[Gandof] Kernel crashing after suspend resume while onboard webcam is working.
Issue description
Chrome Version: 10895.11.0
OS: ChromeOS
What steps will reproduce the problem?
(1) Sign in to the device.
(2) Use onboard webcam.
start camera app / start hangout/ start webrtc.
(3) Suspend resume the device.
close and open lid
or
'powerd_dbus_suspend'
What is the expected result?
Onboard camera should work properly after resume.
What happens instead?
Device rebooting with a kernel crash.
crash link: https://crash.corp.google.com/browse?stbtiq=6fd47f37fed10c27
Note: This issue is specific to onboard webcam.
USB webcam is working fine.
,
Aug 3
,
Aug 3
+keiichiw@, who did some work on the uvc driver recently.

From feedback/console-ramoops:

[ 57.553764] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 57.553779] IP: [<ffffffff87619e0d>] do_raw_spin_lock+0xe/0x112
[ 57.553792] PGD 0
[ 57.553797] Oops: 0000 [#1] PREEMPT SMP
[ 57.556209] gsmi: Log Shutdown Reason 0x03
[ 57.556216] Modules linked in: xt_TCPMSS ip6table_mangle ip6table_raw veth esp6 ah6 xfrm6_mode_tunnel xfrm6_mode_transport xfrm4_mode_tunnel xfrm4_mode_transport ip6t_REJECT ip6t_ipv6header snd_usb_audio snd_usbmidi_lib rfcomm cmac i2c_dev uinput memc_x86 uvcvideo videobuf2_vmalloc snd_hda_codec_realtek snd_hda_codec_generic x86_pkg_temp_thermal snd_hda_codec_hdmi iio_trig_sysfs cros_ec_accel kfifo_buf industrialio snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_soc_sst_acpi zram snd_seq_dummy bridge stp llc ipt_MASQUERADE xt_mark fuse ip6table_filter ip6_tables snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device iwlmvm iwlwifi iwl7000_mac80211 cfg80211 btusb btbcm btintel bluetooth joydev
[ 57.556340] CPU: 0 PID: 4856 Comm: V4L2CaptureThre Not tainted 3.14.0 #1
[ 57.556348] Hardware name: GOOGLE Gandof, BIOS Google_Gandof.6301.155.9 07/30/2015
[ 57.556357] task: ffff88013bed1240 ti: ffff880031024000 task.ti: ffff880031024000
[ 57.556366] RIP: 0010:[<ffffffff87619e0d>] [<ffffffff87619e0d>] do_raw_spin_lock+0xe/0x112
[ 57.556378] RSP: 0018:ffff880031025c20 EFLAGS: 00010082
[ 57.556385] RAX: 0000000000000000 RBX: ffff880035249400 RCX: ffff880035249200
[ 57.556393] RDX: ffff880035249200 RSI: 0000000000000002 RDI: 0000000000000000
[ 57.556400] RBP: ffff880031025c38 R08: 0000000000000000 R09: 000000000000000f
[ 57.556408] R10: 0000000000000002 R11: ffffffff87e92540 R12: 0000000000000002
[ 57.556416] R13: 0000000000000003 R14: 0000000000000000 R15: ffff880035249190
[ 57.556425] FS: 00007cc822caf700(0000) GS:ffff88017ec00000(0000) knlGS:0000000000000000
[ 57.556434] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 57.556440] CR2: 0000000000000004 CR3: 000000013b4f2000 CR4: 00000000000607f0
[ 57.556448] Stack:
[ 57.556451] ffff880035249400 0000000000000002 0000000000000003 ffff880031025c48
[ 57.556463] ffffffff87cd0c93 ffff880031025ca0 ffffffff8775ce61 0000000000000002
[ 57.556475] 0000000000000000 ffff880035249200 00000000261dc7d9 ffff880035249400
[ 57.556486] Call Trace:
[ 57.556495] [<ffffffff87cd0c93>] _raw_spin_lock_irq+0x17/0x19
[ 57.556504] [<ffffffff8775ce61>] flush_workqueue_prep_pwqs+0x96/0x17c
[ 57.556514] [<ffffffff8775d07d>] flush_workqueue+0x136/0x429
[ 57.556527] [<ffffffffc030cd63>] uvc_uninit_video+0x58/0xe3 [uvcvideo]
[ 57.556539] [<ffffffffc030cd63>] ? uvc_uninit_video+0x58/0xe3 [uvcvideo]
[ 57.556551] [<ffffffffc030ef6b>] uvc_video_enable+0x1b/0x159 [uvcvideo]
[ 57.556562] [<ffffffffc030ab42>] uvc_stop_streaming+0x25/0x47 [uvcvideo]
[ 57.556573] [<ffffffff87b30ea7>] __vb2_queue_cancel+0x2c/0x144
[ 57.556582] [<ffffffff87b34646>] vb2_queue_release+0x20/0x43
[ 57.556592] [<ffffffffc030ac97>] uvc_queue_release+0x26/0x33 [uvcvideo]
[ 57.556603] [<ffffffffc030cbf8>] uvc_v4l2_release+0x4c/0xd7 [uvcvideo]
[ 57.556613] [<ffffffff87b20f38>] v4l2_release+0x33/0x6d
[ 57.556621] [<ffffffff8764f8f4>] __fput+0xe5/0x1a2
[ 57.556630] [<ffffffff87816ec7>] ____fput+0xe/0x10
[ 57.556639] [<ffffffff876099c0>] task_work_run+0x81/0x97
[ 57.556647] [<ffffffff8760056a>] do_notify_resume+0x57/0x5b
[ 57.556656] [<ffffffff87cd192f>] int_signal+0x12/0x17
[ 57.556662] Code: 48 83 c8 ff c7 07 00 00 10 00 c7 47 04 ed 1e af de 48 89 47 10 48 89 e5 89 47 08 5d c3 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 <81> 7f 04 ad 4e ad de 48 89 fb 74 0c 48 c7 c6 3b cc f7 87 e8 8a
[ 57.556746] RIP [<ffffffff87619e0d>] do_raw_spin_lock+0xe/0x112
[ 57.556755] RSP <ffff880031025c20>
[ 57.556760] CR2: 0000000000000004
[ 57.556766] ---[ end trace 8204a7c654e64ef7 ]---
[ 57.571663] Kernel panic - not syncing: Fatal exception

Could it be possibly related to the fixes we landed for issue 820961?
,
Aug 6
Was this introduced with M69, works on M68?
,
Aug 6
Not able to reproduce this issue on M68_10718.71.2 build.
,
Aug 7
,
Aug 7
Should be fixed by https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1164964 . PTAL.
,
Aug 7
Once this lands on ToT, please request merge to M69. We will not block beta for this issue, will skip Gandof if necessary.
,
Aug 8
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/86f2cdb13b40c651151bf419d5ee57a026acbca2

commit 86f2cdb13b40c651151bf419d5ee57a026acbca2
Author: Tomasz Figa <tfiga@chromium.org>
Date: Wed Aug 08 09:00:36 2018

CHROMIUM: media: uvcvideo: Do not destroy async workqueue on suspend

Currently uvc_video_suspend() calls uvc_uninit_video() with free_buffers argument set to 0, to stop streaming for the duration of suspend without releasing resources. However, it ends up destroying the async workqueue regardless of the argument, which triggers an access after free, if resume fails and userspace closes the file descriptor, which essentially ends up calling uvc_uninit_video() one more time to free the resources.

Make uvc_uninit_video() honor free_buffers for async workqueue too and uvc_init_video() skip allocating a new workqueue, if one is already allocated.

Fixes: 7ccd6a2f66c4 ("BACKPORT: FROMLIST: media: uvcvideo: Move decode processing to process context")
BUG= chromium:870462
TEST=Samus does not crash after a suspend/resume cycle with external camera connected and internal camera streaming.

Change-Id: I5541bdb32bd1a9c4244934499fb1f94cbab87e2b
Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1164964
Reviewed-by: Ricky Liang <jcliang@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>

[modify] https://crrev.com/86f2cdb13b40c651151bf419d5ee57a026acbca2/drivers/media/usb/uvc/uvc_video.c
,
Aug 8
Requesting merge of the CL above to M-69.
,
Aug 8
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review

Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 8
,
Aug 8
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/63604270587c0b9ee54d884f172b796a564b975a

commit 63604270587c0b9ee54d884f172b796a564b975a
Author: Tomasz Figa <tfiga@chromium.org>
Date: Wed Aug 08 17:17:21 2018

CHROMIUM: media: uvcvideo: Do not destroy async workqueue on suspend

Currently uvc_video_suspend() calls uvc_uninit_video() with free_buffers argument set to 0, to stop streaming for the duration of suspend without releasing resources. However, it ends up destroying the async workqueue regardless of the argument, which triggers an access after free, if resume fails and userspace closes the file descriptor, which essentially ends up calling uvc_uninit_video() one more time to free the resources.

Make uvc_uninit_video() honor free_buffers for async workqueue too and uvc_init_video() skip allocating a new workqueue, if one is already allocated.

Fixes: 7ccd6a2f66c4 ("BACKPORT: FROMLIST: media: uvcvideo: Move decode processing to process context")
BUG= chromium:870462
TEST=Samus does not crash after a suspend/resume cycle with external camera connected and internal camera streaming.

Change-Id: I5541bdb32bd1a9c4244934499fb1f94cbab87e2b
Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1164964
Reviewed-by: Ricky Liang <jcliang@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
(cherry picked from commit 86f2cdb13b40c651151bf419d5ee57a026acbca2)
Reviewed-on: https://chromium-review.googlesource.com/1166982

[modify] https://crrev.com/63604270587c0b9ee54d884f172b796a564b975a/drivers/media/usb/uvc/uvc_video.c
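
The lifecycle the commit message describes, as a user-space model added here for illustration; it is not the uvcvideo driver's code. `struct wq`, `pool`, `init_video`, `uninit_video` and `run` are hypothetical names, and the pre-fix pointer being left dangling after the destroy is an assumption drawn from the "access after free" wording.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel workqueue. Slots are never really freed,
 * so a stale pointer can be inspected safely instead of faulting. */
struct wq { bool alive; };
static struct wq pool[16]; static size_t next_slot;

struct stream {
    struct wq *async_wq;
    bool fixed;          /* false: lifecycle described as "currently" */
    int queues;          /* workqueues allocated for this stream */
    int stale_flushes;   /* flushes that touched a destroyed queue */
};

static int init_video(struct stream *s, bool fail) {
    if (fail) return -1;                    /* resume could not restart streaming */
    if (s->fixed && s->async_wq) return 0;  /* fix: reuse queue kept over suspend */
    s->async_wq = &pool[next_slot++ % 16];
    s->async_wq->alive = true;
    s->queues++;
    return 0;
}

static void uninit_video(struct stream *s, int free_buffers) {
    if (!s->async_wq) return;
    if (!s->async_wq->alive) s->stale_flushes++;  /* flush on a destroyed queue */
    if (s->fixed && !free_buffers) return;        /* fix: suspend keeps the queue */
    s->async_wq->alive = false;                   /* models destroy_workqueue() */
    if (s->fixed) s->async_wq = NULL;  /* assumption: old code left it dangling */
}

/* Stream, suspend, resume (optionally failing), then close the descriptor. */
static struct stream run(bool fixed, bool resume_fails) {
    struct stream s = { .fixed = fixed };
    init_video(&s, false);          /* start streaming */
    uninit_video(&s, 0);            /* suspend: free_buffers = 0 */
    init_video(&s, resume_fails);   /* resume */
    uninit_video(&s, 1);            /* close: free_buffers = 1 */
    return s;
}

int main(void) {
    printf("resume fails: stale flushes before=%d after=%d\n",
           run(false, true).stale_flushes, run(true, true).stale_flushes);
    printf("resume ok: queues allocated before=%d after=%d\n",
           run(false, false).queues, run(true, false).queues);
}
```

The stale flush only appears on the failed-resume path, which matches the call trace above ending in flush_workqueue() under uvc_v4l2_release().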
,
Aug 8
,
Aug 13
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 14
Comment 1 by sontis@chromium.org, Aug 2