From 6b55009e1dc7c2a66c8f5fad67045f0536c9bbd8 Mon Sep 17 00:00:00 2001 From: Michael Krufky Date: Fri, 2 Jan 2009 15:55:29 -0300 Subject: V4L/DVB (10170): tuner-simple: prevent possible OOPS caused by divide by zero error A user reported the following OOPS with his pcHDTV HD5500 card, which uses a cx88 PCI bridge with a LG-TDVS-H06xF frontend module, made up of a TUA6034 tuner, TDA988x IF demod, and LG DT3303 ATSC/QAM demod. Somehow, tuner-core gets loaded before the digital driver configures the tuner, and tuner-core somehow incorrectly sets the tuner type to LG NTSC (TAPE series) instead of LG TDVS-H06xF. This tuner type does not have the tuning stepsize defined, so an OOPS occurs during the digital tune function. We still dont know how the type gets set incorrectly in the first place. The user has a tainted kernel with a binary nividia module, which COULD have something to do with this, but it's hard to say for sure. Nevertheless, to avoid this division by zero, we should check that stepsize is defined. If stepsize is not defined, print an error and bail out on the tune request. cx8800 0000:05:01.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19 cx88[0]: subsystem: 7063:5500, board: pcHDTV HD5500 HDTV [card=47,autodetected], frontend(s): 1 cx88[0]: TV tuner type 47, Radio tuner type -1 tuner' 2-0043: chip found @ 0x86 (cx88[0]) tda9887 2-0043: creating new instance tda9887 2-0043: tda988[5/6/7] found tuner' 2-0061: chip found @ 0xc2 (cx88[0]) tuner-simple 2-0061: creating new instance tuner-simple 2-0061: type set to 47 (LG NTSC (TAPE series)) cx88[0]/0: found at 0000:05:01.0, rev: 5, irq: 19, latency: 32, mmio: 0xea000000 cx88[0]/0: registered device video1 [v4l2] cx88[0]/0: registered device vbi1 cx88_audio 0000:05:01.1: PCI INT A -> GSI 19 (level, low) -> IRQ 19 cx88[0]/1: CX88x/0: ALSA support for cx2388x boards cx88[0]/2: cx2388x 8802 Driver Manager cx88-mpeg driver manager 0000:05:01.2: PCI INT A -> GSI 19 (level, low) -> IRQ 19 cx88[0]/2: found at 0000:05:01.2, rev: 5, irq: 19, latency: 32, mmio: 0xec000000 cx8802_probe() allocating 1 frontend(s) cx88/2: cx2388x dvb driver version 0.0.6 loaded cx88/2: registering cx8802 driver, type: dvb access: shared cx88[0]/2: subsystem: 7063:5500, board: pcHDTV HD5500 HDTV [card=47] cx88[0]/2: cx2388x based DVB/ATSC card tuner-simple 2-0061: attaching existing instance tuner-simple 2-0061: type set to 64 (LG NTSC (TAPE series)) tda9887 2-0043: attaching existing instance DVB: registering new adapter (cx88[0]) DVB: registering adapter 0 frontend 0 (LG Electronics LGDT3303 VSB/QAM Frontend)... [snip] stepsize=0 divide error: 0000 [1] SMP CPU 1 Modules linked in: nls_utf8 fuse sco bridge stp bnep l2cap bluetooth sunrpc nf_conntrack_netbios_ns nf_conntrack_ftp ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 cpufreq_ondemand acpi_cpufreq freq_table xfs lgdt330x dm_multipath cx88_dvb cx88_vp3054_i2c uinput tda9887 tda8290 snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_emul tuner_simple tuner_types tuner msp3400 cx8800 cx88_alsa cx8802 snd_emu10k1 cx88xx snd_rawmidi snd_ac97_codec ir_common ac97_bus saa7115 snd_seq_dummy snd_seq_oss snd_seq_midi_event videobuf_dvb snd_seq dvb_core snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_device videobuf_dma_sg ppdev parport_pc snd_timer videobuf_core snd_page_alloc btcx_risc emu10k1_gp ivtv i2c_algo_bit cx2341x snd_util_mem snd_hwdep nvidia(P) gameport v4l2_common i2c_i801 snd soundcore parport videodev v4l1_compat v4l2_compat_ioctl32 tveeprom i2c_core pcspkr iTCO_wdt iTCO_vendor_support sky2 joydev floppy shpchp ata_generic pata_acpi pata_jmicron [last unloaded: microcode] Pid: 3553, comm: kdvb-ad-0-fe-0 Tainted: P 2.6.27.9-159.fc10.x86_64 #1 RIP: 0010:[] [] simple_dvb_calc_regs+0xab/0x281 [tuner_simple] RSP: 0018:ffff8800605dfd30 EFLAGS: 00010246 RAX: 000000000365c040 RBX: ffff8800605dfdb0 RCX: ffff88007acb8c10 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000246 RBP: ffff8800605dfda0 R08: ffff8800605dfba0 R09: 0000000000000082 R10: 00000010e73c9df1 R11: 0000000100000000 R12: ffff88007ac29c00 R13: ffff88007ac29c00 R14: ffff88007acbb408 R15: ffffffffa09b6fb0 FS: 0000000000000000(0000) GS:ffff88007f804880(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00000000004e8f40 CR3: 000000007114e000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process kdvb-ad-0-fe-0 (pid: 3553, threadinfo ffff8800605de000, task ffff88006fca0000) Stack: ffff8800605dfd40 00000000ffffffa1 ffff88007c055860 0000000000000001 ffff8800605dfda0 ffff8800605dfda0 ffff88007acb8c10 ffffffffa004e48c 8e01880000000390 ffff88007acb8c10 ffff88007ac29c00 0000000000000000 Call Trace: [] ? i2c_transfer+0x80/0x8b [i2c_core] [] simple_dvb_set_params+0x3e/0x9b [tuner_simple] [] lgdt330x_set_parameters+0x188/0x1b9 [lgdt330x] [] dvb_frontend_swzigzag_autotune+0x18e/0x1b5 [dvb_core] [] dvb_frontend_swzigzag+0x1bc/0x21e [dvb_core] [] dvb_frontend_thread+0x528/0x62b [dvb_core] [] ? autoremove_wake_function+0x0/0x38 [] ? dvb_frontend_thread+0x0/0x62b [dvb_core] [] kthread+0x49/0x76 [] child_rip+0xa/0x11 [] ? restore_args+0x0/0x30 [] ? kthread+0x0/0x76 [] ? child_rip+0x0/0x11 Code: 48 8b 05 2a 4e 00 00 41 8b 77 1c 31 d2 0f b7 40 0a 89 f1 03 45 d0 d1 e9 03 0d 23 4e 00 00 69 c0 24 f4 00 00 8d 04 01 48 8b 4d c0 f6 8a 55 d6 88 53 04 41 89 c4 c1 e8 08 88 43 01 8a 45 d7 44 RIP [] simple_dvb_calc_regs+0xab/0x281 [tuner_simple] RSP Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab --- drivers/media/common/tuners/tuner-simple.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'drivers/media/common/tuners') diff --git a/drivers/media/common/tuners/tuner-simple.c b/drivers/media/common/tuners/tuner-simple.c index 1a21191566f5..de7adaf5fa5b 100644 --- a/drivers/media/common/tuners/tuner-simple.c +++ b/drivers/media/common/tuners/tuner-simple.c @@ -820,6 +820,15 @@ static u32 simple_dvb_configure(struct dvb_frontend *fe, u8 *buf, int ret; unsigned frequency = params->frequency / 62500; + if (!tun->stepsize) { + /* tuner-core was loaded before the digital tuner was + * configured and somehow picked the wrong tuner type */ + tuner_err("attempt to treat tuner %d (%s) as digital tuner " + "without stepsize defined.\n", + priv->type, priv->tun->name); + return 0; /* failure */ + } + t_params = simple_tuner_params(fe, TUNER_PARAM_TYPE_DIGITAL); ret = simple_config_lookup(fe, t_params, &frequency, &config, &cb); if (ret < 0) -- cgit v1.2.3