[PATCH] crystalhd git.linuxtv.org kernel driver: FIX null pointer BUG in crystalhd_dioq_fetch_wait() on queue(s) overload


 



This patch should pass at least one test case for this bug.

Signed-off-by: Thomas Schorpp <thomas.schorpp@xxxxxxxxx>

y
tom

8043-Jan 24 18:33:14 tom3 kernel: [  457.636878] BUG: unable to handle kernel NULL pointer dereference at 000000000000002c
8044:Jan 24 18:33:14 tom3 kernel: [  457.637016] IP: [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8045-Jan 24 18:33:14 tom3 kernel: [  457.637150] PGD 631fe067 PUD 57474067 PMD 0
8046-Jan 24 18:33:14 tom3 kernel: [  457.637238] Oops: 0000 [#1] PREEMPT SMP
8047-Jan 24 18:33:14 tom3 kernel: [  457.637326] CPU 0
8048-Jan 24 18:33:14 tom3 kernel: [  457.637361] Modules linked in: uinput parport_pc ppdev lp parport bluetooth nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs acpi_cpufreq mperf cpufreq_powersave cpufreq_stats cpufreq_conservative cpufreq_performance cpufreq_ondemand freq_table fuse dm_mod ext3 jbd pciehp arc4 ath5k ath snd_hda_codec_analog mac80211 cfg80211 snd_hda_intel snd_hda_codec snd_usb_audio thinkpad_acpi snd_pcm_oss snd_mixer_oss snd_hwdep rfkill snd_pcm snd_usbmidi_lib snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device gspca_zc3xx gspca_main snd videodev pcmcia usb_storage v4l2_compat_ioctl32 psmouse yenta_socket tpm_tis pcmcia_rsrc crystalhd(O) snd_page_alloc soundcore tpm pcmcia_core tpm_bios pcspkr serio_raw i2c_i801 nvram wmi rtc_cmos battery ac evdev processor nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_limit xt_tcpudp iptable_filter ip_tables x
_tables ext4 mbcache jbd2 crc16
8049-Jan 24 18:33:14 tom3 kernel: usbhid hid sg sd_mod crc_t10dif ata_generic uhci_hcd ahci libahci ata_piix atkbd libata thermal xhci_hcd ehci_hcd usbcore e1000e usb_common [last unloaded: scsi_wait_scan]
8050-Jan 24 18:33:14 tom3 kernel: [  457.637841]
8051-Jan 24 18:33:14 tom3 kernel: [  457.637841] Pid: 6318, comm: ffmpeg Tainted: G           O 3.2.36-dirty #7 LENOVO 7735Y1T/7735Y1T
8052:Jan 24 18:33:14 tom3 kernel: [  457.637841] RIP: 0010:[<ffffffffa043a14c>]  [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8053-Jan 24 18:33:14 tom3 kernel: [  457.637841] RSP: 0018:ffff88006300dd48  EFLAGS: 00010246
8054-Jan 24 18:33:14 tom3 kernel: [  457.637841] RAX: 0000000000000000 RBX: ffff88007b1cde50 RCX: 0000000000000000
8055-Jan 24 18:33:14 tom3 kernel: [  457.637841] RDX: 0000000000000046 RSI: ffffffffa04395c3 RDI: ffffffff81493e82
8056-Jan 24 18:33:14 tom3 kernel: [  457.637841] RBP: ffff88006300ddf8 R08: 0000000000000000 R09: 0000000000000000
8057-Jan 24 18:33:14 tom3 kernel: [  457.637841] R10: 0000000000000000 R11: ffff88007b1ce510 R12: ffff88007a855d80
8058-Jan 24 18:33:14 tom3 kernel: [  457.637841] R13: 0000000000000000 R14: ffff88007a855da8 R15: ffff88007b1cde50
8059-Jan 24 18:33:14 tom3 kernel: [  457.637841] FS:  00007f559fa7b760(0000) GS:ffff88007f400000(0000) knlGS:0000000000000000
8060-Jan 24 18:33:14 tom3 kernel: [  457.637841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
8061-Jan 24 18:33:14 tom3 kernel: [  457.637841] CR2: 000000000000002c CR3: 0000000057470000 CR4: 00000000000006f0
8062-Jan 24 18:33:14 tom3 kernel: [  457.637841] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
8063-Jan 24 18:33:14 tom3 kernel: [  457.637841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
8064-Jan 24 18:33:14 tom3 kernel: [  457.637841] Process ffmpeg (pid: 6318, threadinfo ffff88006300c000, task ffff88007b1cde50)
8065-Jan 24 18:33:14 tom3 kernel: [  457.637841] Stack:
8066-Jan 24 18:33:14 tom3 kernel: [  457.637841]  0000000000000327 ffff88007b1ce510 ffff88006b199400 ffff88007c1b1090
8067-Jan 24 18:33:14 tom3 kernel: [  457.637841]  ffff88006300de14 ffff8800594145b0 ffff880059414400 ffff88007b1cde50
8068-Jan 24 18:33:14 tom3 kernel: [  457.637841]  ffff88007a855de0 0000000100026d5c 0000000000000000 ffff88007b1cde50
8069-Jan 24 18:33:14 tom3 kernel: [  457.637841] Call Trace:
8070-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff810497e0>] ? try_to_wake_up+0x260/0x260
8071-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043b7b0>] ? bc_cproc_start_capture+0x100/0x100 [crystalhd]
8072-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043d566>] crystalhd_hw_get_cap_buffer+0x56/0x1a0 [crystalhd]
8073-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa043b83d>] bc_cproc_fetch_frame+0x8d/0x1b0 [crystalhd]
8074-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa0438db1>] chd_dec_api_cmd+0x81/0x100 [crystalhd]
8075-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffffa0438ec0>] chd_dec_ioctl+0x90/0x170 [crystalhd]
8076-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff811704bc>] do_vfs_ioctl+0x9c/0x330
8077-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8115ebb0>] ? fget_light+0x40/0x140
8078-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8108d9bd>] ? trace_hardirqs_on_caller+0x11d/0x1b0
8079-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8117079f>] sys_ioctl+0x4f/0x80
8080-Jan 24 18:33:14 tom3 kernel: [  457.637841]  [<ffffffff8149b6eb>] system_call_fastpath+0x16/0x1b
8081-Jan 24 18:33:14 tom3 kernel: [  457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00
8082:Jan 24 18:33:14 tom3 kernel: [  457.637841] RIP  [<ffffffffa043a14c>] crystalhd_dioq_fetch_wait+0x25c/0x410 [crystalhd]
8083-Jan 24 18:33:14 tom3 kernel: [  457.637841]  RSP <ffff88006300dd48>
8084-Jan 24 18:33:14 tom3 kernel: [  457.637841] CR2: 000000000000002c
8085-Jan 24 18:33:14 tom3 kernel: [  457.663980] ---[ end trace 784283982dcd2475 ]---

8081-Jan 24 18:33:14 tom3 kernel: [ 457.637841] Code: 89 f7 e8 18 9d 05 e1 45 85 ed 75 81 48 8b bd 78 ff ff ff e8 77 17 c4 e0 85 c0 0f 85 c7 00 00 00 4c 89 e7 e8 57 f3 ff ff 49 89 c0 <f6> 40 2c 03 0f 85 3d 01 00 00 48 8b 4d 80 48 8b 81 d0 00 00 00

$ linux-stable/scripts/decodecode < oops.txt
All code
========
   0:	89 f7                	mov    %esi,%edi
   2:	e8 18 9d 05 e1       	callq  0xffffffffe1059d1f
   7:	45 85 ed             	test   %r13d,%r13d
   a:	75 81                	jne    0xffffffffffffff8d
   c:	48 8b bd 78 ff ff ff 	mov    -0x88(%rbp),%rdi
  13:	e8 77 17 c4 e0       	callq  0xffffffffe0c4178f
  18:	85 c0                	test   %eax,%eax
  1a:	0f 85 c7 00 00 00    	jne    0xe7
  20:	4c 89 e7             	mov    %r12,%rdi
  23:	e8 57 f3 ff ff       	callq  0xfffffffffffff37f
  28:	49 89 c0             	mov    %rax,%r8
  2b:*	f6 40 2c 03          	testb  $0x3,0x2c(%rax)     <-- trapping instruction
  2f:	0f 85 3d 01 00 00    	jne    0x172
  35:	48 8b 4d 80          	mov    -0x80(%rbp),%rcx
  39:	48 8b 81 d0 00 00 00 	mov    0xd0(%rcx),%rax

Code starting with the faulting instruction
===========================================
   0:	f6 40 2c 03          	testb  $0x3,0x2c(%rax)
   4:	0f 85 3d 01 00 00    	jne    0x147
   a:	48 8b 4d 80          	mov    -0x80(%rbp),%rcx
   e:	48 8b 81 d0 00 00 00 	mov    0xd0(%rcx),%rax

$ gdb /mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd.ko
(gdb) l *(crystalhd_dioq_fetch_wait + 604)
0x216c is in crystalhd_dioq_fetch_wait (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:516).
511				/* Lock against checks from get status calls */
512				if(down_interruptible(&hw->fetch_sem))
513					goto sem_error;
514				r_pkt = crystalhd_dioq_fetch(ioq);
515				/* If format change packet, then return with out checking anything */
516				if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE)) <--- x86 testb instruction XXXXXX
517					goto sem_rel_return;
518				if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
519					picYcomp = link_GetRptDropParam(hw, hw->PICHeight, hw->PICWidth, (void *)r_pkt);
520				}
(gdb) l *(crystalhd_dioq_fetch_wait + 0x410)
0x2320 is in bc_kern_dma_free (/mnt/data/usr/local/src/crystalhd/driver/linux/crystalhd_misc.c:262).
257	 * Return:
258	 *     none.
259	 */
260	void bc_kern_dma_free(struct crystalhd_adp *adp, uint32_t sz, void *ka,
261			      dma_addr_t phy_addr)
262	{
263		if (!adp || !ka || !sz || !phy_addr) {
264			printk(KERN_ERR "%s: Invalid arg\n", __func__);
265			return;
266		}
diff --git a/driver/linux/crystalhd_misc.c b/driver/linux/crystalhd_misc.c
index 410ab9d..b3ce457 100644
--- a/driver/linux/crystalhd_misc.c
+++ b/driver/linux/crystalhd_misc.c
@@ -512,7 +512,10 @@ void *crystalhd_dioq_fetch_wait(struct crystalhd_hw *hw, uint32_t to_secs, uint3
 			if(down_interruptible(&hw->fetch_sem))
 				goto sem_error;
 			r_pkt = crystalhd_dioq_fetch(ioq);
-			/* If format change packet, then return with out checking anything */
+			/* If no packet then up and return zero otherwise will *0 BUG the kernel on heavy dioq load */
+			if (!r_pkt) 
+				goto sem_rel_return;
+			/* If format change packet then return without checking anything */
 			if (r_pkt->flags & (COMP_FLAG_PIB_VALID | COMP_FLAG_FMT_CHANGE))
 				goto sem_rel_return;
 			if (hw->adp->pdev->device == BC_PCI_DEVID_LINK) {
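Review bot: The new NULL guard jumps to `sem_rel_return`, which lies outside the hunk, so it cannot be confirmed here that the label releases `fetch_sem` and hands a NULL `r_pkt` back to the caller; the trace shows crystalhd_hw_get_cap_buffer as the caller, and it must be checked for a NULL return, because the guard turns the oops into an empty fetch that the caller may not expect. The added comment is hard to read; suggest `/* Queue may have drained between wakeup and fetch (seen under heavy dioq load): release fetch_sem and return NULL instead of dereferencing. */`. The added line `if (!r_pkt) ` also carries trailing whitespace, which checkpatch flags. The enclosing crystalhd_dioq_fetch_wait begins and ends outside the hunk.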
