Bug #4749
TVheadend crashes when switching to a powervu channel
100%
Description
First of all, this is the first time I am trying to use tvheadend with powervu. I used it in the past with viacess smartcard with no issue.
Versions are:
tvheadend : 4.3-710~g41624278b
oscam build r11392 with OSCam-Emu version 758
On Ubuntu 17.10 PC 64 bits.
My oscam.conf looks like:
[streamrelay]
stream_relay_enabled = 0
[dvbapi]
enabled = 1
pmt_mode = 4
listen_port = 9001
delayer = 80
user = dummy
boxtype = pc
extended_cw_api = 1
I have configured CA tvheadend with:
OSCam net protocol (rev >= 10389) and Extended (OE 2.2)
When I switch to a channel on 9 east with powervu encryption, tvheadend crashes.
Can you help?
Thanks.
Files
History
Updated by Jaroslav Kysela almost 7 years ago
tvh: --trace descrambler,capmt - https://tvheadend.org/projects/tvheadend/wiki/Traces
oscam: enable log level 128
Updated by Eric Dec almost 7 years ago
- File 2017_11_29_tvh_01.log 2017_11_29_tvh_01.log added
- File 2017_11_29_ocam_01.log 2017_11_29_ocam_01.log added
- File 2017_11_29_gdb_01.log 2017_11_29_gdb_01.log added
Jaroslav Kysela wrote:
tvh: --trace descrambler,capmt - https://tvheadend.org/projects/tvheadend/wiki/Traces
oscam: enable log level 128
find the 3 logs attached. (stamped with date of today 29 Nov.
Thanks in advance.
(you can ignore the disecq issues at the beginning of the log, there was a problem with a cable that I fixed after)
Updated by Jaroslav Kysela almost 7 years ago
Could you retest with v4.3-720-g3af771188 ? The commit https://github.com/tvheadend/tvheadend/commit/1db6a4c39fed19f3525ab97e77182797d23a8407 should fix this issue.
Updated by Eric Dec almost 7 years ago
- File 2017_11_29_gdb_02.log 2017_11_29_gdb_02.log added
- File 2017_11_29_tvh_02.log 2017_11_29_tvh_02.log added
- File 2017_11_29_ocam_02.log 2017_11_29_ocam_02.log added
Jaroslav Kysela wrote:
Could you retest with v4.3-720-g3af771188 ? The commit https://github.com/tvheadend/tvheadend/commit/1db6a4c39fed19f3525ab97e77182797d23a8407 should fix this issue.
I copy/paste descrambler.c and rebuilt tvheadend with make command.
I still get a crash, find logs attached (all suffixed with 02).
(is there a better way to get descrambler.c rather than clicking on "raw", select all and copy/paste?)
Thanks gain.
Updated by Joe User almost 7 years ago
Not sure if it is the problem, but the caPMT does not match the real PMT and so oscam ends up sending index 6 and 7 whereas Tvheadend sent only 5 pids in the caPMT
11:10:53 60B87671 c (dvbapi) capmt: 11:10:53 60B87671 c (dvbapi) 03 00 05 01 00 19 01 82 02 00 00 81 08 00 00 00 11:10:53 60B87671 c (dvbapi) 00 00 01 00 09 84 02 13 8D 09 04 0E 00 17 75 02 11:10:53 60B87671 c (dvbapi) 06 18 00 00 04 05 F0 00 00 04 05 F2 00 00 04 05 11:10:53 60B87671 c (dvbapi) FA 00 00 04 05 FC 00 00 11:10:53 60B87671 c (dvbapi) Receiver sends PMT command 3 for channel 0005 11:10:53 60B87671 c (dvbapi) Receiver wants to demux srvid 0005 on adapter 0000 camask 0001 index 0000 pmtpid 0000 11:10:53 60B87671 c (dvbapi) Demuxer 0 try to start new filter for caid: 0001, provid: 000001, pid: 0000 11:10:53 60B87671 c (dvbapi) Sending packet to dvbapi client (fd=10): 11:10:53 60B87671 c (dvbapi) 40 3C 6F 2B 00 00 00 00 00 00 00 00 00 00 00 00 11:10:53 60B87671 c (dvbapi) 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 11:10:53 60B87671 c (dvbapi) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11:10:53 60B87671 c (dvbapi) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11:10:53 60B87671 c (dvbapi) 04 11:10:53 60B87671 c (dvbapi) Demuxer 0 Filter 1 started successfully (caid 0001 provid 000001 pid 0000) 11:10:53 60B87671 c (dvbapi) Demuxer 0 found pmt type: 81 length: 8 (assuming enigma private descriptor: namespace 0000 tsid 01 onid 09) 11:10:53 60B87671 c (dvbapi) Demuxer 0 ecmpid 0 CAID: 0E00 ECM_PID: 1775 PROVID: 000000 11:10:53 60B87671 c (dvbapi) Demuxer 0 stream Videostream (MPEG-2)(type: 02 pid: 0618 length: 0) 11:10:53 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f0 length: 0) 11:10:53 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f2 length: 0) 11:10:53 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fa length: 0) 11:10:53 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fc length: 0) 11:10:53 60B87671 c (dvbapi) Demuxer 0 found 1 ECMpids and 5 STREAMpids in caPMT
