[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Z_PXzvL5Zt9QkivE@hovoldconsulting.com>
Date: Mon, 7 Apr 2025 15:49:02 +0200
From: Johan Hovold <johan@...nel.org>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>
Cc: Robert Foss <rfoss@...nel.org>, Todor Tomov <todor.too@...il.com>,
Vladimir Zapolskiy <vladimir.zapolskiy@...aro.org>,
linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: camss NULL-deref on power on with 6.12-rc2
On Mon, Apr 07, 2025 at 01:01:09PM +0200, Johan Hovold wrote:
> On Mon, Apr 07, 2025 at 12:38:56PM +0200, Johan Hovold wrote:
> > On Mon, Apr 07, 2025 at 10:58:52AM +0100, Bryan O'Donoghue wrote:
> > > On 07/04/2025 10:12, Johan Hovold wrote:
>
> > > > [ 5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
> >
> > > > [ 5.744704] Call trace:
> > > > [ 5.744706] camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> > > > [ 5.744711] camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> > > > [ 5.744716] vfe_get+0xb8/0x504 [qcom_camss]
> > > > [ 5.744724] vfe_set_power+0x30/0x58 [qcom_camss]
> > > > [ 5.744731] pipeline_pm_power_one+0x13c/0x150 [videodev]
> > > > [ 5.744745] pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> > > > [ 5.744754] v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> > > > [ 5.744762] v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> > > > [ 5.744771] video_open+0x78/0xf4 [qcom_camss]
> > > > [ 5.744776] v4l2_open+0x80/0x120 [videodev]
>
> > I've only seen it twice myself (that I've noticed, at least this time it
> > prevented the display from probing so I knew something was wrong).
>
> Just hit this again with 6.15-rc1 after the third reboot so timing has
> likely changed slightly which now makes it easier to hit this.
>
> > Since it's obviously a race condition I think you'll need to analyse the
> > code to try to figure out where the bug is. With an hypothesis you may
> > be able to instrument a reliable reproducer (e.g. by adding appropriate
> > delays to extend the race window).
>
> It's apparently udev which powers up the camera when running v4l_id:
>
> [ 5.859741] CPU: 4 UID: 0 PID: 420 Comm: v4l_id Not tainted 6.15.0-rc1 #106 PREEMPT
>
> So this looks like the classic bug of drivers registering their devices
> before they have been fully set up.
It's entity->pad which is being dereferenced while NULL in
camss_find_sensor_pad() and when this happens entity->name is also NULL.
Bailing out when entity->pad is NULL allows the machine to boot, but we
should figure out why this function is called before things have been
properly initialised.
Johan
Powered by blists - more mailing lists