With a flaky USB 3.0 cable (3m extension + 2m cable + 90 degree adapter) and Logitech BRIO webcam I got exactly the same null pointer dereference twice already. I'm sorry for not using vanilla kernel upfront, but I strongly doubt something as fundamental as this would be different in Xanmod kernel. Call traces are quite similar at the top, so while triggered from different places, the actual bug must be the same. Here are two instances (from different boots): [64977.148098] BUG: kernel NULL pointer dereference, address: 0000000000000000 [64977.148101] #PF: supervisor read access in kernel mode [64977.148102] #PF: error_code(0x0000) - not-present page [64977.148103] PGD 101370067 P4D 101370067 PUD 0 [64977.148105] Oops: 0000 [#1] SMP NOPTI [64977.148107] CPU: 14 PID: 27951 Comm: VideoCapture Not tainted 5.19.10-xanmod1-x64v2 #0~20220920.git017c598 [64977.148109] Hardware name: Gigabyte Technology Co., Ltd. B550 VISION D/B550 VISION D, BIOS F15d 07/20/2022 [64977.148109] RIP: 0010:usb_ifnum_to_if+0x34/0x60 [64977.148113] Code: 74 33 0f b6 4a 04 84 c9 74 33 83 e9 01 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 16 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 cc cc cc cc 31 d2 48 [64977.148114] RSP: 0018:ffffb20951407bb0 EFLAGS: 00010202 [64977.148115] RAX: ffff8cfbbc618098 RBX: ffff8ceb844cc800 RCX: 0000000000000004 [64977.148116] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8cfbbc6180c0 [64977.148117] RBP: 0000000000000000 R08: 0000000080000000 R09: ffffffff8f590de8 [64977.148117] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8cf67c70f398 [64977.148118] R13: 0000000000000000 R14: ffff8cf67c70f208 R15: ffff8ceb8123c000 [64977.148119] FS: 00007f5f51379640(0000) GS:ffff8d0a3ed80000(0000) knlGS:0000000000000000 [64977.148120] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [64977.148120] CR2: 0000000000000000 CR3: 000000023b842000 CR4: 0000000000750ee0 [64977.148121] PKRU: 55555554 [64977.148122] Call Trace: [64977.148123] <TASK> [64977.148124] usb_hcd_alloc_bandwidth+0x241/0x360 [64977.148127] usb_set_interface+0x11d/0x340 [64977.148130] uvc_video_start_transfer+0x17b/0x4b0 [uvcvideo] [64977.148134] uvc_video_start_streaming+0x6f/0xc0 [uvcvideo] [64977.148137] uvc_start_streaming+0x25/0xe0 [uvcvideo] [64977.148139] vb2_start_streaming+0x7f/0x120 [videobuf2_common] [64977.148142] vb2_core_streamon+0x53/0xb0 [videobuf2_common] [64977.148144] uvc_queue_streamon+0x22/0x40 [uvcvideo] [64977.148146] uvc_ioctl_streamon+0x33/0x50 [uvcvideo] [64977.148148] __video_do_ioctl+0x197/0x3e0 [videodev] [64977.148153] ? kernel_clone+0xfb/0x3d0 [64977.148156] video_usercopy+0x2b3/0x670 [videodev] [64977.148160] ? v4l_print_control+0x20/0x20 [videodev] [64977.148163] ? handle_mm_fault+0xcb/0x2b0 [64977.148166] v4l2_ioctl+0x44/0x50 [videodev] [64977.148169] __x64_sys_ioctl+0x8b/0xc0 [64977.148171] do_syscall_64+0x5b/0x80 [64977.148174] entry_SYSCALL_64_after_hwframe+0x63/0xcd [64977.148176] RIP: 0033:0x7f5f8c300aff [64977.148177] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [64977.148178] RSP: 002b:00007f5f51378320 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [64977.148179] RAX: ffffffffffffffda RBX: 00007f5f513783a0 RCX: 00007f5f8c300aff [64977.148180] RDX: 00007f5f513783c0 RSI: 0000000040045612 RDI: 0000000000000178 [64977.148180] RBP: 00007f5f51378630 R08: 00007f5f331b1640 R09: 00007f5f5137811f [64977.148181] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f5f513783c0 [64977.148181] R13: 00007f5d8c8eb390 R14: 00007f5d8c8eb000 R15: 0000000000000000 [64977.148182] </TASK> [64977.148183] Modules linked in: xt_nat veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc overlay nvme_fabrics binfmt_misc nls_iso8859_1 iwlmvm snd_hda_codec_hdmi sch_fq_codel intel_rapl_msr snd_hda_intel intel_rapl_common uvcvideo snd_intel_dspcfg mac80211 snd_usb_audio libarc4 videobuf2_vmalloc snd_intel_sdw_acpi edac_mce_amd videobuf2_memops snd_hda_codec snd_usbmidi_lib videobuf2_v4l2 snd_hda_core videobuf2_common snd_rawmidi nct6775_core snd_hwdep snd_seq_device videodev iwlwifi btusb hwmon_vid kvm_amd btrtl vfio_pci input_leds joydev snd_pcm btbcm mc btintel vfio_pci_core iwlmei snd_timer kvm vfio_virqfd btmtk cfg80211 irqbypass bluetooth snd ucsi_ccg cuse mei ccp typec_ucsi soundcore lp k10temp serio_raw wmi_bmof typec ecdh_generic ecc gigabyte_wmi rapl mac_hid parport msr bfq [64977.148209] ramoops reed_solomon pstore_blk pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear uas usb_storage hid_generic usbhid hid amdgpu iommu_v2 gpu_sched drm_ttm_helper ttm drm_display_helper cec rc_core drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd igb cryptd psmouse i2c_nvidia_gpu drm i2c_piix4 nvme ahci i2c_ccgx_ucsi dca xhci_pci i2c_algo_bit thunderbolt nvme_core libahci xhci_pci_renesas wmi gpio_amdpt [64977.148231] CR2: 0000000000000000 [64977.148232] ---[ end trace 0000000000000000 ]--- [64977.308559] RIP: 0010:usb_ifnum_to_if+0x34/0x60 [64977.308566] Code: 74 33 0f b6 4a 04 84 c9 74 33 83 e9 01 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 16 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 cc cc cc cc 31 d2 48 [64977.308568] RSP: 0018:ffffb20951407bb0 EFLAGS: 00010202 [64977.308570] RAX: ffff8cfbbc618098 RBX: ffff8ceb844cc800 RCX: 0000000000000004 [64977.308571] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8cfbbc6180c0 [64977.308572] RBP: 0000000000000000 R08: 0000000080000000 R09: ffffffff8f590de8 [64977.308574] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8cf67c70f398 [64977.308574] R13: 0000000000000000 R14: ffff8cf67c70f208 R15: ffff8ceb8123c000 [64977.308576] FS: 00007f5f51379640(0000) GS:ffff8d0a3ed80000(0000) knlGS:0000000000000000 [64977.308577] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [64977.308578] CR2: 0000000000000000 CR3: 000000023b842000 CR4: 0000000000750ee0 [64977.308579] PKRU: 55555554 [112221.564394] usb 10-4: USB disconnect, device number 8 [112222.544520] BUG: kernel NULL pointer dereference, address: 0000000000000000 [112222.544524] #PF: supervisor read access in kernel mode [112222.544525] #PF: error_code(0x0000) - not-present page [112222.544526] PGD 0 P4D 0 [112222.544528] Oops: 0000 [#1] SMP NOPTI [112222.544530] CPU: 9 PID: 9584 Comm: VideoCapture Not tainted 5.19.10-xanmod1-x64v2 #0~20220920.git017c598 [112222.544533] Hardware name: Gigabyte Technology Co., Ltd. B550 VISION D/B550 VISION D, BIOS F15d 07/20/2022 [112222.544533] RIP: 0010:usb_ifnum_to_if+0x34/0x60 [112222.544538] Code: 74 33 0f b6 4a 04 84 c9 74 33 83 e9 01 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 16 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 cc cc cc cc 31 d2 48 [112222.544540] RSP: 0018:ffffb3bb10eb7b70 EFLAGS: 00010206 [112222.544541] RAX: ffff91ccf8026898 RBX: ffff91ccc45b9800 RCX: 0000000000000005 [112222.544542] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff91ccf80268c8 [112222.544543] RBP: 0000000000000000 R08: 0000000080000000 R09: ffffffffaff90de8 [112222.544544] R10: 0000000000000001 R11: 0000000000000001 R12: ffff91ccdf4484f8 [112222.544544] R13: 0000000000000000 R14: ffff91ccdf448408 R15: ffff91ccdef7e000 [112222.544545] FS: 00007f8f9efae640(0000) GS:ffff91eb7ec40000(0000) knlGS:0000000000000000 [112222.544546] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [112222.544547] CR2: 0000000000000000 CR3: 0000000110eb8000 CR4: 0000000000750ee0 [112222.544548] PKRU: 55555554 [112222.544549] Call Trace: [112222.544550] <TASK> [112222.544551] usb_hcd_alloc_bandwidth+0x241/0x360 [112222.544555] usb_set_interface+0x11d/0x340 [112222.544558] uvc_video_start_transfer+0x17b/0x4b0 [uvcvideo] [112222.544563] uvc_video_start_streaming+0x6f/0xc0 [uvcvideo] [112222.544566] uvc_start_streaming+0x25/0xe0 [uvcvideo] [112222.544570] vb2_start_streaming+0x7f/0x120 [videobuf2_common] [112222.544573] vb2_core_streamon+0x53/0xb0 [videobuf2_common] [112222.544575] uvc_queue_streamon+0x22/0x40 [uvcvideo] [112222.544578] uvc_ioctl_streamon+0x33/0x50 [uvcvideo] [112222.544581] __video_do_ioctl+0x197/0x3e0 [videodev] [112222.544588] ? __do_sys_clone3+0xc2/0x100 [112222.544590] video_usercopy+0x2b3/0x670 [videodev] [112222.544596] ? v4l_print_control+0x20/0x20 [videodev] [112222.544600] ? sigprocmask+0xa0/0xd0 [112222.544602] ? sigprocmask+0xa0/0xd0 [112222.544602] ? exit_to_user_mode_prepare+0x2b/0x130 [112222.544605] ? syscall_exit_to_user_mode+0x22/0x50 [112222.544607] ? do_syscall_64+0x67/0x80 [112222.544609] v4l2_ioctl+0x44/0x50 [videodev] [112222.544613] __x64_sys_ioctl+0x8b/0xc0 [112222.544616] do_syscall_64+0x5b/0x80 [112222.544618] ? syscall_exit_to_user_mode+0x22/0x50 [112222.544619] ? exit_to_user_mode_prepare+0x2b/0x130 [112222.544620] entry_SYSCALL_64_after_hwframe+0x63/0xcd [112222.544622] RIP: 0033:0x7f8fdc256aff [112222.544624] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [112222.544625] RSP: 002b:00007f8f9efad320 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [112222.544626] RAX: ffffffffffffffda RBX: 00007f8f9efad3a0 RCX: 00007f8fdc256aff [112222.544627] RDX: 00007f8f9efad3c0 RSI: 0000000040045612 RDI: 000000000000003b [112222.544628] RBP: 00007f8f9efad630 R08: 00007f8f800c7640 R09: 00007f8f9efad11f [112222.544629] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f8f9efad3c0 [112222.544629] R13: 00007f8f267c8390 R14: 00007f8f267c8000 R15: 0000000000000000 [112222.544631] </TASK> [112222.544631] Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc overlay nvme_fabrics binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi sch_fq_codel intel_rapl_msr snd_hda_intel iwlmvm uvcvideo intel_rapl_common videobuf2_vmalloc mac80211 snd_intel_dspcfg libarc4 videobuf2_memops snd_usb_audio snd_intel_sdw_acpi videobuf2_v4l2 edac_mce_amd snd_hda_codec nct6775_core snd_usbmidi_lib btusb videobuf2_common btrtl snd_rawmidi snd_hda_core hwmon_vid videodev btbcm snd_seq_device snd_hwdep iwlwifi btintel kvm_amd snd_pcm btmtk vfio_pci joydev input_leds mc iwlmei kvm bluetooth cfg80211 snd_timer vfio_pci_core ucsi_ccg snd typec_ucsi mei ccp ecdh_generic typec soundcore serio_raw gigabyte_wmi ecc k10temp rapl wmi_bmof mac_hid vfio_virqfd irqbypass cuse lp parport msr bfq ramoops reed_solomon pstore_blk pstore_zone efi_pstore ip_tables x_tables [112222.544663] autofs4 