Re: [Bug 1827452] Re: null pointer dereference in uvcvideo

2022-01-18 Thread John Boero
If you encounter uvc_disconnect then you may have a different issue
than I do.  I can clearly see via debugging that uvc_disconnect is
never reached.  In my case the disconnect is happening in
usb/core/hub.c:usb_disconnect. The comment on top of this function
says "This call is synchronous, and may not be used in an interrupt
context" though I can clearly see that during uvc initialization it is
being triggered by interrupt (the device disconnecting itself).  So
the disconnect comes unexpectedly via interrupt from hub, not from
uvc_video.  Maybe there are two separate issues?

https://github.com/torvalds/linux/blob/99613159ad749543621da8238acf1a122880144e/drivers/usb/core/hub.c#L2263
*pdev = NULL;

On Tue, Jan 18, 2022 at 2:50 PM Kai-Heng Feng
<1827...@bugs.launchpad.net> wrote:
>
> The issue is that uvc_disconnect() set the USB intf to NULL, but still
> kept the uvcvideo device registered, hence a NULL pointer dereference
> happens afterward.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1827452
>
> Title:
>   null pointer dereference in uvcvideo
>
> Status in linux package in Ubuntu:
>   Confirmed
>
> Bug description:
>   I have a logitech c920 webcam. When using this camera in obs-studio
>   v23.x, all of my USB devices stop working and I see the following in
>   my kernel log:
>
>   [  590.282211] usb 3-3: new high-speed USB device number 5 using xhci_hcd
>   [  592.660916] usb 3-3: New USB device found, idVendor=046d, 
> idProduct=082d, bcdDevice= 0.11
>   [  592.660922] usb 3-3: New USB device strings: Mfr=0, Product=2, 
> SerialNumber=1
>   [  592.660925] usb 3-3: Product: HD Pro Webcam C920
>   [  592.660928] usb 3-3: SerialNumber: 2EAD866F
>   [  592.664600] uvcvideo: Found UVC 1.00 device HD Pro Webcam C920 
> (046d:082d)
>   [  592.666416] uvcvideo 3-3:1.0: Entity type for entity Processing 3 was 
> not initialized!
>   [  592.666421] uvcvideo 3-3:1.0: Entity type for entity Extension 6 was not 
> initialized!
>   [  592.666425] uvcvideo 3-3:1.0: Entity type for entity Extension 12 was 
> not initialized!
>   [  592.666428] uvcvideo 3-3:1.0: Entity type for entity Camera 1 was not 
> initialized!
>   [  592.666430] uvcvideo 3-3:1.0: Entity type for entity Extension 8 was not 
> initialized!
>   [  592.666433] uvcvideo 3-3:1.0: Entity type for entity Extension 9 was not 
> initialized!
>   [  592.666436] uvcvideo 3-3:1.0: Entity type for entity Extension 10 was 
> not initialized!
>   [  592.666439] uvcvideo 3-3:1.0: Entity type for entity Extension 11 was 
> not initialized!
>   [  592.22] input: HD Pro Webcam C920 as 
> /devices/pci:00/:00:14.0/usb3/3-3/3-3:1.0/input/input23
>   [  748.490453] usb 3-3: reset high-speed USB device number 5 using xhci_hcd
>   [  938.125745] usb 3-3: USB disconnect, device number 5
>   [  943.298530] BUG: unable to handle kernel NULL pointer dereference at 
> 
>   [  943.298533] #PF error: [normal kernel read fault]
>   [  943.298534] PGD 8007ca5f3067 P4D 8007ca5f3067 PUD 0
>   [  943.298536] Oops:  [#1] SMP PTI
>   [  943.298538] CPU: 0 PID: 9442 Comm: libobs: graphic Tainted: P   
> OE 5.0.0-13-generic #14-Ubuntu
>   [  943.298539] Hardware name: Gigabyte Technology Co., Ltd. 
> Z87-HD3/Z87-HD3, BIOS F7 01/20/2014
>   [  943.298543] RIP: 0010:usb_ifnum_to_if+0x24/0x60
>   [  943.298544] Code: ff c3 0f 1f 40 00 0f 1f 44 00 00 55 48 8b 87 c0 03 00 
> 00 48 89 e5 48 85 c0 74 43 0f b6 48 04 84 c9 74 39 48 8b 90 98 00 00 00 <48> 
> 8b 3a 0f b6 7f 02 39 fe 74 2b 48 8d 90 a0 00 00 00 8d 41 ff 48
>   [  943.298545] RSP: 0018:bdae493dbab0 EFLAGS: 00010202
>   [  943.298547] RAX: a106ae527000 RBX: a1070ad0a800 RCX: 
> 0004
>   [  943.298547] RDX:  RSI: 0001 RDI: 
> a1070ad0a800
>   [  943.298548] RBP: bdae493dbab0 R08: 00027040 R09: 
> b57825b8
>   [  943.298549] R10: fba45fce4bc0 R11: 0001 R12: 
> 
>   [  943.298550] R13: a10644187b98 R14: ff92 R15: 
> a1075131a000
>   [  943.298551] FS:  7f93c40d7700() GS:a1075ea0() 
> knlGS:
>   [  943.298552] CS:  0010 DS:  ES:  CR0: 80050033
>   [  943.298553] CR2:  CR3: 0006f8a94004 CR4: 
> 001606f0
>   [  943.298553] Call Trace:
>   [  943.298557]  usb_hcd_alloc_bandwidth+0x241/0x370
>   [  943.298559]  usb_set_interface+0xfc/0x380
>   [  943.298565]  uvc_video_start_transfer+0x155/0x4b0 [uvcvideo]
>   [  943.298568]  uvc_video_start_streaming+0x7f/0xd0 [uvcvideo]
>   [  943.298570]  uvc_start_streaming+0x28/0x70 [uvcvideo]
>   [  943.298573]  vb2_start_streaming+0x6d/0x110 [videobuf2_common]
>   [  943.298575]  vb2_core_streamon+0x59/0xc0 [videobuf2_common]
>   [  943.298578]  vb2_streamon+0x18/0x30 [videobuf2_v4l2]
>   [  943.298580]  uvc_queue_streamon+0x2e/0x50 [uvcvideo]
>   [  943.298582]  

Re: [Bug 1827452] Re: null pointer dereference in uvcvideo

2022-01-18 Thread John Boero
Sorry I kept the thin USB extension cable that I used to reproduce this.  I
will try the patch in #23 over the next week or so when I can find time.  I
still don't think it will have any effect though as the issue seems to be
in usbcore.  Happy to see once and for all.

John

On Tue, Jan 18, 2022 at 5:25 AM Benjamin Burns <1827...@bugs.launchpad.net>
wrote:

> And one more tool that might help you get a more reliable repro:
> https://github.com/HexHive/USBFuzz - likely would need modification to
> target this specific problem, however. More details here:
> https://www.usenix.org/conference/usenixsecurity20/presentation/peng
>

Re: [Bug 1827452] Re: null pointer dereference in uvcvideo

2022-01-15 Thread John Boero
Sorry this only seems reproducible in a scenario with a USB switch or cable that
doesn't support enough amps for the device.  Any device or webcam which
overloads its power supply and then disconnects during UVC initialization
will disconnect itself during a critical period in the kernel where an
interrupt is not expected.  The interrupt will trigger an unexpected
disconnect and crash the USB module.  The patch was rejected for this by
the USB module maintainers.

JohnnyB

On Sat, Jan 15, 2022 at 2:55 PM Paul Menzel <1827...@bugs.launchpad.net>
wrote:

> I read at [1] about the issue.
>
> @kaihengfeng, I suggest to send the patch upstream for review even with
> no tests. Maybe there will be testers on the Linux kernel mailing list.
>
> [1]: https://etbe.coker.com.au/2022/01/09/video-conferencing-lca/
>
> Title:
>   null pointer dereference in uvcvideo
>
> Status in linux package in Ubuntu:
>   Expired

[Bug 1827452] Re: null pointer dereference in uvcvideo

2021-01-19 Thread John Boero
Sorry I've been reluctant to test it since that code block is never even
hit during the issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1827452

Title:
  null pointer dereference in uvcvideo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1827452/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-22 Thread John Boero
@kaihengfeng
The usb disconnect comes directly via interrupt. Execution doesn't hit 
uvc_disconnect and this patch has no effect. :/


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-22 Thread John Boero
Thanks I finally managed to set up the same test cable and give this
patch a go.  I still see the same error - third attempt in the trace
attached.  I'm still of the opinion that this would need to be fixed in
usbcore.

** Attachment added: "dmesg failure on 3rd attempt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1827452/+attachment/5445764/+files/dmesg.trace


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-15 Thread John Boero
Thanks I will test as soon as I get some time (weekend). I have to hook
up my shoddy tester USB cable and compile a fresh kernel but in the
meantime trying to get business wrapped up before holidays.


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-11 Thread John Boero
There it is:
https://lore.kernel.org/linux-media/CAO5W59geLtP7kHJkW=ELusAcd9==ceqhsuzznukfradtkxz...@mail.gmail.com/


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-11 Thread John Boero
Yes this was the original thread.  Alan was helpful and responsive but
in the end he suggested I contact the uvcvideo maintainers which I did
and got nowhere.

https://lore.kernel.org/linux-usb/20201123152654.gb708...@rowland.harvard.edu/#t

The 2nd patch was to uvcvideo maintainers Laurent Pinchart and
linux-me...@vger.kernel.org and isn't archived.  Maybe it never got through?


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-10 Thread John Boero
I shared the stack trace.  Was there a reply somewhere I didn't get?  Is
it on lkms?  Link?

With UVC trace on:
[  638.729455] uvcvideo: uvc_v4l2_open
[  638.824646] uvcvideo: Resuming interface 0
[  638.824648] uvcvideo: Resuming interface 1
[  638.825644] uvcvideo: uvc_v4l2_release
[  638.898089] uvcvideo: uvc_v4l2_open
[  638.925805] uvcvideo: Trying format 0x56595559 (YUYV): 1280x720.
[  638.925807] uvcvideo: Using default frame interval 10.0 us (10.0 fps).
[  638.946272] uvcvideo: Trying format 0x56595559 (YUYV): 1280x720.
[  638.946273] uvcvideo: Using default frame interval 10.0 us (10.0 fps).
[  638.946549] uvcvideo: Setting frame interval to 1/10 (100).
[  638.946825] uvcvideo: Control 0x00980927 not found.
[  638.947000] uvcvideo: Control 0x00980927 not found.
[  638.949080] uvcvideo: Device requested 2688 B/frame bandwidth.
[  638.949082] uvcvideo: Selecting alternate setting 10 (2688 B/frame 
bandwidth).
[  639.102943] uvcvideo: Allocated 5 URB buffers of 32x2688 bytes each.
[  639.205221] uvcvideo: Control 3/4 value change len 7.
[  639.357674] uvcvideo: uvc_v4l2_release
[  639.358800] uvcvideo: uvc_v4l2_open
[  639.379511] uvcvideo: Trying format 0x56595559 (YUYV): 1280x720.
[  639.379514] uvcvideo: Using default frame interval 10.0 us (10.0 fps).
[  639.466691] uvcvideo: Trying format 0x56595559 (YUYV): 1280x720.
[  639.466694] uvcvideo: Using default frame interval 10.0 us (10.0 fps).
[  639.466986] uvcvideo: Setting frame interval to 1/10 (100).
[  639.467269] uvcvideo: Control 0x00980927 not found.
[  639.467403] uvcvideo: Control 0x00980927 not found.
[  639.469801] uvcvideo: Device requested 2688 B/frame bandwidth.
[  639.469804] uvcvideo: Selecting alternate setting 10 (2688 B/frame 
bandwidth).
[  639.476133] usb 3-4: USB disconnect, device number 3
[  644.565643] BUG: kernel NULL pointer dereference, address: 
[  644.565648] #PF: supervisor read access in kernel mode
[  644.565651] #PF: error_code(0x) - not-present page
[  644.565653] PGD 0 P4D 0 
[  644.565658] Oops:  [#1] SMP PTI
[  644.565662] CPU: 34 PID: 31130 Comm: v4l2src1:src Tainted: P S OE
 5.9.8-100.fc32.x86_64 #1
[  644.565665] Hardware name: Hewlett-Packard HP Z640 Workstation/212A, BIOS 
M60 v02.54 06/12/2020
[  644.565673] RIP: 0010:usb_ifnum_to_if+0x3a/0x50
[  644.565677] Code: 34 41 0f b6 50 04 84 d2 74 2f 83 ea 01 49 8d 80 98 00 00 
00 49 8d 8c d0 a0 00 00 00 eb 09 48 83 c0 08 48 39 c8 74 12 4c 8b 00 <49> 8b 10 
0f b6 52 02 39 f2 75 e9 4c 89 c0 c3 45 31 c0 4c 89 c0 c3
[  644.565679] RSP: 0018:b41c097ffbc8 EFLAGS: 00010206
[  644.565682] RAX: 89b9783d7098 RBX:  RCX: 89b9783d70b8
[  644.565684] RDX: 0003 RSI: 0001 RDI: 89b97b55d800
[  644.565686] RBP: 89b9704db398 R08:  R09: 8fbce608
[  644.565688] R10: 00023411 R11:  R12: 89b9704db398
[  644.565690] R13: 89b97b55d800 R14: 89b97b55d800 R15: 89b9882a
[  644.565694] FS:  7f8d0bfff700() GS:89b98fc8() 
knlGS:
[  644.565696] CS:  0010 DS:  ES:  CR0: 80050033
[  644.565698] CR2:  CR3: 001df4d58004 CR4: 001706e0
[  644.565700] Call Trace:
[  644.565710]  usb_hcd_alloc_bandwidth+0x23d/0x360
[  644.565716]  usb_set_interface+0x120/0x360
[  644.565729]  uvc_video_start_transfer+0x19c/0x4f0 [uvcvideo]
[  644.565737]  uvc_video_start_streaming+0x7b/0xd0 [uvcvideo]
[  644.565743]  uvc_start_streaming+0x2d/0xf0 [uvcvideo]
[  644.565752]  vb2_start_streaming+0x63/0x100 [videobuf2_common]
[  644.565758]  vb2_core_streamon+0x54/0xb0 [videobuf2_common]
[  644.565775]  uvc_queue_streamon+0x2a/0x40 [uvcvideo]
[  644.565782]  uvc_ioctl_streamon+0x3a/0x60 [uvcvideo]
[  644.565799]  __video_do_ioctl+0x377/0x3b0 [videodev]
[  644.565808]  ? mem_cgroup_charge_statistics.constprop.0+0x21/0x50
[  644.565812]  ? __mod_memcg_lruvec_state+0x21/0xe0
[  644.565822]  video_usercopy+0x177/0x570 [videodev]
[  644.565832]  ? v4l_print_control+0x20/0x20 [videodev]
[  644.565838]  ? selinux_file_ioctl+0x122/0x1c0
[  644.565847]  v4l2_ioctl+0x48/0x50 [videodev]
[  644.565851]  __x64_sys_ioctl+0x83/0xb0
[  644.565855]  do_syscall_64+0x33/0x40
[  644.565862]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  644.565866] RIP: 0033:0x7f8d4cbc93bb
[  644.565870] Code: 0f 1e fa 48 8b 05 dd aa 0c 00 64 c7 00 26 00 00 00 48 c7 
c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d ad aa 0c 00 f7 d8 64 89 01 48
[  644.565872] RSP: 002b:7f8d0bffe8f8 EFLAGS: 0246 ORIG_RAX: 
0010
[  644.565874] RAX: ffda RBX: 7f8cfc023030 RCX: 7f8d4cbc93bb
[  644.565876] RDX: 556765a0b810 RSI: 40045612 RDI: 002e
[  644.565878] RBP: 556765a0b800 R08: 0fa9 R09: 
[  644.565880] R10: fffe R11: 0246 R12: 

[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-12-09 Thread John Boero
Hi latest on this.  I've played with about 50 custom kernel patches here
and I can see exactly what happens.  When uvcvideo looks for webcam
devices it finds a perfectly healthy idle webcam on the USB hub (even
built-in hub).  Then when it starts a stream the webcam obviously
requires more power.  I've seen this with multiple webcam vendors and a
cheap USB extension cable.

The device initializes and then disconnects when it sometimes decides it
needs more power.  It disconnects via interrupt even though the comments
in hub.c:usb_disconnect say "This call is synchronous, and may not be
used in an interrupt context."  Disconnect usually occurs during
uvc_parse_vendor_control, setting all interfaces in the device to NULL
just as usb_ifnum_to_if expects it to NOT be NULL implicitly.  In the
end an active USB HUB or better cable should fix this but IoT field
devices and small Raspberry Pi SBCs often don't have that luxury.

I've submitted two options to the kernel maintainers to fix this.  One
was rejected and one was ignored.

1) usb.c:usb_ifnum_to_if checking NULL before dereferencing interfaces,
which would fix this at the usbcore level (which is where the interrupt
actually is anyway).  This was rejected saying it should be fixed in the
driver.

2) uvc_driver.c:uvc_parse_standard_control sleep a few ms (10 or so) to
give a device time to decide if it wants to disconnect before proceeding
in usb_ifnum_to_if.  A device lock would be ideal but I'm still not sure
what the best locking strategy would be or if this is the only place it
would be required.  This inquiry to the uvcvideo maintainers was
ignored.

Sorry folks I can't seem to get much traction.  A simple patch to usb.c
preserves usbcore to avoid wiping out the whole usb subsystem during an
error but that's not the ideal fix.  I'm guessing the kernel maintainers
have heard piles of these issues already and can't/don't care for a
universal fix.

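
A userspace C model of option 1 from the 2020-12-09 message above, as an added example that is not code from the thread or from the kernel tree. The model_* names and the simplified structs are assumptions standing in for the usbcore types; the model shows the unguarded interface lookup beside one that skips slots a disconnect has already cleared.

```c
/* Added illustration: userspace model, NOT kernel source.
 * model_* types are simplified, hypothetical stand-ins for the usbcore
 * device / configuration / interface structures named in the thread. */
#include <stddef.h>
#include <stdio.h>

#define MAX_IFACES 4

struct model_altsetting { unsigned char bInterfaceNumber; };
struct model_interface  { struct model_altsetting *altsetting; };
struct model_config {
    unsigned char bNumInterfaces;
    struct model_interface *interface[MAX_IFACES];
};
struct model_device { struct model_config *actconfig; };

/* Constructed sample device with interfaces 0 and 1. */
static struct model_altsetting alts[2] = { { 0 }, { 1 } };
static struct model_interface ifaces[2] = { { &alts[0] }, { &alts[1] } };
static struct model_config cfg;
static struct model_device dev;

static struct model_device *model_plug(void)
{
    cfg.bNumInterfaces = 2;
    cfg.interface[0] = &ifaces[0];
    cfg.interface[1] = &ifaces[1];
    dev.actconfig = &cfg;
    return &dev;
}

/* Disconnect as the message describes it: every interface slot becomes
 * NULL while the interface count is left unchanged. */
static void model_disconnect(struct model_device *d)
{
    int i;
    for (i = 0; i < d->actconfig->bNumInterfaces; i++)
        d->actconfig->interface[i] = NULL;
}

/* Unguarded lookup: assumes every slot below bNumInterfaces is valid.
 * After model_disconnect() the first loop iteration reads through NULL. */
static struct model_interface *
ifnum_to_if_unguarded(const struct model_device *d, unsigned ifnum)
{
    struct model_config *config = d->actconfig;
    int i;

    if (!config)
        return NULL;
    for (i = 0; i < config->bNumInterfaces; i++)
        if (config->interface[i]->altsetting[0].bInterfaceNumber == ifnum)
            return config->interface[i];
    return NULL;
}

/* Guarded lookup (option 1): skip slots that are already NULL, so the
 * caller gets "no such interface" instead of a fault. */
static struct model_interface *
ifnum_to_if_guarded(const struct model_device *d, unsigned ifnum)
{
    struct model_config *config = d->actconfig;
    int i;

    if (!config)
        return NULL;
    for (i = 0; i < config->bNumInterfaces; i++) {
        struct model_interface *intf = config->interface[i];

        if (!intf || !intf->altsetting)
            continue;
        if (intf->altsetting[0].bInterfaceNumber == ifnum)
            return intf;
    }
    return NULL;
}

int main(void)
{
    struct model_device *d = model_plug();

    printf("before disconnect: unguarded=%p guarded=%p\n",
           (void *)ifnum_to_if_unguarded(d, 1),
           (void *)ifnum_to_if_guarded(d, 1));
    model_disconnect(d);
    /* The unguarded lookup is deliberately not called here: it would
     * dereference a NULL slot. */
    printf("after disconnect:  guarded=%p\n",
           (void *)ifnum_to_if_guarded(d, 1));
    return 0;
}
```

The guard only keeps the lookup itself from faulting; a caller that uses the returned pointer without holding a lock can still race with a disconnect that lands after the check.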

[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-11-15 Thread John Boero
Update again.
The kernel maintainers have been helpful but prefer NULL checking to be done in 
the drivers, not in the kernel.  I've explored further with some test builds 
and it turns out the NULL is actually on the dev config interfaces (usb.c:281 
current line).  During initialization the Logitech C920 sometimes 
unplugs/deactivates itself. Apparently many Logitech models do this if you 
search the issue - Windows included.  Shame to have such a great quality camera 
paired with such subpar firmware.

Anyway I'm trying to fix uvc_driver.c to verify devices are still plugged
in before calling usb_ifnum_to_if.  It won't fix webcams or devices that
unplug themselves (or get unplugged) during initialization but it will
protect the USB subsystem so you can plug it back in again.


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-11-12 Thread John Boero
Update on this.  Pretty sure I managed to find the line in the kernel
triggering this.  I've submitted a PR to the kernel USB maintainers.
Hopefully tested and merged soon.

https://github.com/torvalds/linux/commit/a40519014549f60969c8e67a2fd91426db05fe04


[Bug 1827452] Re: null pointer dereference in uvcvideo

2020-11-12 Thread John Boero
I know this is closed but I've been having this same issue for months as
well.  In fact I tried a different webcam from a different vendor and I
see the same behaviour.

Linux 5.8.18-200.fc32.x86_64 #1 SMP Mon Nov 2 19:49:11 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux

Just adding this for the record, thanks.
