Bug 60645

Summary: smscoreapi.c - doesn't load firmware anymore
Product: Drivers
Reporter: artiyfm
Component: Video(Other)
Assignee: drivers_video-other
Status: NEW
Severity: normal
CC: mchehab, orodruinlair, rio, vincent.gibault
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.10.x
Subsystem:
Regression: No
Bisected commit-id:

Description artiyfm 2013-07-29 15:50:40 UTC
I get this message when plugging in a 'Hauppauge WinTV MiniStick'
- others report the same error with a 'Siano Mobile Silicon Nice'

smscore_load_firmware_family2: line: 986: sending MSG_SMS_DATA_VALIDITY_REQ expecting 0xcfed1755
smscore_onresponse: line: 1565: MSG_SMS_DATA_VALIDITY_RES, checksum = 0xcfed1755

Kernel 3.9.x and earlier kernels respond with:
smscore_set_device_mode: firmware download success: sms1xxx-hcw-55xxx-dvbt-02.fw
Comment 1 orodruinlair 2013-08-24 11:23:36 UTC
Similar problem here. Kernel version (3.10.7)

smsusb 2-1:1.0: usb_probe_interface
smsusb 2-1:1.0: usb_probe_interface - got id
smscore_load_firmware_family2: line: 986: sending MSG_SMS_DATA_VALIDITY_REQ expecting 0x9cb9c6dc
smscore_onresponse: line: 1565: MSG_SMS_DATA_VALIDITY_RES, checksum = 0x9cb9c6dc
DVB: registering new adapter (Siano Nova B Digital Receiver)
usb 2-1: DVB: registering adapter 0 frontend 0 (Siano Mobile Digital MDTV Receiver)...


If I try to use the device with this kernel I get a kernel panic. With 3.8.x series this device with this firmware works properly.
Comment 2 Vincent Gibault 2013-09-04 17:54:23 UTC
Same problem here.
I can only load the udev rules when I plug in the device (not when I start the computer with the device plugged in).

When I use the device, I get a kernel panic (my computer freezes, and I had to reboot).
Comment 3 Mauro Carvalho Chehab 2013-09-12 03:37:53 UTC
(In reply to orodruinlair from comment #1)
> Similar problem here. Kernel version (3.10.7)
> 
> smsusb 2-1:1.0: usb_probe_interface
> smsusb 2-1:1.0: usb_probe_interface - got id
> smscore_load_firmware_family2: line: 986: sending MSG_SMS_DATA_VALIDITY_REQ
> expecting 0x9cb9c6dc
> smscore_onresponse: line: 1565: MSG_SMS_DATA_VALIDITY_RES, checksum =
> 0x9cb9c6dc

The above messages look ok.

> DVB: registering new adapter (Siano Nova B Digital Receiver)
> usb 2-1: DVB: registering adapter 0 frontend 0 (Siano Mobile Digital MDTV
> Receiver)...
> 
> 
> If I try to use the device with this kernel I get a kernel panic. With 3.8.x
> series this device with this firmware works properly.

We need a dump of the kernel panic message, in order to know where it is broken.
Comment 4 orodruinlair 2013-09-12 09:00:13 UTC
(In reply to Mauro Carvalho Chehab from comment #3)
> 
> We need a dump of the kernel panic message, in order to know where it is
> broken.

Hope this helps.

? smscore_onresponse+0xd1/0x339 [smsmdtv]
? smsusb_onresponse+0x153/0x1a1 [smsusb]
? usb_hcd_giveback_urb+0x55/0x83
? ehci_urb_done+0x75/0x87
? qh_completions+0x92/0x4df
? ehci_work+0xb7/0x74c
? try_to_wake_up+0x202/0x211
? ehci_irq+0x322/0x367
? hrtimer_interrupt+0x12b/0x1d8
? tick_do_broadcast.constprop.5+0x39/0x78
? usb_hcd_irq+0x22/0x2e
? handle_irq_event_percpu+0x24/0x117
? handle_irq_event+0x2e/0x4e
? get_vtime_delta+0xd/0x59
? handle_fasteoi_irq+0x6d/0x9d
? handle_irq+0x1a/0x1e
? do_IRQ+0x42/0xa7
? common_interrupt+0x6a/0x6a

? cpuidle_enter_state+0x43/0xac
? cpuidle_enter_state+0x3f/0xac
? cpuidle_idle_call+0xcc/0x10a
? arch_cpu_idle+0x6/0x17
? cpu_startup_entry+0xe9/0x145
? start_kernel+0x3cd/0x3d8
? repair_env_string+0x54/0x54

smsdvb_onresponse+0x280/0xa19 [smsdvb]
Fatal exception in interrupt
Panic ocurred, switching back to text console.
Comment 5 Mauro Carvalho Chehab 2013-09-12 10:31:57 UTC
(In reply to orodruinlair from comment #4)

Could you please identify the lines where the errors occurred with gdb? Getting it should be easy if you compiled the kernel by hand, or if your distribution has packages for the debug symbol tables.

To get the lines where the error occurred, you need to call gdb with:

$ gdb <path>/smsdvb.ko

(for smsdvb_onresponse+0x280 and smsusb_onresponse+0x153)

and

$ gdb <path>/smsmdtv.ko

(for smscore_onresponse+0xd1)

and, inside gcc:

list <symbol>

For example, this is how to do it on Fedora:

1) Installing the debug info for the current kernel:
    # debuginfo-install kernel-3.10.10-200.fc19.x86_64

(this step depends on how your distro packages the debuginfo data - and only applies if you're not compiling the kernel yourself)

On Debian (and likely Ubuntu), this is done with:
   # apt-get install kernel-dbg

2) Using gdb to get the line of the code:

$ gdb /lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsdvb.ko
GNU gdb (GDB) Fedora (7.6-34.fc19)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsdvb.ko...Reading symbols from /usr/lib/debug/usr/lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsdvb.ko.debug...done.
done.
(gdb) list  *smsdvb_onresponse+0x280

(some output)

(gdb) list  *smsusb_onresponse+0x153

(some output)

$ gdb /lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsmdtv.ko
GNU gdb (GDB) Fedora (7.6-34.fc19)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsmdtv.ko...Reading symbols from /usr/lib/debug/usr/lib/modules/3.10.10-200.fc19.x86_64/kernel/drivers/media/common/siano/smsmdtv.ko.debug...done.
done.
(gdb) list  *smscore_onresponse+0xd1

(some output)
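
The lookup procedure from comment 5, scripted as an added example (not part of the original thread or the kernel tree). `trace_to_gdb` is a hypothetical helper name; it assumes trace lines in the `symbol+0xoff/0xlen [module]` form shown in comment 4 and resolves each symbol in the module named in brackets.

```sh
#!/bin/sh
# Added example: turn the module frames of a panic trace into gdb lookups.

# Constructed sample input: four frames copied from the trace in comment 4.
SAMPLE_TRACE='? smscore_onresponse+0xd1/0x339 [smsmdtv]
? smsusb_onresponse+0x153/0x1a1 [smsusb]
? usb_hcd_giveback_urb+0x55/0x83
smsdvb_onresponse+0x280/0xa19 [smsdvb]'

# trace_to_gdb MODULES_ROOT   (trace lines on stdin)
# Prints one "gdb -batch" command per frame that carries a [module] tag.
# Frames without a tag belong to the core kernel image and are skipped.
trace_to_gdb() {
    root=$1
    # Extract "symbol offset module" from each tagged frame.
    sed -n 's|^[^A-Za-z_]*\([A-Za-z_][A-Za-z0-9_.]*\)+\(0x[0-9a-fA-F]\{1,\}\)/0x[0-9a-fA-F]\{1,\} \[\([A-Za-z0-9_-]\{1,\}\)\].*$|\1 \2 \3|p' |
    while read -r sym off mod; do
        # A symbol only resolves in the .ko it lives in; asking another
        # module gives: No symbol "..." in current context.
        ko=$(find "$root" -type f -name "$mod.ko*" ! -name '*.debug' 2>/dev/null | head -n 1)
        if [ -z "$ko" ]; then
            printf '# %s.ko not found under %s (frame %s+%s)\n' "$mod" "$root" "$sym" "$off"
            continue
        fi
        printf "gdb -batch -ex 'list *%s+%s' %s\n" "$sym" "$off" "$ko"
    done
}

# Typical use against the running kernel's module tree:
#   dmesg | trace_to_gdb "/lib/modules/$(uname -r)"
```

The printed commands only show source lines when the debug symbols for that exact kernel build are installed, as described in step 1 above.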
Comment 6 orodruinlair 2013-09-12 11:54:35 UTC
(In reply to Mauro Carvalho Chehab from comment #5)

gdb /lib/modules/3.10.7-gentoo/kernel/drivers/media/common/siano/smsdvb.ko

(gdb) list  *smsdvb_onresponse+0x280
0x673 is in smsdvb_onresponse (drivers/media/common/siano/smsdvb-main.c:278).
273             c->post_bit_error.stat[0].uvalue += p->ber_error_count;
274             c->post_bit_count.stat[0].uvalue += p->ber_bit_count;
275
276             /* Legacy PER/BER */
277             tmp = p->ets_packets * 65535;
278             do_div(tmp, p->ts_packets + p->ets_packets);
279             client->legacy_per = tmp;
280     }
281
282     static void smsdvb_update_dvb_stats(struct smsdvb_client_t *client,
(gdb) 
283                                         struct sms_stats *p)
284     {
285             struct dvb_frontend *fe = &client->frontend;
286             struct dtv_frontend_properties *c = &fe->dtv_property_cache;
287
288             if (client->prt_dvb_stats)
289                     client->prt_dvb_stats(client->debug_data, p);
290
291             client->fe_status = sms_to_status(p->is_demod_locked, p->is_rf_locked);
292

(gdb) list  *smsusb_onresponse+0x153

No symbol "smsusb_onresponse" in current context.

gdb /lib/modules/3.10.7-gentoo/kernel/drivers/media/common/siano/smsmdtv.ko

(gdb) list  *smscore_onresponse+0xd1

0x5fb is in smscore_onresponse (drivers/media/common/siano/smscoreapi.c:1521).
1516            /* If no client registered for type & id,
1517             * check for control client where type is not registered */
1518            if (client)
1519                    rc = client->onresponse_handler(client->context, cb);
1520
1521            if (rc < 0) {
1522                    switch (phdr->msg_type) {
1523                    case MSG_SMS_ISDBT_TUNE_RES:
1524                            break;
1525                    case MSG_SMS_RF_TUNE_RES:
(gdb) 
1526                            break;
1527                    case MSG_SMS_SIGNAL_DETECTED_IND:
1528                            break;
1529                    case MSG_SMS_NO_SIGNAL_IND:
1530                            break;
1531                    case MSG_SMS_SPI_INT_LINE_SET_RES:
1532                            break;
1533                    case MSG_SMS_INTERFACE_LOCK_IND:
1534                            break;
1535                    case MSG_SMS_INTERFACE_UNLOCK_IND:
Comment 7 Christoph Pegel 2013-09-12 13:47:44 UTC
I just built a kernel with debug symbols and obtained similar traces. Obtained the relevant lines from smsmdtv, smsusb and smsdvb:

$ gdb smsmdtv.ko
(gdb) list *smscore_onresponse+0x81
0x771 is in smscore_onresponse (drivers/media/common/siano/smscoreapi.c:1521).
1516		/* If no client registered for type & id,
1517		 * check for control client where type is not registered */
1518		if (client)
1519			rc = client->onresponse_handler(client->context, cb);
1520	
1521		if (rc < 0) {
1522			switch (phdr->msg_type) {
1523			case MSG_SMS_ISDBT_TUNE_RES:
1524				break;
1525			case MSG_SMS_RF_TUNE_RES:
(gdb) quit

$ gdb smsdvb.ko
(gdb) list *smsdvb_onresponse+0x495
0x14b5 is in smsdvb_onresponse (drivers/media/common/siano/smsdvb-main.c:278).
273		c->post_bit_error.stat[0].uvalue += p->ber_error_count;
274		c->post_bit_count.stat[0].uvalue += p->ber_bit_count;
275	
276		/* Legacy PER/BER */
277		tmp = p->ets_packets * 65535;
278		do_div(tmp, p->ts_packets + p->ets_packets);
279		client->legacy_per = tmp;
280	}
281	
282	static void smsdvb_update_dvb_stats(struct smsdvb_client_t *client,
(gdb) quit

$ gdb smsusb.ko
(gdb) list *smsusb_onresponse+0xa9
0x4a9 is in smsusb_onresponse (drivers/media/usb/siano/smsusb.c:135).
130					  phdr->msg_type, phdr->msg_length);
131	
132				smsendian_handle_rx_message((struct sms_msg_data *) phdr);
133	
134				smscore_onresponse(dev->coredev, surb->cb);
135				surb->cb = NULL;
136			} else {
137				sms_err("invalid response "
138					"msglen %d actual %d",
139					phdr->msg_length, urb->actual_length);
(gdb) quit
Comment 8 orodruinlair 2013-09-12 14:19:44 UTC
I forgot to mention that I'm using a 64bit kernel.
Comment 9 Mauro Carvalho Chehab 2013-09-12 15:17:58 UTC
orodruinlair/Christoph Pegel,

Thanks for the debug data

(In reply to orodruinlair from comment #6)
> (In reply to Mauro Carvalho Chehab from comment #5)
> > Could you please identify the lines where the errors occurred with gdb?

> gdb /lib/modules/3.10.7-gentoo/kernel/drivers/media/common/siano/smsdvb.ko
> 
> (gdb) list  *smsdvb_onresponse+0x280
> 0x673 is in smsdvb_onresponse (drivers/media/common/siano/smsdvb-main.c:278).
> 276             /* Legacy PER/BER */
> 277             tmp = p->ets_packets * 65535;
> 278             do_div(tmp, p->ts_packets + p->ets_packets);

Ok, if both ts_packets and ets_packets are 0, this will cause a division by zero, causing the Kernel panic.

The fix is easy: it should not call do_div if the denominator is zero.

I saw a patch for it already at the linux-media ML for one frontend (not sure if it was for this one or for another one).

I'll double check and post an additional comment with the patch.
Comment 10 Mauro Carvalho Chehab 2013-09-12 15:40:38 UTC
(In reply to Mauro Carvalho Chehab from comment #9)
> I saw a patch for it already at the linux-media ML for one frontend (not
> sure if it was for this one or for another one).
> 
> I'll double check and post an additional comment with the patch.

Yes. This was fixed by commit ec532503209053bbee0c7dac410031e50835e01a:
Comment 11 Mauro Carvalho Chehab 2013-09-12 15:42:06 UTC
(In reply to Mauro Carvalho Chehab from comment #10)
> (In reply to Mauro Carvalho Chehab from comment #9)
> > I saw a patch for it already at the linux-media ML for one frontend (not
> > sure if it was for this one or for another one).
> > 
> > I'll double check and post an additional comment with the patch.
> 
> Yes. This was fixed by commit ec532503209053bbee0c7dac410031e50835e01a:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec532503209053bbee0c7dac410031e50835e01a

It should be backported to -stable and to the distro Kernels.
Comment 12 Christoph Pegel 2013-09-12 16:52:32 UTC
(In reply to Mauro Carvalho Chehab from comment #10)
> (In reply to Mauro Carvalho Chehab from comment #9)
> > I saw a patch for it already at the linux-media ML for one frontend (not
> > sure if it was for this one or for another one).
> > 
> > I'll double check and post an additional comment with the patch.
> 
> Yes. This was fixed by commit ec532503209053bbee0c7dac410031e50835e01a:

I patched that commit into my kernel and it still panics. Everything looks the same except the RIP now contains the address of the if statement:

(gdb) list *smsdvb_onresponse+0x495
0x14b5 is in smsdvb_onresponse (drivers/media/common/siano/smsdvb-main.c:278).
273		c->post_bit_error.stat[0].uvalue += p->ber_error_count;
274		c->post_bit_count.stat[0].uvalue += p->ber_bit_count;
275	
276		/* Legacy PER/BER */
277		tmp = p->ets_packets * 65535;
278		if (p->ts_packets + p->ets_packets)
279			do_div(tmp, p->ts_packets + p->ets_packets);
280		client->legacy_per = tmp;
281	}
282
Comment 13 Mauro Carvalho Chehab 2013-09-12 18:10:27 UTC
(In reply to Christoph Pegel from comment #12)
> (In reply to Mauro Carvalho Chehab from comment #10)
> > (In reply to Mauro Carvalho Chehab from comment #9)
> > > I saw a patch for it already at the linux-media ML for one frontend (not
> > > sure if it was for this one or for another one).
> > > 
> > > I'll double check and post an additional comment with the patch.
> > 
> > Yes. This was fixed by commit ec532503209053bbee0c7dac410031e50835e01a:
> 
> I patched that commit into my kernel and it still panics. Everything looks
> the same except the RIP now contains the address of the if statement:
> 
> (gdb) list *smsdvb_onresponse+0x495
> 0x14b5 is in smsdvb_onresponse
> (drivers/media/common/siano/smsdvb-main.c:278).
> 273           c->post_bit_error.stat[0].uvalue += p->ber_error_count;
> 274           c->post_bit_count.stat[0].uvalue += p->ber_bit_count;
> 275   
> 276           /* Legacy PER/BER */
> 277           tmp = p->ets_packets * 65535;
> 278           if (p->ts_packets + p->ets_packets)
> 279                   do_div(tmp, p->ts_packets + p->ets_packets);
> 280           client->legacy_per = tmp;
> 281   }
> 282

That doesn't make any sense. I'm pretty sure that you're still running the old Kernel, as 0x495 is the same offset as your post at comment #7
Comment 14 orodruinlair 2013-09-12 18:21:30 UTC
(In reply to Mauro Carvalho Chehab from comment #11)
> (In reply to Mauro Carvalho Chehab from comment #10)
> > (In reply to Mauro Carvalho Chehab from comment #9)
> > > I saw a patch for it already at the linux-media ML for one frontend (not
> > > sure if it was for this one or for another one).
> > > 
> > > I'll double check and post an additional comment with the patch.
> > 
> > Yes. This was fixed by commit ec532503209053bbee0c7dac410031e50835e01a:
> 
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
> ?id=ec532503209053bbee0c7dac410031e50835e01a
> 
> It should be backported to -stable and to the distro Kernels.

I have tested the patch and it solves the kernel panic problem.

Thanks for your help.
Comment 15 Christoph Pegel 2013-09-12 18:45:49 UTC
(In reply to Mauro Carvalho Chehab from comment #13)
> (In reply to Christoph Pegel from comment #12)
> > I patched that commit into my kernel and it still panics. Everything looks
> > the same except the RIP now contains the address of the if statement:
> 
> [...]
>
> That doesn't make any sense. I'm pretty sure that you're still running the
> old Kernel, as 0x495 is the same offset as your post at comment #7

I tried it again and it works, so I guess you are right and I just booted the wrong kernel, oops. The device is running fine now.

Thanks for your help!