intel / ipu6-drivers


Reloading module causes null pointer dereference #147

Open zemen opened 1 year ago

zemen commented 1 year ago

I get this error when I unload the modules intel_ipu6_isys and ov2740, run systemctl suspend, and then try to load intel_ipu6_isys again with modprobe. Without the suspend step everything works fine, and the camera works properly after reloading.

I use a ThinkPad X1 Carbon Gen 10 running Arch Linux with an unpatched 6.3.2 kernel. I tried the ov2740 module both from upstream and from git; to me the problem does not look like it is in this module, and it also loads successfully after suspend.

[   69.464042] intel-ipu6 0000:00:05.0: Device 0x465d (rev: 0x2)
[   69.464303] intel-ipu6 0000:00:05.0: physical base address 0x603c000000
[   69.464304] intel-ipu6 0000:00:05.0: mapped as: 0x00000000d42aec21
[   69.464476] intel-ipu6 0000:00:05.0: IPU in secure mode
[   69.464479] intel-ipu6 0000:00:05.0: IPU secure touch = 0x0
[   69.464480] intel-ipu6 0000:00:05.0: IPU camera mask = 0xff
[   69.482137] intel-ipu6 0000:00:05.0: IPC reset done
[   69.482139] intel-ipu6 0000:00:05.0: cpd file name: intel/ipu6ep_fw.bin
[   69.482268] intel-ipu6 0000:00:05.0: FW version: 20220510
[   69.483388] intel-ipu6 0000:00:05.0: Sending BOOT_LOAD to CSE
[   69.500718] intel-ipu6 0000:00:05.0: Sending AUTHENTICATE_RUN to CSE
[   69.574270] intel-ipu6 0000:00:05.0: CSE authenticate_run done
[   69.574475] intel-ipu6 0000:00:05.0: IPU6-v3 driver version 1.0
[   69.601778] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   69.601790] #PF: supervisor read access in kernel mode
[   69.601794] #PF: error_code(0x0000) - not-present page
[   69.601798] PGD 0 P4D 0 
[   69.601804] Oops: 0000 [#1] PREEMPT SMP NOPTI
[   69.601809] CPU: 2 PID: 3540 Comm: modprobe Tainted: G           OE      6.3.2-arch1-1 #1 44a850778a68c42d012ba8e685997cb0375875a4
[   69.601817] Hardware name: LENOVO 21CBCTO1WW/21CBCTO1WW, BIOS N3AET71W (1.36 ) 01/31/2023
[   69.601820] RIP: 0010:software_node_graph_get_port_parent+0x3f/0xa0
[   69.601835] Code: ff ff 77 0a 48 81 7f 08 00 f7 98 af 74 76 31 ff 48 8b 9f c0 00 00 00 48 85 db 74 48 48 8b 83 80 00 00 00 48 c7 c6 a9 56 e1 af <48> 8b 38 e8 99 a4 43 00 85 c0 74 38 48 89 dd 48 83 c5 40 74 13 48
[   69.601840] RSP: 0018:ffffbc1604bc3a78 EFLAGS: 00010286
[   69.601845] RAX: 0000000000000000 RBX: ffff9b22524d9200 RCX: 0000000000000001  
[   69.601848] RDX: ffffffffaf98f700 RSI: ffffffffafe156a9 RDI: ffff9b22524d8f00  
[   69.601851] RBP: ffffbc1604bc3b70 R08: ffffbc1604bc3a48 R09: ffff9b2211b10dc0  
[   69.601854] R10: 0000000000007fc0 R11: 0000000000000000 R12: ffff9b2211b10dc0  
[   69.601856] R13: ffffbc1604bc3ae0 R14: ffff9b220125e0d0 R15: 0000000000000001  
[   69.601859] FS:  00007f0dd38af740(0000) GS:ffff9b293f680000(0000) knlGS:0000000000000000  
[   69.601863] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
[   69.601867] CR2: 0000000000000000 CR3: 0000000134bf2003 CR4: 0000000000f70ee0  
[   69.601870] PKRU: 55555554  
[   69.601872] Call Trace:  
[   69.601877]  <TASK>  
