From: thomas schorpp <thomas.schorpp@gmail.com>
To: linux-media@vger.kernel.org
Cc: j@jannau.net, jarod@redhat.com
Subject: [PATCH] crystalhd git.linuxtv.org kernel driver: FIX null pointer BUG in crystalhd_dioq_fetch_wait() on queue(s) overload
Date: Fri, 25 Jan 2013 22:38:34 +0100	[thread overview]
Message-ID: <5102FB5A.40000@gmail.com> (raw)
In-Reply-To: <50EF6042.7010908@gmail.com>


This patch should pass at least one test case of this bug.

Signed-off-by: Thomas Schorpp <thomas.schorpp@gmail.com>

y
tom

8043-Jan 24 18:33:14 tom3 kernel: [  457.636878] BUG: unable to handle kernel NULL pointer dereference at 000000000000002c
8044:Jan 24 18:33:14 tom3 kernel: [  457.637016] IP: [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8045-Jan 24 18:33:14 tom3 kernel: [  457.637150] PGD 631fe067 PUD 57474067 PMD 0
8046-Jan 24 18:33:14 tom3 kernel: [  457.637238] Oops: 0000 [#1] PREEMPT SMP
8047-Jan 24 18:33:14 tom3 kernel: [  457.637326] CPU 0
8048-Jan 24 18:33:14 tom3 kernel: [  457.637361] Modules linked in: uinput parport_pc ppdev lp parport bluetooth nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs acpi_cpufreq mperf cpufreq_powersave cpufreq_stats cpufreq_conservative cpufreq_performance cpufreq_ondemand freq_table fuse dm_mod ext3 jbd pciehp arc4 ath5k ath snd_hda_codec_analog mac80211 cfg80211 snd_hda_intel snd_hda_codec snd_usb_audio thinkpad_acpi snd_pcm_oss snd_mixer_oss snd_hwdep rfkill snd_pcm snd_usbmidi_lib snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device gspca_zc3xx gspca_main snd videodev pcmcia usb_storage v4l2_compat_ioctl32 psmouse yenta_socket tpm_tis pcmcia_rsrc crystalhd(O) snd_page_alloc soundcore tpm pcmcia_core tpm_bios pcspkr serio_raw i2c_i801 nvram wmi rtc_cmos battery ac evdev processor nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_limit xt_tcpudp iptable_filter ip_tables x_tables ext4 mbcache jbd2 crc16
8049-Jan 24 18:33:14 tom3 kernel: usbhid hid sg sd_mod crc_t10dif ata_generic uhci_hcd ahci libahci ata_piix atkbd libata thermal xhci_hcd ehci_hcd usbcore e1000e usb_common [last unloaded: scsi_wait_scan]
8050-Jan 24 18:33:14 tom3 kernel: [  457.637841]
8051-Jan 24 18:33:14 tom3 kernel: [  457.637841] Pid: 6318, comm: ffmpeg Tainted: G           O 3.2.36-dirty #7 LENOVO 7735Y1T/7735Y1T
8052:Jan 24 18:33:14 tom3 kernel: [  457.637841] RIP: 0010:[<ffffffffa043a14c>]  [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8053-Jan 24 18:33:14 tom3 kernel: [  457.637841] RSP: 0018:ffff88006300dd48  EFLAGS: 00010246
8054-Jan 24 18:33:14 tom3 kernel: [  457.637841] RAX: 0000000000000000 RBX: ffff88007b1cde50 RCX: 0000000000000000
8055-Jan 24 18:33:14 tom3 kernel: [  457.637841] RDX: 0000000000000046 RSI: ffffffffa04395c3 RDI: ffffffff81493e82
8056-Jan 24 18:33:14 tom3 kernel: [  457.637841] RBP: ffff88006300ddf8 R08: 0000000000000000 R09: 0000000000000000
8057-Jan 24 18:33:14 tom3 kernel: [  457.637841] R10: 0000000000000000 R11: ffff88007b1ce510 R12: ffff88007a855d80
8058-Jan 24 18:33:14 tom3 kernel: [  457.637841] R13: 0000000000000000 R14: ffff88007a855da8 R15: ffff88007b1cde50
8059-Jan 24 18:33:14 tom3 kernel: [  457.637841] FS:  00007f559fa7b760(0000) GS:ffff88007f400000(0000) knlGS:0000000000000000
8060-Jan 24 18:33:14 tom3 kernel: [  457.637841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
8061-Jan 24 18:33:14 tom3 kernel: [  457.637841] CR2: 000000000000002c CR3: 0000000057470000 CR4: 00000000000006f0
8062-Jan 24 18:33:14 tom3 kernel: [  457.637841] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
8063-Jan 24 18:33:14 tom3 kernel: [  457.637841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
8064-Jan 24 18:33:14 tom3 kernel: [  457.637841] Process ffmpeg (pid: 6318, threadinfo ffff88006300c000, task ffff88007b1cde50)
8065-Jan 24 18:33:14 tom3 kernel: [  457.637841] Stack:
8066-Jan 24 18:33:14 tom3 kernel: [  457.637841]  0000000000000327 ffff88007b1ce510 ffff88006b199400 ffff88007c1b1090
8067-Jan 24 18:33:14 tom3 kernel: [  457.637841]  ffff88006300de14 ffff8800594145b0 ffff880059414400 ffff88007b1cde50
8068-Jan 24 18:33:14 tom3 kernel: [  457.637841]  ffff88007a855de0 0000000100026d5c 0000000000000000 ffff88007b1cde50
8069-Jan 24 18:33:14 tom3 kernel: [  457.637841] Call Trace:
8070-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff810497e0>] ? try_to_wake_up+0x260/0x260
8071-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043b7b0>] ? bc_cproc_start_capture+0x100/0x100 [crystalhd]
8072-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043d566>] crystalhd_hw_get_cap_buffer+0x56/0x1a0 [crystalhd]
8073-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043b83d>] bc_cproc_fetch_frame+0x8d/0x1b0 [crystalhd]
8074-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa0438db1>] chd_dec_api_cmd+0x81/0x100 [crystalhd]
8075-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa0438ec0>] chd_dec_ioctl+0x90/0x170 [crystalhd]
8076-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff811704bc>] do_vfs_ioctl+0x9c/0x330
8077-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8115ebb0>] ? fget_light+0x40/0x140
8078-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8108d9bd>] ? trace_hardirqs_on_caller+0x11d/0x1b0
8079-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8117079f>] sys_ioctl+0x4f/0x80
8080-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8149b6eb>] system_call_fastpath+0x16/0x1b
8081-Jan 24 18:33:14 tom3 kernel: [  457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00
8082:Jan 24 18:33:14 tom3 kernel: [  457.637841] RIP  [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8083-Jan 24 18:33:14 tom3 kernel: [  457.637841]  RSP <ffff88006300dd48>
8084-Jan 24 18:33:14 tom3 kernel: [  457.637841] CR2: 000000000000002c
8085-Jan 24 18:33:14 tom3 kernel: [  457.663980] ---[ end trace 784283982dcd2475 ]---

8081-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00

$ linux-stable/scripts/decodecode < oops.txt
All code
========
    0:	89 f7                	mov    %esi,%edi
    2:	e8 18 9d 05 e1       	callq  0xffffffffe1059d1f
    7:	45 85 ed             	test   %r13d,%r13d
    a:	75 81                	jne    0xffffffffffffff8d
    c:	48 8b bd 78 ff ff ff 	mov    -0x88(%rbp),%rdi
   13:	e8 77 17 c4 e0       	callq  0xffffffffe0c4178f
   18:	85 c0                	test   %eax,%eax
   1a:	0f 85 c7 00 00 00    	jne    0xe7
   20:	4c 89 e7             	mov    %r12,%rdi
   23:	e8 57 f3 ff ff       	callq  0xfffffffffffff37f
   28:	49 89 c0             	mov    %rax,%r8
   2b:*	f6 40 2c 03          	testb  $0x3,0x2c(%rax)     <-- trapping instruction
   2f:	0f 85 3d 01 00 00    	jne    0x172
   35:	48 8b 4d 80          	mov    -0x80(%rbp),%rcx
   39:	48 8b 81 d0 00 00 00 	mov    0xd0(%rcx),%rax

Code starting with the faulting instruction
===========================================
    0:	f6 40 2c 03          	testb  $0x3,0x2c(%rax)
    4:	0f 85 3d 01 00 00    	jne    0x147
    a:	48 8b 4d 80          	mov    -0x80(%rbp),%rcx
    e:	48 8b 81 d0 00 00 00 	mov    0xd0(%rcx),%rax

$ gdb /mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd.ko
(gdb) l *(crystalhd_dioq_fetch_wait + 604)
0x216c is in crystalhd_dioq_fetch_wait (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:516).
511				/* Lock against checks from get status calls */
512				if(down_interruptible(&hw->fetch_sem))
513					goto sem_error;
514				r_pkt = crystalhd_dioq_fetch(ioq);
515				/* If format change packet, then return with out checking anything */
516				if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE)) <--- x86 testb instruction XXXXXX
517					goto sem_rel_return;
518				if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
519					picYcomp = link_GetRptDropParam(hw, hw->PICHeight, hw->PICWidth, (void *)r_pkt);
520				}
(gdb) l *(crystalhd_dioq_fetch_wait + 0x410)
0x2320 is in bc_kern_dma_free (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:262).
257	 * Return:
258	 *     none.
259	 */
260	void bc_kern_dma_free(struct crystalhd_adp *adp, uint32_t sz, void *ka,
261			      dma_addr_t phy_addr)
262	{
263		if (!adp || !ka || !sz || !phy_addr) {
264			printk(KERN_ERR "%s: Invalid arg\n", __func__);
265			return;
266		}
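The decoded trap above is `testb $0x3,0x2c(%rax)` with RAX = 0: the driver read `r_pkt->flags` through a NULL `r_pkt` returned by `crystalhd_dioq_fetch()`, which is what the gdb listing at crystalhd_misc.c:516 confirms. The following added example is not the crystalhd driver's code and not part of this mail; it is plain user-space C that models the same fetch-after-wait pattern with a hypothetical single-threaded FIFO (`struct dioq`, `dioq_fetch`) and constructed flag values (0x01 and 0x02, chosen so they OR to the 0x3 mask seen in the decoded instruction). It shows why a consumer that has been woken must still treat an empty queue as a normal outcome: when one completion wakes two waiters, the second one fetches NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in values for the driver's completion flags; the real
 * bit assignments live in the crystalhd headers and are not reproduced here. */
#define COMP_FLAG_PIB_VALID   0x01u
#define COMP_FLAG_FMT_CHANGE  0x02u

/* Minimal packet: the only field the faulting line touched was flags. */
struct pkt {
    uint32_t flags;
    struct pkt *next;
};

/* Hypothetical single-threaded FIFO standing in for the driver's dioq. */
struct dioq {
    struct pkt *head;
    struct pkt *tail;
    unsigned int count;
};

static void dioq_add(struct dioq *q, struct pkt *p)
{
    p->next = NULL;
    if (q->tail)
        q->tail->next = p;
    else
        q->head = p;
    q->tail = p;
    q->count++;
}

/* Returns the oldest packet, or NULL when the queue is empty. NULL is a
 * legitimate result of a fetch, not an error the caller may ignore. */
static struct pkt *dioq_fetch(struct dioq *q)
{
    struct pkt *p = q->head;

    if (!p)
        return NULL;
    q->head = p->next;
    if (!q->head)
        q->tail = NULL;
    q->count--;
    p->next = NULL;
    return p;
}

enum fetch_status {
    FETCH_OK = 0,      /* *out holds a packet                    */
    FETCH_EMPTY = -1   /* woken, but the queue was already empty */
};

/* Models the fixed fetch_wait path: the NULL check sits between the fetch
 * and the first use of r_pkt->flags (the load at offset 0x2c in the oops). */
static enum fetch_status fetch_wait_checked(struct dioq *q, struct pkt **out)
{
    struct pkt *r_pkt = dioq_fetch(q);

    *out = r_pkt;
    if (!r_pkt)
        return FETCH_EMPTY;      /* the unpatched driver read r_pkt->flags here */
    if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE))
        return FETCH_OK;         /* format-change/PIB packets skip further checks */
    /* drop/repeat bookkeeping for ordinary packets would follow here */
    return FETCH_OK;
}

/* Overload scenario: one completion arrives while two consumers are waiting
 * on the same semaphore/event, and both get to run. Only the first finds a
 * packet; the second must get FETCH_EMPTY, not a NULL dereference. */
static int simulate_two_consumers_one_packet(void)
{
    struct dioq q = { NULL, NULL, 0 };
    struct pkt p = { COMP_FLAG_PIB_VALID, NULL };
    struct pkt *a = NULL, *b = NULL;
    enum fetch_status s1, s2;

    dioq_add(&q, &p);
    s1 = fetch_wait_checked(&q, &a);   /* first woken consumer */
    s2 = fetch_wait_checked(&q, &b);   /* second woken consumer */

    return s1 == FETCH_OK && a == &p && s2 == FETCH_EMPTY && b == NULL
           && q.count == 0;
}

/* Sanity check: fetching from a never-filled queue also yields NULL. */
static int fetch_on_empty_queue_is_null(void)
{
    struct dioq q = { NULL, NULL, 0 };

    return dioq_fetch(&q) == NULL;
}

int main(void)
{
    printf("two consumers, one packet: %s\n",
           simulate_two_consumers_one_packet() ? "handled" : "BROKEN");
    printf("fetch on empty queue:      %s\n",
           fetch_on_empty_queue_is_null() ? "NULL" : "BROKEN");
    return 0;
}
```

The point of the model is the contract between `dioq_fetch()` and its caller: the queue function is allowed to return NULL, so the waiter has to treat "woken but empty" as a normal status (here `FETCH_EMPTY`) and propagate it, exactly as the patch's early `goto sem_rel_return` does, rather than assume the wakeup guarantees a packet.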

[-- Attachment #2: crystalhd-nullpointer-bugfix.schorpp.01.patch --]

diff --git a/driver/linux/crystalhd_misc.c b/driver/linux/crystalhd_misc.c
index 410ab9d..b3ce457 100644
--- a/driver/linux/crystalhd_misc.c
+++ b/driver/linux/crystalhd_misc.c
@@ -512,7 +512,10 @@ void *crystalhd_dioq_fetch_wait(struct crystalhd_hw *hw, uint32_t to_secs, uint3
 			if(down_interruptible(&hw->fetch_sem))
 				goto sem_error;
 			r_pkt = crystalhd_dioq_fetch(ioq);
-			/* If format change packet, then return with out checking anything */
+			/* If no packet then up and return zero otherwise will *0 BUG the kernel on heavy dioq load */
+			if (!r_pkt) 
+				goto sem_rel_return;
+			/* If format change packet then return without checking anything */
 			if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE))
 				goto sem_rel_return;
 			if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
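Review bot: the early exit `+			if (!r_pkt) ` / `+				goto sem_rel_return;` jumps to a label outside this hunk while `r_pkt` is NULL, so please confirm that `sem_rel_return` only does the `up(&hw->fetch_sem)` and returns `r_pkt` without touching it, and that the callers in the trace above (`crystalhd_hw_get_cap_buffer()` via `bc_cproc_fetch_frame()`) already treat a NULL return as "no frame" instead of dereferencing it themselves; otherwise the oops just moves one frame up. The new comment "will *0 BUG the kernel on heavy dioq load" describes the symptom; a sentence on why `crystalhd_dioq_fetch()` can come back empty after a successful wait (presumably another fetcher draining the queue first) would help the next reader more. Also `+			if (!r_pkt) ` carries trailing whitespace, which checkpatch flags; the reworded "with out" -> "without" comment is fine to keep in the same change.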


Thread overview: 11+ messages
2013-01-02  7:48 [BUG] crystalhd git.linuxtv.org kernel driver: unable to handle kernel paging requests, improper (spin)locking(?) and paging thomas schorpp
2013-01-03 15:17 ` Oliver Schinagl
2013-01-05 12:21   ` [BUG] crystalhd git.linuxtv.org kernel driver: unable to handle kernel paging requests, improper (spin)locking(?) and paging, null pointer oopses on SMP, libcrstalhd3-git i686 not interfacing to amd64 SMP 3.x kernel thomas schorpp
2013-01-05 12:44   ` thomas schorpp
2013-01-07 23:33     ` [BUG] crystalhd git.linuxtv.org kernel driver: No more Oops or kernel crashes with Linux 3.2 thomas schorpp
2013-01-11  0:43       ` [BUG] crystalhd git.linuxtv.org kernel driver: Crashing again Linux, 3.2, using mozilla flashplugin from adobe thomas schorpp
2013-01-25 21:38         ` thomas schorpp [this message]
2013-02-01  1:52         ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX MORE null pointer BUGs triggered by multithreaded or faulty apps thomas schorpp
2013-02-01 20:23         ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX kernel unhandled paging request BUG " thomas schorpp
2013-02-04 15:21         ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX kernel freeze or OOPS in ISRs thomas schorpp
2013-02-08 13:59         ` [PATCH] crystalhd git.linuxtv.org kernel driver: Fix PM suspend broken by emergency patches thomas schorpp
