I have a custom board with i.MX8Mini and LPDDR4 RAM, connected to a MIPI CSI2 (DPHY) camera streaming 1080p30.
We have a test application based on GStreamer that stops and starts video streaming every few seconds.
The application triggers a crash in the v4l2 driver stack after several cycles. This can range from 50 stop/start cycles to 100s or 1000s.
The call stack is always the same. The crash happens in vb2_buffer_done(), and we think it may be the call to "atomic_dec(&q->owned_by_drv_count);" in this function that triggers it. For a given image (OS + application), the virtual address is always the same (in the CS below 0x1f8).
Any idea what could be going wrong? Has something like this been reported already?
Nov 11 23:08:48 imx8mmbluebird kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000000001f8
Nov 11 23:08:48 imx8mmbluebird kernel: Mem abort info:
Nov 11 23:08:48 imx8mmbluebird kernel: ESR = 0x96000006
Nov 11 23:08:48 imx8mmbluebird kernel: Exception class = DABT (current EL), IL = 32 bits
Nov 11 23:08:48 imx8mmbluebird kernel: SET = 0, FnV = 0
Nov 11 23:08:48 imx8mmbluebird kernel: EA = 0, S1PTW = 0
Nov 11 23:08:48 imx8mmbluebird kernel: Data abort info:
Nov 11 23:08:48 imx8mmbluebird kernel: ISV = 0, ISS = 0x00000006
Nov 11 23:08:48 imx8mmbluebird kernel: CM = 0, WnR = 0
Nov 11 23:08:48 imx8mmbluebird kernel: user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000037ca5943
Nov 11 23:08:48 imx8mmbluebird kernel: [00000000000001f8] pgd=000000004e2bc003, pud=000000004e296003, pmd=0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: Internal error: Oops: 96000006 [#1] PREEMPT SMP
Nov 11 23:08:48 imx8mmbluebird kernel: Modules linked in: crc32_ce crct10dif_ce mxc_mipi_csi mx6s_capture gs3470_asl XXXXXXXXXXXXX_camera_mipi overlay galcore(O)
Nov 11 23:08:48 imx8mmbluebird kernel: Process onvif_rtsp_app (pid: 3598, stack limit = 0x0000000097265435)
Nov 11 23:08:48 imx8mmbluebird kernel: CPU: 0 PID: 3598 Comm: XXXXXXXXXXXXX Tainted: G O 4.19.35-1.1.0+g9ec518e5baca #1
Nov 11 23:08:48 imx8mmbluebird kernel: Hardware name: XXXXXXXXXXXXX based on i.MX8MM - rev 6 (Burst) (DT)
Nov 11 23:08:48 imx8mmbluebird kernel: pstate: 20000085 (nzCv daIf -PAN -UAO)
Nov 11 23:08:48 imx8mmbluebird kernel: pc : __ll_sc___cmpxchg_case_acq_4+0x4/0x20
Nov 11 23:08:48 imx8mmbluebird kernel: lr : _raw_spin_lock_irqsave+0x34/0x60
Nov 11 23:08:48 imx8mmbluebird kernel: sp : ffff0000172aba20
Nov 11 23:08:48 imx8mmbluebird kernel: x29: ffff0000172aba20 x28: ffff800013f72300
Nov 11 23:08:48 imx8mmbluebird kernel: x27: ffff00000973b710 x26: ffff00000973b710
Nov 11 23:08:48 imx8mmbluebird kernel: x25: ffff80000ea14bd0 x24: ffff80000ea14930
Nov 11 23:08:48 imx8mmbluebird kernel: x23: 00000000000001f8 x22: 0000000000000007
Nov 11 23:08:48 imx8mmbluebird kernel: x21: 0000000000000000 x20: ffff80000ea14ad8
Nov 11 23:08:48 imx8mmbluebird kernel: x19: 0000000000000080 x18: 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x17: 0000000000000000 x16: 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x15: 0000000000000000 x14: 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x13: 0000000000000000 x12: 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x11: 0000000000000000 x10: 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x9 : 0000000000000000 x8 : 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x7 : 0000000000000200 x6 : 0000000000000000
Nov 11 23:08:48 imx8mmbluebird kernel: x5 : 0000000000000000 x4 : ffff80000ea14c88
Nov 11 23:08:48 imx8mmbluebird kernel: x3 : 00000000000001f8 x2 : 0000000000000001
Nov 11 23:08:48 imx8mmbluebird kernel: x1 : 0000000000000000 x0 : 00000000000001f8
Nov 11 23:08:48 imx8mmbluebird kernel: Call trace:
Nov 11 23:08:48 imx8mmbluebird kernel: __ll_sc___cmpxchg_case_acq_4+0x4/0x20
Nov 11 23:08:48 imx8mmbluebird kernel: vb2_buffer_done+0xa4/0x1b0
Nov 11 23:08:48 imx8mmbluebird kernel: mx6s_stop_streaming+0xbc/0x298 [mx6s_capture]
Nov 11 23:08:48 imx8mmbluebird kernel: __vb2_queue_cancel+0x2c/0x1c8
Nov 11 23:08:48 imx8mmbluebird kernel: vb2_core_streamoff+0x20/0xa8
Nov 11 23:08:48 imx8mmbluebird kernel: vb2_streamoff+0x18/0x60
Nov 11 23:08:48 imx8mmbluebird kernel: mx6s_vidioc_streamoff+0x58/0xc0 [mx6s_capture]
Nov 11 23:08:48 imx8mmbluebird kernel: v4l_streamoff+0x20/0x28
Nov 11 23:08:48 imx8mmbluebird kernel: __video_do_ioctl+0x248/0x498
Nov 11 23:08:48 imx8mmbluebird kernel: video_usercopy+0x268/0x4d0
Nov 11 23:08:48 imx8mmbluebird kernel: video_ioctl2+0x14/0x20
Nov 11 23:08:48 imx8mmbluebird kernel: v4l2_ioctl+0x40/0x118
Nov 11 23:08:48 imx8mmbluebird kernel: do_vfs_ioctl+0xb8/0x890
Nov 11 23:08:48 imx8mmbluebird kernel: ksys_ioctl+0x78/0xa8
Nov 11 23:08:48 imx8mmbluebird kernel: __arm64_sys_ioctl+0x1c/0x28
Nov 11 23:08:48 imx8mmbluebird kernel: el0_svc_common+0x84/0xf0
Nov 11 23:08:48 imx8mmbluebird kernel: el0_svc_handler+0x2c/0x80
Nov 11 23:08:48 imx8mmbluebird kernel: el0_svc+0x8/0xc
Nov 11 23:08:48 imx8mmbluebird kernel: Code: 35ffff91 aa1003e0 d65f03c0 f9800011 (885ffc10)
Nov 11 23:08:48 imx8mmbluebird kernel: ---[ end trace 16bd3712444c4359 ]---
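A triage script for an arm64 oops like the one posted above, as an added example that is not part of the original post or of the driver's code: it decodes the ESR, checks whether the fault address is a small offset from NULL, lists the registers holding that address, and finds the first call-trace frame that belongs to a loadable module. The names `decode_esr` and `triage` are hypothetical; `SAMPLE` is an excerpt of the log above.

```python
import re

# Excerpt of the oops log posted above (journal prefix included).
SAMPLE = """\
Nov 11 23:08:48 imx8mmbluebird kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000000001f8
Nov 11 23:08:48 imx8mmbluebird kernel: ESR = 0x96000006
Nov 11 23:08:48 imx8mmbluebird kernel: x3 : 00000000000001f8 x2 : 0000000000000001
Nov 11 23:08:48 imx8mmbluebird kernel: x1 : 0000000000000000 x0 : 00000000000001f8
Nov 11 23:08:48 imx8mmbluebird kernel: Call trace:
Nov 11 23:08:48 imx8mmbluebird kernel: __ll_sc___cmpxchg_case_acq_4+0x4/0x20
Nov 11 23:08:48 imx8mmbluebird kernel: vb2_buffer_done+0xa4/0x1b0
Nov 11 23:08:48 imx8mmbluebird kernel: mx6s_stop_streaming+0xbc/0x298 [mx6s_capture]
"""

FAULT_KINDS = {1: "translation fault", 2: "access flag fault", 3: "permission fault"}
FRAME = re.compile(r"^(\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?$")

def decode_esr(esr):
    """Split an arm64 ESR_ELx value into the fields a data abort uses."""
    dfsc = esr & 0x3F                       # data fault status code, ISS[5:0]
    kind = FAULT_KINDS.get(dfsc >> 2, "other")
    return {"ec": (esr >> 26) & 0x3F, "il": (esr >> 25) & 1, "wnr": (esr >> 6) & 1,
            "fault": f"{kind}, level {dfsc & 3}" if kind != "other" else kind}

def triage(log):
    lines = [re.sub(r"^.*? kernel: ", "", ln).strip() for ln in log.splitlines()]
    text = "\n".join(lines)
    addr = int(re.search(r"virtual address ([0-9a-f]+)", text).group(1), 16)
    esr = int(re.search(r"ESR = (0x[0-9a-f]+)", text).group(1), 16)
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(x\d+)\s*: ([0-9a-f]{16})\b", text)}
    frames, in_trace = [], False
    for ln in lines:
        m = FRAME.match(ln)
        if ln == "Call trace:":
            in_trace = True
        elif in_trace and m:
            frames.append((m.group(1), int(m.group(2), 16), m.group(3)))
        elif in_trace:
            break
    return {
        "addr": addr,
        "esr": decode_esr(esr),
        # A fault inside the first 4k page means NULL base plus a field offset.
        "null_plus_offset": addr < 4096,
        "regs_holding_addr": sorted(n for n, v in regs.items() if v == addr),
        # First frame that belongs to a loadable module rather than core code.
        "first_module_frame": next((f for f in frames if f[2]), None),
        "frames": [f[0] for f in frames],
    }
```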
Hello,
Any progress on this?
Regards,
Hello,
Yes, it looks like a bug. I will report it immediately. Thanks for the catch!
Regards