From: Bongani Hlope
To: Robert Fitzsimons
Subject: Re: 2.6.25-rc[12] Video4Linux Bttv Regression
Date: Mon, 17 Mar 2008 23:51:56 +0200
Cc: Mauro Carvalho Chehab, video4linux-list@redhat.com, linux-kernel@vger.kernel.org
References: <200802171036.19619.bonganilinux@mweb.co.za> <20080226154102.GD30463@localhost> <20080227014238.GA2685@localhost>
In-Reply-To: <20080227014238.GA2685@localhost>
Message-Id: <200803172351.56717.bonganilinux@mweb.co.za>

On Wednesday 27 February 2008 03:42:38 Robert Fitzsimons wrote:
> > I think I might have seen this problem but it didn't cause an oops for
> > me,
>
> Ok, I found the cause of the oops. Some of radio tuner code was
> expecting a struct bttv_fh to be allocated but this wasn't done in
> radio_open. So it would dereference an invalid data structure, causing
> a hang for me and an oops for Bongani. I also had to add support for
> the radio tuner to some shared functions. Patches to follow.
>
> Robert

More info... The Oops seems to be caused by a size mismatch that causes memset to write over other variables in the stack...

The following debug hack moved the oops to another point in the v4l1-compat code.. So memset(&tun2,0,sizeof(tun2)) seems to be overwriting btv->lock->wait_list:

--- drivers/media/video/v4l1-compat.c~ 2007-11-13 10:25:52.000000000 +0200 +++ drivers/media/video/v4l1-compat.c 2008-03-17 23:17:38.000000000 +0200
@@ -688,7 +688,7 @@ { struct video_tuner *tun = arg; - memset(&tun2,0,sizeof(tun2)); + memset(&tun2,-1,sizeof(tun2)); err = drv(inode, file, VIDIOC_G_TUNER, &tun2); if (err < 0) { dprintk("VIDIOCGTUNER / VIDIOC_G_TUNER: %d\n",err);

The new oops, where there's another memset(&tun2,0,sizeof(tun2)):

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: [] __mutex_lock_slowpath+0x3b/0xb2
PGD 699d9067 PUD 65837067 PMD 0
Oops: 0002 [1] PREEMPT SMP
CPU 1
Modules linked in: snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq binfmt_misc loop nls_cp437 vfat fat nls_iso8859_1 ntfs thermal processor fan container button pcspkr snd_pcm_oss snd_mixer_oss snd_emu10k1 tuner tea5767 tda8290 tuner_xc2028 tda9887 tuner_simple snd_rawmidi mt20xx snd_ac97_codec tea5761 bttv ac97_bus snd_pcm ir_common firewire_ohci snd_seq_device compat_ioctl32 firewire_core snd_timer uhci_hcd videodev ehci_hcd snd_page_alloc v4l1_compat crc_itu_t snd_util_mem usbcore v4l2_common snd_hwdep videobuf_dma_sg ohci1394 ide_cd_mod snd videobuf_core emu10k1_gp ieee1394 sr_mod btcx_risc evdev gameport i2c_viapro tveeprom cdrom sg tg3 soundcore
Pid: 4230, comm: radio Not tainted 2.6.25-rc5-dirty #46
RIP: 0010:[] [] __mutex_lock_slowpath+0x3b/0xb2
RSP: 0018:ffff8100658455e8 EFLAGS: 00010246
RAX: ffff81007fbeff10 RBX: ffff81007fbeff08 RCX: 0000000000000000
RDX: ffff8100658455e8 RSI: ffffffff8816711c RDI: ffff81007fbeff0c
RBP: ffff810065845628 R08: ffffffff880e98df R09: 0000000000000002
R10: ffff810065845f38 R11: 0000000000000246 R12: ffff81007fbeff0c
R13: 0000000000000000 R14: ffff8100699d0d10 R15: ffffffff88167110
FS: 00007f0c740e46f0(0000) GS:ffff81007fb6adc0(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000065835000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process radio (pid: 4230, threadinfo ffff810065844000, task ffff8100699d0d10)
Stack: ffff81007fbeff10 ffff810065845774 0000000265845688 ffff810065845768
 ffff81007fbef800 ffff810065845c68 0000000000000000 ffff81007fbeff08
 ffff810065845638 ffffffff8045a16f ffff810065845668 ffffffff8814692f
Call Trace:
 [] mutex_lock+0xe/0x10
 [] :bttv:bttv_s_frequency+0x46/0x9f
 [] :videodev:__video_do_ioctl+0x2ca4/0x2e16
 [] ? hrtick_set+0xdf/0xe8
 [] ? default_idle+0x0/0x5f
 [] ? thread_return+0x6c/0xbf
 [] :v4l1_compat:v4l_compat_translate_ioctl+0x1116/0x1b01
 [] ? generic_unplug_device+0x2c/0x30
 [] ? :videodev:__video_do_ioctl+0x0/0x2e16
 [] ? mark_page_accessed+0x20/0x36
 [] ? __find_get_block+0x153/0x165
 [] ? __getblk+0x20/0x22b
 [] ? blk_recount_segments+0x3e/0x68
 [] ? mempool_alloc+0x48/0xf9
 [] ? cache_alloc_refill+0x1cc/0x233
 [] ? blk_rq_map_sg+0x12b/0x24b
 [] ? lock_timer_base+0x26/0x4a
 [] ? dma_timer_expiry+0x0/0x6d
 [] ? __mod_timer+0xc4/0xd6
 [] ? __delay+0x27/0x59
 [] ? __delay+0x27/0x59
 [] ? __delay+0x27/0x59
 [] ? __delay+0x27/0x59
 [] ? __delay+0x27/0x59
 [] ? __udelay+0x40/0x42
 [] ? i2c_stop+0x47/0x4b
 [] ? bit_xfer+0x412/0x423
 [] ? i2c_transfer+0x79/0x85
 [] ? :tuner_simple:simple_set_params+0x2b9/0xc18
 [] ? enqueue_task_fair+0x179/0x186
 [] ? task_rq_lock+0x3d/0x73
 [] ? try_to_wake_up+0x1ae/0x1bf
 [] ? smp_send_reschedule+0x1d/0x1f
 [] ? default_wake_function+0xd/0xf
 [] ? __wake_up_common+0x46/0x75
 [] :videodev:__video_do_ioctl+0x139/0x2e16
 [] ? n_tty_receive_buf+0xf18/0xf77
 [] ? filemap_fault+0x1fe/0x371
 [] :videodev:video_ioctl2+0x1b8/0x259
 [] ? remove_wait_queue+0x3c/0x41
 [] ? __wake_up+0x43/0x4f
 [] vfs_ioctl+0x5e/0x77
 [] do_vfs_ioctl+0x24d/0x262
 [] sys_ioctl+0x42/0x67
 [] ? sys_write+0x47/0x70
 [] system_call_after_swapgs+0x7b/0x80

Code: 89 fb 4c 89 e7 48 83 ec 20 65 4c 8b 34 25 00 00 00 00 e8 e5 0f 00 00 48 8d 43 08 48 8d 55 c0 48 8b 48 08 48 89 45 c0 48 89 50 08 <48> 89 11 48 83 ca ff 48 89 4d c8 4c 89 75 d0 48 89 d0 87 03 ff
RIP [] __mutex_lock_slowpath+0x3b/0xb2
 RSP
CR2: 0000000000000000
---[ end trace 821f8e64b81db17b ]---
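
Review bot: In the changed line `memset(&tun2,-1,sizeof(tun2));`, the new fill value is also the input that the following `drv(inode, file, VIDIOC_G_TUNER, &tun2)` call hands to the driver, so every byte of tun2 reaches the driver as 0xff instead of zero. A crash that moves after this change therefore does not separate "the memset wrote over a neighbouring variable" from "the driver reacted to different input". A call of the form memset(&x, v, sizeof(x)) writes exactly the bytes of x, so a cleaner probe would keep the 0 fill, log sizeof(tun2) and the address of tun2 before the call, and compare the lock fields before and after drv() returns.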
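
A user-space model of the failure described in the quoted text, where shared code expects a per-open handle that the radio open path never allocated. This is an added example, not code from the bttv driver: `struct card`, `struct handle` and every function name are hypothetical, and it assumes the old open path stored the device pointer itself as the file's private data.

```c
/* Added illustration: user-space model of the bug class. All names are
 * hypothetical; these are not the bttv driver's structures. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct card {                  /* stand-in for per-device state */
    unsigned long lock_count;
    void *wait_list_next;      /* constructed: left NULL in the demo */
    unsigned freq;
};

struct handle {                /* stand-in for the per-open handle */
    int type;
    struct card *card;
};

/* Before: the radio open path allocates no handle and (assumption) stores
 * the card pointer itself as private data. */
void *radio_open_before(struct card *c) { return c; }

/* After: the radio open path allocates the handle the shared code expects. */
void *radio_open_after(struct card *c)
{
    struct handle *h = calloc(1, sizeof(*h));
    if (h) { h->type = 2; h->card = c; }
    return h;
}

/* The card pointer shared code obtains when it treats private data as a
 * struct handle. memcpy reads the same bytes a cast-and-load would, while
 * keeping this demo well-defined C. */
struct card *card_seen_by_shared_code(const void *priv)
{
    struct card *c;
    memcpy(&c, (const char *)priv + offsetof(struct handle, card), sizeof(c));
    return c;
}

/* Shared frequency setter: reports the bad pointer instead of faulting. */
int shared_set_freq(void *priv, unsigned freq)
{
    struct card *c = card_seen_by_shared_code(priv);
    if (c == NULL)
        return -1;             /* a kernel dereference here would fault */
    c->freq = freq;
    return 0;
}
```

With the "before" open path the shared code reads an unrelated field of the card as its device pointer; with the "after" path it gets the real card back.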