PVR-150 + Kernel 2.6.22 = lirc_i2c segfault!

[geoffp]

I just upgraded to gentoo-sources-2.6.22-r1 on my myth box, and everything works, except that "modprobe lirc_i2c" now segfaults, whether at boot time or thereafter. After a short time, this will freeze up the whole machine.

The error message served is this:

[dshay]

Yes, I'm seeing the same thing (well the segfault, not the whole machine freeze-up). Not that I have a solution...

I have tried every version of lirc, as well as one specifically for the lirc pvr150 in IR blaster mode, as well as CVS of lirc, to no avail.

[geoffp]

I can't find a solution either. I'm trying to figure out if it's a kernel configuration issue, but I'm not turning up anything.

I'm back at 2.6.20 for now, since I can't give up lirc, but the search continues, since I do still want to upgrade my kernel someday...

EDIT: We are not the only ones: http://www.nabble.com/forum/Search.jtp?forum=2054&local=y&query=2.6.22

[thedopefishlives]

I fixed this. The culprit is a change in the kernel from 2.6.21 to 2.6.22, where they modified the length of the "name" field in one of the i2c structures. This causes a buffer overflow in the LIRC driver. I'll attach the patch and ebuild when I get home.

EDIT: I also tried to contact the LIRC developers, but I don't think my message got through. If there's anyone reading this that's on the lirc mailing list, could you please let them know?

EDIT 2: I couldn't wait to post the changes... Here you go:
Modified ebuild
Patch file

[geoffp]

Excellent work, dopefish! I'll try your patch tonight.

Out of sheer curiosity, how in the hell did you track this down? I'm interested in how one would go about debugging a driver like lirc.

[geoffp]

Hey, your patch works great! It would be criminal for the lirc people not to accept it.

[thedopefishlives]

See, on my system, I had the advantage that it didn't crash the kernel; it just hung when I ran modprobe. So I was able to switch to another terminal and run dmesg to see how far the driver got. That told me what function in lirc_i2c.c to look in. Then I started putting in calls to printk() before and after every line of code, to see how far into the function it got. I saw it hung on a call to i2c_attach_client(), which is in the kernel source in drivers/i2c/i2c_core.c. So I went there, found the function, and put in calls to printk() to find out how far it was getting there. The thing that failed was a call to mutex_lock().

I now know where the lockup is - trying to lock the mutex in the I2C structure. Now it was time to find out why. So I went back to the lirc_i2c.c file and put in debugging printk() calls, testing the value of the mutex at various times during the function. I noticed that the mutex changed value after the driver did a strcpy() of the string "Hauppage IR (PVR150)" into the name field, and the first thing that came to mind was "buffer overflow". So I diff'd the i2c.h header file (found in the linux source in the include/linux folder) from 2.6.21 to 2.6.22, and found that they had changed the buffer length to 20. I shortened the LIRC name string, recompiled, and everything worked.

[thedopefishlives]

Just as an addendum to this - the LIRC developers accepted my patch. It should be in the next version.

[geoffp]

That's great news! And thanks for the explanation; maybe next time I'll have enough courage to go and dig through the code myself.

[Tetti]

Thank you for investigating the problem creating this patch, dopefish. It works for me, too.
I have created an issue for this in gentoo bugzilla (https://bugs.gentoo.org/show_bug.cgi?id=187822) and added your patches as attachements. Maybe they can use them to create a lirc-0.8.2-r1.ebuild.