From: "Michał Pecio" <michal.pecio@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Subject: NULL dereference on disconnection during usb_set_interface()
Date: Sun, 21 Jan 2024 18:18:15 +0100
Message-ID: <20240121181815.4ab01525@foxbook>
Hi,
I encountered an interesting race. This USB camera appears to have got
stuck and dropped by the bus during video stream initialization, leading
to an oops. This is a one-time occurrence, not reproducible. Maybe not
a very severe issue due to the narrow window of opportunity, but still...
Linux v6.7, the host is XHCI.
The first message below comes from uvc_video_start_transfer(). It is
meant to be followed immediately by a call to usb_set_interface() and
apparently during this call things went weird.
After a half second delay the device was disconnected and another five
seconds later a NULL pointer dereference occurred.
The crashing function is usb_ifnum_to_if() and disassembly suggests that
the dereferenced NULL value was config->interface[i], for unknown i.
Thanks,
Michal
[ 7079.664238] usb 9-2: Selecting alternate setting 9 (20480 B/frame bandwidth)
[ 7080.202494] usb 9-2: USB disconnect, device number 2
[ 7085.158804] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 7085.158814] #PF: supervisor read access in kernel mode
[ 7085.158816] #PF: error_code(0x0000) - not-present page
[ 7085.158818] PGD 0 P4D 0
[ 7085.158822] Oops: 0000 [#1] PREEMPT SMP
[ 7085.158825] CPU: 0 PID: 12833 Comm: yavta Not tainted 6.7.0 #3
[ 7085.158829] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD MS-7596/760GM -E51 (MS-7596), BIOS V1.10 02/28/2011
[ 7085.158832] RIP: 0010:usb_ifnum_to_if+0x38/0x50
[ 7085.158839] Code: d2 74 32 0f b6 4a 04 84 c9 74 2e ff c9 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 12 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 31 d2 48 89 d0 c3 0f
[ 7085.158842] RSP: 0018:ffffc90000d1fba0 EFLAGS: 00010202
[ 7085.158845] RAX: ffff88812deb5898 RBX: ffff88812d78e000 RCX: 0000000000000002
[ 7085.158847] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88812deb58b0
[ 7085.158849] RBP: 0000000000000000 R08: ffffffff826dad88 R09: ffffffff826dad88
[ 7085.158850] R10: 0000000000000400 R11: 0000000000000000 R12: ffff88812ddfd570
[ 7085.158852] R13: 00000000ffffff92 R14: ffff88812ddfd408 R15: ffff88812ddb7000
[ 7085.158854] FS: 00007f4d672ab740(0000) GS:ffff88820fe00000(0000) knlGS:0000000000000000
[ 7085.158856] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7085.158858] CR2: 0000000000000000 CR3: 000000014c0f5000 CR4: 00000000000006f0
[ 7085.158860] Call Trace:
[ 7085.158863] <TASK>
[ 7085.158867] ? __die+0x2d/0x80
[ 7085.158870] ? page_fault_oops+0x15d/0x420
[ 7085.158874] ? fixup_exception+0x36/0x280
[ 7085.158879] ? exc_page_fault+0x74/0x150
[ 7085.158882] ? asm_exc_page_fault+0x22/0x30
[ 7085.158887] ? usb_ifnum_to_if+0x38/0x50
[ 7085.158890] usb_hcd_alloc_bandwidth+0x208/0x310
[ 7085.158895] usb_set_interface+0x128/0x400
[ 7085.158899] uvc_video_start_transfer+0x1c4/0x600 [uvcvideo]
[ 7085.158908] uvc_video_start_streaming+0x79/0xc0 [uvcvideo]
[ 7085.158914] uvc_start_streaming+0x41/0x100 [uvcvideo]
[ 7085.158922] vb2_start_streaming+0x60/0x120 [videobuf2_common]
[ 7085.158928] vb2_core_streamon+0xc2/0x160 [videobuf2_common]
[ 7085.158934] uvc_queue_streamon+0x35/0x60 [uvcvideo]
[ 7085.158940] uvc_ioctl_streamon+0x46/0x70 [uvcvideo]
[ 7085.158947] __video_do_ioctl+0x38a/0x460 [videodev]
[ 7085.158957] video_usercopy+0x26c/0x720 [videodev]
[ 7085.158965] ? v4l_prepare_buf+0x80/0x80 [videodev]
[ 7085.158974] v4l2_ioctl+0x45/0x50 [videodev]
[ 7085.158982] __x64_sys_ioctl+0xae/0xd0
[ 7085.158987] ? exit_to_user_mode_prepare+0x7a/0x120
[ 7085.158991] do_syscall_64+0x2c/0xd0
[ 7085.158994] entry_SYSCALL_64_after_hwframe+0x46/0x4e
[ 7085.158998] RIP: 0033:0x7f4d673ba3af
[ 7085.159002] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 7085.159004] RSP: 002b:00007ffeecff6480 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 7085.159007] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4d673ba3af
[ 7085.159009] RDX: 00007ffeecff64e4 RSI: 0000000040045612 RDI: 0000000000000003
[ 7085.159010] RBP: 0000000000000001 R08: 0000000000000078 R09: 000055eca2bc36b0
[ 7085.159012] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffeecff6640
[ 7085.159014] R13: 000055eca2bc3a68 R14: 00000000003a9800 R15: 00000000003a9800
[ 7085.159017] </TASK>
[ 7085.159018] Modules linked in: xhci_pci xhci_hcd uvcvideo ccm uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common ext2 ath5k mac80211 libarc4 ath serio_raw cfg80211 snd_pcsp dm_mod nfnetlink ip_tables x_tables [last unloaded: xhci_hcd]
[ 7085.159036] CR2: 0000000000000000
[ 7085.159038] ---[ end trace 0000000000000000 ]---
Disassembly:
0000000000000380 <usb_ifnum_to_if>:
380: e8 00 00 00 00 call 385 <usb_ifnum_to_if+0x5>
385: 48 8b 97 a8 03 00 00 mov 0x3a8(%rdi),%rdx
38c: 48 85 d2 test %rdx,%rdx
38f: 74 32 je 3c3 <usb_ifnum_to_if+0x43>
391: 0f b6 4a 04 movzbl 0x4(%rdx),%ecx
395: 84 c9 test %cl,%cl
397: 74 2e je 3c7 <usb_ifnum_to_if+0x47>
399: ff c9 dec %ecx
39b: 48 8d 82 98 00 00 00 lea 0x98(%rdx),%rax
3a2: 48 8d bc ca a0 00 00 lea 0xa0(%rdx,%rcx,8),%rdi
3a9: 00
3aa: eb 09 jmp 3b5 <usb_ifnum_to_if+0x35>
3ac: 48 83 c0 08 add $0x8,%rax
3b0: 48 39 f8 cmp %rdi,%rax
3b3: 74 12 je 3c7 <usb_ifnum_to_if+0x47>
3b5: 48 8b 10 mov (%rax),%rdx
3b8: 48 8b 0a mov (%rdx),%rcx
3bb: 0f b6 49 02 movzbl 0x2(%rcx),%ecx
3bf: 39 f1 cmp %esi,%ecx
3c1: 75 e9 jne 3ac <usb_ifnum_to_if+0x2c>
3c3: 48 89 d0 mov %rdx,%rax
3c6: c3 ret
3c7: 31 d2 xor %edx,%edx
3c9: 48 89 d0 mov %rdx,%rax
3cc: c3 ret
3cd: 0f 1f 00 nopl (%rax)
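An added illustration, not code from the kernel or from this report: a reduced C model of the loop the disassembly above decodes to (actconfig at 0x3a8, bNumInterfaces at desc+4, the interface[] table, altsetting as the first field of usb_interface, bInterfaceNumber at desc+2), with simplified structure layouts, beside a NULL-tolerant lookup that returns NULL where the original faults. It assumes that disconnect clears entries of the interface[] table one by one, which is what RDX == 0 at the faulting "mov (%rdx),%rcx" suggests; the guarded variant is a teaching aid, not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified models of the kernel structures (reduced layouts, not the real ones). */
struct usb_interface_descriptor { uint8_t bLength, bDescriptorType, bInterfaceNumber; };
struct usb_host_interface { struct usb_interface_descriptor desc; };
struct usb_interface { struct usb_host_interface *altsetting; };
#define MAX_IF 32
struct usb_host_config {
	uint8_t bNumInterfaces;               /* config->desc.bNumInterfaces, read by "movzbl 0x4(%rdx)" */
	struct usb_interface *interface[MAX_IF]; /* slots cleared by disconnect (assumption) */
};
struct usb_device { struct usb_host_config *actconfig; };

/* The loop as decoded: "mov (%rax),%rdx" loads the slot, "mov (%rdx),%rcx" faults if it is NULL. */
static struct usb_interface *ifnum_to_if_unguarded(const struct usb_device *dev, unsigned ifnum)
{
	struct usb_host_config *config = dev->actconfig;
	if (!config)
		return NULL;
	for (unsigned i = 0; i < config->bNumInterfaces; i++) {
		struct usb_interface *intf = config->interface[i];
		if (intf->altsetting->desc.bInterfaceNumber == ifnum) /* intf == NULL here -> oops */
			return intf;
	}
	return NULL;
}

/* Same lookup, tolerating a slot that disconnect has already released. */
static struct usb_interface *ifnum_to_if_guarded(const struct usb_device *dev, unsigned ifnum)
{
	struct usb_host_config *config = dev->actconfig;
	if (!config)
		return NULL;
	for (unsigned i = 0; i < config->bNumInterfaces; i++) {
		struct usb_interface *intf = config->interface[i];
		if (intf && intf->altsetting && intf->altsetting->desc.bInterfaceNumber == ifnum)
			return intf;
	}
	return NULL;
}

/* Constructed scenario: two interfaces; the disconnect path clears slot 1 while
 * usb_set_interface() is still running on another CPU (modelled here as one call). */
static struct usb_host_interface alt0 = { { 9, 4, 0 } }, alt1 = { { 9, 4, 1 } };
static struct usb_interface intf0 = { &alt0 }, intf1 = { &alt1 };
static struct usb_host_config cfg = { 2, { &intf0, &intf1 } };
static struct usb_device dev = { &cfg };

static void simulate_disconnect(struct usb_host_config *c, unsigned slot) { c->interface[slot] = NULL; }
```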