linux/drivers/staging/tm6000
Mauro Carvalho Chehab f4b727b3ae V4L/DVB: tm6000: Fix a panic if buffer become NULL
Changing a video standard takes a long time to happen on tm6000, since it
needs to load another firmware, and the i2c implementation on this device
is really slow. When the driver tries to change the video standard, a
kernel panic is produced:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffa0c7b48a>] tm6000_irq_callback+0x57f/0xac2 [tm6000]
...
Kernel panic - not syncing: Fatal exception in interrupt

By inspecting it with gdb:

(gdb) list *tm6000_irq_callback+0x57f
0x348a is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:202).
197             /* FIXME: move to tm6000-isoc */
198             static int last_line = -2, start_line = -2, last_field = -2;
199
200             /* FIXME: this is the hardcoded window size
201              */
202             unsigned int linewidth = (*buf)->vb.width << 1;
203
204             if (!dev->isoc_ctl.cmd) {
205                     c = (header >> 24) & 0xff;
206

Clearly, it was the attempt to access *buf at line 202 that caused the
panic.

As ioctl is serialized, while S_STD is handled, QBUF/DQBUF won't be called.
So, the driver will run out of buffers, and *buf will become NULL.

As, on tm6000, the same URB can contain more than one video buffer, it is
likely to hit a condition where no new buffer is available while copying
the streams. The fix is to leave the URB copy loop if no more buffers
are available.

The same bug could also be produced by an application that is not fast enough
to request new video buffers.

The same bug was reported by Bee Hock Goh <beehock@gmail.com>.

Thanks-to: Bee Hock Goh <beehock@gmail.com> for reporting the bug
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2010-05-19 12:58:19 -03:00
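
The failure mode described in the commit message above, as an added user-space C model (not code from the tm6000 driver or from the commit): one URB payload spans several frames, the buffer queue runs dry mid-copy, and the loop exits instead of dereferencing a NULL *buf. The names frame_buf, capture_queue, next_buffer, copy_urb and FRAME_SIZE are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model; none of these names come from the driver. */
#define FRAME_SIZE 8                    /* toy frame size in bytes */

struct frame_buf {                      /* stand-in for one queued video buffer */
	unsigned char data[FRAME_SIZE];
	size_t filled;
	struct frame_buf *next;
};

struct capture_queue { struct frame_buf *head; };  /* buffers queued by the app */

/* Pop the next free buffer, or NULL when the application has queued none. */
static struct frame_buf *next_buffer(struct capture_queue *q)
{
	struct frame_buf *b = q->head;
	if (b)
		q->head = b->next;
	return b;
}

/*
 * Copy one URB payload into the queued buffers. A single payload may span
 * several frames, so *buf can turn NULL in the middle of the loop.
 * Returns the number of bytes consumed; the remainder is dropped.
 */
size_t copy_urb(struct capture_queue *q, struct frame_buf **buf,
		const unsigned char *payload, size_t len)
{
	size_t pos = 0;

	while (pos < len) {
		if (!*buf)              /* out of buffers: leave the copy loop */
			break;
		size_t room = FRAME_SIZE - (*buf)->filled;
		size_t n = (len - pos < room) ? len - pos : room;
		memcpy((*buf)->data + (*buf)->filled, payload + pos, n);
		(*buf)->filled += n;
		pos += n;
		if ((*buf)->filled == FRAME_SIZE)   /* frame done: fetch the next */
			*buf = next_buffer(q);
	}
	return pos;
}
```

Without the `if (!*buf)` check at the top of the loop, the third frame in the payload would read `(*buf)->filled` through a NULL pointer, which is the same class of fault as the access at line 202 in the gdb listing.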
..
Kconfig V4L/DVB: tm6000: fix build errors 2010-05-18 00:43:57 -03:00
Makefile V4L/DVB: tm6000: remove hack.c hack.h, switch to zl10353 module 2010-05-18 00:44:05 -03:00
README V4L/DVB (12848): tm6000: Add README with todo list 2010-05-18 00:40:23 -03:00
tm6000-alsa.c V4L/DVB: tm6000: Replace all magic values by a register alias 2010-05-18 00:47:09 -03:00
tm6000-cards.c V4L/DVB: tm6000: Properly set alternate when preparing to stream 2010-05-19 12:58:18 -03:00
tm6000-core.c V4L/DVB: tm6000: request labeling board version check 2010-05-19 12:57:32 -03:00
tm6000-dvb.c V4L/DVB: tm6000: Properly set alternate when preparing to stream 2010-05-19 12:58:18 -03:00
tm6000-i2c.c V4L/DVB: tm6000: fix i2c read 2010-05-19 12:58:17 -03:00
tm6000-regs.h V4L/DVB: tm6000: add request to registers of the group 05 2010-05-18 00:47:11 -03:00
tm6000-stds.c V4L/DVB: tm6000: Replace all magic values by a register alias 2010-05-18 00:47:09 -03:00
tm6000-usb-isoc.h V4L/DVB: tm6000: fix some info messages 2010-05-18 00:44:07 -03:00
tm6000-video.c V4L/DVB: tm6000: Fix a panic if buffer become NULL 2010-05-19 12:58:19 -03:00
tm6000.h V4L/DVB: tm6000: Properly set alternate when preparing to stream 2010-05-19 12:58:18 -03:00

Todo:
	- checkpatch.pl cleanups
	- sparse cleanups
	- convert to new i2c approach
	- better support DVB
	- fix reading from i2c, if possible
	- fix losing frames
	- fix oops?

Please send patches to linux-media@vger.kernel.org