11:10:54 60B87671 c (dvbapi) pmt: 11:10:54 60B87671 c (dvbapi) 02 B0 71 00 05 C3 00 00 E6 18 F0 0C 0F 04 53 41 11:10:54 60B87671 c (dvbapi) 50 53 09 04 0E 00 17 75 02 E6 18 F0 0A 86 08 1E 11:10:54 60B87671 c (dvbapi) 00 00 00 00 00 00 00 04 E5 F0 F0 00 04 E5 F2 F0 11:10:54 60B87671 c (dvbapi) 00 04 E5 FA F0 00 04 E5 FC F0 00 85 E4 28 F0 00 11:10:54 60B87671 c (dvbapi) 89 FB 6A F0 0B FE 09 12 02 3D 00 00 00 00 00 00 11:10:54 60B87671 c (dvbapi) 89 FB 71 F0 0B FE 09 19 02 14 00 00 00 00 00 00 11:10:54 60B87671 c (dvbapi) 89 FB 6F F0 0B FE 09 17 03 33 00 00 00 00 00 00 11:10:54 60B87671 c (dvbapi) A5 EE 6E 4F 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Videostream (MPEG-2)(type: 02 pid: 0618 length: 10) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f0 length: 0) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05f2 length: 0) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fa length: 0) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (MPEG-2)(type: 04 pid: 05fc length: 0) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Audiostream (DTS 8)(type: 85 pid: 0428 length: 0) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Reserved(type: 89 pid: 1b6a length: 11) 11:10:54 60B87671 c (dvbapi) Demuxer 0 stream Reserved(type: 89 pid: 1b71 length: 11) 11:10:54 60B87671 c (dvbapi) Demuxer 0 found 1 ECMpids and 8 STREAMpids in PMT
I cheated when I wrote my code and stopped Tvheadend from sending the real PMT. This was especially useful when I use audio stream filters to only use the audio track I want (blocked the radio tracks...) For example for this channel I set the audio stream filter to use pid 1520 exclusively...
BTW - probably best to just do a "git pull" to get all the changes.
Updated by Joe User almost 7 years ago
Also, older versions of oscam-emu did not parse all the PMT pids and would have matched the caPMT. But I am sorry I do not recall when it was changed.
Updated by Eric Dec almost 7 years ago
Joe User wrote:
Also, older versions of oscam-emu did not parse all the PMT pids and would have matched the caPMT. But I am sorry I do not recall when it was changed.
Anything i can do to help?
Updated by Joe User almost 7 years ago
If you are using the latest oscam-emu pathc, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.
Updated by Eric Dec almost 7 years ago
Joe User wrote:
If you are using the latest oscam-emu pathc, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.
I have searched documentation, not too sure how to do that? What is the parameter name?
Updated by Eric Dec almost 7 years ago
Eric Dec wrote:
Joe User wrote:
If you are using the latest oscam-emu pathc, you can try setting "Max pids for extended CWs" to 5 (under config/DVB-api) and see if that helps.
I have searched documentation, not too sure how to do that? What is the parameter name?
Ok, I found the parameter through the Oscam web Gui, I changed it to 5, restarted oscam, but same result, tvheadend is crashing.
Is there another way to get this working? Using the stream-relay? I found a post from yourself about that, but would I be able to use the latest tvheadend and latest oscam?
Updated by Joe User almost 7 years ago
I am usually running my own version of Tvheadend because it has been quite stable and it includes some changes that I made for myself which are probably of no use to anyone else.