[   69.601885]  fwnode_graph_get_port_parent+0x65/0xb0  
[   69.601891]  fwnode_graph_get_remote_port_parent+0x41/0x90  
[   69.601900]  v4l2_async_nf_parse_fwnode_endpoints+0xc6/0x400 [v4l2_fwnode 68a4d5edbfa73aa24e2fa9bfdab746e4f4ca7150]  
[   69.601920]  ? __pfx_isys_fwnode_parse+0x10/0x10 [intel_ipu6_isys b2ac461bc4905946734b69f7aa04c6de574037d6]  
[   69.601955]  isys_probe+0x718/0x950 [intel_ipu6_isys b2ac461bc4905946734b69f7aa04c6de574037d6]  
[   69.601980]  ipu_bus_probe+0x5c/0xf0 [intel_ipu6 8c5c0d34bb10b7f96d25c019badb8903d2e64677]  
[   69.602004]  really_probe+0x19b/0x3e0  
[   69.602015]  ? __pfx___driver_attach+0x10/0x10  
[   69.602023]  __driver_probe_device+0x78/0x160  
[   69.602031]  driver_probe_device+0x1f/0x90  
[   69.602038]  __driver_attach+0xd2/0x1c0  
[   69.602046]  bus_for_each_dev+0x85/0xd0  
[   69.602053]  bus_add_driver+0x116/0x220  
[   69.602060]  driver_register+0x59/0x100  
[   69.602068]  ? __pfx_init_module+0x10/0x10 [intel_ipu6_isys b2ac461bc4905946734b69f7aa04c6de574037d6]  
[   69.602090]  do_one_initcall+0x5a/0x240  
[   69.602102]  do_init_module+0x4a/0x200  
[   69.602111]  __do_sys_init_module+0x17f/0x1b0  
[   69.602118]  ? __vm_munmap+0xbc/0x150  
[   69.602130]  do_syscall_64+0x5d/0x90
[   69.602141]  ? do_syscall_64+0x6c/0x90
[   69.602147]  ? ksys_read+0x6f/0xf0
[   69.602153]  ? syscall_exit_to_user_mode+0x1b/0x40
[   69.602158]  ? do_syscall_64+0x6c/0x90
[   69.602164]  ? exc_page_fault+0x7c/0x180
[   69.602172]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   69.602180] RIP: 0033:0x7f0dd3321f9e
[   69.602264] Code: 48 8b 0d bd ed 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8a ed 0c 00 f7 d8 64 89 01 48
[   69.602267] RSP: 002b:00007fff60940bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
[   69.602272] RAX: ffffffffffffffda RBX: 000055dfb4adb0d0 RCX: 00007f0dd3321f9e
[   69.602275] RDX: 000055dfb334bcb2 RSI: 000000000006b03d RDI: 00007f0dd2c5f010
[   69.602278] RBP: 000055dfb334bcb2 R08: 000000000008c000 R09: 0000000000000000
[   69.602281] R10: 0000000000037711 R11: 0000000000000246 R12: 0000000000040000
[   69.602283] R13: 000055dfb4adae80 R14: 0000000000000000 R15: 000055dfb4aded60
[   69.602288]  </TASK>
[   69.602290] Modules linked in: intel_ipu6_isys(OE+) intel_ipu6(OE) ov2740(OE) v4l2_fwnode v4l2_async rfcomm ccm cmac algif_hash algif_skcipher af_alg bnep btusb btrtl btbcm btintel btmtk bluetooth gpio_ljca(OE) spi_ljca(OE) i2c_ljca(OE
) ljca(OE) ecdh_generic hid_sensor_custom_intel_hinge hid_sensor_trigger industrialio_triggered_buffer kfifo_buf hid_sensor_iio_common industrialio hid_sensor_custom hid_sensor_hub intel_ishtp_hid snd_ctl_led snd_soc_skl_hda_dsp snd_soc_i
ntel_hda_dsp_common snd_sof_probes snd_soc_hdac_hdmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence
 snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_bus snd_soc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp snd_compres
s coretemp ac97_bus joydev iwlmvm snd_pcm_dmaengine kvm_intel mousedev kvm
