Kernel panic upon closing gstreamer

Hi,

We used GStreamer to test multiple cameras. If any camera did not stream correctly (i.e., it showed a green screen), closing the GStreamer window caused the system to crash immediately.

Here is a reproducer:

# Reproducer: start a capture pipeline on /dev/video<N> and let timeout(1)
# end it after 3 seconds, so the video device is released when the process
# is killed (the trace in the log reaches v4l2_release from do_exit).
# Per the report, the system crashes when a camera is not streaming correctly.
s() {
 # $1 is the video device index; xvimagesink renders the frames in an X window.
 timeout 3 gst-launch-1.0 v4l2src device=/dev/video$1 ! xvimagesink
}
# Loop forever: video0 runs in the background while video1 runs in the
# foreground, so both captures are opened and torn down at about the same time.
while :; do s 0 & s 1; done

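and the kernel log. The refcount_t use-after-free warning is raised in kthread_stop, called from vi5_channel_stop_kthreads on the close path, and is followed by a NULL pointer dereference: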

[  151.277035] [RCE] VI ch[33] frame configuration: 1920x1536 
[  151.277040] [RCE]     left skip pixels=0 top skip lines=0
[  151.277042] [RCE]     right crop pixels=1920 bottom crop lines=1536
[  151.277044] [RCE]     pixel format=VI_PIXFMT_FORMAT_T_U8_Y8__V8_Y8 fmt=19
[  151.328843] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=123 addr=0x7ffc7b0000 gos_idx=255 gos_offset=0
[  151.328847] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=125 addr=0x7ffc7d0000 gos_idx=255 gos_offset=0
[  151.328949] tegra_capture_ivc_notify_chan_id: channel context at 1 is busy
[  151.329576] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=124 addr=0x7ffc7c0000 gos_idx=255 gos_offset=0
[  151.335804] tegra194-vi5 8181200000.host1x:vi0@8188400000: failed to update control callback
[  151.335809] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=126 addr=0x7ffc7e0000 gos_idx=255 gos_offset=0
[  151.336003] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=113 addr=0x7ffc710000 gos_idx=255 gos_offset=0
[  151.336008] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=114 addr=0x7ffc720000 gos_idx=255 gos_offset=0
[  151.336011] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=115 addr=0x7ffc730000 gos_idx=255 gos_offset=0
[  151.344200] tegra-camrtc-capture-vi tegra-capture-vi: vi capture setup failed
[  151.344203] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=122 addr=0x7ffc7a0000 gos_idx=255 gos_offset=0
[  151.344323] tegra-camrtc-capture-vi tegra-capture-vi: err_rec: successfully reset the capture channel
[  151.351521] tegra-camrtc-capture-vi tegra-capture-vi: fatal: error recovery failed
[  151.368427] tegra-camrtc-capture-vi tegra-capture-vi: err_rec: successfully reset the capture channel
[  151.401040] [RCE] VI ch[30] frame configuration: 1920x1536 
[  151.401045] [RCE]     left skip pixels=0 top skip lines=0
[  151.401047] [RCE]     right crop pixels=1920 bottom crop lines=1536
[  151.401049] [RCE]     pixel format=VI_PIXFMT_FORMAT_T_U8_Y8__V8_Y8 fmt=19
[  151.401051] [RCE] VI ch[31] frame configuration: 1920x1536 
[  151.401053] [RCE]     left skip pixels=0 top skip lines=0
[  151.401054] [RCE]     right crop pixels=1920 bottom crop lines=1536
[  151.401056] [RCE]     pixel format=VI_PIXFMT_FORMAT_T_U8_Y8__V8_Y8 fmt=19
[  153.606406] max96717 12-0021: sensor_stop_streaming
[  153.607717] max96717 12-0021: sensor_power_off
[  153.628510] max96717 12-0020: sensor_stop_streaming
[  153.629080] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c1c mask=0x06000000 value=0x04000000 (was 0x00020000)
[  153.629085] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031c1c mask=0x06000000 value=0x04000000 (was 0x04020000)
[  153.629087] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c1c mask=0x06070000 value=0x00020000 (was 0x04020000)
[  153.629088] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c58 mask=0x000f0000 value=0x000f0000 (was 0x000f0002)
[  153.629090] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c68 mask=0xffffffff value=0x84208420 (was 0x83d98465)
[  153.629092] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c6c mask=0xffffffff value=0x84208420 (was 0x9d656d2b)
[  153.629093] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c90 mask=0x0000f0fc value=0x00002040 (was 0x00002041)
[  153.629095] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031c94 mask=0x000000ff value=0x00000011 (was 0x00700011)
[  153.630720] max96717 12-0020: sensor_power_off
[  153.689071] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031cb4 mask=0x007f7f7f value=0x00404444 (was 0x00434140)
[  153.689073] [RCE] NVCSI prod write phy: 2 cil: 0 reg=0x00031cec mask=0x000000ff value=0x00000027 (was 0x00007427)
[  153.689074] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031c1c mask=0x06070000 value=0x00020000 (was 0x00020000)
[  153.689076] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031c58 mask=0x000f0000 value=0x000f0000 (was 0x000f0002)
[  153.689077] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031c68 mask=0xffffffff value=0x84208420 (was 0x84208420)
[  153.689078] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031c6c mask=0xffffffff value=0x84208420 (was 0x84208420)
[  153.689080] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031d8c mask=0x0000f0fc value=0x00002040 (was 0x00002041)
[  153.689081] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031d90 mask=0x000000ff value=0x00000011 (was 0x00640011)
[  153.689082] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031db0 mask=0x007f7f7f value=0x00404444 (was 0x00435251)
[  153.689083] [RCE] NVCSI prod write phy: 2 cil: 1 reg=0x00031de8 mask=0x000000ff value=0x00000027 (was 0x00007427)
[  153.777082] tegra-camrtc-capture-vi tegra-capture-vi: uncorr_err: request timed out after 2500 ms
[  153.777113] tegra-camrtc-capture-vi tegra-capture-vi: err_rec: attempting to reset the capture channel
[  153.781961] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=110 addr=0x7ffc6e0000 gos_idx=255 gos_offset=0
[  153.781971] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=111 addr=0x7ffc6f0000 gos_idx=255 gos_offset=0
[  153.781977] tegra194-vi5 8181200000.host1x:vi0@8188400000: vi5_get_syncpt_gos_backing: id=112 addr=0x7ffc700000 gos_idx=255 gos_offset=0
[  153.782156] tegra-camrtc-capture-vi tegra-capture-vi: err_rec: successfully reset the capture channel
[  153.790531] max96717 1-0020: sensor_stop_streaming
[  153.791871] max96717 1-0020: sensor_power_off
[  153.793105] ------------[ cut here ]------------
[  153.794919] refcount_t: addition on 0; use-after-free.
[  153.794933] WARNING: CPU: 12 PID: 3783 at lib/refcount.c:25 refcount_warn_saturate+0x120/0x144
[  153.794951] Modules linked in: nvidia_drm(O) nvidia_modeset(O) nvidia_uvm(O) qrtr bridge stp llc usb_f_ncm usb_f_mass_storage nvidia(O) usb_f_acm u_serial usb_f_rndis u_ether governor_pod_scaling(O) libcomposite snd_soc_tegra186_arad(O) snd_soc_tegra186_asrc snd_soc_tegra210_mixer snd_soc_tegra210_admaif snd_soc_tegra210_mvc snd_soc_tegra210_ope snd_soc_tegra210_sfc snd_soc_tegra_pcm snd_soc_tegra210_amx snd_soc_tegra210_i2s snd_soc_tegra210_adx snd_soc_tegra210_ahub tegra_capture_coe(O) tegra210_adma nvadsp(O) nvvrs_pseq_rtc(O) spidev crct10dif_ce sm3_ce onboard_usb_hub sm3 sha3_ce sha512_ce sha512_arm64 ina238 coresight_trbe nvmap(O) ina3221 coresight arm_spe_pmu snd_soc_tegra_audio_graph_card snd_soc_audio_graph_card nvsciipc(O) bmi088(O) kfifo_buf tegra234_oc_event(O) snd_soc_simple_card_utils ivc_cdev(O) nvpmodel_clk_cap(O) tegra23x_psc(O) thermal_trip_event(O) tegra_cactmon_mc_all(O) nvethernet(O) tegra_aconnect tegra_aocluster(O) vfat snd_soc_rt5640 snd_soc_rl6231 tpm_tis_i2c tpm_tis_core snd_hda_codec_hdmi fat[  153.795029]  nvidia_vrs_pseq(O) lm90 max96712(OE) at24 max96712(OE) snd_hda_tegra mttcan(O) snd_hda_codec host1x_fence(O) snd_hda_core nvpps(O) cfg80211 rfkill can_dev nvidia_cspmu ramoops mc_t26x(O) pwm_tegra_tachometer(O) tegra264_mc_hwpm(O) spi_tegra114 tegra_dce(O) reed_solomon arm_cspmu_module tpm_ftpm_tee camera_diagnostics(O) nvhost_isp5(O) nvhost_vi5(O) tegra_capture_isp(O) nvhost_nvcsi(OE) tegra_se(O) nvhost_pva(O) tegra_se_kds(O) crypto_engine nvhost_capture(O) tegra_camera(OE) v4l2_dv_timings host1x_nvhost(O) tegra_drm(O) tegra_wmark(O) nvhwpm(O) drm_display_helper drm_dp_aux_bus cec drm_kms_helper host1x(O) tegra_camera_platform(O) mc_utils(O) capture_ivc(O) v4l2_fwnode v4l2_async videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videodev videobuf2_common mc camchar(O) rtcpu_debug(O) tegra_camera_rtcpu(O) drm ivc_bus(O) hsp_mailbox_client(O) fuse nvme_fabrics nfnetlink ip_tables x_tables ipv6 pwm_fan pwm_tegra tegra_bpmp_thermal 
tegra_xudc uas ucsi_ccg typec_ucsi typec nvme nvme_core
[  153.795108]  phy_tegra194_p2u pcie_tegra194 ufs_tegra(O) pcie_tegra264(O)
[  153.795114] CPU: 12 PID: 3783 Comm: pool-gst-launch Tainted: G        W  OE      6.8.12-tegra #7
[  153.795118] Hardware name: NVIDIA Jetson AGX Thor 128GB/Jetson, BIOS r38.2-899cdbc9 11/11/2025
[  153.795120] pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[  153.795125] pc : refcount_warn_saturate+0x120/0x144
[  153.795131] lr : refcount_warn_saturate+0x120/0x144
[  153.795135] sp : ffff80008e3039d0
[  153.795137] x29: ffff80008e3039d0 x28: ffff0000872e5dc0 x27: 0000000000000009
[  153.795142] x26: 0000000000000000 x25: 0000ffff9fe396a8 x24: ffff0000872e63c0
[  153.795146] x23: ffff00008cef5108 x22: ffff00008cef5080 x21: ffff00008cef5590
[  153.795150] x20: ffff0000d36d92f0 x19: ffff0000d36d92c0 x18: 0000000000017c2f
[  153.795153] x17: ffff80008e305000 x16: ffffc4978a6a10c8 x15: ffff80008e303320
[  153.795157] x14: 0000000000000f9e x13: 00000000ffffffea x12: ffffc4978d243e80
[  153.795161] x11: 0000000000000001 x10: 0000000000000001 x9 : 0000000000017fe8
[  153.795165] x8 : ffffc4978d1ebe08 x7 : c0000000ffffefff x6 : 0000000000057fa8
[  153.795168] x5 : ffff001f57e27d08 x4 : 0000000000000000 x3 : ffff3b87cb593000
[  153.795172] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000872e5dc0
[  153.795176] Call trace:
[  153.795178]  refcount_warn_saturate+0x120/0x144
[  153.795183]  kthread_stop+0x1b4/0x260
[  153.795190]  vi5_channel_stop_kthreads+0x4c/0x68 [tegra_camera]
[  153.795219]  vi5_channel_stop_streaming+0x138/0x13c [tegra_camera]
[  153.795237]  tegra_channel_stop_streaming+0x28/0x50 [tegra_camera]
[  153.795256]  __vb2_queue_cancel+0x2c/0x2b8 [videobuf2_common]
[  153.795268]  vb2_core_queue_release+0x24/0x5c [videobuf2_common]
[  153.795274]  _vb2_fop_release+0x88/0xbc [videobuf2_v4l2]
[  153.795282]  tegra_channel_close+0x5c/0x138 [tegra_camera]
[  153.795300]  v4l2_release+0xe4/0xec [videodev]
[  153.795325]  __fput+0x78/0x2c4
[  153.795332]  ____fput+0x10/0x1c
[  153.795336]  task_work_run+0x74/0xd0
[  153.795349]  do_exit+0x320/0x998
[  153.795357]  do_group_exit+0x34/0x90
[  153.795361]  copy_siginfo_to_user+0x0/0x164
[  153.795370]  do_notify_resume+0x118/0x8d0
[  153.795378]  el0_svc+0x98/0xa8
[  153.795386]  el0t_64_sync_handler+0x120/0x12c
[  153.795391]  el0t_64_sync+0x194/0x198
[  153.795393] ---[ end trace 0000000000000000 ]---
[  153.795400] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  153.816924] Mem abort info:
[  153.819720]   ESR = 0x0000000096000004
[  153.823561]   EC = 0x25: DABT (current EL), IL = 32 bits
[  153.828800]   SET = 0, FnV = 0
[  153.831943]   EA = 0, S1PTW = 0
[  153.835085]   FSC = 0x04: level 0 translation fault
[  153.839989] Data abort info:
[  153.842770]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  153.848361]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  153.853250]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  153.858490] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001a79d9000
[  153.865124] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000

This is reproducible with a fake video file registered with tegracam_v4l2subdev_register.

Could you verify with v4l2-ctl?

# Stream from the capture device using mmap buffers, with the bypass_mode
# control set to 0. No -d is given, so v4l2-ctl uses its default device
# (/dev/video0). Presumably meant to check whether the crash also occurs
# without GStreamer in the path; stop the capture to exercise the close path.
v4l2-ctl --stream-mmap -c bypass_mode=0