I tested the official version a few months ago and it was working with powervu, but today I tried the latest version form git and while it did not crash, it was not descrambling the channels. I ran it from valgrind and it did crash with the following errors:
==16655== ==16655== Process terminating with default action of signal 11 (SIGSEGV) ==16655== Bad permissions for mapped region at address 0x0 ==16655== at 0x0: ??? ==16655== by 0x3C79B5: key_find_struct (descrambler.c:941) ==16655== by 0x3CA3E6: descrambler_descramble (descrambler.c:1043) ==16655== by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340) ==16655== by 0x3D1007: mpegts_input_process (mpegts_input.c:1419) ==16655== by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553) ==16655== by 0x3239E3: thread_wrapper (wrappers.c:161) ==16655== by 0x69D50A3: start_thread (pthread_create.c:309) ==16655== by 0xBAE987C: clone (clone.S:111) ==16655== ==16655== HEAP SUMMARY: ==16655== in use at exit: 20,723,906 bytes in 184,420 blocks ==16655== total heap usage: 946,891 allocs, 762,471 frees, 248,752,049 bytes allocated ==16655== ==16655== LEAK SUMMARY: ==16655== definitely lost: 6,479 bytes in 15 blocks ==16655== indirectly lost: 549 bytes in 7 blocks ==16655== possibly lost: 13,376 bytes in 38 blocks ==16655== still reachable: 20,703,502 bytes in 184,360 blocks ==16655== suppressed: 0 bytes in 0 blocks ==16655== Rerun with --leak-check=full to see details of leaked memory ==16655== ==16655== For counts of detected and suppressed errors, rerun with: -v ==16655== Use --track-origins=yes to see where uninitialised values come from ==16655== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0) ==16655== could not unlink /tmp/vgdb-pipe-from-vgdb-to-16655-by-root-on-??? ==16655== could not unlink /tmp/vgdb-pipe-to-vgdb-from-16655-by-root-on-??? ==16655== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-16655-by-root-on-???
Sorry I do not have time to debug right now, but will try to look at it later.
Updated by Jaroslav Kysela almost 7 years ago
Did you test v4.3-733-g295288821 ? There's another update for this issue.
Updated by Joe User almost 7 years ago
- File tvhlog.txt tvhlog.txt added
Yes, I did a new clone tonight.
It looks like "key_find_struct" is crashing when it is called for pid 0.
I also see it is called for pid 18.
It should only be called for the video/audio pids I assume???
Sorry, I have not kept up with your new code and this section is new since I forked...
I just did some quick printf for debug:
static th_descrambler_key_t * key_find_struct( th_descrambler_runtime_t *dr, th_descrambler_key_t *tk_old, const uint8_t *tsb, service_t *t ) { th_descrambler_key_t *tk; int i, pid = extractpid(tsb); for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) { printf ("xx i == %d pid = %d \n",i,pid); tk = &dr->dr_keys[i]; if (tk->key_pid == pid) { printf ("xxxx i == %d pid = %d \n",i,pid); if (tk != tk_old && tk_old) printf ("xxxxxxx i == %d pid = %d \n",i,pid); tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t); return tk; } } return NULL; }
Output:
Updated by Joe User almost 7 years ago
BTW - I set an audio filter to exclusively use pid 1520, that is why only pids 1560 and 1520 appear.
But, it crashes with or without the filter.
Updated by Joe User almost 7 years ago
So I had it return null if pid == 0, and it still crashes.
But if I just comment out the failing line, it runs ok...
// tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
Updated by Joe User almost 7 years ago
Ok, last comment tonight (need to concentrate on other things...)
After changing channels a few times. it did crash on pid == 0 even with the failing line commented out.
Sorry don't have time to debug further.
Updated by Jaroslav Kysela almost 7 years ago
Another little fix is in v4.3-734-g4433c27d8 . The tk_old should be zero for PIDs which are not descrambled. And the point is, if (tsb3 & 0x80) == 0) (scrambling bit is not set) the key_find_struct() should not be called. The function ts_recv_packet0/ts_recv_packet2 should be called instead.
Updated by Eric Dec almost 7 years ago
- File 2017_12_01_Oscam.log 2017_12_01_Oscam.log added
- File 2017_12_01_tvh_01.log 2017_12_01_tvh_01.log added
- File 2017_12_01_gdb.log 2017_12_01_gdb.log added
Jaroslav Kysela wrote:
Another little fix is in v4.3-734-g4433c27d8 . The tk_old should be zero for PIDs which are not descrambled. And the point is, if (tsb3 & 0x80) == 0) (scrambling bit is not set) the key_find_struct() should not be called. The function ts_recv_packet0/ts_recv_packet2 should be called instead.
I downloaded the whole tvheadend 4.3.734, recompiled, it is crashing as well
Find logs attached.
Thanks.
