Bug 219258 - vivid can be trivially crashed
Summary: vivid can be trivially crashed
Status: NEW
Alias: None
Product: v4l-dvb
Classification: Unclassified
Component: v4l-core
Hardware: All Linux
Importance: P3 blocking
Assignee: v4l-dvb_v4l-core@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-10 13:00 UTC by Artem S. Tashkinov
Modified: 2024-10-23 15:38 UTC
CC List: 1 user

See Also:
Kernel Version: 6.10.8
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Artem S. Tashkinov 2024-09-10 13:00:20 UTC
The following command results in a kernel oops followed by the vivid-000-vid-cap kernel thread consuming 100% of CPU and effectively hanging indefinitely:

ffmpeg -i /dev/video0 -f rawvideo -pixel_format yuv420p -video_size 640x360 -c:v libx264 -preset ultrafast -crf 10 /tmp/result.mkv

Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
CPU: 13 PID: 118428 Comm: ffmpeg Tainted: G           O       6.10.8-zen3 #1
Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS (WI-FI), BIOS 5013 03/22/2024
RIP: 0010:vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
Code: 00 8b 83 08 5e 00 00 31 d2 f7 f1 89 c1 8b 83 68 60 00 00 44 89 da 4c 8d 62 04 0f af c1 41 0f b6 4c 15 09 31 d2 43 8b 74 a5 04 <f7> f1 8d 14 30 45 39 cb 72 36 48 85 d2 0f 85 b3 00 00 00 49 83 c2
RSP: 0018:ffffb0b1c7fb7bc8 EFLAGS: 00010246
RAX: 0000000000054600 RBX: ffff990c76228000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000101 RDI: ffff990c6dfb0474
RBP: ffffb0b1c7fb7be8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: ffffffffc1c26800 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f7c60cb7a80(0000) GS:ffff99192f140000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000376f9178 CR3: 0000000147d38000 CR4: 0000000000b50ef0
Call Trace:
 <TASK>
 ? show_regs.part.0+0x1d/0x30
 ? __die+0x52/0x95
 ? die+0x2a/0x50
 ? do_trap+0x10e/0x120
 ? do_error_trap+0x69/0x90
 ? vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
 ? exc_divide_error+0x37/0x50
 ? vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
 ? asm_exc_divide_error+0x1b/0x20
 ? vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
 __buf_prepare+0x179/0x1c0 [videobuf2_common]
 vb2_core_qbuf+0x329/0x4c0 [videobuf2_common]
 vb2_qbuf+0x87/0xf0 [videobuf2_v4l2]
 ? __smp_call_single_queue+0x49/0x60
 vb2_ioctl_qbuf+0x4e/0x60 [videobuf2_v4l2]
 v4l_qbuf+0x3b/0x50 [videodev]
 __video_do_ioctl+0x461/0x490 [videodev]
 ? futex_wake+0x155/0x170
 video_usercopy+0x316/0x6c0 [videodev]
 ? v4l_s_output+0x60/0x60 [videodev]
 video_ioctl2+0x10/0x20 [videodev]
 v4l2_ioctl+0x4b/0x60 [videodev]
 __x64_sys_ioctl+0x96/0xd0
 x64_sys_call+0xea5/0x1cf0
 do_syscall_64+0x79/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f7c64d25f2d
Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
RSP: 002b:00007ffdd6df3aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000374834c0 RCX: 00007f7c64d25f2d
RDX: 00007ffdd6df3b40 RSI: 00000000c058560f RDI: 0000000000000003
RBP: 00007ffdd6df3af0 R08: 000000003744f010 R09: 0000000000000007
R10: 00007f7c50002540 R11: 0000000000000246 R12: 0000000037488ca0
R13: 0000000037484380 R14: 0000000037484680 R15: 0000000037485f00
 </TASK>
Modules linked in: vivid videobuf2_dma_contig v4l2_tpg v4l2_dv_timings videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common mc uinput tun rfcomm snd_hrtimer nvidia_uvm(O) input_leds msr hid_generic usbhid hid cmac algif_hash algif_skcipher af_alg bnep vboxnetadp(O) vboxnetflt(O) nf_log_syslog btusb btintel nft_limit btbcm bluetooth nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink_log nft_log vboxdrv(O) nf_tables libcrc32c nct6775 nct6775_core hwmon_vid ntfs3 nvidia_drm(O) nvidia_modeset(O) snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component iwlmvm ptp pps_core led_class snd_hda_codec_hdmi mac80211 libarc4 kvm_amd snd_hda_intel kvm snd_intel_dspcfg crct10dif_pclmul snd_hda_codec crc32_pclmul snd_hwdep crc32c_intel polyval_clmulni snd_hda_core nvidia(O) wmi_bmof snd_seq polyval_generic gf128mul sha512_ssse3 sha512_generic snd_seq_device r8169 iwlwifi realtek sha256_ssse3 sha1_ssse3 aesni_intel snd_pcm mdio_devres crypto_simd cfg80211 sr_mod cryptd snd_timer
 ccp pcspkr efi_pstore cdrom k10temp backlight libphy snd rfkill sha1_generic xhci_pci i2c_piix4 xhci_hcd 8250 wmi 8250_base serial_base tpm_crb tpm_tis tpm_tis_core evdev fuse dm_mod nfnetlink efivarfs tpm libaescfb ecdh_generic ecc rng_core ipv6
---[ end trace 0000000000000000 ]---
clocksource: Long readout interval, skipping watchdog check: cs_nsec: 2141191761 wd_nsec: 2141191268
RIP: 0010:vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
Code: 00 8b 83 08 5e 00 00 31 d2 f7 f1 89 c1 8b 83 68 60 00 00 44 89 da 4c 8d 62 04 0f af c1 41 0f b6 4c 15 09 31 d2 43 8b 74 a5 04 <f7> f1 8d 14 30 45 39 cb 72 36 48 85 d2 0f 85 b3 00 00 00 49 83 c2
RSP: 0018:ffffb0b1c7fb7bc8 EFLAGS: 00010246
RAX: 0000000000054600 RBX: ffff990c76228000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000101 RDI: ffff990c6dfb0474
RBP: ffffb0b1c7fb7be8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: ffffffffc1c26800 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f7c60cb7a80(0000) GS:ffff99192ef40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71d462fdd0 CR3: 0000000147d38000 CR4: 0000000000b50ef0
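The oops above already contains everything needed to confirm what kind of divide error this is: the `Code:` line marks the faulting instruction with `<f7>`, and the register dump gives the operand values at that moment. The following triage script is an added example and is not part of the report or of the vivid driver; it decodes the `F7 /6` (`div`) or `F7 /7` (`idiv`) register form at the marked byte, maps the divisor register onto the dump, and reports whether the divisor was zero (a nonzero divisor would instead mean quotient overflow). The sample input is constructed from the first lines of the 6.10.8 oops quoted above; function names are this example's own.

```python
import re

# Constructed sample: the leading lines of the oops quoted in this report.
SAMPLE_OOPS = """\
Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
CPU: 13 PID: 118428 Comm: ffmpeg Tainted: G           O       6.10.8-zen3 #1
RIP: 0010:vid_cap_buf_prepare+0x9f/0x1a0 [vivid]
Code: 00 8b 83 08 5e 00 00 31 d2 f7 f1 89 c1 8b 83 68 60 00 00 44 89 da 4c 8d 62 04 0f af c1 41 0f b6 4c 15 09 31 d2 43 8b 74 a5 04 <f7> f1 8d 14 30 45 39 cb 72 36 48 85 d2 0f 85 b3 00 00 00 49 83 c2
RSP: 0018:ffffb0b1c7fb7bc8 EFLAGS: 00010246
RAX: 0000000000054600 RBX: ffff990c76228000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000101 RDI: ffff990c6dfb0474
"""

KIND_RE = re.compile(r"^Oops: (.+?):", re.M)
RIP_RE = re.compile(
    r"^RIP: \w+:(?P<sym>[\w.]+)\+(?P<off>0x[0-9a-f]+)/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?", re.M)
CODE_RE = re.compile(r"^Code: (.*)$", re.M)
REG_RE = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R0[89]|R1[0-5]): ([0-9a-f]{16})\b")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_oops(text):
    """Extract fault kind, faulting symbol, Code: bytes and the kernel register dump."""
    rip = RIP_RE.search(text)
    code_m = CODE_RE.search(text)
    if not rip or not code_m:
        raise ValueError("not an x86-64 oops with RIP and Code lines")
    tokens = code_m.group(1).split()
    # The byte wrapped in <> is the one RIP pointed at when the trap fired.
    fault = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    code = [int(t.strip("<>"), 16) for t in tokens]
    regs = {}
    for name, val in REG_RE.findall(text):
        regs.setdefault(name, int(val, 16))  # keep the kernel dump, not the later user one
    kind = KIND_RE.search(text)
    return {"kind": kind.group(1) if kind else None, "symbol": rip.group("sym"),
            "offset": rip.group("off"), "module": rip.group("mod"),
            "code": code, "fault": fault, "regs": regs}


def decode_div(code, idx):
    """Decode DIV/IDIV r/m32|64 with a register operand starting at code[idx].

    Returns (mnemonic, register, width) or None if the bytes are not that form.
    """
    rex, opcode_idx = 0, idx
    if 0x40 <= code[idx] <= 0x4F:          # optional REX prefix precedes the opcode
        rex, opcode_idx = code[idx], idx + 1
    if code[opcode_idx] != 0xF7:
        return None
    modrm = code[opcode_idx + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3 or reg not in (6, 7):      # /6 = DIV, /7 = IDIV, mod 11 = register operand
        return None
    wide = bool(rex & 0x08)                # REX.W selects the 64-bit operand size
    rm |= (rex & 0x01) << 3                # REX.B extends the r/m field to r8..r15
    if rm >= 8:
        name = f"r{rm}" + ("" if wide else "d")
    else:
        name = (REG64 if wide else REG32)[rm]
    return ("div" if reg == 6 else "idiv", name, 64 if wide else 32)


def dump_name(reg):
    """Map an operand register name (ecx, rcx, r10d) onto its register-dump label (RCX, R10)."""
    m = re.fullmatch(r"r(\d+)d?", reg)
    if m:
        return f"R{int(m.group(1)):02d}"
    return "R" + reg[1:].upper()


def triage(text):
    """Classify a divide-error oops: which instruction faulted and whether the divisor was zero."""
    info = parse_oops(text)
    result = {"kind": info["kind"], "symbol": info["symbol"], "offset": info["offset"],
              "module": info["module"], "instruction": None, "divisor": None,
              "divisor_value": None, "divide_by_zero": False}
    decoded = decode_div(info["code"], info["fault"])
    if decoded is None:
        return result
    mnemonic, reg, width = decoded
    label = dump_name(reg)
    value = info["regs"].get(label)
    if value is not None and width == 32:
        value &= 0xFFFFFFFF                # a 32-bit div only looks at the low half
    result.update(instruction=f"{mnemonic} {reg}", divisor=label,
                  divisor_value=value, divide_by_zero=(value == 0))
    return result


if __name__ == "__main__":
    for key, val in triage(SAMPLE_OOPS).items():
        print(f"{key}: {val}")
```

Run against the report's own lines this yields `div ecx` with `RCX` equal to zero, i.e. a genuine division by zero at `vid_cap_buf_prepare+0x9f` in the `vivid` module, which is the fact a maintainer needs before looking at which field in the driver's state ended up as the divisor. The same script works on the 6.11 trace later in this report, since its `Code:` bytes around the marker are identical.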
Comment 1 Artem S. Tashkinov 2024-09-10 13:02:41 UTC
Any process trying to open /dev/video0 freezes and cannot be killed.

rmmod -f vivid freezes and cannot be killed.
Comment 2 Artem S. Tashkinov 2024-09-10 13:03:36 UTC
rmmod -f vivid
rmmod: ERROR: libkmod/libkmod-module.c:856 kmod_module_remove_module() could not remove 'vivid': Device or resource busy
rmmod: ERROR: could not remove module vivid: Device or resource busy
Comment 3 Artem S. Tashkinov 2024-09-29 13:16:11 UTC
6.11 no changes:

mc: Linux media interface: v0.10
videodev: Linux video capture interface: v2.00
vivid-000: using single planar format API
vivid-000: V4L2 capture device registered as video0
vivid-000: V4L2 output device registered as video1
vivid-000: V4L2 capture device registered as vbi0, supports raw and sliced VBI
vivid-000: V4L2 output device registered as vbi1, supports raw and sliced VBI
vivid-000: V4L2 capture device registered as swradio0
vivid-000: V4L2 receiver device registered as radio0
vivid-000: V4L2 transmitter device registered as radio1
vivid-000: V4L2 metadata capture device registered as video2
vivid-000: V4L2 metadata output device registered as video3
vivid-000: V4L2 touch capture device registered as v4l-touch0
Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 UID: 0 PID: 87751 Comm: ffmpeg Tainted: G           O       6.11.0-zen3 #1
Tainted: [O]=OOT_MODULE
Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS (WI-FI), BIOS 5013 03/22/2024
RIP: 0010:vid_cap_buf_prepare+0x9f/0x190 [vivid]
Code: 00 8b 83 08 64 00 00 31 d2 f7 f1 89 c1 8b 83 68 66 00 00 44 89 da 4c 8d 62 04 0f af c1 41 0f b6 4c 15 09 31 d2 43 8b 74 a5 04 <f7> f1 8d 14 30 45 39 cb 72 36 48 85 d2 0f 85 a3 00 00 00 49 83 c2
RSP: 0018:ffffb1b946ba3b48 EFLAGS: 00010246
RAX: 0000000000054600 RBX: ffff9698031d8000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: ffff9696d889c474
RBP: ffffb1b946ba3b68 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: ffffffffc1a50c00 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f65a910ba80(0000) GS:ffff96a5eeec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003973a038 CR3: 0000000129388000 CR4: 0000000000b50ef0
Call Trace:
 <TASK>
 ? show_regs.part.0+0x1d/0x30
 ? __die+0x52/0x95
 ? die+0x2a/0x50
 ? do_trap+0x10e/0x120
 ? do_error_trap+0x69/0x90
 ? vid_cap_buf_prepare+0x9f/0x190 [vivid]
 ? exc_divide_error+0x37/0x50
 ? vid_cap_buf_prepare+0x9f/0x190 [vivid]
 ? asm_exc_divide_error+0x1b/0x20
 ? vid_cap_buf_prepare+0x9f/0x190 [vivid]
 __buf_prepare+0x179/0x1c0 [videobuf2_common]
 vb2_core_qbuf+0x329/0x4c0 [videobuf2_common]
 vb2_qbuf+0x87/0xf0 [videobuf2_v4l2]
 vb2_ioctl_qbuf+0x4e/0x60 [videobuf2_v4l2]
 v4l_qbuf+0x3b/0x50 [videodev]
 __video_do_ioctl+0x461/0x490 [videodev]
 ? do_futex+0x121/0x190
 video_usercopy+0x318/0x6c0 [videodev]
 ? v4l_s_output+0x60/0x60 [videodev]
 video_ioctl2+0x10/0x20 [videodev]
 v4l2_ioctl+0x4b/0x60 [videodev]
 __x64_sys_ioctl+0x96/0xd0
 x64_sys_call+0x10b6/0x1d10
 do_syscall_64+0x79/0x150
 ? __count_memcg_events+0x57/0xf0
 ? handle_mm_fault+0x154/0x240
 ? syscall_exit_to_user_mode+0x11/0x1c0
 ? do_syscall_64+0x85/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f65aab25f2d
Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
RSP: 002b:00007ffcd21b6910 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000394c44c0 RCX: 00007f65aab25f2d
RDX: 00007ffcd21b69b0 RSI: 00000000c058560f RDI: 0000000000000003
RBP: 00007ffcd21b6960 R08: 0000000039490010 R09: 0000000000000007
R10: 00007f65980024c0 R11: 0000000000000246 R12: 00000000394c9ca0
R13: 00000000394c5380 R14: 00000000394c5680 R15: 00000000394c6f00
 </TASK>
Modules linked in: vivid videobuf2_dma_contig v4l2_tpg v4l2_dv_timings videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common mc uinput tun rfcomm snd_hrtimer nvidia_uvm(O) cmac algif_hash algif_skcipher af_alg input_leds msr hid_generic usbhid hid bnep vboxnetadp(O) vboxnetflt(O) nf_log_syslog nft_limit btusb btintel btbcm bluetooth nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink_log nft_log vboxdrv(O) nf_tables libcrc32c nct6775 nct6775_core hwmon_vid ntfs3 nvidia_drm(O) nvidia_modeset(O) iwlmvm ptp pps_core mac80211 libarc4 snd_hda_codec_realtek kvm_amd snd_hda_codec_generic snd_hda_scodec_component led_class snd_hda_codec_hdmi ee1004 kvm crct10dif_pclmul crc32_pclmul crc32c_intel snd_hda_intel snd_intel_dspcfg polyval_clmulni wmi_bmof polyval_generic snd_hda_codec sha512_ssse3 nvidia(O) snd_hwdep sha512_generic snd_hda_core sha256_ssse3 iwlwifi sr_mod snd_seq snd_seq_device cdrom snd_pcm sha1_ssse3 r8169 aesni_intel cfg80211 gf128mul snd_timer crypto_simd ccp efi_pstore
 realtek xhci_pci cryptd pcspkr k10temp rfkill backlight snd i2c_piix4 sha1_generic mdio_devres xhci_hcd libphy wmi 8250 8250_base tpm_crb serial_base tpm_tis tpm_tis_core evdev fuse dm_mod nfnetlink efivarfs tpm libaescfb ecdh_generic ecc rng_core ipv6
---[ end trace 0000000000000000 ]---
pstore: backend (efi_pstore) writing error (-28)
RIP: 0010:vid_cap_buf_prepare+0x9f/0x190 [vivid]
Code: 00 8b 83 08 64 00 00 31 d2 f7 f1 89 c1 8b 83 68 66 00 00 44 89 da 4c 8d 62 04 0f af c1 41 0f b6 4c 15 09 31 d2 43 8b 74 a5 04 <f7> f1 8d 14 30 45 39 cb 72 36 48 85 d2 0f 85 a3 00 00 00 49 83 c2
RSP: 0018:ffffb1b946ba3b48 EFLAGS: 00010246
RAX: 0000000000054600 RBX: ffff9698031d8000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000100 RDI: ffff9696d889c474
RBP: ffffb1b946ba3b68 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: ffffffffc1a50c00 R14: 0000000000000003 R15: 0000000000000000
FS:  00007f65a910ba80(0000) GS:ffff96a5eeec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003973a038 CR3: 0000000129388000 CR4: 0000000000b50ef0
Comment 4 Artem S. Tashkinov 2024-10-23 15:37:47 UTC
This is reproducible in 6.11.5 as well.
Comment 5 Artem S. Tashkinov 2024-10-23 15:38:33 UTC
Hans,

Could you take a look please?