[   69.602382]  snd_hda_intel irqbypass mac80211 snd_intel_dspcfg videobuf2_dma_contig snd_intel_sdw_acpi pmt_telemetry rapl iTCO_wdt vfat videobuf2_memops hid_multitouch intel_pmc_bxt squashfs processor_thermal_device_pci intel_cstate vi
deobuf2_v4l2 fat mei_hdcp mei_pxp mei_wdt libarc4 iTCO_vendor_support intel_rapl_msr pmt_class snd_hda_codec processor_thermal_device think_lmi nxp_nci_i2c videobuf2_common intel_uncore processor_thermal_rfim snd_hda_core psmouse pcspkr f
irmware_attributes_class wmi_bmof iwlwifi nxp_nci thinkpad_acpi ucsi_acpi processor_thermal_mbox snd_hwdep snd_pcm typec_ucsi spi_nor ledtrig_audio processor_thermal_rapl nci intel_lpss_pci snd_timer mei_me cfg80211 mei_vsc(OE) intel_ish_
ipc i2c_hid_acpi nfc platform_profile intel_lpss typec i2c_i801 intel_rapl_common int3403_thermal snd mtd intel_skl_int3472_tps68470 i2c_smbus thunderbolt idma64 intel_ishtp intel_vsec igen6_edac roles mei rfkill soundcore soc_button_arra
y i2c_hid int340x_thermal_zone tps68470_regulator clk_tps68470 int3400_thermal
[   69.602486]  acpi_thermal_rel videodev intel_hid intel_skl_int3472_discrete acpi_pad mc acpi_tad sparse_keymap mac_hid vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) dm_multipath sg crypto_user fuse loop ip_tables x_tables ext4 crc32c_gener
ic crc16 mbcache jbd2 dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic serio_raw gf128mul nvme atkbd ghash_clmulni_intel libps2 sha512_ssse3 aesni_intel
 vivaldi_fmap spi_intel_pci nvme_core i8042 xhci_pci crypto_simd cryptd spi_intel nvme_common xhci_pci_renesas serio i915 i2c_algo_bit drm_buddy intel_gtt video wmi drm_display_helper cec ttm
[   69.602568] Unloaded tainted modules: ov2740(OE):1 intel_ipu6(OE):1 intel_ipu6_psys(OE):1 intel_ipu6_isys(OE):1 [last unloaded: v4l2_async]
[   69.602584] CR2: 0000000000000000
[   69.602588] ---[ end trace 0000000000000000 ]---
[   69.602591] RIP: 0010:software_node_graph_get_port_parent+0x3f/0xa0
[   69.602598] Code: ff ff 77 0a 48 81 7f 08 00 f7 98 af 74 76 31 ff 48 8b 9f c0 00 00 00 48 85 db 74 48 48 8b 83 80 00 00 00 48 c7 c6 a9 56 e1 af <48> 8b 38 e8 99 a4 43 00 85 c0 74 38 48 89 dd 48 83 c5 40 74 13 48
[   69.602602] RSP: 0018:ffffbc1604bc3a78 EFLAGS: 00010286
[   69.602605] RAX: 0000000000000000 RBX: ffff9b22524d9200 RCX: 0000000000000001
[   69.602608] RDX: ffffffffaf98f700 RSI: ffffffffafe156a9 RDI: ffff9b22524d8f00
[   69.602611] RBP: ffffbc1604bc3b70 R08: ffffbc1604bc3a48 R09: ffff9b2211b10dc0
[   69.602614] R10: 0000000000007fc0 R11: 0000000000000000 R12: ffff9b2211b10dc0
[   69.602616] R13: ffffbc1604bc3ae0 R14: ffff9b220125e0d0 R15: 0000000000000001
[   69.602619] FS:  00007f0dd38af740(0000) GS:ffff9b293f680000(0000) knlGS:0000000000000000
[   69.602622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.602625] CR2: 0000000000000000 CR3: 0000000134bf2003 CR4: 0000000000f70ee0
[   69.602628] PKRU: 55555554
[   69.602630] note: modprobe[3540] exited with irqs disabled
polair commented 1 year ago

I see a nearly identical segfault/stack trace on the Nano Gen2 with the ov2740 sensor. The log text is in #107.