Updated by Joe User almost 7 years ago
- File tvhlog_2.txt tvhlog_2.txt added
still crashes:
==27596== Thread 36 tvh:mi-main: ==27596== Jump to the invalid address stated on the next line ==27596== at 0x0: ??? ==27596== by 0x3C7955: key_find_struct (descrambler.c:941) ==27596== by 0x3CA381: descrambler_descramble (descrambler.c:1043) ==27596== by 0x3D3C99: ts_recv_packet1 (tsdemux.c:340) ==27596== by 0x3D0F97: mpegts_input_process (mpegts_input.c:1419) ==27596== by 0x3D0F97: mpegts_input_thread (mpegts_input.c:1553) ==27596== by 0x323983: thread_wrapper (wrappers.c:161) ==27596== by 0x69D50A3: start_thread (pthread_create.c:309) ==27596== by 0xBAE987C: clone (clone.S:111) ==27596== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==27596== 2017-12-01 10:30:00.260 [ ALERT] CRASH: Signal: 11 in PRG: /home/builder/tvheadend_official/tvheadend/build.linux/tvheadend (4.3-734~g4433c27) [a1fdbc4a4a4a785e765171a3bed458a17e5987f3] CWD: /root 2017-12-01 10:30:00.261 [ ALERT] CRASH: Fault address (nil) (Access error) 2017-12-01 10:30:00.262 [ ALERT] CRASH: Loaded libraries: /usr/lib/valgrind/vgpreload_core-amd64-linux.so /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so /usr/lib/libdvben50221.so /usr/lib/libdvbapi.so /usr/lib/libucsi.so /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libpcre.so.3 /usr/lib/liburiparser.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libvdpau.so.1 /usr/lib/x86_64-linux-gnu/libX11.so.6 /usr/lib/x86_64-linux-gnu/libxcb.so.1 /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0 /usr/lib/x86_64-linux-gnu/libasound.so.2 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libx264.so.148 /usr/lib/ 2017-12-01 10:30:00.263 [ ALERT] CRASH: Register dump [23]: 0000000000000618000000000000061800000000000002f00000000000000000000000001b0b00f00000000000000000000000001b602131000000001b5ff7f0000000001b5ff81000000000158e7b6000000000000000bc000000001b5ff6a00000000000000000000000001b5ff7f000000000158e7b60000000001f4075780000000000000000000000000000008100000000000000000000000000000000000000000000000000000000000000000000000000000000 2017-12-01 10:30:00.263 [ ALERT] CRASH: STACKTRACE 2017-12-01 10:30:00.340 [ ALERT] CRASH: /home/builder/tvheadend_official/tvheadend/src/trap.c:148 0x35e19a 0x108000 ==27596== ==27596== Process terminating with default action of signal 11 (SIGSEGV) ==27596== Bad permissions for mapped region at address 0x0 ==27596== at 0x0: ??? ==27596== by 0x3C7955: key_find_struct (descrambler.c:941) ==27596== by 0x3CA381: descrambler_descramble (descrambler.c:1043) ==27596== by 0x3D3C99: ts_recv_packet1 (tsdemux.c:340) ==27596== by 0x3D0F97: mpegts_input_process (mpegts_input.c:1419) ==27596== by 0x3D0F97: mpegts_input_thread (mpegts_input.c:1553) ==27596== by 0x323983: thread_wrapper (wrappers.c:161) ==27596== by 0x69D50A3: start_thread (pthread_create.c:309) ==27596== by 0xBAE987C: clone (clone.S:111) ==27596== ==27596== HEAP SUMMARY: ==27596== in use at exit: 19,497,618 bytes in 177,730 blocks ==27596== total heap usage: 1,093,839 allocs, 916,109 frees, 296,925,147 bytes allocated ==27596== ==27596== LEAK SUMMARY: ==27596== definitely lost: 7,019 bytes in 23 blocks ==27596== indirectly lost: 6,000 bytes in 6 blocks ==27596== possibly lost: 15,488 bytes in 44 blocks ==27596== still reachable: 19,469,111 bytes in 177,657 blocks ==27596== suppressed: 0 bytes in 0 blocks ==27596== Rerun with --leak-check=full to see details of leaked memory ==27596== ==27596== For counts of detected and suppressed errors, rerun with: -v ==27596== Use --track-origins=yes to see where uninitialised values come from ==27596== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0) ==27596== could not unlink /tmp/vgdb-pipe-from-vgdb-to-27596-by-root-on-??? ==27596== could not unlink /tmp/vgdb-pipe-to-vgdb-from-27596-by-root-on-??? ==27596== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-27596-by-root-on-??? Killed
It is crashing on
tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
even with pids which are scrambled.
