Hi Greg,

> There are a number of known-race-conditions in the v4l interface that
> can happen when devices go away and userspace is still holding a
> reference on the character device node.

I wrote to linux-usb because I think this particular crash is a bug in
the USB subsystem - namely, usb_set_interface() appears to crash when
the device is disconnected during its execution.

Indeed, today I came up with an artificial way to reproduce this crash.
I added msleep(1000) right before the call to usb_hcd_alloc_bandwidth()
in usb_set_interface() and pulled the USB plug when it slept. (BTW,
previously the device was not physically disconnected, it looks like the
host controller dropped it due to I/O errors).

Anyway, here's my new crash log:

# this is what normal execution looks like, nothing special happens yet
[ 210.644611] usb_set_interface called from uvc_video_start_transfer
[ 210.644615] sleeping before usb_hcd_alloc_bandwidth
[ 211.668754] usb_set_interface returned

# and now I will disconnect the device during the sleep
[ 216.700611] usb_set_interface called from uvc_video_start_transfer
[ 216.700616] sleeping before usb_hcd_alloc_bandwidth
[ 217.144340] usb 12-1.3: USB disconnect, device number 3
[ 217.746182] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 217.746190] #PF: supervisor read access in kernel mode
[ 217.746192] #PF: error_code(0x0000) - not-present page
[ 217.746195] PGD 0 P4D 0
[ 217.746197] Oops: 0000 [#1] PREEMPT SMP
[ 217.746200] CPU: 0 PID: 815 Comm: yavta Not tainted 6.7.0 #4
[ 217.746204] Hardware name: System manufacturer System Product Name/M4A88TD-M EVO, BIOS 1801 08/09/2012
[ 217.746206] RIP: 0010:usb_ifnum_to_if+0x38/0x50
[ 217.746212] Code: d2 74 32 0f b6 4a 04 84 c9 74 2e ff c9 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 12 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 31 d2 48 89 d0 c3 0f
[ 217.746215] RSP: 0018:ffffc90000b07b90 EFLAGS: 00010206
[ 217.746217] RAX: ffff8880031ac498 RBX: ffff888003144800 RCX: 0000000000000003
[ 217.746219] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8880031ac4b8
[ 217.746221] RBP: 0000000000000000 R08: 0000000000000400 R09: 0000000000000000
[ 217.746223] R10: 0000000000000000 R11: 00000000000003ad R12: ffff8880031acde8
[ 217.746224] R13: 0000000000000000 R14: ffff8880031acc08 R15: ffff888102ca4000
[ 217.746226] FS: 00007f8455cf2740(0000) GS:ffff88811bc00000(0000) knlGS:0000000000000000
[ 217.746228] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 217.746230] CR2: 0000000000000000 CR3: 000000011af26000 CR4: 00000000000006f0
[ 217.746231] Call Trace:
[ 217.746234] <TASK>
[ 217.746237] ? __die+0x2d/0x80
[ 217.746240] ? page_fault_oops+0x15d/0x420
[ 217.746244] ? fixup_exception+0x36/0x280
[ 217.746248] ? exc_page_fault+0x74/0x150
[ 217.746252] ? asm_exc_page_fault+0x22/0x30
[ 217.746256] ? usb_ifnum_to_if+0x38/0x50
[ 217.746258] usb_hcd_alloc_bandwidth+0x208/0x310
[ 217.746263] ? trace_raw_output_tick_stop+0x80/0x80
[ 217.746267] usb_set_interface+0x112/0x430
[ 217.746269] ? _printk+0x48/0x50
[ 217.746273] uvc_video_start_transfer+0x1db/0x650 [uvcvideo]