[BUG] divide by zero in uvc_video_clock_update, v3.3-rc4

[BUG] divide by zero in uvc_video_clock_update, v3.3-rc4

[James Hogan]

Hi,

I just tried v3.3-rc4 on an Acer Aspire One Happy 2 netbook. I happened
to open the settings dialog box of kopete, which shows a view of the
webcam. The kernel switched to a text console with a register dump (see below),
indicating a divide error in uvc_video_clock_update.

The IP is on 7482, a divide, presumably by %r11 (see objdump output below)
which is 0 in the register dump. It appears to be the div_u64 in
uvc_video_clock_update().

I haven't tried any other recent kernel versions.

My asm is rusty and I don't really have any time to look further into it. Is
this enough to go on?

Thanks
James


objdump output:

    7468:       48 69 c0 00 ca 9a 3b    imul   $0x3b9aca00,%rax,%rax
    746f:       48 29 d0                sub    %rdx,%rax
    7472:       8d 97 00 36 65 c4       lea    -0x3b9aca00(%rdi),%edx
    7478:       48 0f af 55 a8          imul   -0x58(%rbp),%rdx
    747d:       48 01 d0                add    %rdx,%rax
    7480:       31 d2                   xor    %edx,%edx
    7482:       49 f7 f3                div    %r11
    7485:       48 ba 53 5a 9b a0 2f    movabs $0x44b82fa09b5a53,%rdx
    748c:       b8 44 00 
          - (u64)y2 * (u64)x1;
        y = div_u64(y, x2 - x1);

        div = div_u64_rem(y, NSEC_PER_SEC, &rem);
        ts.tv_sec = first->host_ts.tv_sec - 1 + div;

kernel log:

divide error: 0000 [#1] SMP 
CPU 1 
Modules linked in: sunrpc 8021q garp stp llc cpufreq_ondemand acpi_cpufreq freq_table mperf ip6t_REJECT nf_conntrack_ipv4 nf_conntrack_ipv6 nf_defrag_ipv6 nf_defrag_ipv4 xt_state nf_conntrack ip6table_filter ip6_tables rfcomm bnep arc4 brcmsmac mac80211 snd_hda_codec_realtek btusb bluetooth snd_hda_intel uvcvideo snd_hda_codec videobuf2_core videodev snd_hwdep snd_seq brcmutil cfg80211 snd_seq_device snd_pcm acer_wmi sparse_keymap snd_timer media v4l2_compat_ioctl32 videobuf2_vmalloc rfkill crc8 cordic videobuf2_memops bcma iTCO_wdt iTCO_vendor_support r8169 snd i2c_i801 microcode serio_raw joydev mii pcspkr soundcore snd_page_alloc wmi i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]

Pid: 1393, comm: kopete Not tainted 3.3.0-rc4 #104 Acer AOHAPPY2/JE06_PT 
RIP: 0010:[<ffffffffa0267482>]  [<ffffffffa0267482>] uvc_video_clock_update+0x1d2/0x3b0 [uvcvideo]
RSP: 0018:ffff880018741ac8  EFLAGS: 00010046
RAX: 0000060d5419b0a3 RBX: ffff88003aba1800 RCX: 0000000008650000
RDX: 0000000000000000 RSI: 0000000008650000 RDI: 000000003b9c96c9
RBP: ffff880018741b98 R08: 000000003b9c96c9 R09: 0000000000000098
R10: 0000000000000079 R11: 0000000000000000 R12: ffff880010fd9780
R13: ffff880010fd9760 R14: 000000000bc1c40b R15: ffff88003aba1d50
FS:  00007f2cf7e28840(0000) GS:ffff88003f280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000229cf0c CR3: 0000000018724000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kopete (pid: 1393, threadinfo ffff880018740000, task ffff880018641720)
Stack:
 ffff8800034772d0 0000000000000000 ffff880018741b28 ffff880021eaef80
 ffff880018741b18 0000000000000000 ffff880016613900 0000000002f04820
 0000000000000000 0000000000000000 ffff880018741ea4 0000000000000000
Call Trace:
 [<ffffffff81191266>] ? do_sys_poll+0x416/0x500
 [<ffffffffa0262f66>] uvc_buffer_finish+0x26/0x30 [uvcvideo]
 [<ffffffffa023073a>] vb2_dqbuf+0x23a/0x3c0 [videobuf2_core]
 [<ffffffff81290a74>] ? avc_has_perm_flags+0x74/0x90
 [<ffffffff8160e7f6>] ? mutex_lock_interruptible+0x16/0x50
 [<ffffffff815a14e4>] ? unix_stream_recvmsg+0x674/0x780
 [<ffffffffa02632c8>] uvc_dequeue_buffer+0x48/0x70 [uvcvideo]
 [<ffffffffa0264df4>] uvc_v4l2_do_ioctl+0xd64/0x1290 [uvcvideo]
 [<ffffffffa02102d0>] video_usercopy+0x120/0x550 [videodev]
 [<ffffffffa0264090>] ? uvc_v4l2_open+0x130/0x130 [uvcvideo]
 [<ffffffff81290a74>] ? avc_has_perm_flags+0x74/0x90
 [<ffffffffa02637e9>] uvc_v4l2_ioctl+0x29/0x70 [uvcvideo]
 [<ffffffffa020f3db>] v4l2_ioctl+0xcb/0x160 [videodev]
 [<ffffffff8118f018>] do_vfs_ioctl+0x98/0x550
 [<ffffffff8118f561>] sys_ioctl+0x91/0xa0
 [<ffffffff81618be9>] system_call_fastpath+0x16/0x1b
Code: f2 48 89 45 a8 89 c8 41 89 cb 49 0f af d0 41 29 f3 48 69 c0 00 ca 9a 3b 48 29 d0 8d 97 00 36 65 c4 48 0f af 55 a8 48 01 d0 31 d2 <49> f7 f3 48 ba 53 5a 9b a0 2f b8 44 00 4d 8b 5c 24 08 49 89 c0 
RIP  [<ffffffffa0267482>] uvc_video_clock_update+0x1d2/0x3b0 [uvcvideo]
 RSP <ffff880018741ac8>
---[ end trace d8809c0cd76234c6 ]---
uvcvideo: Failed to resubmit video URB (-27).
uvcvideo: Failed to resubmit video URB (-27).
uvcvideo: Failed to resubmit video URB (-27).
uvcvideo: Failed to resubmit video URB (-27).
uvcvideo: Failed to resubmit video URB (-27).

