lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <778e2cd0-5371-424f-809d-20f7c3ae5343@linaro.org>
Date: Mon, 7 Apr 2025 10:58:52 +0100
From: Bryan O'Donoghue <bryan.odonoghue@...aro.org>
To: Johan Hovold <johan@...nel.org>, Robert Foss <rfoss@...nel.org>,
 Todor Tomov <todor.too@...il.com>
Cc: Vladimir Zapolskiy <vladimir.zapolskiy@...aro.org>,
 linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: camss NULL-deref on power on with 6.12-rc2

On 07/04/2025 10:12, Johan Hovold wrote:
> On Fri, Oct 11, 2024 at 11:33:30AM +0200, Johan Hovold wrote:
> 
>> This morning I hit the below NULL-deref in camss when booting a 6.12-rc2
>> kernel on the Lenovo ThinkPad X13s.
>>
>> I booted the same kernel another 50 times without hitting it again it so
>> it may not be a regression, but simply an older, hard to hit bug.
>>
>> Hopefully you can figure out what went wrong from just staring at the
>> oops and code.
> 
> Hit the NULL-pointer dereference during boot that I reported back in
> October again today with 6.15-rc1.
> 
> The camss_find_sensor_pad() function was renamed in 6.15-rc1, but
> otherwise it looks identical.
> 
> Johan
> 
> 
> [    5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
> [    5.741162] Mem abort info:
> [    5.741435]   ESR = 0x0000000096000004
> [    5.741707]   EC = 0x25: DABT (current EL), IL = 32 bits
> [    5.741980]   SET = 0, FnV = 0
> [    5.742249]   EA = 0, S1PTW = 0
> [    5.742253]   FSC = 0x04: level 0 translation fault
> [    5.742255] Data abort info:
> [    5.742257]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> [    5.743264]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> [    5.743267]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [    5.743269] user pgtable: 4k pages, 48-bit VAs, pgdp=000000010fb98000
> [    5.743272] [0000000000000030] pgd=0000000000000000, p4d=0000000000000000
> [    5.744064] Internal error: Oops: 0000000096000004 [#1]  SMP
> 
> [    5.744645] CPU: 3 UID: 0 PID: 442 Comm: v4l_id Not tainted 6.15.0-rc1 #106 PREEMPT
> [    5.744647] Hardware name: LENOVO 21BYZ9SRUS/21BYZ9SRUS, BIOS N3HET87W (1.59 ) 12/05/2023
> [    5.744649] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [    5.744651] pc : camss_find_sensor_pad+0x20/0x74 [qcom_camss]
> [    5.744661] lr : camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> [    5.744666] sp : ffff800082dfb8e0
> [    5.744667] x29: ffff800082dfb8e0 x28: ffff800082dfbc68 x27: ffff143e80404618
> [    5.744671] x26: 0000000000000000 x25: 0000000000000000 x24: ffff143e9398baa8
> [    5.744675] x23: ffff800082dfb998 x22: ffff143e9398d9a0 x21: ffff800082dfb9a8
> [    5.744678] x20: 0000000000000002 x19: 0000000000020001 x18: 0000000000000020
> [    5.744682] x17: 3030613563613a33 x16: ffffac4db3ccf814 x15: 706e65672f6b6e69
> [    5.744686] x14: 0000000000000000 x13: ffff143e80b39180 x12: 30613563613a333a
> [    5.744690] x11: ffffac4db50a8920 x10: 0000000000000000 x9 : 0000000000000000
> [    5.744693] x8 : ffffac4db4992000 x7 : ffff800082dfb8e0 x6 : ffff800082dfb870
> [    5.744697] x5 : ffff800082dfc000 x4 : ffff143e9398cc70 x3 : ffff143e9398cb40
> [    5.744701] x2 : ffff143e9398be00 x1 : ffff143e9398d9a0 x0 : 0000000000000000
> [    5.744704] Call trace:
> [    5.744706]  camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> [    5.744711]  camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> [    5.744716]  vfe_get+0xb8/0x504 [qcom_camss]
> [    5.744724]  vfe_set_power+0x30/0x58 [qcom_camss]
> [    5.744731]  pipeline_pm_power_one+0x13c/0x150 [videodev]
> [    5.744745]  pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> [    5.744754]  v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> [    5.744762]  v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> [    5.744771]  video_open+0x78/0xf4 [qcom_camss]
> [    5.744776]  v4l2_open+0x80/0x120 [videodev]
> [    5.755711]  chrdev_open+0xb4/0x204
> [    5.755716]  do_dentry_open+0x138/0x4d0
> [    5.756271]  vfs_open+0x2c/0xe8
> [    5.756274]  path_openat+0x2b8/0x9fc
> [    5.756276]  do_filp_open+0x8c/0x144
> [    5.756277]  do_sys_openat2+0x80/0xdc
> [    5.756279]  __arm64_sys_openat+0x60/0xb0
