Changing a video standard takes a long time to happen on tm6000, since it
needs to load another firmware, and the i2c implementation on this device
is really slow. When the driver tries to change the video standard, a
kernel panic is produced:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffa0c7b48a>] tm6000_irq_callback+0x57f/0xac2 [tm6000]
...
Kernel panic - not syncing: Fatal exception in interrupt
By inspecting it with gdb:
(gdb) list *tm6000_irq_callback+0x57f
0x348a is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:202).
197 /* FIXME: move to tm6000-isoc */
198 static int last_line = -2, start_line = -2, last_field = -2;
199
200 /* FIXME: this is the hardcoded window size
201 */
202 unsigned int linewidth = (*buf)->vb.width << 1;
203
204 if (!dev->isoc_ctl.cmd) {
205 c = (header >> 24) & 0xff;
206
Clearly, it was the trial to access *buf, at line 202 that caused the
Panic.
As ioctl is serialized, While S_STD is handled,QBUF/DQBUF won't be called.
So, the driver will run out of the buffers, and *buf will become NULL.
As, on tm6000, the same URB can contain more than one video buffer, it is
likely to hit a condition where no new buffer is available whily copying
the streams. The fix is to leave the URB copy loop, if there's no more buffers
are available.
The same bug could also be produced by an application that is not fast enough
to request new video buffers.
The same bug were reported by Bee Hock Goh <beehock@gmail.com>.
Thanks-to: Bee Hock Goh <beehock@gmail.com> for reporting the bug
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
f4b727b3ae