[linux-dvb] Problems with kernel oops when installing HVR-1800.
Andy Walls
awalls at radix.net
Sun Dec 28 22:36:16 CET 2008
On Sat, 2008-12-27 at 10:40 -0600, Mark Jenks wrote:
> G'morning all! (at least it's morning here.)
>
> I have a running Mythtv server that is running Suse 10.3 with a
> hvr-1250 just fine on Kernel 2.6.24, and haven't had any problems at
> all.
>
> I tried to install a hvr-1800 in it yesterday, and I get a kernel oops
> on it and X won't start. I compiled up a 2.6.27.10 kernel for it,
> and moved to that, and I still get the oops. Checked my vmalloc and
> I am fine, but increased it anyways to 384 just for grins.
>
> I compiled v4l-dvb-cae6de452897 up against the 2.6.24, and the 2.6.27
> kernels without any changes. Server boots just fine without the
> 1800, but with I get the oops.
>
> The only thing that I can see, is that the 1250 and the 1800 look to
> be using the same interrupt.
>
> Here is more than enough debug info, I hope. :)
>
> Thanks!
>
> -Mark
>
>
> BUG: unable to handle kernel NULL pointer dereference at 000001a0
> IP: [<f8e5a594>] :cx23885:video_open+0x2c/0x150
> *pde = 00000000
> Oops: 0000 [#1] SMP
> Modules linked in: iptable_filter ip_tables ip6_tables x_tables
> cpufreq_conservative cpufreq_userspace cpufreq_powersave powernow_k8
> xfs loop dm_mod cx25840 mt2131 s5h1409 nvidia(P) cx23885
> v4l2_compat_ioctl32 cx2341x videobuf_dma_sg button videobuf_dvb
> dvb_core videobuf_core v4l2_common snd_hda_intel snd_usb_audio
> snd_usb_lib snd_mpu401 snd_cs4232 snd_opl3_lib snd_cs4231_lib snd_pcm
> ohci1394 videodev v4l1_compat osst agpgart btcx_risc rtc_cmos
> i2c_nforce2 snd_timer ieee1394 snd_mpu401_uart tveeprom sr_mod
> snd_hwdep i2c_core rtc_core rtc_lib parport_pc parport st lirc_mceusb2
> snd_rawmidi snd_seq_device snd k8temp hwmon cdrom forcedeth soundcore
> snd_page_alloc lirc_dev sg usbhid hid ff_memless ohci_hcd ehci_hcd
> usbcore sd_mod edd ext3 mbcache jbd fan aic7xxx scsi_transport_spi
> sata_nv pata_amd libata scsi_mod dock thermal processor thermal_sys
>
> Pid: 3178, comm: X Tainted: P (2.6.27.10-default #3)
> EIP: 0060:[<f8e5a594>] EFLAGS: 00013287 CPU: 1
> EIP is at video_open+0x2c/0x150 [cx23885]
> EAX: 00000000 EBX: 00000000 ECX: f7a9f000 EDX: f7a0e000
> ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: f764de90
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process X (pid: 3178, ti=f764c000 task=f7398c00 task.ti=f764c000)
> Stack: f7a6e540 00000000 f7b16538 00000000 f7bc30a0 c016bee5 f7a6e540
> 00000000
> f7a6e540 f7bc30a0 00000000 c016bdd9 c01683cd f701ebc0 f6d756c0
> f764df14
> f7a6e540 f764df14 00000003 c01684d8 f7a6e540 00000000 00000000
> f764df14
> Call Trace:
> [<c016bee5>] chrdev_open+0x10c/0x122
> [<c016bdd9>] chrdev_open+0x0/0x122
> [<c01683cd>] __dentry_open+0x10d/0x1fc
> [<c01684d8>] nameidata_to_filp+0x1c/0x2c
> [<c0172986>] do_filp_open+0x33d/0x63e
> [<f9b7d8ce>] _nv004117rm+0x9/0x12 [nvidia]
> [<c01582f8>] handle_mm_fault+0x2b3/0x5dd
> [<c017ab2d>] alloc_fd+0x57/0xd3
> [<c01681e8>] do_sys_open+0x3f/0xb8
> [<c01682a5>] sys_open+0x1e/0x23
> [<c01037ad>] sysenter_do_call+0x12/0x21
> =======================
> Code: 31 ed 57 31 ff 56 31 f6 53 83 ec 04 89 14 24 8b 58 34 e8 16 18
> 46 c7 8b 15 d0 ad e6 f8 81 e3 ff ff 0f 00 eb 49 8b 82 84 0d 00 00 <39>
> 98 a0 01 00 00 75 07 89 d6 bf 01 00 00 00 8b 82 88 0d 00 00
> EIP: [<f8e5a594>] video_open+0x2c/0x150 [cx23885] SS:ESP 0068:f764de90
> ---[ end trace c26ff07c077248e0 ]---
Mark,
Using the same interrupt isn't the problem.