btrfs blake2b_generic dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear uas usb_storage hid_generic usbhid amdgpu hid iommu_v2 gpu_sched drm_ttm_helper ttm drm_display_helper cec rc_core drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd igb cryptd i2c_nvidia_gpu dca psmouse drm i2c_piix4 i2c_ccgx_ucsi nvme i2c_algo_bit thunderbolt ahci xhci_pci nvme_core libahci xhci_pci_renesas wmi gpio_amdpt [112222.544683] CR2: 0000000000000000 [112222.544684] ---[ end trace 0000000000000000 ]--- [112222.711095] RIP: 0010:usb_ifnum_to_if+0x34/0x60 [112222.711101] Code: 74 33 0f b6 4a 04 84 c9 74 33 83 e9 01 48 8d 82 98 00 00 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 16 48 8b 10 <48> 8b 0a 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 cc cc cc cc 31 d2 48 [112222.711103] RSP: 0018:ffffb3bb10eb7b70 EFLAGS: 00010206 [112222.711104] RAX: ffff91ccf8026898 RBX: ffff91ccc45b9800 RCX: 0000000000000005 [112222.711105] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff91ccf80268c8 [112222.711106] RBP: 0000000000000000 R08: 0000000080000000 R09: ffffffffaff90de8 [112222.711106] R10: 0000000000000001 R11: 0000000000000001 R12: ffff91ccdf4484f8 [112222.711107] R13: 0000000000000000 R14: ffff91ccdf448408 R15: ffff91ccdef7e000 [112222.711108] FS: 00007f8f9efae640(0000) GS:ffff91eb7ec40000(0000) knlGS:0000000000000000 [112222.711109] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [112222.711109] CR2: 0000000000000000 CR3: 0000000110eb8000 CR4: 0000000000750ee0 [112222.711110] PKRU: 55555554
On Thu, Sep 29, 2022 at 06:53:46PM +0000, bugzilla-daemon@kernel.org wrote: > With a flaky USB 3.0 cable (3m extension + 2m cable + 90 degree adapter) and > Logitech BRIO webcam I got exactly the same null pointer dereference twice > already. That's really an unstable and unsupported system, sorry. If you fix your cable it should work properly, right? > Here are two instances (from different boots): > [64977.148098] BUG: kernel NULL pointer dereference, address: > 0000000000000000 > [64977.148101] #PF: supervisor read access in kernel mode > [64977.148102] #PF: error_code(0x0000) - not-present page > [64977.148103] PGD 101370067 P4D 101370067 PUD 0 > [64977.148105] Oops: 0000 [#1] SMP NOPTI > [64977.148107] CPU: 14 PID: 27951 Comm: VideoCapture Not tainted > 5.19.10-xanmod1-x64v2 #0~20220920.git017c598 What about any kernel log messages from right before this crashed? There should be some disconnect or other USB messages, right? Specifics here would be good to see. > [64977.148109] Hardware name: Gigabyte Technology Co., Ltd. B550 VISION > D/B550 > VISION D, BIOS F15d 07/20/2022 > [64977.148109] RIP: 0010:usb_ifnum_to_if+0x34/0x60 > [64977.148113] Code: 74 33 0f b6 4a 04 84 c9 74 33 83 e9 01 48 8d 82 98 00 00 > 00 48 8d bc ca a0 00 00 00 eb 09 48 83 c0 08 48 39 f8 74 16 48 8b 10 <48> 8b > 0a > 0f b6 49 02 39 f1 75 e9 48 89 d0 c3 cc cc cc cc 31 d2 48 > [64977.148114] RSP: 0018:ffffb20951407bb0 EFLAGS: 00010202 > [64977.148115] RAX: ffff8cfbbc618098 RBX: ffff8ceb844cc800 RCX: > 0000000000000004 > [64977.148116] RDX: 0000000000000000 RSI: 0000000000000001 RDI: > ffff8cfbbc6180c0 > [64977.148117] RBP: 0000000000000000 R08: 0000000080000000 R09: > ffffffff8f590de8 > [64977.148117] R10: 0000000000000001 R11: 0000000000000001 R12: > ffff8cf67c70f398 > [64977.148118] R13: 0000000000000000 R14: ffff8cf67c70f208 R15: > ffff8ceb8123c000 > [64977.148119] FS: 