[Home]

Summary:ASTERISK-09021: Zaptel crash in hpec_channel_update
Reporter:Dmitry Dudkin (ddv2005)Labels:
Date Opened:2007-03-15 11:54:39Date Closed:2007-03-30 14:02:09
Priority:CriticalRegression?No
Status:Closed/CompleteComponents:Core/General
Versions:Frequency of
Occurrence
Related
Issues:
Environment:Attachments:( 0) echo_free_patch.patch
( 1) log.txt
Description:System randomly crash after 20 min-1 hour of work in Zaptel (hpec_channel_update+0x48) with shipped HPEC x86.
------------------------------------------------------------------
Unable to handle kernel paging request at virtual address 00080020
printing eip:
df284578
*pde = 1a330001
EIP is at hpec_channel_update+0x48/0x435e [zaptel]
eax: 00000000   ebx: db1c0a18   ecx: 16002000   edx: ddfbdc00
esi: ddfbdc10   edi: db1c0ab4   ebp: c03eff00   esp: c03efb68
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, threadinfo=c03ef000 task=c15510b0)
Stack: 00000008 c03efec0 df288b90 00000000 00000108 00000000 000025e0 00060000
      ffffffff ffffffff 00000001 00000000 c03eff8c c03eff8c df288af0 00000002
      d3ad69c8 da6d8118 d3ad7dcc d3ad61c6 0016aee5 00000000 d85507a0 da6d95d8
------------------------------------------------------------------

edx+4 is array of 'struct echo_can_state':

ddfbdc00:  d3df4000 d3ad6000 da6d8000 d5cf0000   .@...`....m.....
ddfbdc10:  16002000 80794b76 a1f61000 00080018   . ..vKy.........
ddfbdc20:  c800b845 00000001 ce6311f9 1b679743   E.........c.C.g.
ddfbdc30:  8971633f 9e2c284e 0000b400 e9700080   ?cq.N(,.......p.
ddfbdc40:  09c3c400 6c19e508 7b7c7dfd fbfcfdff   .......l.}|{....
ddfbdc50:  7e7d7cff 797dfefd 7d7c7e7b fefeff7e   .|}~..}y{~|}~...
ddfbdc60:  fefdfeff fffffffe 7e7c7dfd fdff7e7d   .........}|~}~..
ddfbdc70:  fffffffd 7c7b7eff 7cff7e7e fefefe7d   .....~{|~~.|}...
ddfbdc80:  fdfd7dfe 7eff7e7c fffefe7c fcfffffe   .}..|~.~|.......
ddfbdc90:  7efffdfb 7b7a7b7a fefffffe 7dfefefe   ...~z{z{.......}
ddfbdca0:  7e7c7c7e fcfdfc7e 7efffffd 7d7d7d7e   ~||~~......~~}}}
ddfbdcb0:  7e7e7c7a fefeffff fefdfbfe 7efcff7c   z|~~........|..~
ddfbdcc0:  7d7efe7e 7e7e7d7d 7eff7e7e 7cffff7e   ~.~}}}~~~~.~~..|
ddfbdcd0:  7c7e7e7d fdfcfefe 7e7e7e7c fffd7e7e   }~~|....|~~~~~..
ddfbdce0:  7d7b7e7e 7cff7eff feffffff fffffffe   ~~{}.~.|........
ddfbdcf0:  fdff7e7d fdfdfdfd fffefdfd 7efffeff   }~.............~
ddfbdd00:  7e7eff7e fdfdff7e fe7e7dff fffefffe   ~.~~~....}~.....
ddfbdd10:  fffefdfe fefefffe 7e7eff7e ff7e7e7e   ........~.~~~~~.
ddfbdd20:  ffffffff fffeff7e 00000000 00000000   ....~...........
ddfbdd30:  00000000 00000000 00000000 00000000   ................
ddfbdd40:  00000000 00000000 00000000 00000000   ................
ddfbdd50:  00000000 00000000 00000000 00000000   ................

you see that data after ddfbdc10 is corrupted and i think that is audio data. But i don't known who is do it. I have crash dump and i can give you additional information by request.

****** ADDITIONAL INFORMATION ******

Linux version 2.6.9-42.0.10.ELsmp (CentOS 4.4)
Hardware: Pentium 4 Dual Core 3.4 Ghz
Comments:By: Jason Parker (jparker) 2007-03-15 12:19:43

Please contact Digium support.  This product cannot be dealt with here.
By: Dmitry Dudkin (ddv2005) 2007-03-29 11:56:27

I found that Zaptel free echo canceller on tone detection by calling kfree(ms->ec). But it is absolutly wrong because Zaptel must call echo_can_free to do it in any case.
zaptel-base.c:4795

/* Check for echo cancel disabling tone */
if (echo_can_disable_detector_update(&ms->txecdis, getlin[x])) {
printk("zaptel Disabled echo canceller because of tone (tx) on channel %d\n", ss->channo);
ms->echocancel = 0;
ms->echostate = ECHO_STATE_IDLE;
ms->echolastupdate = 0;
ms->echotimer = 0;
kfree(ms->ec);
ms->ec = NULL;
break;
}
By: Jason Parker (jparker) 2007-03-30 14:02:08

Fixed in 1.2, 1.4, and trunk in revisions 2353, 2354, and 2355.

Thanks!