Here's the gory translation of the Ooops data:
The problem is tripped in cx23885-video.c:video_open():
777 static int video_open(struct inode *inode, struct file *file)
778 {
779 int minor = iminor(inode);
780 struct cx23885_dev *h, *dev = NULL;
781 struct cx23885_fh *fh;
782 struct list_head *list;
783 enum v4l2_buf_type type = 0;
784 int radio = 0;
785
786 lock_kernel();
787 list_for_each(list, &cx23885_devlist) {
788 h = list_entry(list, struct cx23885_dev, devlist);
789 if (h->video_dev->minor == minor) {
790 dev = h;
791 type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
792 }
793 if (h->vbi_dev &&
794 h->vbi_dev->minor == minor) {
795 dev = h;
796 type = V4L2_BUF_TYPE_VBI_CAPTURE;
797 }
[...]
Also note the list_entry() & list_for_each() macro definitions:
425 #define list_entry(ptr, type, member) \
426 container_of(ptr, type, member)
[...]
444 #define list_for_each(pos, head) \
445 for (pos = (head)->next; prefetch(pos->next), pos != (head); \
446 pos = pos->next)
The code bytes dumped in the Oops disassemble to:
1: 31 ed xor %ebp,%ebp
3: 57 push %edi
4: 31 ff xor %edi,%edi
6: 56 push %esi
7: 31 f6 xor %esi,%esi
9: 53 push %ebx
a: 83 ec 04 sub $0x4,%esp
d: 89 14 24 mov %edx,(%esp)
10: 8b 58 34 mov 0x34(%eax),%ebx <--- line 779: minor = iminor(inode);
13: e8 16 18 46 c7 call 0xc746182e <--- line 786: lock_kernel()
18: 8b 15 d0 ad e6 f8 mov 0xf8e6add0,%edx <--- line 445: list = (&cx23885_devlist)->next;
1e: 81 e3 ff ff 0f 00 and $0xfffff,%ebx <--- line 779: minor = iminor(inode);
24: eb 49 jmp 0x6f <--- jmp to for loop condition check: line 445: prefetch(list->next), list != &cx23885_devlist;
26: 8b 82 84 0d 00 00 mov 0xd84(%edx),%eax <--- line 426 & 789: h = container_of(list, struct cx23885_dev, devlist); if (h->video_dev...
2c: 39 98 a0 01 00 00 cmp %ebx,0x1a0(%eax) <--- Ooops occurs here: line 789: if (h->video_dev->minor == minor) {
32: 75 07 jne 0x3b
34: 89 d6 mov %edx,%esi <--- line 790: dev = h;
36: bf 01 00 00 00 mov $0x1,%edi <--- line 791: type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
3b: 8b 82 88 0d 00 00 mov 0xd88(%edx),%eax <--- line 793: if (h->vbi_dev ...
So "h->video_dev" (I think) was "NULL" in this call to video_open().
This is a problem with the creation or manipulation of the "struct
cx23885_dev" members of the "cx23885_devlist".
This appears to be a problem with this list iteration in
cx23885-video.c:video_open().
