From: "Michał Pecio" <michal.pecio@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Subject: Re: NULL dereference on disconnection during usb_set_interface()
Date: Sat, 17 Feb 2024 20:26:11 +0100
Message-ID: <20240217202611.6337879c@foxbook>
In-Reply-To: <2024021724-dweeb-peroxide-2036@gregkh>
Hi Greg,
> There are a number of known-race-conditions in the v4l interface that
> can happen when devices go away and userspace is still holding a
> reference on the character device node.
I wrote to linux-usb because I think this particular crash is a bug in
the USB subsystem - namely, usb_set_interface() appears to crash when
the device is disconnected during its execution.
Indeed, today I came up with an artificial way to reproduce this crash.
I added msleep(1000) right before the call to usb_hcd_alloc_bandwidth()
in usb_set_interface() and pulled the USB plug when it slept.
(BTW, previously the device was not physically disconnected; it looks
like the host controller dropped it due to I/O errors.)
Anyway, here's my new crash log:
# this is what normal execution looks like, nothing special happens yet
[ 210.644611] usb_set_interface called from uvc_video_start_transfer
[ 210.644615] sleeping before usb_hcd_alloc_bandwidth
[ 211.668754] usb_set_interface returned
# and now I will disconnect the device during the sleep
[ 216.700611] usb_set_interface called from uvc_video_start_transfer
[ 216.700616] sleeping before usb_hcd_alloc_bandwidth
[ 217.144340] usb 12-1.3: USB disconnect, device number 3
[ 217.746182] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 217.746190] #PF: supervisor read access in kernel mode
[ 217.746192] #PF: error_code(0x0000) - not-present page
[ 217.746195] PGD 0 P4D 0
[ 217.746197] Oops: 0000 [#1] PREEMPT SMP
[ 217.746200] CPU: 0 PID: 815 Comm: yavta Not tainted 6.7.0 #4
[ 217.746204] Hardware name: System manufacturer System Product Name/M4A88TD-M EVO, BIOS 1801 08/09/2012
[ 217.746206] RIP: 0010:usb_ifnum_to_if+0x38/0x50
[ 217.746212] Code: d2 74 32 0f b6 4a 04 84 c9 74 2e ff c9 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 12 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 31 d2 48 89 d0 c3 0f
[ 217.746215] RSP: 0018:ffffc90000b07b90 EFLAGS: 00010206
[ 217.746217] RAX: ffff8880031ac498 RBX: ffff888003144800 RCX: 0000000000000003
[ 217.746219] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8880031ac4b8
[ 217.746221] RBP: 0000000000000000 R08: 0000000000000400 R09: 0000000000000000
[ 217.746223] R10: 0000000000000000 R11: 00000000000003ad R12: ffff8880031acde8
[ 217.746224] R13: 0000000000000000 R14: ffff8880031acc08 R15: ffff888102ca4000
[ 217.746226] FS: 00007f8455cf2740(0000) GS:ffff88811bc00000(0000) knlGS:0000000000000000
[ 217.746228] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 217.746230] CR2: 0000000000000000 CR3: 000000011af26000 CR4: 00000000000006f0
[ 217.746231] Call Trace:
[ 217.746234] <TASK>
[ 217.746237] ? __die+0x2d/0x80
[ 217.746240] ? page_fault_oops+0x15d/0x420
[ 217.746244] ? fixup_exception+0x36/0x280
[ 217.746248] ? exc_page_fault+0x74/0x150
[ 217.746252] ? asm_exc_page_fault+0x22/0x30
[ 217.746256] ? usb_ifnum_to_if+0x38/0x50
[ 217.746258] usb_hcd_alloc_bandwidth+0x208/0x310
[ 217.746263] ? trace_raw_output_tick_stop+0x80/0x80
[ 217.746267] usb_set_interface+0x112/0x430
[ 217.746269] ? _printk+0x48/0x50
[ 217.746273] uvc_video_start_transfer+0x1db/0x650 [uvcvideo]
Thread overview:
2024-01-21 17:18 NULL dereference on disconnection during usb_set_interface() Michał Pecio
2024-02-17 15:31 ` Greg Kroah-Hartman
2024-02-17 19:26 ` Michał Pecio [this message]
2024-02-17 19:55 ` Alan Stern
2024-02-18 0:02 ` Michał Pecio