V4L2 Std Ctrl Kernel Panic

I’ve got an odd error with the V4L2 driver on the TX2 kernel. It didn’t exist on the TX1 kernel, so I wonder if there is a break in the V4L2 implementation that’s been introduced between 3.6 and 4.4? The issue is that I get a kernel panic when setting a standard V4L2 control that is created in the same way that it was in the 3.6 driver, and seemingly the same as the other camera drivers.

The panic occurs as follows:

[ 104.342079] Unable to handle kernel paging request at virtual address ffff00c1f61319b8
[ 104.350156] pgd = ffffffc06aef1000
[ 104.353679] [ffff00c1f61319b8] *pgd=0000000000000000, *pud=0000000000000000
[ 104.361094] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 104.366667] Modules linked in: bnep fuse bluetooth bcmdhd pci_tegra bluedroid_pm
[ 104.374168] CPU: 0 PID: 1482 Comm: python Not tainted 4.4.15 #1
[ 104.380086] Hardware name: quill (DT)
[ 104.383752] task: ffffffc1d5d40000 ti: ffffffc06aeb4000 task.ti: ffffffc06aeb4000
[ 104.391238] PC is at mutex_lock+0x14/0x68
[ 104.395251] LR is at get_ctrl+0x48/0xf8
[ 104.399090] pc : [] lr : [] pstate: 20000145
[ 104.406477] sp : ffffffc06aeb7b40
[ 104.409790] x29: ffffffc06aeb7b40 x28: ffffffc1eb150680
[ 104.415127] x27: ffffffc1eeb01f00 x26: 0000000000000000
[ 104.420462] x25: ffffffc06aeb7d50 x24: 0000007fe2babed0
[ 104.425798] x23: ffffffc00120fb98 x22: ffffffc06aeb7bb8
[ 104.431131] x21: ffffffc1f4282900 x20: ffffffc1f4282900
[ 104.436463] x19: ffff00c1f61319b8 x18: 0000000000000000
[ 104.441797] x17: 0000007f9a6ec950 x16: ffffffc0001d76e8
[ 104.447129] x15: 0000000000f7f2d0 x14: 0000000000f7f298
[ 104.452463] x13: 0000007f7fd112b0 x12: 00000000000001dc
[ 104.457796] x11: 0000000000000007 x10: 0000000000000000
[ 104.463127] x9 : 00000000ffffffd0 x8 : ffffffc06aeb7d58
[ 104.468460] x7 : 0000000000000000 x6 : ffffffc06aeb7d54
[ 104.473794] x5 : 0000000000000003 x4 : ffffffc1f61284e0
[ 104.479127] x3 : ffffffc1f4287018 x2 : 0000000000000004
[ 104.484461] x1 : ffffffc06aeb7bb8 x0 : ffff00c1f61319b8

[ 104.491291] Process python (pid: 1482, stack limit = 0xffffffc06aeb4020)
[ 104.497987] Call trace:
[ 104.500438] [] mutex_lock+0x14/0x68
[ 104.505490] [] get_ctrl+0x48/0xf8
[ 104.510366] [] v4l2_g_ctrl+0x3c/0x60
[ 104.515507] [] v4l_g_ctrl+0x54/0x120
[ 104.520647] [] __video_do_ioctl+0x25c/0x2c8
[ 104.526391] [] video_usercopy+0x294/0x590
[ 104.531962] [] video_ioctl2+0x14/0x20
[ 104.537188] [] v4l2_ioctl+0xe8/0x118
[ 104.542329] [] do_vfs_ioctl+0x33c/0x5f0
[ 104.547726] [] SyS_ioctl+0x8c/0xa0
[ 104.552694] [] el0_svc_naked+0x24/0x28
[ 104.558005] ---[ end trace 0678b51317f31422 ]---

I was getting this previously when setting the EDID since that call was setting the integer control. I removed that control call which fixed it, but now I’m getting the same error through a direct ioctl call.

The control is created as follows:
state->detect_tx_5v_ctrl = v4l2_ctrl_new_std(&state->hdl, NULL,
V4L2_CID_DV_RX_POWER_PRESENT, 0, 1, 0, 0);

I’ve added print statements around it to determine if the memory is being freed, but it doesn’t seem to be. Could it be memory corruption from some other bug in the driver, or do you think this is a fault in the kernel?

Hi aie
Could you try replacing the NULL with some dummy ops?

state->detect_tx_5v_ctrl = v4l2_ctrl_new_std(&state->hdl, NULL,
V4L2_CID_DV_RX_POWER_PRESENT, 0, 1, 0, 0);

Hi Shane,

I thought about that and tried it. It makes no difference. The issue is occurring due to the mutex handle being null for some reason. I’ve been talking to the maintainer of the V4L driver in the kernel and he currently believes the issue may be within the NVIDIA driver rather than within the camera driver or V4L source.

I’m currently building some kernels with debug messages to try and determine precisely what it is that’s failing.

I have added some debugging statements to try and pin down where the issue is. The pointers that are pertinent are as follows:

At the time the fault occurs:

The “master” control (as defined by ctrl->cluster[0]) is at ffffffc1f42a8900.
The handler within this control is at ffffffc1f61319b8.
The mutex within the handler is at ffff00c1f61319b8.

At the time the control is created the handle to the control is returned as ffffffc1f42a8700.

The related Oops for this information is as follows:

[   33.090491] Unable to handle kernel paging request at virtual address ffff00c1f61319b8
[   33.098813] pgd = ffffffc06bf6f000
[   33.102339] [ffff00c1f61319b8] *pgd=0000000000000000, *pud=0000000000000000
[   33.109724] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   33.115295] Modules linked in: bnep fuse bluetooth bcmdhd pci_tegra bluedroid_pm
[   33.122798] CPU: 0 PID: 1423 Comm: python Not tainted 4.4.15 #6
[   33.128714] Hardware name: quill (DT)
[   33.132378] task: ffffffc1dc20f080 ti: ffffffc1e0e34000 task.ti: ffffffc1e0e34000
[   33.139863] PC is at mutex_lock+0x14/0x68
[   33.143878] LR is at get_ctrl+0x6c/0x158
[   33.147800] pc : [<ffffffc000ab340c>] lr : [<ffffffc000702cd4>] pstate: 80000045
[   33.155187] sp : ffffffc1e0e37b40
[   33.158500] x29: ffffffc1e0e37b40 x28: ffffffc1dc275e00 
[   33.163836] x27: ffffffc1d6c98900 x26: 0000000000000000 
[   33.169170] x25: ffffffc1e0e37d50 x24: 0000007fee75b7c0 
[   33.174504] x23: ffffffc00120fb98 x22: ffffffc1e0e37bb8 
[   33.179838] x21: ffffffc1f42a8900 x20: ffffffc1f42a8900 
[   33.185170] x19: ffff00c1f61319b8 x18: 0000000000000000 
[   33.190502] x17: 0000007f7fa48950 x16: ffffffc0001d76e8 
[   33.195837] x15: 000000000000001f x14: 0000000000007fff 
[   33.201170] x13: 202c293030393861 x12: 00000000000c3d4a 
[   33.206502] x11: 0000000000000000 x10: 00000000000008a0 
[   33.211836] x9 : ffffffc1e0e37930 x8 : ffffffc1dc20f980 
[   33.217170] x7 : 0000000000000400 x6 : 000000000050cdae 
[   33.222504] x5 : 0000000000000000 x4 : ffffffc1e0e37900 
[   33.227837] x3 : 0000000000000000 x2 : ffffffc0717d1b4c 
[   33.233171] x1 : 0000000000000000 x0 : ffff00c1f61319b8 

[   33.239998] Process python (pid: 1423, stack limit = 0xffffffc1e0e34020)
[   33.246694] Call trace:
[   33.249148] [<ffffffc000ab340c>] mutex_lock+0x14/0x68
[   33.254198] [<ffffffc000702cd4>] get_ctrl+0x6c/0x158
[   33.259163] [<ffffffc000702dfc>] v4l2_g_ctrl+0x3c/0x60
[   33.264304] [<ffffffc0006fc0fc>] v4l_g_ctrl+0x54/0x120
[   33.269444] [<ffffffc0006fa6dc>] __video_do_ioctl+0x25c/0x2c8
[   33.275189] [<ffffffc0006fa164>] video_usercopy+0x294/0x590
[   33.280760] [<ffffffc0006fa474>] video_ioctl2+0x14/0x20
[   33.285986] [<ffffffc0006f55d8>] v4l2_ioctl+0xe8/0x118
[   33.291128] [<ffffffc0001d7434>] do_vfs_ioctl+0x33c/0x5f0
[   33.296525] [<ffffffc0001d7774>] SyS_ioctl+0x8c/0xa0
[   33.301492] [<ffffffc000084e70>] el0_svc_naked+0x24/0x28
[   33.306804] ---[ end trace c150824421c0132b ]---
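
Added example, not part of the original thread or any poster's code: a small triage helper that compares the handler address and the faulting mutex address reported in the post above, byte by byte. It assumes a 39-bit kernel virtual address split (inferred from the 0xffffffc0... addresses in the log); the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 39-bit kernel VA split, inferred from the log's addresses. */
#define VA_BITS 39

/* Values copied from the debug output in the post above. */
#define HANDLER_ADDR 0xffffffc1f61319b8ULL
#define FAULT_ADDR   0xffff00c1f61319b8ULL

/* A kernel-half address has every bit from VA_BITS upward set. */
static int is_kernel_va(uint64_t addr)
{
    return (addr >> VA_BITS) == (UINT64_MAX >> VA_BITS);
}

/* A user-half address has every bit from VA_BITS upward clear. */
static int is_user_va(uint64_t addr)
{
    return (addr >> VA_BITS) == 0;
}

/* Bitmask with bit i set when byte i (0 = least significant) differs. */
static unsigned differing_bytes(uint64_t a, uint64_t b)
{
    uint64_t x = a ^ b;
    unsigned mask = 0;

    for (int i = 0; i < 8; i++)
        if ((x >> (8 * i)) & 0xff)
            mask |= 1u << i;
    return mask;
}

/* 1 when `bad` lies in neither VA half and matches `good` in all but one byte. */
static int single_byte_damage(uint64_t good, uint64_t bad)
{
    unsigned m = differing_bytes(good, bad);

    return is_kernel_va(good) && !is_kernel_va(bad) && !is_user_va(bad) &&
           m != 0 && (m & (m - 1)) == 0;
}

int main(void)
{
    printf("differing byte mask: 0x%02x\n", differing_bytes(HANDLER_ADDR, FAULT_ADDR));
    printf("single-byte damage:  %d\n", single_byte_damage(HANDLER_ADDR, FAULT_ADDR));
    return 0;
}
```

For the two addresses in the post, the only difference is byte 5 (bits 40 to 47), which is 0xff in the handler address and 0x00 in the faulting one; that leaves the faulting address outside both the kernel and user ranges.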

@aie93
Did you add a new ctrl to the sensor driver? Could you try adding it to the reference sensor ov5693 to verify?