If one of these devices only has DVB support and no analog V4L support,
then it would make sense why one of them would have "h->video_dev" set
to NULL. The device shouldn't have a V4L2 "video_dev" if it doesn't
support analog (V4L2) devices. I believe the 1800 supports analog video
but the 1250 does not (someone correct me on this if I'm wrong - I'm no
expert on these devices).
The iteration loop in video_open() needs to be careful about NULL
pointer dereference of h->video_dev for DVB only devices.
Try this patch:
diff -r cae6de452897 linux/drivers/media/video/cx23885/cx23885-video.c
--- a/linux/drivers/media/video/cx23885/cx23885-video.c Fri Dec 26 08:07:39 2008 -0200
+++ b/linux/drivers/media/video/cx23885/cx23885-video.c Sun Dec 28 16:34:04 2008 -0500
@@ -786,7 +786,8 @@ static int video_open(struct inode *inod
lock_kernel();
list_for_each(list, &cx23885_devlist) {
h = list_entry(list, struct cx23885_dev, devlist);
- if (h->video_dev->minor == minor) {
+ if (h->video_dev &&
+ h->video_dev->minor == minor) {
dev = h;
type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
}
If it doesn't work you'll need to find someone with access to a HVR-1250
and HVR-1800 in the same machine to do more interactive debugging (Andy
Walls' thought experiments can only take one so far....).
I can't help further since I don't have any CX23885 based cards.
Regards,
Andy
> # dmesg | grep cx
> cx23885 driver version 0.0.1 loaded
> cx23885 0000:02:00.0: PCI INT A -> Link[APC5] -> GSI 16 (level, low)
> -> IRQ 16
> CORE cx23885[0]: subsystem: 0070:7911, board: Hauppauge WinTV-HVR1250
> [card=3,autodetected]
> cx23885[0]: warning: unknown hauppauge model #0
> cx23885[0]: hauppauge eeprom: model=0
> cx23885_dvb_register() allocating 1 frontend(s)
> cx23885[0]: cx23885 based dvb card
> DVB: registering new adapter (cx23885[0])
> cx23885_dev_checkrevision() Hardware revision = 0xc0
> cx23885[0]/0: found at 0000:02:00.0, rev: 3, irq: 16, latency: 0,
> mmio: 0xfd400000
> cx23885 0000:02:00.0: setting latency timer to 64
> cx23885 0000:03:00.0: PCI INT A -> Link[APC5] -> GSI 16 (level, low)
> -> IRQ 16
> CORE cx23885[1]: subsystem: 0070:7801, board: Hauppauge WinTV-HVR1800
> [card=2,autodetected]
> cx23885[1]: hauppauge eeprom: model=78521
> cx25840' 4-0044: cx25 0-21 found @ 0x88 (cx23885[0])
> cx25840' 7-0044: cx25 0-21 found @ 0x88 (cx23885[1])
> cx23885[1]/0: registered device video0 [v4l2]
> cx23885[1]: registered device video1 [mpeg]
> cx23885_dvb_register() allocating 1 frontend(s)
> cx23885[1]: cx23885 based dvb card
> DVB: registering new adapter (cx23885[1])
> cx23885_dev_checkrevision() Hardware revision = 0xb1
> cx23885[1]/0: found at 0000:03:00.0, rev: 15, irq: 16, latency: 0,
> mmio: 0xfd600000
> cx23885 0000:03:00.0: setting latency timer to 64
>
> # dmesg | grep DVB
> DVB: registering new adapter (cx23885[0])
> DVB: registering adapter 0 frontend 671089123 (Samsung S5H1409
> QAM/8VSB Frontend)...
> tveeprom 5-0050: TV standards NTSC(M) ATSC/DVB Digital (eeprom 0x88)
> DVB: registering new adapter (cx23885[1])
> DVB: registering adapter 1 frontend 0 (Samsung S5H1409 QAM/8VSB
> Frontend)...
