Tvheadend

Hi,

I've had a crash when two clients, at the same time, have tuned the same MUX over a remote SAT>IP server.

At this time, I'm not using TCP transport, but regular RTP over UDP between the local and the remote servers. The server that suffered the crash was the local one.

I can't reproduce the crash, as the timing are very close. Also I don't have the full backtrace, but I isolated this info:

2017-09-22 16:32:03.031 [  ALERT]:CRASH: Fault address (nil) (N/A)

2017-09-22 16:32:03.315 [  ALERT]:CRASH: /src/tvheadend-master/src/input/mpegts.h:111 0x7f6500619082 0x7f65003d5000

static inline int mpegts_pid_rexists ( mpegts_apids_t *pids, uint16_t pid )
-->   { return pids && (pids->all || mpegts_pid_find_rindex(pids, pid) >= 0); }

2017-09-22 16:32:03.353 [  ALERT]:CRASH: /src/tvheadend-master/src/input/mpegts/mpegts_input.c:1325 0x7f6500615e86 0x7f65003d5000

      /* Stream raw PIDs */
      if (type & MPS_RAW) {
        LIST_FOREACH(mps, &mp->mp_raw_subs, mps_raw_link)
-->       ts_recv_raw((mpegts_service_t *)mps->mps_owner, tsb, llen);
      }

So, I suspect that some NULL pointer is inside the function "ts_recv_raw()@tsdemux.c"
http://github.com/tvheadend/tvheadend/blob/36f61c919517b49ca8df8a18f422f5f4e0b88c3f/src/input/mpegts/tsdemux.c#L409

Could be that the "pids" pointer in the "mpegts_pid_rexists()" has been NULL?
So, it's possible that the slave service may be NULL when iterating in the list inside "ts_recv_raw()"?
In this case, then I think that some mutex lock as been forgotten.

Please, can you review it, or add and ASSERT and not interate if the slave is NULL?