[linux-dvb] Re: Crashes in dvb_demux.c

To: Ralph Metzler <rjkm@metzlerbros.de>
Subject: [linux-dvb] Re: Crashes in dvb_demux.c
From: Emard <emard@softhome.net>
Date: Sun, 9 Feb 2003 15:02:25 +0100
Cc: linux-dvb@linuxtv.org
Content-disposition: inline
Content-type: multipart/mixed; boundary="=_jive-9089-1044799413-0001-2"
In-reply-to: <15942.19147.921111.378955@gargle.gargle.HOWL>
References: <20030209085226.GA1328@emard> <15942.19147.921111.378955@gargle.gargle.HOWL>
Reply-to: emard@softhome.net
Sender: Emard <emard@localhost>
Sender: linux-dvb-bounce@linuxtv.org
User-agent: Mutt/1.3.28i

> I don't know exactly why it crashes for you (your dump rather
> points to an out of bounds *buf I think) but ts_pid() can only return values
> <=0x1fff. There should be no check needed.

Neither do I, but it might be gcc optimizer bug. 
ts_pid returns u16 value, and gcc during optimization might
have forgotten to extend it properly to 32 bits, what is 
required for index offset calculation.
Perhaps declaring it u32 ts_pid(u8 *buf) would be sufficient.

If you don't believe it could crash for me, edit your vpeirq/fidbirq 
and use dmapos[whatever] != 0x47 check and also offset dma pointer 
few bytes in advance dmapointer = (dmapointer + 441) % TS_BUFLEN, to 
see this and all the other crashes in matter of minutes or even seconds, 
depending on the transponder activity.

This way, recently I got fourth type of crash as well because if incorrect 
memory block copy from ..._section_packet() (attached).

> 
>  >  	spin_lock(&demux->lock);
>  >  
>  > -	if ((feed = demux->pid2feed[0x2000]))
>  > +	if ((feed = demux->pid2feed[DMX_MAX_PID]))
>  >  		feed->cb.ts(buf, count*188, 0, 0, &feed->feed.ts, DMX_OK); 
> 
> 
> This has to be 0x2000 which stands for "get the complete TS".
> DMX_MAX_PID might change if you want other "special PIDs" in the future.
> Better do something like:
> 
> #define DMX_FULL_TS_PID 0x2000
> 
> and use that.

I see, thanks for that hint.

Emard

ksymoops 2.4.5 on i686 2.4.20.  Options used
     -V (default)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.4.20/ (default)
     -m /boot/2.4.20-nov4l1/System.map (specified)

115200
Unable to handle kernel paging request at virtual address f8940000
f88ebe13
*pde = 019ca067
Oops: 0000
CPU:    0
EIP:    0010:[<f88ebe13>]    Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010203
eax: 000000a6   ebx: 00000016   ecx: 00000021   edx: f2730e9c
esi: f893ffff   edi: f894c034   ebp: 000000a6   esp: c0361ecc
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 0, stackpage=c0361000)
Stack: f894c000 f2730e9c f88ec1d0 f894c000 f894c014 f893ffdf 000000a6 f894c000 
       f893ffc9 f2730e9c ae4c415d 00000016 f2730e9c f88ec45d f894c000 f893ffc9 
       00000001 f893ffc9 f88ec4ba f2730e9c f893ffc9 000001b9 f2730000 f8911000 
Call Trace:    [<f88ec1d0>] [<f88ec45d>] [<f88ec4ba>] [<f890c36e>] [<c01199ce>]
  [<c011985a>] [<c0109ad2>] [<c010bbc8>] [<c0106cf3>] [<f8834415>] [<f883430c>]
  [<c0106cd0>] [<c0106d59>] [<c0105000>] [<c0105027>]
Code: f3 a5 a8 02 74 02 66 a5 a8 01 74 01 a4 5e 5f c3 90 83 ec 04 


>>EIP; f88ebe13 <[dvb-core]dvb_dmx_memcopy+13/24>   <=====

>>edx; f2730e9c <_end+3237617c/384762e0>
>>esi; f893ffff <[dvb-ttpci-budget].data.end+32260/2ad261>
>>edi; f894c034 <[dvb-ttpci-budget].data.end+3e295/2ad261>
>>esp; c0361ecc <init_task_union+1ecc/2000>

