Hi,

I encountered an interesting race. This USB camera appears to have got stuck and dropped by the bus during video stream initialization, leading to an oops.

This is a one time occurrence, not reproducible. Maybe not a very severe issue due to narrow window of opportunity, but still...

Linux v6.7, the host is XHCI.

The first message below comes from uvc_video_start_transfer(). It is meant to be followed immediately by a call to usb_set_interface() and apparently during this call things went weird. After a half second delay the device was disconnected and another five seconds later a NULL pointer dereference occurred.

The crashing function is usb_ifnum_to_if() and disassembly suggests that the dereferenced NULL value was config->interface[i], for unknown i.

Thanks,
Michal

[ 7079.664238] usb 9-2: Selecting alternate setting 9 (20480 B/frame bandwidth)
[ 7080.202494] usb 9-2: USB disconnect, device number 2
[ 7085.158804] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 7085.158814] #PF: supervisor read access in kernel mode
[ 7085.158816] #PF: error_code(0x0000) - not-present page
[ 7085.158818] PGD 0 P4D 0
[ 7085.158822] Oops: 0000 [#1] PREEMPT SMP
[ 7085.158825] CPU: 0 PID: 12833 Comm: yavta Not tainted 6.7.0 #3
[ 7085.158829] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD MS-7596/760GM -E51 (MS-7596), BIOS V1.10 02/28/2011
[ 7085.158832] RIP: 0010:usb_ifnum_to_if+0x38/0x50
[ 7085.158839] Code: d2 74 32 0f b6 4a 04 84 c9 74 2e ff c9 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 12 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 31 d2 48 89 d0 c3 0f
[ 7085.158842] RSP: 0018:ffffc90000d1fba0 EFLAGS: 00010202
[ 7085.158845] RAX: ffff88812deb5898 RBX: ffff88812d78e000 RCX: 0000000000000002
[ 7085.158847] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88812deb58b0
[ 7085.158849] RBP: 0000000000000000 R08: ffffffff826dad88 R09: ffffffff826dad88
[ 7085.158850] R10: 0000000000000400 R11: 0000000000000000 R12: ffff88812ddfd570
[ 7085.158852] R13: 00000000ffffff92 R14: ffff88812ddfd408 R15: ffff88812ddb7000
[ 7085.158854] FS: 00007f4d672ab740(0000) GS:ffff88820fe00000(0000) knlGS:0000000000000000
[ 7085.158856] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7085.158858] CR2: 0000000000000000 CR3: 000000014c0f5000 CR4: 00000000000006f0
[ 7085.158860] Call Trace:
[ 7085.158863] <TASK>
[ 7085.158867] ? __die+0x2d/0x80
[ 7085.158870] ? page_fault_oops+0x15d/0x420
[ 7085.158874] ? fixup_exception+0x36/0x280
[ 7085.158879] ? exc_page_fault+0x74/0x150
[ 7085.158882] ? asm_exc_page_fault+0x22/0x30
[ 7085.158887] ? usb_ifnum_to_if+0x38/0x50
[ 7085.158890] usb_hcd_alloc_bandwidth+0x208/0x310
[ 7085.158895] usb_set_interface+0x128/0x400
[ 7085.158899] uvc_video_start_transfer+0x1c4/0x600 [uvcvideo]
[ 7085.158908] uvc_video_start_streaming+0x79/0xc0 [uvcvideo]
[ 7085.158914] uvc_start_streaming+0x41/0x100 [uvcvideo]
[ 7085.158922] vb2_start_streaming+0x60/0x120 [videobuf2_common]
[ 7085.158928] vb2_core_streamon+0xc2/0x160 [videobuf2_common]
[ 7085.158934] uvc_queue_streamon+0x35/0x60 [uvcvideo]
[ 7085.158940] uvc_ioctl_streamon+0x46/0x70 [uvcvideo]
[ 7085.158947] __video_do_ioctl+0x38a/0x460 [videodev]
[ 7085.158957] video_usercopy+0x26c/0x720 [videodev]
[ 7085.158965] ? v4l_prepare_buf+0x80/0x80 [videodev]
[ 7085.158974] v4l2_ioctl+0x45/0x50 [videodev]
[ 7085.158982] __x64_sys_ioctl+0xae/0xd0
[ 7085.158987] ? exit_to_user_mode_prepare+0x7a/0x120
[ 7085.158991] do_syscall_64+0x2c/0xd0
[ 7085.158994] entry_SYSCALL_64_after_hwframe+0x46/0x4e
[ 7085.158998] RIP: 0033:0x7f4d673ba3af
[ 7085.159002] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 7085.159004] RSP: 002b:00007ffeecff6480 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 7085.159007] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4d673ba3af
[ 7085.159009] RDX: 00007ffeecff64e4 RSI: 0000000040045612 RDI: 0000000000000003
[ 7085.159010] RBP: 0000000000000001 R08: 0000000000000078 R09: 000055eca2bc36b0
[ 7085.159012] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffeecff6640
[ 7085.159014] R13: 000055eca2bc3a68 R14: 00000000003a9800 R15: 00000000003a9800
[ 7085.159017] </TASK>
[ 7085.159018] Modules linked in: xhci_pci xhci_hcd uvcvideo ccm uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common ext2 ath5k mac80211 libarc4 ath serio_raw cfg80211 snd_pcsp dm_mod nfnetlink ip_tables x_tables [last unloaded: xhci_hcd]
[ 7085.159036] CR2: 0000000000000000
[ 7085.159038] ---[ end trace 0000000000000000 ]---

Disassembly:

0000000000000380 <usb_ifnum_to_if>:
 380:   e8 00 00 00 00          call   385 <usb_ifnum_to_if+0x5>
 385:   48 8b 97 a8 03 00 00    mov    0x3a8(%rdi),%rdx
 38c:   48 85 d2                test   %rdx,%rdx
 38f:   74 32                   je     3c3 <usb_ifnum_to_if+0x43>
 391:   0f b6 4a 04             movzbl 0x4(%rdx),%ecx
 395:   84 c9                   test   %cl,%cl
 397:   74 2e                   je     3c7 <usb_ifnum_to_if+0x47>
 399:   ff c9                   dec    %ecx
 39b:   48 8d 82 98 00 00 00    lea    0x98(%rdx),%rax
 3a2:   48 8d bc ca a0 00 00    lea    0xa0(%rdx,%rcx,8),%rdi
 3a9:   00
 3aa:   eb 09                   jmp    3b5 <usb_ifnum_to_if+0x35>
 3ac:   48 83 c0 08             add    $0x8,%rax
 3b0:   48 39 f8                cmp    %rdi,%rax
 3b3:   74 12                   je     3c7 <usb_ifnum_to_if+0x47>
 3b5:   48 8b 10                mov    (%rax),%rdx
 3b8:   48 8b 0a                mov    (%rdx),%rcx
 3bb:   0f b6 49 02             movzbl 0x2(%rcx),%ecx
 3bf:   39 f1                   cmp    %esi,%ecx
 3c1:   75 e9                   jne    3ac <usb_ifnum_to_if+0x2c>
 3c3:   48 89 d0                mov    %rdx,%rax
 3c6:   c3                      ret
 3c7:   31 d2                   xor    %edx,%edx
 3c9:   48 89 d0                mov    %rdx,%rax
 3cc:   c3                      ret
 3cd:   0f 1f 00                nopl   (%rax)
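
An added worked example, not part of the original report: a short Python script that takes the RIP and register lines from the oops above plus the relevant instructions from the posted disassembly, identifies the faulting instruction, and uses rax/rdi to see how far the array walk had got. The function names parse_oops and analyse are made up for this illustration; every value is copied from the report.

```python
import re

# Lines copied from the oops in the report above (timestamps dropped).
OOPS = """\
RIP: 0010:usb_ifnum_to_if+0x38/0x50
RAX: ffff88812deb5898 RBX: ffff88812d78e000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88812deb58b0
"""

FUNC_START = 0x380  # address of usb_ifnum_to_if in the posted listing
# Instructions from the posted listing that matter for the fault.
LISTING = {
    0x39B: "lea 0x98(%rdx),%rax",         # rax = address of first array slot
    0x3A2: "lea 0xa0(%rdx,%rcx,8),%rdi",  # rdi = one past the last slot
    0x3B5: "mov (%rax),%rdx",             # rdx = pointer stored in the slot
    0x3B8: "mov (%rdx),%rcx",             # first dereference of that pointer
}
SLOT = 8  # array stride, from the loop step "add $0x8,%rax"


def parse_oops(text):
    """Return (symbol, offset into symbol, {register: value})."""
    sym, off = re.search(r"RIP: \w+:(\w+)\+0x([0-9a-f]+)/", text).groups()
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text)}
    return sym, int(off, 16), regs


def analyse(text):
    """Map the fault to an instruction and measure the loop position."""
    sym, off, regs = parse_oops(text)
    return {
        "function": sym,
        "faulting_insn": LISTING[FUNC_START + off],
        # The faulting load goes through rdx, so rdx == 0 is the NULL pointer.
        "null_pointer_loaded": regs["RDX"] == 0,
        # rax is the current slot and rdi the end of the array: the distance
        # is the number of slots not yet passed, including the faulting one.
        "slots_remaining": (regs["RDI"] - regs["RAX"]) // SLOT,
        # esi is compared against each entry, so it is the number searched for.
        "ifnum_searched": regs["RSI"],
    }


if __name__ == "__main__":
    for key, value in analyse(OOPS).items():
        print(f"{key}: {value}")
```

With three slots remaining, the NULL entry sat at index n - 3, where n is the loop count read at 0x391. The absolute index cannot be recovered from these registers alone, because the base pointer in rdx had already been overwritten by the load at 0x3b5.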