lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.20.13.2106021750190.20351@monopod.intra.ispras.ru>
Date:   Wed, 2 Jun 2021 18:09:43 +0300 (MSK)
From:   Alexander Monakov <amonakov@...ras.ru>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Kernel oops when unplugging UVC webcam

Hello!

My laptop has a "hardwired" button that disconnects its webcam from USB.
I've noticed the following kernel NULL pointer dereference when unplugging
the webcam that way while an application is grabbing frames:

usb 1-1.4: USB disconnect, device number 3
uvcvideo 1-1.4:1.1: Failed to resubmit video URB (-19).
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: 0000 [#1] SMP
CPU: 4 PID: 3335 Comm: mpv/demux Not tainted 5.12.2 #73
Hardware name: Micro-Star International Co., Ltd. GE60 0NC/MS-16GA, BIOS E16GAIMS.105 03/28/2012
RIP: 0010:usb_ifnum_to_if+0x35/0x50
Code: [snip]
[snip registers]
Call Trace:
 usb_set_interface+0x2c/0x280
 uvc_video_stop_streaming+0x2f/0x80
 uvc_stop_streaming+0x16/0x40
 __vb2_queue_cancel+0x23/0x1e0
 vb2_core_queue_release+0x1a/0x40
 uvc_queue_release+0x1d/0x30
 uvc_v4l2_release+0x9d/0xd0
 v4l2_release+0xaa/0xb0
 __fput+0x84/0x220
 task_work_run+0x57/0x90
 exit_to_user_mode_prepare+0x100/0x110
 syscall_exit_to_user_mode+0x1d/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae


This does not seem to be reproducible, so perhaps a race is involved.
Complete dmesg is attached.

Thanks.
Alexander
View attachment "dmesg" of type "text/plain" (64809 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