[GIT PULL FOR v3.3] uvcvideo divide by 0 fix

[Laurent Pinchart]

Hi Mauro,

The following changes since commit b01543dfe67bb1d191998e90d20534dc354de059:

  Linux 3.3-rc4 (2012-02-18 15:53:33 -0800)

are available in the git repository at:
  git://linuxtv.org/pinchartl/uvcvideo.git uvcvideo-stable

The patch fixes a divide by 0 bug reported by a couple of users already. Could 
you please make sure it gets into v3.3 ?

Laurent Pinchart (1):
      uvcvideo: Avoid division by 0 in timestamp calculation

 drivers/media/video/uvc/uvc_video.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

-- 
Regards,

Laurent Pinchart

Re: [BUG] divide by zero in uvc_video_clock_update, v3.3-rc4

[Hans Petter Selasky]

On Monday 20 February 2012 00:41:51 James Hogan wrote:
> Hi,
> 
> I just tried v3.3-rc4 on an Acer Aspire One Happy 2 netbook. I happened
> to open the settings dialog box of kopete, which shows a view of the
> webcam. The kernel switched to a text console with a register dump (see
> below), indicating a divide error in uvc_video_clock_update.
> 
> The IP is on 7482, a divide, presumably by %r11 (see objdump output below)
> which is 0 in the register dump. It appears to be the div_u64 in
> uvc_video_clock_update().
> 
> I haven't tried any other recent kernel versions.
> 
> My asm is rusty and I don't really have any time to look further into it.
> Is this enough to go on?
> 
> Thanks
> James

Hi,

This is a known issue which has been fixed by:

http://git.linuxtv.org/pinchartl/uvcvideo.git/commit/5c97eb2eb9c45dad8825de7754ceb33699451978

--HPS

Re: [GIT PULL FOR v3.3] uvcvideo divide by 0 fix

[Hans Petter Selasky]

On Monday 20 February 2012 12:49:39 Laurent Pinchart wrote:
> Hi Mauro,
> 
> The following changes since commit
> b01543dfe67bb1d191998e90d20534dc354de059:
> 
>   Linux 3.3-rc4 (2012-02-18 15:53:33 -0800)
> 
> are available in the git repository at:
>   git://linuxtv.org/pinchartl/uvcvideo.git uvcvideo-stable
> 
> The patch fixes a divide by 0 bug reported by a couple of users already.
> Could you please make sure it gets into v3.3 ?
> 
> Laurent Pinchart (1):
>       uvcvideo: Avoid division by 0 in timestamp calculation
> 
>  drivers/media/video/uvc/uvc_video.c |   14 +++++++++-----
>  1 files changed, 9 insertions(+), 5 deletions(-)

Has this patch been pulled back into media_tree.git ?

--HPS

Re: [GIT PULL FOR v3.3] uvcvideo divide by 0 fix

[Laurent Pinchart]

Hi Hans,

On Sunday 11 March 2012 22:00:35 Hans Petter Selasky wrote:
> On Monday 20 February 2012 12:49:39 Laurent Pinchart wrote:
> > Hi Mauro,
> > 
> > The following changes since commit
> > 
> > b01543dfe67bb1d191998e90d20534dc354de059:
> >   Linux 3.3-rc4 (2012-02-18 15:53:33 -0800)
> > 
> > are available in the git repository at:
> >   git://linuxtv.org/pinchartl/uvcvideo.git uvcvideo-stable
> > 
> > The patch fixes a divide by 0 bug reported by a couple of users already.
> > Could you please make sure it gets into v3.3 ?
> > 
> > Laurent Pinchart (1):
> >       uvcvideo: Avoid division by 0 in timestamp calculation
> >  
> >  drivers/media/video/uvc/uvc_video.c |   14 +++++++++-----
> >  1 files changed, 9 insertions(+), 5 deletions(-)
> 
> Has this patch been pulled back into media_tree.git ?

It doesn't seem so.

Mauro, could you please pull this ASAP ? v3.3 is very close.

-- 
Regards,

Laurent Pinchart