> [    5.757830]  invoke_syscall+0x48/0x110
> [    5.757834]  el0_svc_common.constprop.0+0xc0/0xe0
> [    5.758369]  do_el0_svc+0x1c/0x28
> [    5.758372]  el0_svc+0x48/0x114
> [    5.758889]  el0t_64_sync_handler+0xc8/0xcc
> [    5.759184]  el0t_64_sync+0x198/0x19c
> [    5.759475] Code: f9000bf3 52800033 72a00053 f9402420 (f9401801)
>   
>   
>> [    5.657860] ov5675 24-0010: failed to get HW configuration: -517
>> [    5.676183] vreg_l6q: Bringing 2800000uV into 1800000-1800000uV
>>
>> [    6.517689] qcom-camss ac5a000.camss: Adding to iommu group 22
>>
>> [    6.589201] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
>> [    6.589625] Mem abort info:
>> [    6.589960]   ESR = 0x0000000096000004
>> [    6.590293]   EC = 0x25: DABT (current EL), IL = 32 bits
>> [    6.590630]   SET = 0, FnV = 0
>> [    6.591619]   EA = 0, S1PTW = 0
>> [    6.591968]   FSC = 0x04: level 0 translation fault
>> [    6.592298] Data abort info:
>> [    6.592621]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>> [    6.593112]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>> [    6.593450]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>> [    6.593783] user pgtable: 4k pages, 48-bit VAs, pgdp=000000010daef000
>> [    6.594139] [0000000000000030] pgd=0000000000000000, p4d=0000000000000000
>> [    6.594214] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> 
>> [    6.594868] CPU: 0 UID: 0 PID: 557 Comm: v4l_id Not tainted 6.12.0-rc2 #165
>> [    6.594871] Hardware name: LENOVO 21BYZ9SRUS/21BYZ9SRUS, BIOS N3HET87W (1.59 ) 12/05/2023
>> [    6.594872] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>> [    6.594874] pc : camss_find_sensor+0x20/0x74 [qcom_camss]
>> [    6.594885] lr : camss_get_pixel_clock+0x18/0x60 [qcom_camss]
>> [    6.594889] sp : ffff800082d538f0
>> [    6.594890] x29: ffff800082d538f0 x28: ffff800082d53c70 x27: ffff670cc0404618
>> [    6.594893] x26: 0000000000000000 x25: 0000000000000000 x24: ffff670cd33173d0
>> [    6.594895] x23: ffff800082d539a8 x22: ffff670cd33192c8 x21: ffff800082d539b8
>> [    6.594898] x20: 0000000000000002 x19: 0000000000020001 x18: 0000000000000000
>> [    6.594900] x17: 0000000000000000 x16: ffffbf0bffbecdd0 x15: 0000000000000001
>> [    6.594902] x14: ffff670cc5c95300 x13: ffff670cc0b38980 x12: ffff670cc5c95ba8
>> [    6.594905] x11: ffffbf0c00f73000 x10: 0000000000000000 x9 : 0000000000000000
>> [    6.594907] x8 : ffffbf0c0085d000 x7 : 0000000000000000 x6 : 0000000000000078
>> [    6.594910] x5 : 0000000000000000 x4 : ffff670cd3318598 x3 : ffff670cd3318468
>> [    6.594912] x2 : ffff670cd3317728 x1 : ffff800082d539b8 x0 : 0000000000000000
>> [    6.594915] Call trace:
>> [    6.594915]  camss_find_sensor+0x20/0x74 [qcom_camss]
>> [    6.594920]  camss_get_pixel_clock+0x18/0x60 [qcom_camss]
>> [    6.594924]  vfe_get+0xb8/0x504 [qcom_camss]
>> [    6.594931]  vfe_set_power+0x30/0x58 [qcom_camss]
>> [    6.594936]  pipeline_pm_power_one+0x13c/0x150 [videodev]
>> [    6.594951]  pipeline_pm_power.part.0+0x58/0xf4 [videodev]
>> [    6.594960]  v4l2_pipeline_pm_use+0x58/0x94 [videodev]
>> [    6.594969]  v4l2_pipeline_pm_get+0x14/0x20 [videodev]
>> [    6.594978]  video_open+0x78/0xf4 [qcom_camss]
>> [    6.594982]  v4l2_open+0x80/0x120 [videodev]
>> [    6.594991]  chrdev_open+0xb4/0x204
>> [    6.594996]  do_dentry_open+0x138/0x4d0
>> [    6.595000]  vfs_open+0x2c/0xe4
>> [    6.595003]  path_openat+0x2b4/0x9fc
>> [    6.595005]  do_filp_open+0x80/0x130
>> [    6.595007]  do_sys_openat2+0xb4/0xe8
>> [    6.595010]  __arm64_sys_openat+0x64/0xac
>> [    6.595012]  invoke_syscall+0x48/0x110
>> [    6.595016]  el0_svc_common.constprop.0+0xc0/0xe0
>> [    6.595018]  do_el0_svc+0x1c/0x28
>> [    6.595021]  el0_svc+0x48/0x114
>> [    6.595023]  el0t_64_sync_handler+0xc0/0xc4
>> [    6.595025]  el0t_64_sync+0x190/0x194
>> [    6.595028] Code: 52800033 72a00053 d503201f f9402400 (f9401801)
>> [    6.595029] ---[ end trace 0000000000000000 ]---

I've never seen this myself.

I wonder, are you building camcc, camss and the sensor driver into your 
initrd ?

---
bod

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