Re: [2.6.35] usb 2.0 em28xx kernel panic general protection fault: 0000 [#1] SMP RIP: 0010:[<ffffffffa004fbc5>] [<ffffffffa004fbc5>] em28xx_isoc_copy_vbi+0x62e/0x812 [em28xx]

Previous thread: [GIT PULL 0/4] perf/core improvements by Arnaldo Carvalho de Melo on Tuesday, August 10, 2010 - 2:53 pm. (6 messages)

Next thread: [GIT PULL] Ceph updates for 2.6.36-rc1 by Sage Weil on Tuesday, August 10, 2010 - 3:40 pm. (1 message)

Hi,

While trying to test and report about some other bugs, I ran into this kernel panic when trying to grab video from my usb 2.0 em28xx video grabber connected to a usb 2.0 port.
Complete serial log attached.


[  279.680018] general protection fault: 0000 [#1] SMP
[  279.683901] last sysfs file: /sys/devices/pci0000:00/0000:00:12.2/usb1/1-5/i2c-0/name
[  279.683901] CPU 5 
[  279.683901] Modules linked in: xt_multiport ipt_REJECT xt_recent xt_limit xt_tcpudp powernow_k8 mperf xt_state ipt_MASQUERADE ipt_LOG iptable_mangle iptable_filter iptable_nat ip_tables nf_nat x_tables nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 fuse hwmon_vid loop saa7115 snd_cmipci gameport snd_opl3_lib snd_hwdep snd_mpu401_uart snd_rawmidi em28xx v4l2_common snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_seq_device videodev snd_timer snd v4l1_compat v4l2_compat_ioctl32 videobuf_vmalloc videobuf_core psmouse tpm_tis joydev evdev tveeprom serio_raw shpchp edac_core i2c_piix4 soundcore pcspkr i2c_core pci_hotplug wmi snd_page_alloc processor button sd_mod r8169 thermal fan thermal_sys [last unloaded: scsi_wait_scan]
[  279.683901] 
[  279.683901] Pid: 0, comm: swapper Not tainted 2.6.352.6.35-vanilla-xhci-isoc+ #6 890FXA-GD70 (MS-7640)  /MS-7640
[  279.683901] RIP: 0010:[<ffffffffa004fbc5>]  [<ffffffffa004fbc5>] em28xx_isoc_copy_vbi+0x62e/0x812 [em28xx]
[  279.683901] RSP: 0018:ffff880001b43c68  EFLAGS: 00010082
[  279.683901] RAX: dead000000200200 RBX: 0000000000000804 RCX: ffff880229625818
[  279.683901] RDX: dead000000100100 RSI: 0000000000000003 RDI: ffff880229625868
[  279.683901] RBP: ffff880001b43d08 R08: 0000000000000000 R09: 0000000000000804
[  279.683901] R10: ffff880229597000 R11: 0000000000000000 R12: 0000000000000000
[  279.683901] R13: ffff88022f158820 R14: ffff880229597000 R15: 0000000000000344
[  279.683901] FS:  00007fa4bd3706e0(0000) GS:ffff880001b40000(0000) knlGS:0000000000000000
[  279.683901] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  279.683901] ...

Hello Sander,

Which application were you using, and specifically which em28xx based
product do you have?

Devin

On Tue, Aug 10, 2010 at 6:12 PM, Sander Eikelenboom



-- 
Devin J. Heitmueller - Kernel Labs
http://www.kernellabs.com
--


Hello Devin,

It's a k-world, which used to work fine (although with another program, but I can't use that since it seems at least 2 other bugs prevent me from using my VM's :-)
It's this model  http://global.kworld-global.com/main/prod_in.aspx?mnuid=1248&modid=6&pcid=47&a...

Tried to grab with ffmpeg.


--
Sander









-- 
Best regards,
 Sander                            mailto:linux@eikelenboom.it

--


On Tue, Aug 10, 2010 at 6:57 PM, Sander Eikelenboom

Is it reproducible?  Or did it just happen once?  If you have a
sequence to reproduce, can you provide the command line you used, etc?

Devin

-- 
Devin J. Heitmueller - Kernel Labs
http://www.kernellabs.com
--


Hello Devin,

Yes it's completely reproducible for a change:

ffmpeg -f video4linux -r 25 -s 720x576 -i /dev/video0 out.flv
gave an error:



serveerstertje:/mnt/software/software# ffmpeg -f video4linux -r 25 -s 720x576 -i  /dev/video0 out.flv
FFmpeg version r11872+debian_0.svn20080206-18+lenny1, Copyright (c) 2000-2008 Fabrice Bellard, et al.
  configuration: --enable-gpl --enable-libfaad --enable-pp --enable-swscaler --enable-x11grab --prefix=/usr --enable-libgsm --enable-libtheora --enable-libvorbis --enable-pthreads --disable-strip --enable-libdc1394 --enable-shared --disable-static
  libavutil version: 49.6.0
  libavcodec version: 51.50.0
  libavformat version: 52.7.0
  libavdevice version: 52.0.0
  built on Jan 25 2010 18:27:39, gcc: 4.3.2
Input #0, video4linux, from '/dev/video0':
  Duration: N/A, start: 1281511364.644674, bitrate: 165888 kb/s
    Stream #0.0: Video: rawvideo, yuyv422, 720x576 [PAR 0:1 DAR 0:1], 165888 kb/s, 25.00 tb(r)
File 'out.flv' already exists. Overwrite ? [y/N] y
Output #0, flv, to 'out.flv':
    Stream #0.0: Video: flv, yuv420p, 720x576 [PAR 0:1 DAR 0:1], q=2-31, 200 kb/s, 25.00 tb(c)
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding
VIDIOCMCAPTURE: Invalid argument
frame=    1 fps=  0 q=3.0 Lsize=      38kB time=0.0 bitrate=7687.6kbits/s
video:37kB audio:0kB global headers:0kB muxing overhead 0.530927%



So I tried just:

ffmpeg -i /dev/video0 out.flv

That makes it oops always and instantly.

--

Sander








-- 
Best regards,
 Sander                            mailto:linux@eikelenboom.it

--


Use -f video4linux2.

The -f video4linux option uses the old video4linux1 API.  I have seen
similar strange behavior when I used that ffmpeg option with a v4l2


--


Still, we have a bug to fix. The driver shouldn't be generating a PANIC if accessed
via V4L1 API.

Cheers,
Mauro.
--


On Wed, Aug 11, 2010 at 12:46 PM, Mauro Carvalho Chehab

I agree with Mauro completely.  There is nothing userland should be
able to do which results in a panic (and I have no reason to believe
Pete was suggesting otherwise).  That said, it's really useful to know
that this is some sort of v4l1 backward compatibility problem.

I'll see if I can reproduce this here.

Thanks,

Devin

-- 
Devin J. Heitmueller - Kernel Labs
http://www.kernellabs.com
--


Hello Devin,

Yes, I can confirm it was my mistake, with video4linux2 it works.

--
Sander





-- 
Best regards,
 Sander                            mailto:linux@eikelenboom.it

--


^^^^^^^^^^^^^^^^

List poison.

arch/x86/Kconfig:
                        config ILLEGAL_POINTER_VALUE
                               hex
                               default 0 if X86_32
                               default 0xdead000000000000 if X86_64
                        
include/linux/poison.h:
                        #ifdef CONFIG_ILLEGAL_POINTER_VALUE
                        # define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL)
                        #else
                        # define POISON_POINTER_DELTA 0
                        #endif
                        
                        /*
                         * These are non-NULL pointers that will result in page faults
                         * under normal circumstances, used to verify that nobody uses
                         * non-initialized list entries.
                         */
                        #define LIST_POISON1  ((void *) 0x00100100 + POISON_POINTER_DELTA)
                        #define LIST_POISON2  ((void *) 0x00200200 + POISON_POINTER_DELTA)


         603:	83 ef 80             	sub    $0xffffffffffffff80,%edi  <--- &buf->vb.ts
         606:	e8 69 39 01 e1       	callq  0xffffffffe1013f74 <--- do_gettimeofday()
         60b:	48 8b 4d 88          	mov    -0x78(%rbp),%rcx <--- ?
         60f:	49 c7 86 18 0b 00 00 	movq   $0x0,0xb18(%r14) <--- dev->isoc_ctl.vbi_buf = NULL ?
         616:	00 00 00 00 
         61a:	be 03 00 00 00       	mov    $0x3,%esi        <--- move TASK_NORMAL into a register for the wake_up() macro
         61f:	48 8b 51 40          	mov    0x40(%rcx),%rdx  <--- Fetch the list pointers ?
         623:	48 8b 41 48          	mov    0x48(%rcx),%rax  <--- Fetch the list pointers ?
         627:	48 89 cf             	mov    %rcx,%rdi        <--- ?
         62a:	48 83 c7 50          	add    $0x50,%rdi       <--- ? 
         62e:	48 89 42 08          	mov    %rax,0x8(%rdx)   <--- Ooops is here, dereferencing the poisoned list ...
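
The list-poison reading of the oops, as an added example (not code from this thread or from the kernel): with the constants quoted above, RDX `dead000000100100` is LIST_POISON1 and RAX `dead000000200200` is LIST_POISON2, so the faulting store is a list delete on an entry that was already deleted. `list_del_checked`, `poison_kind` and `double_delete_result` are hypothetical names, and the code assumes a 64-bit userspace build.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants quoted on the page (x86_64); assumes 64-bit pointers. */
#define POISON_POINTER_DELTA 0xdead000000000000ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)(0x00100100ULL + POISON_POINTER_DELTA))
#define LIST_POISON2 ((struct list_head *)(uintptr_t)(0x00200200ULL + POISON_POINTER_DELTA))

struct list_head { struct list_head *next, *prev; };
enum { DEL_OK = 0, DEL_ALREADY_DELETED = -1, DEL_CORRUPT = -2 };

/* Hypothetical checked delete: refuse a poisoned or inconsistent entry
 * instead of storing through its pointers. */
static int list_del_checked(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return DEL_ALREADY_DELETED;
    if (e->next->prev != e || e->prev->next != e)
        return DEL_CORRUPT;
    e->next->prev = e->prev;  /* unchecked, this is the store that faulted */
    e->prev->next = e->next;
    e->next = LIST_POISON1;   /* poison so a later reuse is recognisable */
    e->prev = LIST_POISON2;
    return DEL_OK;
}

/* Triage helper: 1 or 2 if an oops register holds LIST_POISON1/2, else 0. */
static int poison_kind(uint64_t reg)
{
    if (reg == (uint64_t)(uintptr_t)LIST_POISON1) return 1;
    if (reg == (uint64_t)(uintptr_t)LIST_POISON2) return 2;
    return 0;
}

/* Delete the same entry twice; returns the result of the second delete. */
static int double_delete_result(void)
{
    struct list_head head, buf;
    head.next = head.prev = &buf;   /* constructed two-node circular list */
    buf.next = buf.prev = &head;
    if (list_del_checked(&buf) != DEL_OK) return 1;
    return list_del_checked(&buf);
}

int main(void)
{
    printf("second delete: %d, RDX kind %d, RAX kind %d\n", double_delete_result(),
           poison_kind(0xdead000000100100ULL), poison_kind(0xdead000000200200ULL));
    return 0;
}
```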

On Wednesday, 11 August 2010 at

I created a Bugzilla entry at 
https://bugzilla.kernel.org/show_bug.cgi?id=16614
for your bug report, please add your address to the CC list in there, thanks!

-- 
Maciej Rutecki
http://www.maciek.unixy.pl
--
