Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1279978pxb; Fri, 13 Nov 2020 08:37:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJwr00/qvU6BWTAV8NzHT/Tv1YWgT18r4XDfK/kVSL1rf23I/2h9zQ3ED8/B9Cyzjuxqm/rk X-Received: by 2002:a17:906:26c7:: with SMTP id u7mr2786615ejc.96.1605285450768; Fri, 13 Nov 2020 08:37:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605285450; cv=none; d=google.com; s=arc-20160816; b=VAP9hKD6m6lFHTUFlGaPQLyK7R//WMf/cvv4BUsIJH7XXn/U06LbQ8L6YzfTpJc81a Jbn3w031h9YSP23zPl1rPi6ewGD1oePSm8W/TOnDZY8eHu5eco3moFg5YZaS0TAMOX+A YqOb+4gWTDUNYbH6wBSAHZ7BNEUdRCpbycZK+RXd0IzyWZ1EoTM5XYZceMYtzjNIa+vO v2qLtlTolNPA8p94N/nv5pYvVfEJJsQOoN6c4++rYXlJIWZqLlZQoKRiG2yZwqYENL6M zJL2/jeosN2wHuiQFu2b+nJpuv1f/v+CkEVcB8tXgjK86v+7/armk5FpUEfsyP3Xz2Dz SDyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=g1QRu/wETh9xbP2rRsf2g14c2z/NhBbyaR/306tySzs=; b=PR8fAdKKfaMV1smhS5AIqC7QeMlqxVh1jlnBL5giCDAhVXLeU9DxbiIhMK6ioZM+JV feqRAtcZdsYUh9b/FNitVRwp0K1PtSSd0kNq3mTwouj7z1nGNsRH+jHYC+4dM/js1Vxo uATOjAPswHdurA/24cck2r9n6zjXlXyYfyMzurVUsf7ao7fLh3Sh57+Zw4VVZi7EEHFG 1LQ182dk6BhsmEfAe0djg1E0HkJ0RMijceGmfBLpeWP8gjzcE167sDmVskvsSiou2Akr CdD+cxj1E470XFe26PQp9UeOINuxoJP3ExQyGf4RVagWXFOiVKpSP/QjrOuMZWHPUMdU aVXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qn24si6120824ejb.680.2020.11.13.08.37.06; Fri, 13 Nov 2020 08:37:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726355AbgKMQeu (ORCPT + 99 others); Fri, 13 Nov 2020 11:34:50 -0500 Received: from netrider.rowland.org ([192.131.102.5]:59825 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726157AbgKMQeu (ORCPT ); Fri, 13 Nov 2020 11:34:50 -0500 Received: (qmail 324707 invoked by uid 1000); 13 Nov 2020 11:34:49 -0500 Date: Fri, 13 Nov 2020 11:34:49 -0500 From: Alan Stern To: John Boero Cc: Greg Kroah-Hartman , Felipe Balbi , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] usb: core: Null deref in kernel with USB webcams. Message-ID: <20201113163449.GB322940@rowland.harvard.edu> References: <20201112192524.GB287229@rowland.harvard.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 13, 2020 at 01:18:05PM +0000, John Boero wrote: > Thanks for the tips. > > I've spent some more time on this this morning. > It looks like it's not the dev after all. What isn't the dev? > Every interface in the dev is set NULL after init. I can't tell what this means. Please be more explicit. > Just like in the original Ubuntu bug 1827452 filed by someone else > the device seems to disconnect itself after uvcvideo initialization. > Then there is a 5 second pause before usb_ifnum_to_if tries > to iterate through its 8 interfaces - all of which are null. > It looks like uvc properly locks the dev, so maybe this could > be caused by any device being unplugged after init? More likely there is a bug in the uvcvideo driver. > The WARNING handle preserves USB function though, > and subsequent lsusb behaves fine: No, the WARN only writes a message to the system log. The "return" statement is what prevented the system from crashing. > $ lsusb | fold -w 80 > Bus 002 Device 002: ID 8087:8002 Intel Corp. 8 channel internal hub > Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub > Bus 001 Device 002: ID 8087:800a Intel Corp. Hub > Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub > Bus 004 Device 002: ID 0451:8140 Texas Instruments, Inc. TUSB8041 4-Port Hub > Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub > Bus 003 Device 005: ID 1ea7:0064 SHARKOON Technologies GmbH 2.4GHz Wireless rech > argeable vertical mouse [More&Better] > Bus 003 Device 004: ID 145f:025c Trust Trust USB Microphone > Bus 003 Device 002: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID > Bus 003 Device 009: ID 0a5c:21e8 Broadcom Corp. BCM20702A0 Bluetooth 4.0 > Bus 003 Device 008: ID 0451:8142 Texas Instruments, Inc. TUSB8041 4-Port Hub > Bus 003 Device 006: ID 062a:4101 MosArt Semiconductor Corp. Wireless Keyboard/Mo > use > Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub > Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub > Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub > > 8x (0-7) occurences of the following WARNING: > > [ 140.678756] usb 3-4: USB disconnect, device number 3 > [ 145.995855] ------------[ cut here ]------------ > [ 145.995863] dev interface is NULL in usb_ifnum_to_if > [ 145.995907] WARNING: CPU: 31 PID: 5617 at drivers/usb/core/usb.c:289 > usb_ifnum_to_if+0x58/0x80 You removed the most important part of the log message! What appears below this point? In fact, you should just post the entire log (or put it on a server somewhere and post a URL). Alan Stern