With these printfs:
for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) { tk = &dr->dr_keys[i]; if (tk->key_pid == pid) { printf ("xxxx i == %d tk->key_pid == %d pid = %d \n",i,tk->key_pid,pid); if (tk != tk_old && tk_old) { printf ("xxxxxxx i == %d tk->key_pid == %d pid = %d \n",i,tk->key_pid,pid); fflush(stdout); tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t); } return tk; } } return NULL;
this is the end of the output:
xxxx i == 0 tk->key_pid == 1560 pid = 1560 xxxx i == 0 tk->key_pid == 1560 pid = 1560 xxxx i == 0 tk->key_pid == 1560 pid = 1560 xxxx i == 2 tk->key_pid == 0 pid = 0 xxxx i == 0 tk->key_pid == 1560 pid = 1560 xxxxxxx i == 0 tk->key_pid == 1560 pid = 1560 ==30236== Thread 35 tvh:mi-main: ==30236== Jump to the invalid address stated on the next line ==30236== at 0x0: ??? ==30236== by 0x3C7AA2: key_find_struct (descrambler.c:944) ==30236== by 0x3CA3F1: descrambler_descramble (descrambler.c:1047) ==30236== by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340) ==30236== by 0x3D1007: mpegts_input_process (mpegts_input.c:1419) ==30236== by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553) ==30236== by 0x323983: thread_wrapper (wrappers.c:161) ==30236== by 0x69D50A3: start_thread (pthread_create.c:309) ==30236== by 0xBAE987C: clone (clone.S:111) ==30236== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==30236== 2017-12-01 10:58:45.685 [ ALERT] CRASH: Signal: 11 in PRG: /home/builder/tvheadend_official/tvheadend/build.linux/tvheadend (4.3-734~g4433c27-dirty) [a1fdbc4a4a4a785e765171a3bed458a17e597f3] CWD: /root 2017-12-01 10:58:45.686 [ ALERT] CRASH: Fault address (nil) (Access error) 2017-12-01 10:58:45.686 [ ALERT] CRASH: Loaded libraries: /usr/lib/valgrind/vgpreload_core-amd64-linux.so /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so /usr/lib/libdvben50221.so /ur/lib/libdvbapi.so /usr/lib/libucsi.so /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libpcreso.3 /usr/lib/liburiparser.so.1 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 /lib/x86_64-linux-gnu/libdbus-1.so.3 /lib/x86_64-linux-gnu/lidl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libvdpau.so.1 /usr/lib/x86_64-linux-gnu/libX11.so. /usr/lib/x86_64-linux-gnu/libxcb.so.1 /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0 /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 /usr/lib/x86_64-linux-gnu/libxcb-shape.so.0 /usr/lib/x86_6-linux-gnu/libasound.so.2 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libx264.so.148 /usr/lib/ 2017-12-01 10:58:45.687 [ ALERT] CRASH: Register dump [23]: 000000001f207700000000000ba4c99a000000000bda56a00000000000000000000000001518f460000000001518f6100000000000000000000000001518f40000000001518f630000000001583384000000000000006180000000000000000000000000000000000000000000000000000000000000041000000001f206538000000000000000000000000000000440000000000000000000000000000000000000000000000000000000000000000000000000000000 2017-12-01 10:58:45.687 [ ALERT] CRASH: STACKTRACE 2017-12-01 10:58:45.736 [ ALERT] CRASH: /home/builder/tvheadend_official/tvheadend/src/trap.c:148 0x35e19a 0x108000 ==30236== ==30236== Process terminating with default action of signal 11 (SIGSEGV) ==30236== Bad permissions for mapped region at address 0x0 ==30236== at 0x0: ??? ==30236== by 0x3C7AA2: key_find_struct (descrambler.c:944) ==30236== by 0x3CA3F1: descrambler_descramble (descrambler.c:1047) ==30236== by 0x3D3D09: ts_recv_packet1 (tsdemux.c:340) ==30236== by 0x3D1007: mpegts_input_process (mpegts_input.c:1419) ==30236== by 0x3D1007: mpegts_input_thread (mpegts_input.c:1553) ==30236== by 0x323983: thread_wrapper (wrappers.c:161) ==30236== by 0x69D50A3: start_thread (pthread_create.c:309) ==30236== by 0xBAE987C: clone (clone.S:111) ==30236== ==30236== HEAP SUMMARY: ==30236== in use at exit: 19,487,998 bytes in 177,730 blocks ==30236== total heap usage: 1,080,330 allocs, 902,600 frees, 294,128,130 bytes allocated ==30236== ==30236== LEAK SUMMARY: ==30236== definitely lost: 6,979 bytes in 22 blocks ==30236== indirectly lost: 5,000 bytes in 5 blocks ==30236== possibly lost: 15,136 bytes in 43 blocks ==30236== still reachable: 19,460,883 bytes in 177,660 blocks ==30236== suppressed: 0 bytes in 0 blocks ==30236== Rerun with --leak-check=full to see details of leaked memory ==30236== ==30236== For counts of detected and suppressed errors, rerun with: -v ==30236== Use --track-origins=yes to see where uninitialised values come from ==30236== ERROR SUMMARY: 57 errors from 2 contexts (suppressed: 0 from 0) ==30236== could not unlink /tmp/vgdb-pipe-from-vgdb-to-30236-by-root-on-??? ==30236== could not unlink /tmp/vgdb-pipe-to-vgdb-from-30236-by-root-on-??? ==30236== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-30236-by-root-on-??? Killed
longer output attached.
