From: thomas schorpp <thomas.schorpp@gmail.com>
To: linux-media@vger.kernel.org
Cc: j@jannau.net, jarod@redhat.com
Subject: [PATCH] crystalhd git.linuxtv.org kernel driver: FIX null pointer BUG in crystalhd_dioq_fetch_wait() on queue(s) overload
Date: Fri, 25 Jan 2013 22:38:34 +0100 [thread overview]
Message-ID: <5102FB5A.40000@gmail.com> (raw)
In-Reply-To: <50EF6042.7010908@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 8318 bytes --]
This patch should pass at least one test case of this bug.
Signed-off-by: Thomas Schorpp <thomas.schorpp@gmail.com>
y
tom
8043-Jan 24 18:33:14 tom3 kernel: [ 457.636878] BUG: unable to handle kernel NULL pointer dereference at 000000000000002c
8044:Jan 24 18:33:14 tom3 kernel: [ 457.637016] IP: [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8045-Jan 24 18:33:14 tom3 kernel: [ 457.637150] PGD 631fe067 PUD 57474067 PMD 0
8046-Jan 24 18:33:14 tom3 kernel: [ 457.637238] Oops: 0000 [#1] PREEMPT SMP
8047-Jan 24 18:33:14 tom3 kernel: [ 457.637326] CPU 0
8048-Jan 24 18:33:14 tom3 kernel: [ 457.637361] Modules linked in: uinput parport_pc ppdev lp parport bluetooth nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs acpi_cpufreq mperf cpufreq_powersave cpufreq_stats cpufreq_conservative cpufreq_performance cpufreq_ondemand freq_table fuse dm_mod ext3 jbd pciehp arc4 ath5k ath snd_hda_codec_analog mac80211 cfg80211 snd_hda_intel snd_hda_codec snd_usb_audio thinkpad_acpi snd_pcm_oss snd_mixer_oss snd_hwdep rfkill snd_pcm snd_usbmidi_lib snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device gspca_zc3xx gspca_main snd videodev pcmcia usb_storage v4l2_compat_ioctl32 psmouse yenta_socket tpm_tis pcmcia_rsrc crystalhd(O) snd_page_alloc soundcore tpm pcmcia_core tpm_bios pcspkr serio_raw i2c_i801 nvram wmi rtc_cmos battery ac evdev processor nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_limit xt_tcpudp iptable_filter ip_tables x_tables ext4 mbcache jbd2 crc16
8049-Jan 24 18:33:14 tom3 kernel: usbhid hid sg sd_mod crc_t10dif ata_generic uhci_hcd ahci libahci ata_piix atkbd libata thermal xhci_hcd ehci_hcd usbcore e1000e usb_common [last unloaded: scsi_wait_scan]
8050-Jan 24 18:33:14 tom3 kernel: [ 457.637841]
8051-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Pid: 6318, comm: ffmpeg Tainted: G O 3.2.36-dirty #7 LENOVO 7735Y1T/7735Y1T
8052:Jan 24 18:33:14 tom3 kernel: [ 457.637841] RIP: 0010:[<ffffffffa043a14c>] [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8053-Jan 24 18:33:14 tom3 kernel: [ 457.637841] RSP: 0018:ffff88006300dd48 EFLAGS: 00010246
8054-Jan 24 18:33:14 tom3 kernel: [ 457.637841] RAX: 0000000000000000 RBX: ffff88007b1cde50 RCX: 0000000000000000
8055-Jan 24 18:33:14 tom3 kernel: [ 457.637841] RDX: 0000000000000046 RSI: ffffffffa04395c3 RDI: ffffffff81493e82
8056-Jan 24 18:33:14 tom3 kernel: [ 457.637841] RBP: ffff88006300ddf8 R08: 0000000000000000 R09: 0000000000000000
8057-Jan 24 18:33:14 tom3 kernel: [ 457.637841] R10: 0000000000000000 R11: ffff88007b1ce510 R12: ffff88007a855d80
8058-Jan 24 18:33:14 tom3 kernel: [ 457.637841] R13: 0000000000000000 R14: ffff88007a855da8 R15: ffff88007b1cde50
8059-Jan 24 18:33:14 tom3 kernel: [ 457.637841] FS: 00007f559fa7b760(0000) GS:ffff88007f400000(0000) knlGS:0000000000000000
8060-Jan 24 18:33:14 tom3 kernel: [ 457.637841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
8061-Jan 24 18:33:14 tom3 kernel: [ 457.637841] CR2: 000000000000002c CR3: 0000000057470000 CR4: 00000000000006f0
8062-Jan 24 18:33:14 tom3 kernel: [ 457.637841] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
8063-Jan 24 18:33:14 tom3 kernel: [ 457.637841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
8064-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Process ffmpeg (pid: 6318, threadinfo ffff88006300c000, task ffff88007b1cde50)
8065-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Stack:
8066-Jan 24 18:33:14 tom3 kernel: [ 457.637841] 0000000000000327 ffff88007b1ce510 ffff88006b199400 ffff88007c1b1090
8067-Jan 24 18:33:14 tom3 kernel: [ 457.637841] ffff88006300de14 ffff8800594145b0 ffff880059414400 ffff88007b1cde50
8068-Jan 24 18:33:14 tom3 kernel: [ 457.637841] ffff88007a855de0 0000000100026d5c 0000000000000000 ffff88007b1cde50
8069-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Call Trace:
8070-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff810497e0>] ? try_to_wake_up+0x260/0x260
8071-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffffa043b7b0>] ? bc_cproc_start_capture+0x100/0x100 [crystalhd]
8072-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffffa043d566>] crystalhd_hw_get_cap_buffer+0x56/0x1a0 [crystalhd]
8073-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffffa043b83d>] bc_cproc_fetch_frame+0x8d/0x1b0 [crystalhd]
8074-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffffa0438db1>] chd_dec_api_cmd+0x81/0x100 [crystalhd]
8075-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffffa0438ec0>] chd_dec_ioctl+0x90/0x170 [crystalhd]
8076-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff811704bc>] do_vfs_ioctl+0x9c/0x330
8077-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff8115ebb0>] ? fget_light+0x40/0x140
8078-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff8108d9bd>] ? trace_hardirqs_on_caller+0x11d/0x1b0
8079-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff8117079f>] sys_ioctl+0x4f/0x80
8080-Jan 24 18:33:14 tom3 kernel: [ 457.637841] [<ffffffff8149b6eb>] system_call_fastpath+0x16/0x1b
8081-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00
8082:Jan 24 18:33:14 tom3 kernel: [ 457.637841] RIP [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8083-Jan 24 18:33:14 tom3 kernel: [ 457.637841] RSP <ffff88006300dd48>
8084-Jan 24 18:33:14 tom3 kernel: [ 457.637841] CR2: 000000000000002c
8085-Jan 24 18:33:14 tom3 kernel: [ 457.663980] ---[ end trace 784283982dcd2475 ]---
8081-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00
$ linux-stable/scripts/decodecode < oops.txt
All code
========
0: 89 f7 mov %esi,%edi
2: e8 18 9d 05 e1 callq 0xffffffffe1059d1f
7: 45 85 ed test %r13d,%r13d
a: 75 81 jne 0xffffffffffffff8d
c: 48 8b bd 78 ff ff ff mov -0x88(%rbp),%rdi
13: e8 77 17 c4 e0 callq 0xffffffffe0c4178f
18: 85 c0 test %eax,%eax
1a: 0f 85 c7 00 00 00 jne 0xe7
20: 4c 89 e7 mov %r12,%rdi
23: e8 57 f3 ff ff callq 0xfffffffffffff37f
28: 49 89 c0 mov %rax,%r8
2b:* f6 40 2c 03 testb $0x3,0x2c(%rax) <-- trapping instruction
2f: 0f 85 3d 01 00 00 jne 0x172
35: 48 8b 4d 80 mov -0x80(%rbp),%rcx
39: 48 8b 81 d0 00 00 00 mov 0xd0(%rcx),%rax
Code starting with the faulting instruction
===========================================
0: f6 40 2c 03 testb $0x3,0x2c(%rax)
4: 0f 85 3d 01 00 00 jne 0x147
a: 48 8b 4d 80 mov -0x80(%rbp),%rcx
e: 48 8b 81 d0 00 00 00 mov 0xd0(%rcx),%rax
$ gdb /mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd.ko
(gdb) l *(crystalhd_dioq_fetch_wait + 604)
0x216c is in crystalhd_dioq_fetch_wait (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:516).
511 /* Lock against checks from get status calls */
512 if(down_interruptible(&hw->fetch_sem))
513 goto sem_error;
514 r_pkt = crystalhd_dioq_fetch(ioq);
515 /* If format change packet, then return with out checking anything */
516 if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE)) <--- x86 testb instruction XXXXXX
517 goto sem_rel_return;
518 if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
519 picYcomp = link_GetRptDropParam(hw, hw->PICHeight, hw->PICWidth, (void *)r_pkt);
520 }
(gdb) l *(crystalhd_dioq_fetch_wait + 0x410)
0x2320 is in bc_kern_dma_free (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:262).
257 * Return:
258 * none.
259 */
260 void bc_kern_dma_free(struct crystalhd_adp *adp, uint32_t sz, void *ka,
261 dma_addr_t phy_addr)
262 {
263 if (!adp || !ka || !sz || !phy_addr) {
264 printk(KERN_ERR "%s: Invalid arg\n", __func__);
265 return;
266 }
[-- Attachment #2: crystalhd-nullpointer-bugfix.schorpp.01.patch --]
[-- Type: text/x-diff, Size: 819 bytes --]
diff --git a/driver/linux/crystalhd_misc.c b/driver/linux/crystalhd_misc.c
index 410ab9d..b3ce457 100644
--- a/driver/linux/crystalhd_misc.c
+++ b/driver/linux/crystalhd_misc.c
@@ -512,7 +512,10 @@ void *crystalhd_dioq_fetch_wait(struct crystalhd_hw *hw, uint32_t to_secs, uint3
if(down_interruptible(&hw->fetch_sem))
goto sem_error;
r_pkt = crystalhd_dioq_fetch(ioq);
- /* If format change packet, then return with out checking anything */
+ /* If no packet then up and return zero otherwise will *0 BUG the kernel on heavy dioq load */
+ if (!r_pkt)
+ goto sem_rel_return;
+ /* If format change packet then return without checking anything */
if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE))
goto sem_rel_return;
if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
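Review bot: the new `if (!r_pkt) goto sem_rel_return;` guard stops the dereference of `r_pkt->flags` (the `testb $0x3,0x2c(%rax)` trap with RAX = 0 in the oops above), but the hunk does not show what `sem_rel_return` returns, and the added comment promises "up and return zero"; confirm that label path both releases `hw->fetch_sem` taken by `down_interruptible()` just above and returns `r_pkt` (i.e. NULL) so that `crystalhd_hw_get_cap_buffer()` in the call trace sees a NULL and not a stale value. Worth stating in the commit message that a NULL from `crystalhd_dioq_fetch()` directly after the wait means the wake-up condition and the fetch are not atomic with respect to each other, so this check contains the symptom (kernel oops from a userspace ioctl under queue load) rather than closing the underlying race; a follow-up should look at the queue locking. Minor: the added comment reads awkwardly; something like `/* No packet: release the semaphore and return NULL, dereferencing r_pkt here oopses under heavy dioq load */` is clearer.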
2013-01-02 7:48 [BUG] crystalhd git.linuxtv.org kernel driver: unable to handle kernel paging requests, improper (spin)locking(?) and paging thomas schorpp
2013-01-03 15:17 ` Oliver Schinagl
2013-01-05 12:21 ` [BUG] crystalhd git.linuxtv.org kernel driver: unable to handle kernel paging requests, improper (spin)locking(?) and paging, null pointer oopses on SMP, libcrstalhd3-git i686 not interfacing to amd64 SMP 3.x kernel thomas schorpp
2013-01-05 12:44 ` thomas schorpp
2013-01-07 23:33 ` [BUG] crystalhd git.linuxtv.org kernel driver: No more Oops or kernel crashes with Linux 3.2 thomas schorpp
2013-01-11 0:43 ` [BUG] crystalhd git.linuxtv.org kernel driver: Crashing again Linux, 3.2, using mozilla flashplugin from adobe thomas schorpp
2013-01-25 21:38 ` thomas schorpp [this message]
2013-02-01 1:52 ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX MORE null pointer BUGs triggered by multithreaded or faulty apps thomas schorpp
2013-02-01 20:23 ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX kernel unhandled paging request BUG " thomas schorpp
2013-02-04 15:21 ` [PATCH] crystalhd git.linuxtv.org kernel driver: FIX kernel freeze or OOPS in ISRs thomas schorpp
2013-02-08 13:59 ` [PATCH] crystalhd git.linuxtv.org kernel driver: Fix PM suspend broken by emergency patches thomas schorpp