Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750919AbWCOIsu (ORCPT ); Wed, 15 Mar 2006 03:48:50 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751907AbWCOIsu (ORCPT ); Wed, 15 Mar 2006 03:48:50 -0500 Received: from cernmx07.cern.ch ([137.138.166.171]:42792 "EHLO cernmxlb.cern.ch") by vger.kernel.org with ESMTP id S1750919AbWCOIsu (ORCPT ); Wed, 15 Mar 2006 03:48:50 -0500 DomainKey-Signature: a=rsa-sha1; c=nofws; s=beta; d=cern.ch; q=dns; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding; b=VYnoJomevj1Qwcra241Op1qy9Rq3tYSZh2m+iXQlZiqgHnFy4jY2TxlZ4/ScEAh77+HlgEqbNHnWOomwNjIA1Indye1xhFrHJA3gKnQ9kzYOOGBLu7+BoG8vO3v+sQ1B; Keywords: CERN SpamKiller Note: -51 Charset: west-latin X-Filter: CERNMX07 CERN MX v2.0 051012.1312 Release Message-ID: <4417D4ED.6010808@cern.ch> Date: Wed, 15 Mar 2006 09:48:45 +0100 From: Jiri Tyr User-Agent: Mozilla Thunderbird 1.0.7 (X11/20060128) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Sami Farin <7atbggg02@sneakemail.com> CC: linux-kernel@vger.kernel.org, video4linux-list@redhat.com Subject: Re: PROBLEM: four bttv tuners in one PC crashed References: <440C5672.7000009@cern.ch> <200603061656.18846.duncan.sands@math.u-psud.fr> <440D7384.5030307@cern.ch> <200603071332.19614.baldrick@free.fr> In-Reply-To: <200603071332.19614.baldrick@free.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 15 Mar 2006 08:48:43.0525 (UTC) FILETIME=[43C2C350:01C6480D] Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3270 Lines: 80 Hi, I think, it's problem in XAWTV, because I've got the same error if I had only one TV tuner in my PC. I've solved the problem that I reduced number of items in channel list. If I have in the list only 10 channels, then any of the four XAWTV didn't crashed. It's very strange. It looks like the pop-up menu with the channel list write to the memory of the graphics card somewhere out of the memory. What do you think about it? Jiri Sami Farin wrote: >On Sat, Mar 11, 2006 at 11:08:25AM +0100, Bodo Eggert wrote: >> Duncan Sands wrote: >> >> >> The bttv driver/chip seems to cause random memory corruption sometimes, >> >> processes will just start dying... >> > >> > There is a known buffer overflow in the bttv driver (when using >> > grabdisplay). The fix is waiting on an audit of the rest of the >> > bttv (and similar) code, since it looks like the same mistake >> > occurs in several places. >> >> Can you give me a hint on where exactly to shoot at? I'n still hoping it's >> not my VIA board giving me trouble (corrupting the first four bytes of a >> semi-random page). > >check out this email to LKML > >it might not be the Final Fix, but xawtv hasn't crashed on me yet > >From: Duncan Sands >Subject: [PATCH] bttv: correct bttv_risc_packed buffer size >Date: Wed, 25 Jan 2006 11:24:27 +0100 >Cc: Linux Kernel list >MIME-Version: 1.0 >Content-Type: Multipart/Mixed; > boundary="Boundary-00=_cH11D22lqYSaiQl" >Message-Id: <200601251124.28392.duncan.sands@math.u-psud.fr> > > >This patch fixes the strange crashes I was seeing after using >my bttv card to watch television. They were caused by a >buffer overflow in bttv_risc_packed. > >The instruction buffer size calculation contains two errors: >(a) a non-zero padding value can push the start of the next bpl >section to just before a page border, leading to more scanline >splits and thus additional instructions. >(b) the first DMA region can be smaller than one page, so there can >be a scanline split even if bpl*lines is smaller than PAGE_SIZE. > >For example, consider the case where offset is 0, bpl is 2, padding >is 4094, lines is smaller than 2048, the first DMA region has size 1 >and all others have size PAGE_SIZE, assumed to equal 4096. Then >all bpl regions cross page borders and the number of instructions >written is 2*lines+2, rather than lines+2 (the current estimate). >With this patch the number of instructions for this example is >estimated to be 2*lines+3. > >Also, the BUG_ON that was supposed to catch buffer overflows contained >a thinko causing it fire only if the buffer was overrun by a factor of >16 or more. > >I didn't check whether similar mistakes exist elsewhere in the bttv >code. > >Signed-off-by: Duncan Sands > >PS: I'm sending the patch as an attachment because for some reason my >mailer crashes if I try to insert it into the email. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/