Updated by Joe User almost 7 years ago
@Eric, if you comment out line 941 of src/descrambler/descrambler.c
// tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
then it will work (for at least awhile), but not necessarily fixed.
Updated by Eric Dec almost 7 years ago
Joe User wrote:
@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]then it will work (for at least awhile), but not necessarily fixed.
I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)
Updated by Jaroslav Kysela almost 7 years ago
Joe Miller User : you should look why tk_old->key_csa.csa_flush is NULL. This code should be never reached. The key descramblers including callbacks should be set in descrambler_keys() - tvhcsa_set_type() calls.
Updated by Joe User almost 7 years ago
Eric Dec wrote:
Joe User wrote:
@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]then it will work (for at least awhile), but not necessarily fixed.
I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)
Sorry, I had added brackets after the if statement before to add the printf. It also crashed sometimes for pid == 0 so I ignore that case.
Try this change:
diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c index 80dbf24..d247100 100644 --- a/src/descrambler/descrambler.c +++ b/src/descrambler/descrambler.c @@ -936,9 +936,10 @@ key_find_struct( th_descrambler_runtime_t *dr, int i, pid = extractpid(tsb); for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) { tk = &dr->dr_keys[i]; - if (tk->key_pid == pid) { - if (tk != tk_old && tk_old) - tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t); + if ( pid == 0 ) return NULL; + if (tk->key_pid == pid) { + // if (tk != tk_old && tk_old) + // tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t); return tk; } } @@ -1035,7 +1036,7 @@ descrambler_descramble ( service_t *t, if (len2 == 0) goto dd_destroy; if ((tsb2[3] & 0x80) == 0) { - ts_recv_packet2((mpegts_service_t *)t, tsb2, len2); + ts_recv_packet0((mpegts_service_t *)t, st, tsb2, len2); goto dd_destroy; } if (dr->dr_key_multipid) {
Again, this is just a quick hack, not a real solution and may cause other problems (very limited testing - 2-3min...)
Updated by Joe User almost 7 years ago
Jaroslav Kysela wrote:
Joe Miller User : you should look why tk_old->key_csa.csa_flush is NULL. This code should be never reached. The key descramblers including callbacks should be set in descrambler_keys() - tvhcsa_set_type() calls.
I will try, but probably will not have time to look at it again until next week...
Updated by Eric Dec almost 7 years ago
Joe User wrote:
Eric Dec wrote:
Joe User wrote:
@Eric, if you comment out line 941 of src/descrambler/descrambler.c
[...]then it will work (for at least awhile), but not necessarily fixed.
I commented the line as above, indeed it does not crash, but it does not decode.
(I tried on few releases I had downloaded)
What else could it be? My oscam emu (I also tried the very old one where your change request was implemented)Sorry, I had added brackets after the if statement before to add the printf. It also crashed sometimes for pid == 0 so I ignore that case.
Try this change:[...]
Again, this is just a quick hack, not a real solution and may cause other problems (very limited testing - 2-3min...)
Joe? Guess what? It works!!!!!!!!!!!!!
I made the changes that you show in your message on v4.3-734-g4433c27d8 and I have picture and sound.
Thanks a lot.....
Updated by Eric Dec almost 7 years ago
Oups, I have been talking too fast.
After 10mn tvheadend crashes again.
Updated by Eric Dec almost 7 years ago
I am rerunning it with gdb in log mode....but does not want to crash anymore after 30mn.
Updated by Joe User almost 7 years ago
I did another quick test to narrow down the problem, and this simplified patch seems to work ok. Still a hack that does not address the problem, but I am not sure why something with pid == 0 is there. Maybe a problem with extractpid?? The real pid 0 packet should not have its scrambled bit set.
diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c index 80dbf24..0096961 100644 --- a/src/descrambler/descrambler.c +++ b/src/descrambler/descrambler.c @@ -936,6 +936,7 @@ key_find_struct( th_descrambler_runtime_t *dr, int i, pid = extractpid(tsb); for (i = 0; i < DESCRAMBLER_MAX_KEYS; i++) { tk = &dr->dr_keys[i]; + if ( pid == 0 ) return NULL; if (tk->key_pid == pid) { if (tk != tk_old && tk_old) tk_old->key_csa.csa_flush(&tk_old->key_csa, (mpegts_service_t *)t);
Updated by Eric Dec almost 7 years ago
Joe User wrote:
I did another quick test to narrow down the problem, and this simplified patch seems to work ok. Still a hack that does not address the problem, but I am not sure why something with pid 0 is there. Maybe a problem with extractpid?? The real pid 0 packet should not have its scrambled bit set.
