From patchwork Fri Nov 19 22:41:02 2021
X-Patchwork-Submitter: Daniel Scally
X-Patchwork-Id: 12629655
From: Daniel Scally
Subject: Kernel oops bisected to media: videobuf2: move cache_hints handling to allocators
To: senozhatsky@chromium.org, hverkuil-cisco@xs4all.nl, mchehab+huawei@kernel.org
Cc: Linux Media Mailing List
Message-ID:
Date: Fri, 19 Nov 2021 22:41:02 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Language: en-US
Precedence: bulk
List-ID:
X-Mailing-List: linux-media@vger.kernel.org

Hi all

I've been experiencing an oops trying to run libcamera's qcam util (which starts streaming on a camera sensor - the ov8865), which I bisected down to the patch cde513fd9b35: "media: videobuf2: move cache_hints handling to allocators"

The traceback from the oops is attached, but the short version is a null pointer dereference in vb2_dma_sg_prepare(). I tried the obvious patch:

But that causes a complete lock when I try to stream. Reverting the patch entirely on the other hand does work fine.

I'm not familiar with this code at all so not really sure what else to try; any suggestions?

Thanks
Dan

[ 63.000973] BUG: kernel NULL pointer dereference, address: 000000000000005c
[ 63.000983] #PF: supervisor read access in kernel mode
[ 63.000986] #PF: error_code(0x0000) - not-present page
[ 63.000989] PGD 0 P4D 0
[ 63.000994] Oops: 0000 [#1] PREEMPT SMP PTI
[ 63.000998] CPU: 1 PID: 2046 Comm: qcam Tainted: G C 5.16.0-rc1+ #419
[ 63.001003] Hardware name: Microsoft Corporation Surface Go 2/Surface Go 2, BIOS 1.0.16 05/24/2021
[ 63.001005] RIP: 0010:vb2_dma_sg_prepare+0x9/0x30 [videobuf2_dma_sg]
[ 63.001015] Code: 70 38 8b 48 24 48 8b 38 48 89 e5 8b 56 08 48 8b 36 e8 fb 2c 61 dd 31 c0 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 8b 47 70 40 5c 08 74 01 c3 55 48 8b 47 38 8b 4f 24 48 8b 3f 8b 50 0c 48
[ 63.001019] RSP: 0018:ffffb324c0787c40 EFLAGS: 00010246
[ 63.001022] RAX: 0000000000000000 RBX: ffff9a3094323800 RCX: ffff9a2f5e5f59e0
[ 63.001025] RDX: ffffffffc0718270 RSI: ffff9a309416b2c0 RDI: ffff9a2f421a5700
[ 63.001028] RBP: ffffb324c0787c68 R08: 0000000000000000 R09: ffff9a2f5e5f5000
[ 63.001030] R10: ffff9a30aacb6448 R11: 0000000000000005 R12: 0000000000000000
[ 63.001032] R13: 0000000000000000 R14: ffff9a304ccb0a68 R15: 000000000000000f
[ 63.001035] FS: 00007f4b11c93640(0000) GS:ffff9a30aac80000(0000) knlGS:0000000000000000
[ 63.001038] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 63.001041] CR2: 000000000000005c CR3: 000000013b3e2003 CR4: 00000000003706e0
[ 63.001044] Call Trace:
[ 63.001046]
[ 63.001050] ? __buf_prepare+0x154/0x1c0 [videobuf2_common]
[ 63.001060] vb2_core_qbuf+0x399/0x4b0 [videobuf2_common]
[ 63.001068] vb2_qbuf+0x6f/0xa0 [videobuf2_v4l2]
[ 63.001074] ? vb2_start_streaming+0x6d/0x110 [videobuf2_common]
[ 63.001081] vb2_ioctl_qbuf+0x4d/0x60 [videobuf2_v4l2]
[ 63.001087] v4l_qbuf+0x40/0x50 [videodev]
[ 63.001101] __video_do_ioctl+0x1a7/0x400 [videodev]
[ 63.001115] video_usercopy+0x392/0x8d0 [videodev]
[ 63.001126] ? v4l_enumstd+0x30/0x30 [videodev]
[ 63.001140] video_ioctl2+0x15/0x20 [videodev]
[ 63.001151] v4l2_ioctl+0x4c/0x60 [videodev]
[ 63.001161] __x64_sys_ioctl+0x91/0xc0
[ 63.001166] do_syscall_64+0x3b/0xc0
[ 63.001170] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 63.001176] RIP: 0033:0x7f4b1df3b31b
[ 63.001180] Code: 89 d8 49 8d 3c 1c 48 f7 d8 49 39 c4 72 b5 e8 1c ff ff ff 85 c0 78 ba 4c 89 e0 5b 5d 41 5c c3 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1d 3b 0d 00 f7 d8 64 89 01 48
[ 63.001183] RSP: 002b:00007f4b11c91a68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 63.001187] RAX: ffffffffffffffda RBX: 00007f4afc01e420 RCX: 00007f4b1df3b31b
[ 63.001189] RDX: 00007f4b11c91b60 RSI: 00000000c058560f RDI: 0000000000000025
[ 63.001192] RBP: 00007f4b11c91a90 R08: 00007f4b00000ed0 R09: 00007f4b1df8d580
[ 63.001194] R10: 0000000000000001 R11: 0000000000000202 R12: 0000563a52a1ec84
[ 63.001196] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f4b11c93640
[ 63.001201]
[ 63.001203] Modules linked in: rfcomm ccm cmac algif_hash algif_skcipher af_alg bnep nls_iso8859_1 x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl_msr dw9719 kvm_intel kvm snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi irqbypass snd_soc_core crct10dif_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_compress aesni_intel snd_hda_codec_realtek ac97_bus snd_hda_codec_generic ledtrig_audio crypto_simd cryptd snd_pcm_dmaengine snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core rapl snd_hwdep snd_pcm intel_cstate joydev snd_seq_midi snd_seq_midi_event snd_rawmidi efi_pstore intel_wmi_thunderbolt snd_seq iwlmvm snd_seq_device snd_timer input_leds mac80211 serio_raw snd libarc4 i915 btusb wmi_bmof iwlwifi btrtl soundcore btbcm btintel cec bluetooth rc_core cfg80211 hid_sensor_gyro_3d hid_sensor_accel_3d hid_sensor_als hid_sensor_rotation ttm ecdh_generic hid_sensor_trigger ecc industrialio_triggered_buffer drm_kms_helper
[ 63.001277] 8250_dw hid_multitouch kfifo_buf i2c_algo_bit processor_thermal_device_pci_legacy processor_thermal_device hid_sensor_iio_common ipu3_imgu(C) ipu3_cio2 processor_thermal_rfim fb_sys_fops processor_thermal_mbox syscopyarea ucsi_acpi videobuf2_dma_sg sysfillrect processor_thermal_rapl industrialio sysimgblt intel_pch_thermal mei_me videobuf2_memops intel_rapl_common videobuf2_v4l2 typec_ucsi intel_soc_dts_iosf videobuf2_common mei typec soc_button_array ov8865 v4l2_fwnode intel_skl_int3472_tps68470 tps68470_regulator v4l2_async clk_tps68470 videodev mc int3403_thermal intel_skl_int3472_discrete intel_hid mac_hid sparse_keymap int340x_thermal_zone int3400_thermal acpi_pad acpi_thermal_rel sch_fq_codel parport_pc ppdev lp drm parport ip_tables x_tables autofs4 hid_sensor_hub intel_ishtp_hid mmc_block hid_generic rtsx_pci_sdmmc usbhid crc32_pclmul sdhci_pci cqhci sdhci rtsx_pci intel_ish_ipc intel_ishtp intel_lpss_pci i2c_hid_acpi intel_lpss i2c_hid idma64 virt_dma hid wmi video
[ 63.001345] pinctrl_sunrisepoint
[ 63.001351] CR2: 000000000000005c
[ 63.001354] ---[ end trace 1be187c5743c6313 ]---
[ 63.284270] RIP: 0010:vb2_dma_sg_prepare+0x9/0x30 [videobuf2_dma_sg]
[ 63.284286] Code: 70 38 8b 48 24 48 8b 38 48 89 e5 8b 56 08 48 8b 36 e8 fb 2c 61 dd 31 c0 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 8b 47 70 40 5c 08 74 01 c3 55 48 8b 47 38 8b 4f 24 48 8b 3f 8b 50 0c 48
[ 63.284291] RSP: 0018:ffffb324c0787c40 EFLAGS: 00010246
[ 63.284295] RAX: 0000000000000000 RBX: ffff9a3094323800 RCX: ffff9a2f5e5f59e0
[ 63.284298] RDX: ffffffffc0718270 RSI: ffff9a309416b2c0 RDI: ffff9a2f421a5700
[ 63.284301] RBP: ffffb324c0787c68 R08: 0000000000000000 R09: ffff9a2f5e5f5000
[ 63.284303] R10: ffff9a30aacb6448 R11: 0000000000000005 R12: 0000000000000000
[ 63.284305] R13: 0000000000000000 R14: ffff9a304ccb0a68 R15: 000000000000000f
[ 63.284308] FS: 00007f4b11c93640(0000) GS:ffff9a30aac80000(0000) knlGS:0000000000000000
[ 63.284311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 63.284314] CR2: 000000000000005c CR3: 000000013b3e2004 CR4: 00000000003706e0 diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 1094575abf95..937f86b93013 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -204,7 +204,7 @@ static void vb2_dma_sg_prepare(void *buf_priv) struct vb2_dma_sg_buf *buf = buf_priv; struct sg_table *sgt = buf->dma_sgt; - if (buf->vb->skip_cache_sync_on_prepare) + if (buf->vb && buf->vb->skip_cache_sync_on_prepare) return; dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir);
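
Review bot: The added "buf->vb &&" test in vb2_dma_sg_prepare() only guards the point of use and leaves the cause in place: the oops faults at address 0x5c with RAX 0, so buf->vb is NULL for this buffer, which means whatever set up the vb2_dma_sg_buf never stored the vb pointer. With the guard, a NULL buf->vb falls straight through to dma_sync_sgtable_for_device(), so the skip_cache_sync_on_prepare hint is silently ignored for such buffers, and any other code that dereferences buf->vb is still exposed. I would drop the NULL test and instead make sure buf->vb is assigned on every path that creates a vb2_dma_sg_buf; if a NULL vb is ever meant to be valid here, that needs a comment saying when.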