Em Thu, 21 Dec 2017 14:18:04 -0200 Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> escreveu: > The streamoff logic is causing those warnings: > > WARNING: CPU: 3 PID: 3382 at drivers/media/v4l2-core/videobuf2-core.c:1652 __vb2_queue_cancel+0x177/0x250 [videobuf2_core] > Modules linked in: bnep fuse xt_CHECKSUM iptable_mangle tun ebtable_filter ebtables ip6table_filter ip6_tables xt_physdev br_netfilter bluetooth bridge rfkill ecdh_generic stp llc nf_log_ipv4 nf_log_common xt_LOG xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c sunrpc vfat fat snd_hda_codec_hdmi rc_dib0700_nec i915 rc_pinnacle_pctv_hd em28xx_rc a8293 ts2020 m88ds3103 i2c_mux em28xx_dvb dib8000 dvb_usb_dib0700 dib0070 dib7000m dib0090 dvb_usb dvb_core uvcvideo snd_usb_audio videobuf2_v4l2 dib3000mc videobuf2_vmalloc videobuf2_memops dibx000_common videobuf2_core rc_core snd_usbmidi_lib snd_rawmidi em28xx tveeprom v4l2_common videodev media intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_intel > kvm_intel snd_hda_codec kvm snd_hwdep snd_hda_core snd_seq irqbypass crct10dif_pclmul crc32_pclmul i2c_algo_bit ghash_clmulni_intel snd_seq_device drm_kms_helper snd_pcm intel_cstate intel_uncore snd_timer tpm_tis drm mei_wdt iTCO_wdt iTCO_vendor_support tpm_tis_core snd intel_rapl_perf mei_me mei tpm i2c_i801 soundcore lpc_ich video binfmt_misc hid_logitech_hidpp hid_logitech_dj e1000e crc32c_intel ptp pps_core analog gameport joydev > CPU: 3 PID: 3382 Comm: lt-dvbv5-zap Not tainted 4.14.0+ #3 > Hardware name: /D53427RKE, BIOS RKPPT10H.86A.0048.2017.0506.1545 05/06/2017 > task: ffff94b93bbe1e40 task.stack: ffffb7a98320c000 > RIP: 0010:__vb2_queue_cancel+0x177/0x250 [videobuf2_core] > RSP: 0018:ffffb7a98320fd40 EFLAGS: 00010202 > RAX: 0000000000000001 RBX: ffff94b92ff72428 RCX: 0000000000000000 > RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff94b92ff72428 > RBP: ffffb7a98320fd68 R08: ffff94b92ff725d8 R09: ffffb7a98320fcc8 > R10: ffff94b978003d98 R11: ffff94b92ff72428 R12: ffff94b92ff72428 > R13: 0000000000000282 R14: ffff94b92059ae20 R15: dead000000000100 > FS: 0000000000000000(0000) GS:ffff94b99e380000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000555953007d70 CR3: 000000012be09004 CR4: 00000000001606e0 > Call Trace: > vb2_core_streamoff+0x28/0x90 [videobuf2_core] > dvb_vb2_stream_off+0xd1/0x150 [dvb_core] > dvb_dvr_release+0x114/0x120 [dvb_core] > __fput+0xdf/0x1e0 > ____fput+0xe/0x10 > task_work_run+0x94/0xc0 > do_exit+0x2dc/0xba0 > do_group_exit+0x47/0xb0 > SyS_exit_group+0x14/0x20 > entry_SYSCALL_64_fastpath+0x1a/0xa5 > RIP: 0033:0x7f775e931ed8 > RSP: 002b:00007fff07019d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 > RAX: ffffffffffffffda RBX: 0000000001d02690 RCX: 00007f775e931ed8 > RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 > RBP: 00007fff0701a500 R08: 00000000000000e7 R09: ffffffffffffff70 > R10: 00007f775e854dd8 R11: 0000000000000246 R12: 0000000000000000 > R13: 00000000035fa000 R14: 000000000000000a R15: 000000000000000a > Code: 00 00 04 74 1c 44 89 e8 49 83 c5 01 41 39 84 24 88 01 00 00 77 8a 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 89 df e8 bb fd ff ff eb da <0f> ff 41 8b b4 24 88 01 00 00 85 f6 74 34 bb 01 00 00 00 eb 10 > > There