[...]
This means I roll back all previous changes and simply add the line " if ( pid 0 ) return NULL;" ?
By the way, in my test of yesterday, I have let it running few hours in debug mode, and it did not crash.
I will try your last change later today, tanks again.
Updated by Andrey Orlin almost 7 years ago
- File tvhserver.log tvhserver.log added
I also have tvheadend crash with OScam
Versions:
OS: CentOS Linux release 7.4.1708 (Core)
TVH: 4.3-734~g4433c27
OScam: oscam-1.20-unstable_svn-r11388
oscam.conf:
[dvbapi]
enabled = 1
au = 1
pmt_mode = 4
request_mode = 1
delayer = 60
ecminfo_type = 1
user = tvh
read_sdt = 2
write_sdt_prov = 1
boxtype = pc-nodmx
tvheadend capmt:
Mode: OSCam pc-nodmx (rev >= 9756)
Socket: /tmp/camd.socket
CW mode: Standard/Auto
Dec 1 22:57:00 localhost tvheadend[9080]: capmt: shara: Starting CAPMT server for service "VIP Comedy" on adapter 2 Dec 1 22:57:00 localhost tvheadend[9080]: subscription: 0018: "HTTP" subscribing on channel "VIP Comedy", weight: 100, adapter: "Tmax TAS2101 #2 : DVB-S #0", network: "NTVPlus", mux: "11938.46R", provider: "HTB+", service: "VIP Comedy", profile="pass", hostname="::ffff:192.168.1.209", username="ea", client="TvhClient-TV/155 LibVLC/3.0.0-git" Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: Signal: 6 in PRG: /usr/bin/tvheadend (4.3-734~g4433c27) [b8acf19680d6269a9b8f2627841acc09268c0a1d] CWD: / Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: Fault address 0x2378 (N/A) Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: Loaded libraries: /lib64/libdvben50221.so /lib64/libdvbapi.so /lib64/libucsi.so /lib64/libssl.so.10 /lib64/libcrypto.so.10 /lib64/libz.so.1 /lib64/libpcre2-8.so.0 /lib64/liburiparser.so.1 /lib64/libavahi-common.so.3 /lib64/libavahi-client.so.3 /lib64/libdbus-1.so.3 /lib64/libdl.so.2 /lib64/libpthread.so.0 /lib64/libm.so.6 /lib64/librt.so.1 /lib64/libstdc++.so.6 /lib64/libc.so.6 /lib64/libgssapi_krb5.so.2 /lib64/libkrb5.so.3 /lib64/libcom_err.so.2 /lib64/libk5crypto.so.3 /lib64/ld-linux-x86-64.so.2 /lib64/libgcc_s.so.1 /lib64/libkrb5support.so.0 /lib64/libkeyutils.so.1 /lib64/libresolv.so.2 /lib64/libselinux.so.1 /lib64/libpcre.so.1 /lib64/libnss_files.so.2 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: Register dump [23]: 00007f5f9eead70000000000000000200000000000000008000000000000020600005617ad197a5000007f5f940bce2000000000000042ce00000000000000830000000000002378000000000000239400000026950b214c00007f5f940bcf9800000000000000060000000000000000ffffffffffffffff00007f5f9eeab29800007f5fa9a671f70000000000000206000000000000003300000000000000000000000000000000fffffffe7ffbba130000000000000000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: STACKTRACE Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/trap.c:148 0x5617ad0bd4da 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: ??:0 0x7f5faa6165e0 0x7f5faa607000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: gsignal+0x37 (/lib64/libc.so.6) Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: abort+0x148 (/lib64/libc.so.6) Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/tvheadend.h:101 0x5617ad0786c2 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:2319 0x5617ad196bfd 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:2356 0x5617ad197ec1 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1057 0x5617ad197ffe 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:642 0x5617ad1980ed 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:736 0x5617ad198663 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1627 0x5617ad19a6ac 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/descrambler/capmt.c:1850 0x5617ad19a8b2 0x5617ace69000 Dec 1 22:57:00 localhost tvheadend[9080]: CRASH: /home/dist_tvheadend/tvheadend/src/wrappers.c:161 0x5617ad082952 0x5617ace69000 Dec 1 22:57:00 localhost systemd: tvheadend.service: main process exited, code=killed, status=6/ABRT
P.S.
1) Capmt mode with TVHeadend v4.2.4 works perfectly
2) TVHeadend 4.3-734~g4433c27 -> CCcam -> Oscam works perfectly
Updated by Jaroslav Kysela almost 7 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.
Updated by Eric Dec almost 7 years ago
Jaroslav Kysela wrote:
Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.
You mean you did more changes than what joe was proposing?
I am asking, because today i did some try with joe fix on other poeervu channels, and it kept craching again or not descrambling.
