = (u_int16_t *)b->buf;
>      i = 0;
>    }
>  }

'b->buf' is a pointer to a byte buffer.


Here are the panic messages and crash dump trace:
-----
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc0870000
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc02318cc
stack pointer           = 0x10:0xc3044d2c
frame pointer           = 0x10:0xc3044d34
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 639 (rvplayer)
interrupt mask          = tty 
trap number             = 12
panic: page fault
-----
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
302                     dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
#1  0xc0147fb0 in poweroff_wait (junk=0xc029e02f, howto=-1024762976)
    at ../../kern/kern_shutdown.c:552
#2  0xc02645f9 in trap_fatal (frame=0xc3044cec, eva=3230072832)
    at ../../i386/i386/trap.c:951
#3  0xc02642d1 in trap_pfault (frame=0xc3044cec, usermode=0, eva=3230072832)
    at ../../i386/i386/trap.c:844
#4  0xc0263e8b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = -1065829568, tf_esi = -1065829476, tf_ebp = -1023128268, 
      tf_isp = -1023128296, tf_ebx = 43, tf_edx = 131071, tf_ecx = 32896, 
      tf_eax = -1064894465, tf_trapno = 12, tf_err = 2, tf_eip = -1071441716, 
      tf_cs = 8, tf_eflags = 66050, tf_esp = -1065829476, tf_ss = 533})
    at ../../i386/i386/trap.c:443
#5  0xc02318cc in buf_clear (b=0xc078bb9c, fmt=8, length=533)
    at ../../dev/sound/pcm/channel.c:884
#6  0xc0230ef3 in chn_wrfeed (c=0xc078bb00)
    at ../../dev/sound/pcm/channel.c:285
#7  0xc0230ffe in chn_wrfeed2nd (c=0xc078bb00, buf=0xc3044edc)
    at ../../dev/sound/pcm/channel.c:336
#8  0xc02311b2 in chn_write (c=0xc078bb00, buf=0xc3044edc)
    at ../../dev/sound/pcm/channel.c:476
#9  0xc0232544 in dsp_write (d=0xc0792400, chan=0, buf=0xc3044edc, 
    flag=8323089) at ../../dev/sound/pcm/dsp.c:197
#10 0xc02344d9 in sndwrite (i_dev=0xc0794a00, buf=0xc3044edc, flag=8323089)
    at ../../dev/sound/pcm/sound.c:359
#11 0xc017d0cd in spec_write (ap=0xc3044e6c)
    at ../../miscfs/specfs/spec_vnops.c:281
#12 0xc020f950 in ufsspec_write (ap=0xc3044e6c)
    at ../../ufs/ufs/ufs_vnops.c:1855
#13 0xc020fe05 in ufs_vnoperatespec (ap=0xc3044e6c)
    at ../../ufs/ufs/ufs_vnops.c:2303
#14 0xc01795d8 in vn_write (fp=0xc083ab00, uio=0xc3044edc, cred=0xc084db00, 
    flags=0, p=0xc2eb5ba0) at vnode_if.h:363
#15 0xc01553e5 in dofilewrite (p=0xc2eb5ba0, fp=0xc083ab00, fd=5, 
    buf=0x81a13ac, nbyte=533, offset=-1, flags=0) at ../../sys/file.h:159
#16 0xc01552cb in write (p=0xc2eb5ba0, uap=0xc3044f80)
    at ../../kern/sys_generic.c:310
#17 0xc02648a5 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 135926584, tf_esi = 533, tf_ebp = -1077939908, 
      tf_isp = -1023127596, tf_ebx = 5, tf_edx = 533, tf_ecx = 135926700, 
      tf_eax = 4, tf_trapno = 0, tf_err = 2, tf_eip = 674101540, tf_cs = 31, 
      tf_eflags = 518, tf_esp = -1077939912, tf_ss = 47})
    at ../../i386/i386/trap.c:1150
#18 0xc02591b5 in Xint0x80_syscall ()

Fix: I patched it temporarily as follows.

How-To-Repeat: Run RealPlayer.
(However, a panic does not always occur.)

RealPlayer's preference "Disable 16-bit sound(use 8-bit only)" is checked.
(I don't know whether this has anything to do with the panic.)
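
An added illustration, not part of the report or its attached file.diff: a user-space model of the quoted loop, showing how a 2-byte store at an odd fill position one byte before the end of a byte ring writes past the buffer, next to a byte-wise fill that stays in bounds. The struct, the sizes, the guard bytes and the starting value of `i` (assumed to be `b->fp`) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16   /* constructed ring size; the real size is not in the report */
#define GUARD   0xAA /* canary bytes placed directly after the ring */
struct ring {                 /* hypothetical stand-in for the driver's buffer */
    uint8_t buf[BUFSIZE + 2]; /* ring data followed by two guard bytes */
    int fp, bufsize;          /* fill position (odd is legal for 8-bit audio) */
};

/* Word-wise fill shaped like the quoted loop. Assumption: i starts at b->fp.
 * memcpy stands in for "*p++ = data" so the 2-byte store is defined in C. */
static void clear_words(struct ring *b, uint16_t data, int length)
{
    int i = b->fp;
    uint8_t *p = b->buf + i;
    while (length > 1) {
        memcpy(p, &data, 2);  /* at i == bufsize - 1 this spills one byte */
        p += 2; length -= 2; i += 2;
        if (i >= b->bufsize) { p = b->buf; i = 0; }
    }
}

/* Byte-wise fill: the wrap test runs after every byte, so it stays in bounds. */
static void clear_bytes(struct ring *b, uint8_t data, int length)
{
    int i = b->fp;
    while (length-- > 0) {
        b->buf[i] = data;
        if (++i >= b->bufsize) i = 0;
    }
}

/* Fill from position fp and report how many guard bytes were overwritten. */
static int guard_bytes_clobbered(int use_words, int fp, int length)
{
    struct ring r = { .fp = fp, .bufsize = BUFSIZE };
    memset(r.buf + BUFSIZE, GUARD, 2);
    if (use_words) clear_words(&r, 0x8080, length);
    else clear_bytes(&r, 0x80, length);
    return (r.buf[BUFSIZE] != GUARD) + (r.buf[BUFSIZE + 1] != GUARD);
}

int main(void)
{
    printf("word fill, fp=15: %d\n", guard_bytes_clobbered(1, 15, 4));
    printf("byte fill, fp=15: %d\n", guard_bytes_clobbered(0, 15, 4));
}
```
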
Comment 1 Johan Karlsson freebsd_committer freebsd_triage 2000-09-19 19:07:30 UTC
Responsible Changed
From-To: freebsd-bugs->cg

Over to pcm maintainer.
Comment 2 cg freebsd_committer freebsd_triage 2001-03-27 07:17:14 UTC
State Changed
From-To: open->closed

fixed