are actually two issues here: > > 1) list_del() should be called when changing the buffer state; > > 2) The logic with marks the buffers as done is at the wrong place. > > Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> I ended by sending a wrong version. The one I sent causes a list corruption, as it deletes a queued value without marking the buffer as done: [ 627.233534] list_del corruption, ffffa0aa01182e20->next is LIST_POISON1 (dead000000000100) Regards, Mauro [PATCH] media: dvb_vb2: fix a warning about streamoff logic The streamoff logic is causing those warnings: WARNING: CPU: 3 PID: 3382 at drivers/media/v4l2-core/videobuf2-core.c:1652 __vb2_queue_cancel+0x177/0x250 [videobuf2_core] Modules linked in: bnep fuse xt_CHECKSUM iptable_mangle tun ebtable_filter ebtables ip6table_filter ip6_tables xt_physdev br_netfilter bluetooth bridge rfkill ecdh_generic stp llc nf_log_ipv4 nf_log_common xt_LOG xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c sunrpc vfat fat snd_hda_codec_hdmi rc_dib0700_nec i915 rc_pinnacle_pctv_hd em28xx_rc a8293 ts2020 m88ds3103 i2c_mux em28xx_dvb dib8000 dvb_usb_dib0700 dib0070 dib7000m dib0090 dvb_usb dvb_core uvcvideo snd_usb_audio videobuf2_v4l2 dib3000mc videobuf2_vmalloc videobuf2_memops dibx000_common videobuf2_core rc_core snd_usbmidi_lib snd_rawmidi em28xx tveeprom v4l2_common videodev media intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_intel kvm_intel snd_hda_codec kvm snd_hwdep snd_hda_core snd_seq irqbypass crct10dif_pclmul crc32_pclmul i2c_algo_bit ghash_clmulni_intel snd_seq_device drm_kms_helper snd_pcm intel_cstate intel_uncore snd_timer tpm_tis drm mei_wdt iTCO_wdt iTCO_vendor_support tpm_tis_core snd intel_rapl_perf mei_me mei tpm i2c_i801 soundcore lpc_ich video binfmt_misc hid_logitech_hidpp hid_logitech_dj e1000e crc32c_intel ptp pps_core analog gameport joydev CPU: 3 PID: 3382 Comm: lt-dvbv5-zap Not tainted 4.14.0+ #3 Hardware name: /D53427RKE, BIOS RKPPT10H.86A.0048.2017.0506.1545 05/06/2017 task: ffff94b93bbe1e40 task.stack: ffffb7a98320c000 RIP: 0010:__vb2_queue_cancel+0x177/0x250 [videobuf2_core] RSP: 0018:ffffb7a98320fd40 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff94b92ff72428 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff94b92ff72428 RBP: ffffb7a98320fd68 R08: ffff94b92ff725d8 R09: ffffb7a98320fcc8 R10: ffff94b978003d98 R11: ffff94b92ff72428 R12: ffff94b92ff72428 R13: 0000000000000282 R14: ffff94b92059ae20 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff94b99e380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555953007d70 CR3: 000000012be09004 CR4: 00000000001606e0 Call Trace: vb2_core_streamoff+0x28/0x90 [videobuf2_core] dvb_vb2_stream_off+0xd1/0x150 [dvb_core] dvb_dvr_release+0x114/0x120 [dvb_core] __fput+0xdf/0x1e0 ____fput+0xe/0x10 task_work_run+0x94/0xc0 do_exit+0x2dc/0xba0 do_group_exit+0x47/0xb0 SyS_exit_group+0x14/0x20 entry_SYSCALL_64_fastpath+0x1a/0xa5 RIP: 0033:0x7f775e931ed8 RSP: 002b:00007fff07019d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000001d02690 RCX: 00007f775e931ed8 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 00007fff0701a500 R08: 00000000000000e7 R09: ffffffffffffff70 R10: 00007f775e854dd8 R11: 0000000000000246 R12: 0000000000000000 R13: 00000000035fa000 R14: 000000000000000a R15: 000000000000000a Code: 00 00 04 74 1c 44 89 e8 49 83 c5 01 41 39 84 24 88 01 00 00 77 8a 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 89 df e8 bb fd ff ff eb da <0f> ff 41 8b b4 24 88 01 00 00 85 f6 74 34 bb 01 00 00 00 eb 10 There are actually two issues here: 1) list_del() should be called when changing the buffer state; 2) The logic with marks the buffers as done is at the wrong place. Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c index 01424e67b42e..0588c5520419 100644 --- a/drivers/media/dvb-core/dvb_vb2.c +++ b/drivers/media/dvb-core/dvb_vb2.c @@ -90,8 +90,19 @@ static int _start_streaming(struct vb2_queue *vq, unsigned int count) static void _stop_streaming(struct vb2_queue *vq) { struct dvb_vb2_ctx *ctx = vb2_get_drv_priv(vq); + struct dvb_buffer *buf; + unsigned long flags = 0; dprintk(3, "[%s]\n", ctx->name); + + spin_lock_irqsave(&ctx->slock, flags); + while (!list_empty(&ctx->dvb_q)) { + buf = list_entry(ctx->dvb_q.next, + struct dvb_buffer, list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + list_del(&buf->list); + } + spin_unlock_irqrestore(&ctx->slock, flags); } static void _dmxdev_lock(struct vb2_queue *vq) @@ -225,21 +236,8 @@ int dvb_vb2_stream_off(struct dvb_vb2_ctx *ctx) { struct vb2_queue *q = (struct vb2_queue *)&ctx->vb_q; int ret; - unsigned long flags = 0; ctx->state &= ~DVB_VB2_STATE_STREAMON; - spin_lock_irqsave(&ctx->slock, flags); - while (!list_empty(&ctx->dvb_q)) { - struct dvb_buffer *buf; - - buf = list_entry(ctx->dvb_q.next, - struct dvb_buffer, list); - list_del(&buf->list); - spin_unlock_irqrestore(&ctx->slock, flags); - vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); - spin_lock_irqsave(&ctx->slock, flags); - } - spin_unlock_irqrestore(&ctx->slock, flags); ret = vb2_core_streamoff(q, q->type); if (ret) { ctx->state = DVB_VB2_STATE_NONE; @@ -273,11 +271,10 @@ int dvb_vb2_fill_buffer(struct dvb_vb2_ctx *ctx, */ return 0; } + spin_lock_irqsave(&ctx->slock, flags); while (todo) { if (!ctx->buf) { - spin_lock_irqsave(&ctx->slock, flags); if (list_empty(&ctx->dvb_q)) { - spin_unlock_irqrestore(&ctx->slock, flags); dprintk(3, "[%s] Buffer overflow!!!\n", ctx->name); break; @@ -285,14 +282,13 @@ int dvb_vb2_fill_buffer(struct dvb_vb2_ctx *ctx, ctx->buf = list_entry(ctx->dvb_q.next, struct dvb_buffer, list); - list_del(&ctx->buf->list); - spin_unlock_irqrestore(&ctx->slock, flags); ctx->remain = vb2_plane_size(&ctx->buf->vb, 0); ctx->offset = 0; } if (!dvb_vb2_is_streaming(ctx)) { vb2_buffer_done(&ctx->buf->vb, VB2_BUF_STATE_ERROR); + list_del(&ctx->buf->list); ctx->buf = NULL; break; } @@ -309,6 +305,7 @@ int dvb_vb2_fill_buffer(struct dvb_vb2_ctx *ctx, if (ctx->remain == 0) { vb2_buffer_done(&ctx->buf->vb, VB2_BUF_STATE_DONE); + list_del(&ctx->buf->list); ctx->buf = NULL; } } @@ -316,8 +313,10 @@ int dvb_vb2_fill_buffer(struct dvb_vb2_ctx *ctx, if (ctx->nonblocking && ctx->buf) { vb2_set_plane_payload(&ctx->buf->vb, 0, ll); vb2_buffer_done(&ctx->buf->vb, VB2_BUF_STATE_DONE); + list_del(&ctx->buf->list); ctx->buf = NULL; } + spin_unlock_irqrestore(&ctx->slock, flags); if (todo) dprintk(1, "[%s] %d bytes are dropped.\n", ctx->name, todo); Thanks, Mauro