I will try tomorrow your new version.
Thanks for your effort.
Updated by Eric Dec almost 7 years ago
Jaroslav Kysela wrote:
Applied in changeset commit:tvheadend|b2ef96cfca037cd8054913a5c8cc334d7239d765.
I have tried this new version. It works fine on the channels i was trying before, but now it crashes on channels from another satellite (with powervu).
Should ii upload logs here or open another bug?
Updated by Joe User almost 7 years ago
@Eric, I wrote my patch was just a quick hack, not a solution...
@Jaroslav. I built new version and some quick tests on extended_cw channels on 9E and 4.9E all worked. Did not test any other encryptions yet, maybe tomorrow.
Thanks
Updated by Petar Ivanov almost 7 years ago
Still crash here with last TVH 4.3-741~g0b24fb883
gdb:
Thread 36 "tvh:mi-main" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffe4be8700 (LWP 25933)] 0x0000555555831eba in key_valid (tk=0x0, ki=157 '\235') at src/descrambler/descrambler.c:876 876 return tk->key_valid & mask;
2017-12-03 04:47:12.199 [ ALERT] CRASH: Signal: 11 in PRG: /home/tvh/tvheadend/build.linux/tvheadend (4.3-741~g0b24fb883) [7908324f0ac08fe5b063e35f1e8f9e7fdd413838] CWD: /home/tvh/tvheadend 2017-12-03 04:47:12.199 [ ALERT] CRASH: Fault address 0x91 (Address not mapped) 2017-12-03 04:47:12.199 [ ALERT] CRASH: Loaded libraries: linux-vdso.so.1 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /lib/x86_64-linux-gnu/libz.so.1 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/librt.so.1 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /lib/x86_64-linux-gnu/libmvec.so.1 /lib/x86_64-linux-gnu/libgcc_s.so.1/lib/x86_64-linux-gnu/libc.so.6/lib64/ld-linux-x86-64.so.2 2017-12-03 04:47:12.199 [ ALERT] CRASH: Register dump [23]: 00005638bcd0c05825a5fd9e86d38a2d61b5d5b3f5642629038d83d28da80cb200007f477d5ef7ae00007f477d5ef7af00005638b762a44000007f475f5fa7000000000000000000000000000000009700007f475f5f951000000000000000000000000000000097000000000000000000007f474800865900007f475f5f951000005638b3e81eba0000000000010202002b0000000000330000000000000004000000000000000efffffffe7ffbba110000000000000091 2017-12-03 04:47:12.199 [ ALERT] CRASH: STACKTRACE 2017-12-03 04:47:12.240 [ ALERT] CRASH: /home/tvh/tvheadend/src/trap.c:148 0x5638b3de633a 0x5638b3ba4000 2017-12-03 04:47:12.295 [ ALERT] CRASH: ??:0 0x7f4785b653b0 0x7f4785b53000 2017-12-03 04:47:12.338 [ ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:876 0x5638b3e81eba 0x5638b3ba4000 2017-12-03 04:47:12.375 [ ALERT] CRASH: /home/tvh/tvheadend/src/descrambler/descrambler.c:1142 0x5638b3e82a30 0x5638b3ba4000 2017-12-03 04:47:12.415 [ ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/tsdemux.c:340 0x5638b3e90daf 0x5638b3ba4000 2017-12-03 04:47:12.457 [ ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/mpegts_input.c:1410 (discriminator 2) 0x5638b3e8d9e6 0x5638b3ba4000 2017-12-03 04:47:12.498 [ ALERT] CRASH: /home/tvh/tvheadend/src/input/mpegts/mpegts_input.c:1553 0x5638b3e8e019 0x5638b3ba4000 2017-12-03 04:47:12.538 [ ALERT] CRASH: /home/tvh/tvheadend/src/wrappers.c:161 0x5638b3d95f19 0x5638b3ba4000 2017-12-03 04:47:12.593 [ ALERT] CRASH: ??:0 0x7f4785b5a519 0x7f4785b53000 2017-12-03 04:47:12.593 [ ALERT] CRASH: clone+0x3f (/lib/x86_64-linux-gnu/libc.so.6)
Updated by Eric Dec almost 7 years ago
Joe User wrote:
@Eric, I wrote my patch was just a quick hack, not a solution...
@Jaroslav. I built new version and some quick tests on extended_cw channels on 9E and 4.9E all worked. Did not test any other encryptions yet, maybe tomorrow.
Thanks
You are right.
In fact the other crash i have does not seem to be powervu related, seems dealing with epg, i am not sure yet.
Thanks for having helped.
Updated by Jaroslav Kysela almost 7 years ago
All descrambling related issues should be resolved in the latest master now. Please, create a new issue otherwise.