Debugging an Ioctl Problem on OpenBSD


I was trying to use a V4L2
Ruby module
on my OpenBSD laptop but ran into a problem where sending the V4L2 ioctls from
this module would fail, while other V4L2 programs on OpenBSD worked fine.

Since I got a few
recently about kernel development and debugging, I thought I’d write up how I
finally tracked it down and fixed it.
(Spoiler: it was not an OpenBSD problem.)

Table of Contents

  1. The Issue
  2. Enabling Debugging in the Kernel Driver
  3. The Bug

The Issue

After first
getting the module to compile on OpenBSD,
I ran some simple Ruby code to set the parameters and start fetching data from
my camera:"/dev/video1")
camera.image_width =640
camera.framerate   =10/1r
camera.format      =:YUYV

But this failed with an ENOTTY error from ioctl:

ioctl(VIDIOC_S_FMT): Inappropriate ioctl for device

The Ruby
C code
that does this looks pretty straightforward:

  struct v4l2_format fmt;


  fmt.type               =V4L2_BUF_TYPE_VIDEO_CAPTURE;
  fmt.fmt.pix.width      =wd;
  fmt.fmt.pix.height     =ht;
  fmt.fmt.pix.field      =V4L2_FIELD_INTERLACED;

  err=xioctl(fd, VIDIOC_S_FMT, &fmt);
  if (err 

The module is using a macro for BZERO that just calls bzero, and an xioctl
wrapper that retries ioctl when it fails with errno==EINTR.

If I look at the code for OpenBSD’s
utility, it
sets the

pretty similarly:

	bzero(&fmt, sizeof(struct v4l2_format));
	if (ioctl(d->fd, VIDIOC_S_FMT, &fmt) 

I tried changing the field to V4L2_FIELD_ANY to match the OpenBSD utility, but
it still failed with ENOTTY.

I usually turn to
to diagnose syscall issues, but in this case it just showed that it was calling
ioctl on a filehandle 14, sending it VIDIOC_S_FMT, and passing some data (a
v4l2_format struct).

90052 ruby27   CALL  ioctl(14,VIDIOC_S_FMT,0x7f7ffffd47c0)
90052 ruby27   RET   ioctl -1 errno 25 Inappropriate ioctl for device

Enabling Debugging in the Kernel Driver

The ioctl is sent through /dev/video1, which arrives at the
driver’s videoioctl function.
It then does some error checking and
passes it along
to the USB-specific
driver’s uvideo_s_fmt function.

There are already some debugging printfs in uvideo_s_fmt, which are done
through a DPRINTF macro which actually prints only when UVIDEO_DEBUG is

int uvideo_debug=1;
#define DPRINTF(l, x...) do { if ((l) 

I added a #define UVIDEO_DEBUG above that block, recompiled the kernel and
booted to it.
Running the video utility makes the kernel print out a line, but it prints
nothing from my Ruby code.

uvideo1: uvideo_s_fmt: requested width=640, height=480

Since the DPRINTF that prints that is pretty high in the function, I’m
guessing it’s not even reaching uvideo, so let’s go back to the video

	DPRINTF(3, "video_ioctl(%zu, '%c', %zu)n",
	    IOCPARM_LEN(cmd), (int) IOCGROUP(cmd), cmd & 0xff);

	switch (cmd) {
		if (!(flags & FWRITE))
			return (EACCES);
		if (sc->hw_if->s_fmt)
			    (struct v4l2_format *)data);

Similarly, we can enable debugging printfs in the video driver by defining
VIDEO_DEBUG at the top, compiling, and rebooting.
Now when I run my Ruby code, I get:

Looking at /usr/src/sys/sys/videoio.h, I can see that it does appear to be the
correct ioctl in the group V, number 5, and a proper size of that
v4l2_format struct:

#define VIDIOC_S_FMT            _IOWR('V',  5, struct v4l2_format)

The _IOWR macro is a
series of macros
that build up an unsigned long that corresponds to every possible ioctl in
the kernel.

So the ioctl is reaching the video driver, appears to be recognized as
VIDIOC_S_FMT, but is not actually reaching the uvideo driver’s s_fmt
function by way of the big switch.
Is it even getting into the case VIDIOC_S_FMT?
Let’s add our own debugging printf to show that we reached that, and the path
it’s taking inside of the function.

When running the video utility, it now prints:

video_ioctl(208, 'V', 5)
uvideo1: uvideo_s_fmt: requested width=640, height=480
uvideo1: uvideo_s_fmt: offered width=640, height=480
S_FMT: returned 0
videoioctl: final ret 0

But when running my Ruby code, it only prints the first line, indicating that
it’s not even reaching the case VIDIOC_S_FMT.
Since the switch is on the entire cmd, not just the number (5) or on the
group (V), it must match all of the ioctl parameters.
Let’s print out the whole thing:

video_ioctl(208, 'V', 5) (3234878981 vs s_fmt 3234878981)
uvideo1: uvideo_s_fmt: requested width=640, height=480
uvideo1: uvideo_s_fmt: offered width=640, height=480
S_FMT: returned 0
videoioctl: final ret 0

And from my Ruby code:

video_ioctl(208, 'V', 5) (18446744072649463301 vs s_fmt 3234878981)
videoioctl: final ret 25

The Bug

At this point I went back to the Ruby C code.
How is it passing the ioctl request parameter?

static int xioctl(int fh, int request, void *arg)
  int r;

  do {
	r=ioctl(fh, request, arg);
  } while (r==-1 && EINTR==errno);

  return r;

Have you spotted it yet?

Let’s look at the OpenBSD
man page:


    ioctl(int d, unsigne

Read More

Ava Chan

Ava Chan

I'm a researcher at Utokyo :) and a big fan of Ava Max