00007f5f51379640(0000) GS:ffff8d0a3ed80000(0000) > knlGS:0000000000000000 > [64977.148120] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [64977.148120] CR2: 0000000000000000 CR3: 000000023b842000 CR4: > 0000000000750ee0 > [64977.148121] PKRU: 55555554 > [64977.148122] Call Trace: > [64977.148123] <TASK> > [64977.148124] usb_hcd_alloc_bandwidth+0x241/0x360 > [64977.148127] usb_set_interface+0x11d/0x340 > [64977.148130] uvc_video_start_transfer+0x17b/0x4b0 [uvcvideo] This isn't good, we shouldn't crash when a device is removed, but this might be an issue with some reference counting. More log messages might help out here. thanks, greg k-h
Created attachment 301905 [details] kernel log from latest crash
> That's really an unstable and unsupported system, sorry. If you fix your > cable it should work properly, right? Yes. And I totally understand that is not supported, the only reason I posted this is because it seemed to uncover some race condition in the code that might be beneficial to fix. > What about any kernel log messages from right before this crashed? > There should be some disconnect or other USB messages, right? Specifics here would be good to see. Attached full kernel log. > This isn't good, we shouldn't crash when a device is removed, but this might be an issue with some reference counting. More log messages might help out here. Yes, that is the reason I decided to create a bug report, just hoping it is useful.
Created attachment 301906 [details] kernel log from first crash Previously uploaded file is from second log snippet, this is the first one for completeness since stack traces are slightly different there.
On Fri, Sep 30, 2022 at 11:38:46AM +0000, bugzilla-daemon@kernel.org wrote: > https://bugzilla.kernel.org/show_bug.cgi?id=216543 > > --- Comment #4 from Nazar Mokrynskyi (nazar@mokrynskyi.com) --- > Created attachment 301906 [details] > --> https://bugzilla.kernel.org/attachment.cgi?id=301906&action=edit > kernel log from first crash > > Previously uploaded file is from second log snippet, this is the first one > for > completeness since stack traces are slightly different there. The log file is full of warnings and other messages way before USB is ever involved. You might want to resolve those first. Anyway, yes, the device disconnects itself from the USB bus which is an electrical event and the video driver fails trying to send data to it, and then things blow up again. As there is a real solution for this (fix the cable), I recommend doing that first :) thanks, greg k-h
Created attachment 301908 [details] Diagnostic patch for uvcvideo driver This looks like a race in the uvcvideo driver, possibly between disconnect and video start. You might be able to trace this down more by running with the attached patch.
Created attachment 303022 [details] Kernel log with uvc-trace patch applied I'm on 6.0.2 and seemingly get this even more frequently with good cable and no extra adapters. So I patched 6.0.2 with uvc-trace above and reproduced it within a few minutes. USB seems to reset, often camera stops or freezes in the browser, but the light on the camera itself remains on. Sometimes I can enable/disable/enable camera for it to reboot, but the last time I did that in the log I got null pointer de-reference again. Please let me know if there is any other information I can provide and what could be the root cause of this annoying behavior.