On 06/01/2010 01:11 AM, Andy Walls wrote:
> On Sun, 2010-05-30 at 12:33 +0200, Silamael wrote:
>> Kernel trace:
>> ---------------------------------------------------------------
>> [ 773.280361] IP: [<f825a7ba>] saa7146_buffer_next+0x5e/0x1ed [saa7146_vv]
>> [ 773.280361] *pde = 00000000
>> [ 773.280361] Oops: 0000 [#1] SMP
>> [ 773.280361] last sysfs file: /sys/module/nfsd/initstate
>> [ 773.280361] Modules linked in: nfsd exportfs nfs lockd nfs_acl
>> auth_rpcgss sunrpc f71882fg coretemp loop lnbp21 stv0299 dvb_ttpci
>> snd_hda_codec_realtek dvb_core saa7146_vv videodev v4l1_compat
>> snd_hda_intel saa7146 snd_hda_codec videobuf_dma_sg snd_hwdep
>> videobuf_core snd_pcm i2c_i801 ttpci_eeprom psmouse snd_timer intel_agp
>> evdev pcspkr snd i2c_core serio_raw agpgart video processor rng_core
>> soundcore button output snd_page_alloc usb_storage uhci_hcd ehci_hcd
>> thermal sd_mod crc_t10dif thermal_sys usbcore nls_base e1000e [last
>> unloaded: scsi_wait_scan]
>> [ 773.280361]
>> [ 773.280361] Pid: 0, comm: swapper Not tainted 2.6.34-rc7 #7
>> A9830IMS/A9830IMS
>> [ 773.280361] EIP: 0060:[<f825a7ba>] EFLAGS: 00010246 CPU: 0
>> [ 773.280361] EIP is at saa7146_buffer_next+0x5e/0x1ed [saa7146_vv]
>> [ 773.280361] EAX: f68b3008 EBX: f733d900 ECX: 00000001 EDX: 00000002
>> [ 773.280361] ESI: ffffffd4 EDI: f68b3000 EBP: 00000000 ESP: c135fefc
>> [ 773.280361] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
>> [ 773.280361] Process swapper (pid: 0, ti=c135e000 task=c138cb60
>> task.ti=c135e000)
>> [ 773.280361] Stack:
>> [ 773.280361] f68b3000 f733d900 c13640bc 0000000a f825e5f6 f733d900
>> fff7fbf7 f825a759
>> [ 773.280361] <0> f733d900 ffffffff f812bdfc fff7fbf7 f6a1e240 00000000
>> c106793a 00000000
>> [ 773.280361] <0> 00000000 c1364080 0000000a c13640bc c135ff80 c1069072
>> 0000000a 0000000a
>> [ 773.280361] Call Trace:
>> [ 773.280361] [<f825e5f6>] ? vbi_irq_done+0x99/0x9f [saa7146_vv]
>> [ 773.280361] [<f825a759>] ? vv_callback+0x10f/0x112 [saa7146_vv]
>> [ 773.280361] [<f812bdfc>] ? interrupt_hw+0x9f/0x1a8 [saa7146]
>> [ 773.280361] [<c106793a>] ? handle_IRQ_event+0x49/0xe7
>> [ 773.280361] [<c1069072>] ? handle_level_irq+0x55/0x9e
>> [ 773.280361] [<c10044cb>] ? handle_irq+0x17/0x1c
>> [ 773.280361] [<c1003da9>] ? do_IRQ+0x38/0x8e
>> [ 773.280361] [<c1002d30>] ? common_interrupt+0x30/0x38
>> [ 773.280361] [<c10086e6>] ? mwait_idle+0x59/0x5e
>> [ 773.280361] [<c1001ae7>] ? cpu_idle+0x91/0xaa
>> [ 773.280361] [<c13b9881>] ? start_kernel+0x31c/0x321
>> [ 773.280361] Code: 50 fc 25 f8 e8 9d 0e 01 c9 83 c4 1c 8b 43 44 89 c2
>> c1 fa 08 38 c2 75 04 0f 0b eb fe 8b 77 08 8d 47 08 39 c6 74 6b 83 ee 2c
>> 31 ed <8b> 4e 2c 8b 56 30 89 51 04 89 0a c7 46 2c 00 01 10 00 c7 46 30
>
> Refer to linux/drivers/media/common/saa7146_fops.c:saa7146_buffer_next()
>
> void saa7146_buffer_next(struct saa7146_dev *dev,
> struct saa7146_dmaqueue *q, int vbi)
> {
> struct saa7146_buf *buf,*next = NULL;
>
> BUG_ON(!q);
>
> DEB_INT(("dev:%p, dmaq:%p, vbi:%d\n", dev, q, vbi));
>
> assert_spin_locked(&dev->slock);
> if (!list_empty(&q->queue)) {
> /* activate next one from queue */
> buf = list_entry(q->queue.next,struct saa7146_buf,vb.queue);
> list_del(&buf->vb.queue);
> if (!list_empty(&q->queue))
> [...]
>
> The code bytes from the above disassemble to:
>
> 37: e8 9d 0e 01 c9 call 0xc9010ed9
> 3c: 83 c4 1c add $0x1c,%esp
> 3f: 8b 43 44 mov 0x44(%ebx),%eax
> 42: 89 c2 mov %eax,%edx
> 44: c1 fa 08 sar $0x8,%edx
> 47: 38 c2 cmp %al,%dl
> 49: 75 04 jne 0x4f
> 4b: 0f 0b ud2a <---+ End of BUG_ON() in
> 4d: eb fe jmp 0x4d <---| assert_spin_locked()
> 4f: 8b 77 08 mov 0x8(%edi),%esi ; %esi = q->queue->head
> 52: 8d 47 08 lea 0x8(%edi),%eax ; %eax = q->queue->head->next
> 55: 39 c6 cmp %eax,%esi ; if (!list_empty(&q->queue))
> 57: 74 6b je 0xc4 ; skip to else clause
> 59: 83 ee 2c sub $0x2c,%esi ; buf = list_entry(q->queue.next,struct saa7146_buf,vb.queue);
> 5c: 31 ed xor %ebp,%ebp
> 5e: 8b 4e 2c mov 0x2c(%esi),%ecx <--- Oops here; %ecx = buf->vb.queue->next
> 61: 8b 56 30 mov 0x30(%esi),%edx
> 64: 89 51 04 mov %edx,0x4(%ecx)
> 67: 89 0a mov %ecx,(%edx)
> 69: c7 46 2c 00 01 10 00 movl $0x100100,0x2c(%esi)
>
> The Oops happens because q->queue.next is NULL, which is invalid. There
> is some sort of saa7146_dmaqueue list or videobuf list corruption
> problem somewhere.
>
> I am not familiar enough with the saa7146 nor videobuf to be of much
> more help.
>
> Regards,
> Andy
>
Hi Andy,
Thank you for the deeper analysis of this crash. That is much more i
could have done ;)
Hopefully someone shows up with some solution too.
Greetings,
Matthias
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
