Re: camss NULL-deref on power on with 6.12-rc2

From: Johan Hovold
Date: Mon Apr 07 2025 - 06:39:07 EST

Next message: Arnd Bergmann: "[RFC] PCI: add CONFIG_MMU dependency"
Previous message: Dan Carpenter: "Re: [PATCH v6] staging: rtl8723bs: Add error handling for sd_read()"
In reply to: Bryan O'Donoghue: "Re: camss NULL-deref on power on with 6.12-rc2"
Next in thread: Johan Hovold: "Re: camss NULL-deref on power on with 6.12-rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 07, 2025 at 10:58:52AM +0100, Bryan O'Donoghue wrote:
> On 07/04/2025 10:12, Johan Hovold wrote:
> > On Fri, Oct 11, 2024 at 11:33:30AM +0200, Johan Hovold wrote:
> >
> >> This morning I hit the below NULL-deref in camss when booting a 6.12-rc2
> >> kernel on the Lenovo ThinkPad X13s.
> >>
> >> I booted the same kernel another 50 times without hitting it again it so
> >> it may not be a regression, but simply an older, hard to hit bug.
> >>
> >> Hopefully you can figure out what went wrong from just staring at the
> >> oops and code.
> >
> > Hit the NULL-pointer dereference during boot that I reported back in
> > October again today with 6.15-rc1.
> >
> > The camss_find_sensor_pad() function was renamed in 6.15-rc1, but
> > otherwise it looks identical.

> > [ 5.740833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030

> > [ 5.744704] Call trace:
> > [ 5.744706] camss_find_sensor_pad+0x20/0x74 [qcom_camss] (P)
> > [ 5.744711] camss_get_pixel_clock+0x18/0x64 [qcom_camss]
> > [ 5.744716] vfe_get+0xb8/0x504 [qcom_camss]
> > [ 5.744724] vfe_set_power+0x30/0x58 [qcom_camss]
> > [ 5.744731] pipeline_pm_power_one+0x13c/0x150 [videodev]
> > [ 5.744745] pipeline_pm_power.part.0+0x58/0xf4 [videodev]
> > [ 5.744754] v4l2_pipeline_pm_use+0x58/0x94 [videodev]
> > [ 5.744762] v4l2_pipeline_pm_get+0x14/0x20 [videodev]
> > [ 5.744771] video_open+0x78/0xf4 [qcom_camss]
> > [ 5.744776] v4l2_open+0x80/0x120 [videodev]

> I've never seen this myself.
>
> I wonder, are you building camcc, camss and the sensor driver into your
> initrd ?

No, there's nothing camera related in my initramfs.

I've only seen it twice myself (that I've noticed, at least this time it
prevented the display from probing so I knew something was wrong).

Since it's obviously a race condition I think you'll need to analyse the
code to try to figure out where the bug is. With an hypothesis you may
be able to instrument a reliable reproducer (e.g. by adding appropriate
delays to extend the race window).

The fact that the sensor driver is probe deferring may also be relevant
here.

Johan

Next message: Arnd Bergmann: "[RFC] PCI: add CONFIG_MMU dependency"
Previous message: Dan Carpenter: "Re: [PATCH v6] staging: rtl8723bs: Add error handling for sd_read()"
In reply to: Bryan O'Donoghue: "Re: camss NULL-deref on power on with 6.12-rc2"
Next in thread: Johan Hovold: "Re: camss NULL-deref on power on with 6.12-rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]