[linux-dvb] Re: dvb-bt8xx and net device

[Holger Waechtler <holger@convergence.de>]

André Stein wrote:
> Hi,
>
> > You can write down the stack trace adresses manually on a piece of 
> > paper and then look up the adresses after the next reboot and driver 
> > load in the kernel symbol table:
> >
> > $ cat /proc/ksyms | sort | less
/proc/ksyms contains the symbols of all loaded modules


> First two things I noticed:
> ° When I setup the network device and run tcpdump -ni dvb0_0 only, 
> allone, nothing happens. I can dump as many packets as I want without 
> any problems.
> ° The actual kernel hang only happens when I try to run the T-DSL 
> Satellit proxy application 
> (http://ipviasky.de/tsky/down/downtslinux.html) after having tcpdump'ed 
> packets. After approx. half a minute I get that fatal oops. Seems that 
> the driver has both problems with promisc mode and multiple network 
> connections/filters..
hmmm. Does this only occur with the bt8xx cards or also with the old 
Nova cards?

oops comments below:


> Here's the oops:
> Unable to handle kernel paging request at virtual address ccb37000
> cca13113
> *pde = 0bf3b067
> Oops: 0002
> CPU:    0
> EIP:    0010:[<cca13113>]  Tainted: P
> Using defaults from ksymoops -t elf32-i386 -a i386
> EFLAGS: 00010216
> eax: ffffffb8   ebx: 00000104     ecx: 3ffbdff3       edx: c91a4018
> esi: c606c77d   edi: ccb37000     ebp: ffffffb8       esp: cbf7fd4c
> ds: 0018   es: 0018   ss: 0018
> Process kupdated (pid: 7, stackpage=cbf7f000)
> Stack: cca2f000 cca2f026 cca134b7 cca2f000 cca2f014 c5f64791 ffffffb8 
> cca2f000
>        cca30074 c5f6468d db5b00fb 00000104 c91a4018 cca13761 cca2f000 
> c5f6468d
>        c5f64000 0000068d c91a412c 00002000 c91a4124 cca138df c91a4018 
> c5f6468d
> Call Trace:    [<cca134b7>] [<cca13761>] [<cca138df>] [<cca22abc>] 
> [<cca22095>]
>   [<cca22abc>] [<c011c5d0>] [<c011c413>] [<c011c23f>] [<c01088bb>] 
> [<c01052a0>]
>   [<c01052a0>] [<c010adf8>] [<c01052a0>] [<c01052a0>] [<c01052cc>] 
> [<c0105332>]
>   [<c0105000>] [<c010504f>]
> Code: f3 a5 a8 02 74 02 66 a5 a8 01 74 01 a4 5e 5f c3 90 83 ec 04
>
>
>  >>EIP; cca13113 <[dvb-core]dvb_dmx_memcopy+13/24>   <=====
>
>  >>edx; c91a4018 <_end+8e32794/c4dc7dc>
>  >>esi; c606c77d <_end+5cfaef9/c4dc7dc>
>  >>esp; cbf7fd4c <_end+bc0e4c8/c4dc7dc>
>
> Trace; cca134b7 <[dvb-core]dvb_dmx_swfilter_section_packet+31f/49c>
> Trace; cca13761 <[dvb-core]dvb_dmx_swfilter_packet+12d/184>
> Trace; cca138df <[dvb-core]dvb_dmx_swfilter+df/11c>
> Trace; cca22abc <[dvb-bt8xx]dvb_bt8xx_tasklet+0/13>
> Trace; cca22095 <[dvb-bt8xx]dvb_bt8xx_task+35/58>
> Trace; cca22abc <[dvb-bt8xx]dvb_bt8xx_tasklet+0/13>
> Trace; c011c5d0 <bh_action+4c/88>
> Trace; c011c413 <tasklet_action+67/a0>
> Trace; c011c23f <do_softirq+6f/cc>
> Trace; c01088bb <do_IRQ+db/ec>
> Trace; c01052a0 <default_idle+0/34>
> Trace; c01052a0 <default_idle+0/34>
> Trace; c010adf8 <call_do_IRQ+5/d>
> Trace; c01052a0 <default_idle+0/34>
> Trace; c01052a0 <default_idle+0/34>
> Trace; c01052cc <default_idle+2c/34>
> Trace; c0105332 <cpu_idle+3e/54>
> Trace; c0105000 <_stext+0/0>
> Trace; c010504f <rest_init+4f/50>
>
> Code;  cca13113 <[dvb-core]dvb_dmx_memcopy+13/24>
> 00000000 <_EIP>:
> Code;  cca13113 <[dvb-core]dvb_dmx_memcopy+13/24>   <=====
>    0:   f3 a5                     repz movsl %ds:(%esi),%es:(%edi)   <=====
> Code;  cca13115 <[dvb-core]dvb_dmx_memcopy+15/24>
>    2:   a8 02                     test   $0x2,%al
> Code;  cca13117 <[dvb-core]dvb_dmx_memcopy+17/24>
>    4:   74 02                     je     8 <_EIP+0x8>
> Code;  cca13119 <[dvb-core]dvb_dmx_memcopy+19/24>
>    6:   66 a5                     movsw  %ds:(%esi),%es:(%edi)
> Code;  cca1311b <[dvb-core]dvb_dmx_memcopy+1b/24>
>    8:   a8 01                     test   $0x1,%al
> Code;  cca1311d <[dvb-core]dvb_dmx_memcopy+1d/24>
>    a:   74 01                     je     d <_EIP+0xd>
> Code;  cca1311f <[dvb-core]dvb_dmx_memcopy+1f/24>
>    c:   a4                        movsb  %ds:(%esi),%es:(%edi)
> Code;  cca13120 <[dvb-core]dvb_dmx_memcopy+20/24>
>    d:   5e                        pop    %esi
> Code;  cca13121 <[dvb-core]dvb_dmx_memcopy+21/24>
>    e:   5f                        pop    %edi
> Code;  cca13122 <[dvb-core]dvb_dmx_memcopy+22/24>
>    f:   c3                        ret
> Code;  cca13123 <[dvb-core]dvb_dmx_memcopy+23/24>
>   10:   90                        nop
> Code;  cca13124 <[dvb-core]dvb_dmx_swfilter_sectionfilter+0/74>
>   11:   83 ec 04                  sub    $0x4,%esp
>
>  <0>Kernel panic: Aiee: killing interrupt handler!
>
> 1 warning issued.  Results may not be reliable.
>
>
> I hope you've got an idea what's going wrong..
I suppose this oops occurs because the software demux is called with 
invalid buffer pointers or buffer length arguments. Thus the memcpy 
function crashes when it's trying to read after the end of the buffer. 
Or there is a serious undiscovered bug in the software demultiplexer.

I added some more restricted locking and an additional sanity check in 
the synchronizer code, could you please add some printk()'s in the 
dvb_dmx_swfilter(), dvb_dmx_swfilter_section_packet() and 
dvb_dmx_memcopy() functions in order to find out what exactly is going 
wrong?

Please print the actual line number (remember that you must not insert 
new lines in order to maintain the original line numbers), the requested 
number of copied bytes, the copy start offset and whether the bytes are 
copied from demux->tsbuf in dvb_dmx_swfilter() or from 
card->bt->buf_cpu[] through the tasklet processing function 
(dvb_bt8xx_task() in dvb-bt8xx.c)?

many thanks for all your patience,

Holger



--
Info:
To unsubscribe send a mail to ecartis@linuxtv.org with "unsubscribe linux-dvb" as subject.