>
>
>
> # ls -l vid*
> lrwxrwxrwx 1 root root 6 Dec 27 03:35 video -> video0
> crw-rw---- 1 root video 81, 0 Dec 27 03:35 video0
> crw-rw---- 1 root video 81, 1 Dec 27 03:35 video1
>
>
> # ls -lR dvb*
> dvb:
> total 0
> drwxr-xr-x 2 root root 120 Dec 27 03:35 adapter0
> drwxr-xr-x 2 root root 120 Dec 27 03:35 adapter1
>
> dvb/adapter0:
> total 0
> crw-rw---- 1 root video 212, 1 Dec 27 03:35 demux0
> crw-rw---- 1 root video 212, 2 Dec 27 03:35 dvr0
> crw-rw---- 1 root video 212, 0 Dec 27 03:35 frontend0
> crw-rw---- 1 root video 212, 3 Dec 27 03:35 net0
>
> dvb/adapter1:
> total 0
> crw-rw---- 1 root video 212, 5 Dec 27 03:35 demux0
> crw-rw---- 1 root video 212, 6 Dec 27 03:35 dvr0
> crw-rw---- 1 root video 212, 4 Dec 27 03:35 frontend0
> crw-rw---- 1 root video 212, 7 Dec 27 03:35 net0
>
> # cat /proc/meminfo
> MemTotal: 3115468 kB
> MemFree: 2787964 kB
> Buffers: 9580 kB
> Cached: 224572 kB
> SwapCached: 0 kB
> Active: 106360 kB
> Inactive: 185368 kB
> HighTotal: 2489280 kB
> HighFree: 2191700 kB
> LowTotal: 626188 kB
> LowFree: 596264 kB
> SwapTotal: 2104504 kB
> SwapFree: 2104504 kB
> Dirty: 2000 kB
> Writeback: 0 kB
> AnonPages: 57640 kB
> Mapped: 27928 kB
> Slab: 14800 kB
> SReclaimable: 8112 kB
> SUnreclaim: 6688 kB
> PageTables: 972 kB
> NFS_Unstable: 0 kB
> Bounce: 0 kB
> WritebackTmp: 0 kB
> CommitLimit: 3662236 kB
> Committed_AS: 321112 kB
> VmallocTotal: 376824 kB
> VmallocUsed: 22080 kB
> VmallocChunk: 354048 kB
> HugePages_Total: 0
> HugePages_Free: 0
> HugePages_Rsvd: 0
> HugePages_Surp: 0
> Hugepagesize: 4096 kB
> DirectMap4k: 20480 kB
> DirectMap4M: 634880 kB
>
> # cat /proc/interrupts
> CPU0 CPU1
> 0: 43 1 IO-APIC-edge timer
> 1: 0 8 IO-APIC-edge i8042
> 7: 1 0 IO-APIC-edge parport0
> 8: 0 79 IO-APIC-edge rtc0
> 9: 0 0 IO-APIC-fasteoi acpi
> 10: 0 0 IO-APIC-edge MPU401 UART
> 12: 0 114 IO-APIC-edge i8042
> 14: 0 0 IO-APIC-edge pata_amd
> 15: 8 70 IO-APIC-edge pata_amd
> 16: 0 14 IO-APIC-fasteoi cx23885[0], cx23885[1]
> 17: 4 55 IO-APIC-fasteoi aic7xxx
> 19: 0 3 IO-APIC-fasteoi ohci1394
> 20: 0 4 IO-APIC-fasteoi ehci_hcd:usb2
> 21: 50 639 IO-APIC-fasteoi ohci_hcd:usb1
> 22: 0 0 IO-APIC-fasteoi sata_nv
> 23: 4394 9058 IO-APIC-fasteoi sata_nv, eth0
> NMI: 0 0 Non-maskable interrupts
> LOC: 6058 6020 Local timer interrupts
> RES: 3291 1978 Rescheduling interrupts
> CAL: 2402 122 function call interrupts
> TLB: 261 129 TLB shootdowns
> TRM: 0 0 Thermal event interrupts
> SPU: 0 0 Spurious interrupts
> ERR: 1
> MIS: 0
>
> _______________________________________________
> linux-dvb mailing list
> linux-dvb at linuxtv.org
> http://www.linuxtv.org/cgi-bin/mailman/listinfo/linux-dvb
More information about the linux-dvb
mailing list