[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Z_OwdYtSyFDhkYMa@hovoldconsulting.com>
Date: Mon, 7 Apr 2025 13:01:09 +0200
From: Johan Hovold <johan@...nel.org>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>
Cc: Robert Foss <rfoss@...nel.org>, Todor Tomov <todor.too@...il.com>,
Vladimir Zapolskiy <vladimir.zapolskiy@...aro.org>,
linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: camss NULL-deref on power on with 6.12-rc2
On Mon, Apr 07, 2025 at 12:38:56PM +0200, Johan Hovold wrote:
> On Mon, Apr 07, 2025 at 10:58:52AM +0100, Bryan O'Donoghue wrote:
> > On 07/04/2025 10:12, Johan Hovold wrote:
> > > [ 5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
>
> > > [ 5.744704] Call trace:
> > > [ 5.744706] camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> > > [ 5.744711] camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> > > [ 5.744716] vfe_get+0xb8/0x504 [qcom_camss]
> > > [ 5.744724] vfe_set_power+0x30/0x58 [qcom_camss]
> > > [ 5.744731] pipeline_pm_power_one+0x13c/0x150 [videodev]
> > > [ 5.744745] pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> > > [ 5.744754] v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> > > [ 5.744762] v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> > > [ 5.744771] video_open+0x78/0xf4 [qcom_camss]
> > > [ 5.744776] v4l2_open+0x80/0x120 [videodev]
> I've only seen it twice myself (that I've noticed, at least this time it
> prevented the display from probing so I knew something was wrong).
Just hit this again with 6.15-rc1 after the third reboot so timing has
likely changed slightly which now makes it easier to hit this.
> Since it's obviously a race condition I think you'll need to analyse the
> code to try to figure out where the bug is. With an hypothesis you may
> be able to instrument a reliable reproducer (e.g. by adding appropriate
> delays to extend the race window).
It's apparently udev which powers up the camera when running v4l_id:
[ 5.859741] CPU: 4 UID: 0 PID: 420 Comm: v4l_id Not tainted 6.15.0-rc1 #106 PREEMPT
So this looks like the classic bug of drivers registering their devices
before they have been fully set up.
> The fact that the sensor driver is probe deferring may also be relevant
> here.
Johan
Powered by blists - more mailing lists