lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z_PXzvL5Zt9QkivE@hovoldconsulting.com>
Date: Mon, 7 Apr 2025 15:49:02 +0200
From: Johan Hovold <johan@...nel.org>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>
Cc: Robert Foss <rfoss@...nel.org>, Todor Tomov <todor.too@...il.com>,
	Vladimir Zapolskiy <vladimir.zapolskiy@...aro.org>,
	linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: camss NULL-deref on power on with 6.12-rc2

On Mon, Apr 07, 2025 at 01:01:09PM +0200, Johan Hovold wrote:
> On Mon, Apr 07, 2025 at 12:38:56PM +0200, Johan Hovold wrote:
> > On Mon, Apr 07, 2025 at 10:58:52AM +0100, Bryan O'Donoghue wrote:
> > > On 07/04/2025 10:12, Johan Hovold wrote:
> 
> > > > [    5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
> > 
> > > > [    5.744704] Call trace:
> > > > [    5.744706]  camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> > > > [    5.744711]  camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> > > > [    5.744716]  vfe_get+0xb8/0x504 [qcom_camss]
> > > > [    5.744724]  vfe_set_power+0x30/0x58 [qcom_camss]
> > > > [    5.744731]  pipeline_pm_power_one+0x13c/0x150 [videodev]
> > > > [    5.744745]  pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> > > > [    5.744754]  v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> > > > [    5.744762]  v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> > > > [    5.744771]  video_open+0x78/0xf4 [qcom_camss]
> > > > [    5.744776]  v4l2_open+0x80/0x120 [videodev]
> 
> > I've only seen it twice myself (that I've noticed, at least this time it
> > prevented the display from probing so I knew something was wrong).
> 
> Just hit this again with 6.15-rc1 after the third reboot so timing has
> likely changed slightly which now makes it easier to hit this.
> 
> > Since it's obviously a race condition I think you'll need to analyse the
> > code to try to figure out where the bug is. With an hypothesis you may
> > be able to instrument a reliable reproducer (e.g. by adding appropriate
> > delays to extend the race window).
> 
> It's apparently udev which powers up the camera when running v4l_id:
> 
> [    5.859741] CPU: 4 UID: 0 PID: 420 Comm: v4l_id Not tainted 6.15.0-rc1 #106 PREEMPT
> 
> So this looks like the classic bug of drivers registering their devices
> before they have been fully set up.

It's entity->pad which is being dereferenced while NULL in
camss_find_sensor_pad() and when this happens entity->name is also NULL.

Bailing out when entity->pad is NULL allows the machine to boot, but we
should figure out why this function is called before things have been
properly initialised.
 
Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