lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z_OrQGspD79k1Mg4@hovoldconsulting.com>
Date: Mon, 7 Apr 2025 12:38:56 +0200
From: Johan Hovold <johan@...nel.org>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>
Cc: Robert Foss <rfoss@...nel.org>, Todor Tomov <todor.too@...il.com>,
	Vladimir Zapolskiy <vladimir.zapolskiy@...aro.org>,
	linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: camss NULL-deref on power on with 6.12-rc2

On Mon, Apr 07, 2025 at 10:58:52AM +0100, Bryan O'Donoghue wrote:
> On 07/04/2025 10:12, Johan Hovold wrote:
> > On Fri, Oct 11, 2024 at 11:33:30AM +0200, Johan Hovold wrote:
> > 
> >> This morning I hit the below NULL-deref in camss when booting a 6.12-rc2
> >> kernel on the Lenovo ThinkPad X13s.
> >>
> >> I booted the same kernel another 50 times without hitting it again it so
> >> it may not be a regression, but simply an older, hard to hit bug.
> >>
> >> Hopefully you can figure out what went wrong from just staring at the
> >> oops and code.
> > 
> > Hit the NULL-pointer dereference during boot that I reported back in
> > October again today with 6.15-rc1.
> > 
> > The camss_find_sensor_pad() function was renamed in 6.15-rc1, but
> > otherwise it looks identical.

> > [    5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030

> > [    5.744704] Call trace:
> > [    5.744706]  camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> > [    5.744711]  camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> > [    5.744716]  vfe_get+0xb8/0x504 [qcom_camss]
> > [    5.744724]  vfe_set_power+0x30/0x58 [qcom_camss]
> > [    5.744731]  pipeline_pm_power_one+0x13c/0x150 [videodev]
> > [    5.744745]  pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> > [    5.744754]  v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> > [    5.744762]  v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> > [    5.744771]  video_open+0x78/0xf4 [qcom_camss]
> > [    5.744776]  v4l2_open+0x80/0x120 [videodev]

> I've never seen this myself.
> 
> I wonder, are you building camcc, camss and the sensor driver into your 
> initrd ?

No, there's nothing camera related in my initramfs.

I've only seen it twice myself (that I've noticed, at least this time it
prevented the display from probing so I knew something was wrong).

Since it's obviously a race condition I think you'll need to analyse the
code to try to figure out where the bug is. With an hypothesis you may
be able to instrument a reliable reproducer (e.g. by adding appropriate
delays to extend the race window).

The fact that the sensor driver is probe deferring may also be relevant
here.

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