Trace; f88ec1d0 <[dvb-core]dvb_dmx_swfilter_section_packet+338/4bc>
Trace; f88ec45d <[dvb-core]dvb_dmx_swfilter_packet+109/128>
Trace; f88ec4ba <[dvb-core]dvb_dmx_swfilter_packets+3e/50>
Trace; f890c36e <[dvb-ttpci-budget]vpeirq+8a/c4>
Trace; c01199ce <tasklet_action+46/64>
Trace; c011985a <do_softirq+5a/a4>
Trace; c0109ad2 <do_IRQ+96/a8>
Trace; c010bbc8 <call_do_IRQ+5/d>
Trace; c0106cf3 <default_idle+23/28>
Trace; f8834415 <[apm]apm_cpu_idle+109/13c>
Trace; f883430c <[apm]apm_cpu_idle+0/13c>
Trace; c0106cd0 <default_idle+0/28>
Trace; c0106d59 <cpu_idle+41/54>
Trace; c0105000 <_stext+0/0>
Trace; c0105027 <rest_init+27/28>

Code;  f88ebe13 <[dvb-core]dvb_dmx_memcopy+13/24>
00000000 <_EIP>:
Code;  f88ebe13 <[dvb-core]dvb_dmx_memcopy+13/24>   <=====
   0:   f3 a5                     repz movsl %ds:(%esi),%es:(%edi)   <=====
Code;  f88ebe15 <[dvb-core]dvb_dmx_memcopy+15/24>
   2:   a8 02                     test   $0x2,%al
Code;  f88ebe17 <[dvb-core]dvb_dmx_memcopy+17/24>
   4:   74 02                     je     8 <_EIP+0x8> f88ebe1b <[dvb-core]dvb_dmx_memcopy+1b/24>
Code;  f88ebe19 <[dvb-core]dvb_dmx_memcopy+19/24>
   6:   66 a5                     movsw  %ds:(%esi),%es:(%edi)
Code;  f88ebe1b <[dvb-core]dvb_dmx_memcopy+1b/24>
   8:   a8 01                     test   $0x1,%al
Code;  f88ebe1d <[dvb-core]dvb_dmx_memcopy+1d/24>
   a:   74 01                     je     d <_EIP+0xd> f88ebe20 <[dvb-core]dvb_dmx_memcopy+20/24>
Code;  f88ebe1f <[dvb-core]dvb_dmx_memcopy+1f/24>
   c:   a4                        movsb  %ds:(%esi),%es:(%edi)
Code;  f88ebe20 <[dvb-core]dvb_dmx_memcopy+20/24>
   d:   5e                        pop    %esi
Code;  f88ebe21 <[dvb-core]dvb_dmx_memcopy+21/24>
   e:   5f                        pop    %edi
Code;  f88ebe22 <[dvb-core]dvb_dmx_memcopy+22/24>
   f:   c3                        ret    
Code;  f88ebe23 <[dvb-core]dvb_dmx_memcopy+23/24>
  10:   90                        nop    
Code;  f88ebe24 <[dvb-core]dvb_dmx_swfilter_sectionfilter+0/74>
  11:   83 ec 04                  sub    $0x4,%esp

 <0>Kernel panic: Aiee, killing interrupt handler!

Follow-Ups:
- [linux-dvb] Re: Crashes in dvb_demux.c
  - From: Ralph Metzler <rjkm@metzlerbros.de>

References:
- [linux-dvb] Crashes in dvb_demux.c
  - From: Emard <emard@softhome.net>
- [linux-dvb] Crashes in dvb_demux.c
  - From: Ralph Metzler <rjkm@metzlerbros.de>

Prev by Date: [linux-dvb] Crashes in dvb_demux.c
Next by Date: [linux-dvb] Cinch cable for DVB-S rev2.1
Previous by thread: [linux-dvb] Crashes in dvb_demux.c
Next by thread: [linux-dvb] Re: Crashes in dvb_demux.c
Index(es):
- Date
- Thread

Home | Main Index | Thread Index