Bug 2365068 - [abrt] snd_cx231xx_pcm_close: BUG: unable to handle page fault for address: 0000080004087f34 [cx231xx_alsa]
Summary: [abrt] snd_cx231xx_pcm_close: BUG: unable to handle page fault for address: 0...
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 42
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:31a12362b4d90a5a695b43cf7e3...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-08 09:31 UTC by phkoenig
Modified: 2026-06-08 17:05 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-08 17:05:24 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description phkoenig 2025-05-08 09:31:38 UTC
Description of problem:
After use of video capture USB stick with a lot of format problems. system froze after inactivity (during night).

Additional info:
reporter:       libreport-2.17.15
BUG: unable to handle page fault for address: 0000080004087f34
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 4 UID: 1959 PID: 43897 Comm: vlc.bin Not tainted 6.14.5-300.fc42.x86_64 #1
Hardware name: ASUSTeK COMPUTER INC. N550JV/N550JV, BIOS N550JV.208 11/19/2013
RIP: 0010:__mutex_lock.constprop.0+0x6c2/0x7f0
Code: fe 65 ff 0d e8 bd b5 4b 0f 85 54 fe ff ff e8 25 00 e0 fe e9 4a fe ff ff 48 8b 03 a8 08 0f 85 02 01 00 00 66 90 e9 23 fe ff ff <8b> 50 34 85 d2 0f 84 4b fa ff ff 8b 78 14 48 31 c0 0f 1f 00 84 c0
RSP: 0018:ffffb36c21b3bd60 EFLAGS: 00010206
RAX: 0000080004087f00 RBX: ffff938c61252a00 RCX: 000000008040002d
RDX: 0000080004087f00 RSI: 0000000000000002 RDI: ffff938c093bd8a8
RBP: ffffb36c21b3bdf0 R08: ffff938b0e79c6c0 R09: 000000008040002d
R10: ffff938b0e79c6c0 R11: fffffb830639e700 R12: ffff938ac302e388
R13: ffff938c093bd8a8 R14: ffff938b13626d80 R15: ffffb36c21b3bd80
FS:  00007f58f86986c0(0000) GS:ffff938d9ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000080004087f34 CR3: 000000030a626003 CR4: 00000000001726f0
Call Trace:
 <TASK>
 snd_cx231xx_pcm_close+0x27/0x130 [cx231xx_alsa]
 ? do_hw_free+0x54/0x70 [snd_pcm]
 snd_pcm_release_substream.part.0+0x38/0x90 [snd_pcm]
 snd_pcm_release+0x5b/0xd0 [snd_pcm]
 __fput+0xe6/0x2a0
 task_work_run+0x5d/0x90
 syscall_exit_to_user_mode+0x1e6/0x210
 do_syscall_64+0x87/0x160
 ? syscall_trace_enter+0x8f/0x200
 ? syscall_exit_to_user_mode+0x10/0x210
 ? do_syscall_64+0x87/0x160
 ? do_syscall_64+0x87/0x160
 ? __irq_exit_rcu+0x4c/0xf0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f591fa7e28b
Code: 73 01 c3 48 8b 0d 95 6b 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 65 6b 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f58f8697c58 EFLAGS: 00000202 ORIG_RAX: 000000000000000b
RAX: 0000000000000000 RBX: 00007f58c4c2d8c0 RCX: 00007f591fa7e28b
RDX: 0000000000000010 RSI: 0000000000001000 RDI: 00007f58fbf2b000
RBP: 00007f58f8697c80 R08: 00007f58fae2de30 R09: 0000000000000000
R10: 00007f58fae67020 R11: 0000000000000202 R12: 0000000000000000
R13: 00000000ffffffed R14: 00007f58c401ade0 R15: 00007f591aee99d0
 </TASK>
Modules linked in: cx231xx_alsa cx25840 cx231xx cx2341x tveeprom i2c_mux uas usb_storage uinput snd_seq_dummy rfcomm snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr bnep sunrpc binfmt_misc vfat intel_rapl_msr fat intel_rapl_common x86_pkg_temp_thermal intel_powerclamp ath9k coretemp ath9k_common kvm_intel ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic mac80211 snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel kvm rtsx_usb_ms memstick snd_intel_dspcfg ath3k snd_intel_sdw_acpi snd_hda_codec btusb btrtl at24 btintel snd_hda_core snd_hwdep libarc4 ath snd_seq btbcm irqbypass asus_nb_wmi iTCO_wdt btmtk mei_pxp mei_hdcp snd_seq_device intel_pmc_bxt iTCO_vendor_support rapl intel_cstate asus_wmi cfg80211 bluetooth snd_pcm sparse_keymap intel_uncore uvcvideo r8169 pktcdvd i2c_i801 uvc
 platform_profile videobuf2_vmalloc i2c_smbus snd_timer pcspkr videobuf2_memops videobuf2_v4l2 snd videobuf2_common realtek mei_me videodev rfkill mei soundcore mc lpc_ich asus_wireless joydev loop dm_multipath nfnetlink zram lz4hc_compress lz4_compress xfs rtsx_usb_sdmmc mmc_core hid_multitouch rtsx_usb i915 nouveau drm_ttm_helper gpu_sched drm_gpuvm drm_exec drm_buddy i2c_algo_bit ttm polyval_clmulni polyval_generic ghash_clmulni_intel drm_display_helper sha512_ssse3 sha256_ssse3 mxm_wmi sha1_ssse3 cec video wmi serio_raw scsi_dh_rdac scsi_dh_emc scsi_dh_alua fuse
CR2: 0000080004087f34

Comment 1 Fedora Release Engineering 2026-05-06 12:52:05 UTC
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 42 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 2 Ashwin Gundarapu 2026-05-22 15:52:25 UTC
I've investigated this bug and submitted a patch to the linux-media
mailing list.

Root Cause:
The snd_cx231xx_pcm_close() function retrieves the cx231xx device
pointer from the ALSA substream using snd_pcm_substream_chip(). If
the device has already been freed or the substream is invalid (which
can happen during device disconnect or error recovery), this returns
NULL. The function then dereferences dev without checking, causing
the page fault at address 0000080004087f34.

The Fix:
Added a NULL check immediately after retrieving the dev pointer.
If dev is NULL, the function logs an error and returns -ENODEV
instead of crashing. This follows the same pattern used in other
media drivers (e.g., cx231xx_video_close, cx231xx_bulk_copy).

Patch submitted:
[PATCH] media: cx231xx: fix null pointer deref in snd_cx231xx_pcm_close

The fix is minimal — 5 lines added, no functional change to the
normal code path. It simply prevents the kernel from crashing when
the device is in an unexpected state during close.

Feedback welcome on the mailing list or here.

Comment 3 Ashwin Gundarapu 2026-05-22 15:54:37 UTC
I'd like to work on this bug. Could a maintainer please assign it to me? My Bugzilla email is linuxuser509.

Comment 4 Aoife Moloney 2026-06-08 17:05:24 UTC
Fedora Linux 42 entered end-of-life (EOL) status on 2026-05-27.

Fedora Linux 42 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.