Message-ID: <8844b682-88c3-44b0-9f15-4d4d1b5da068@kylinos.cn>
Date: Mon, 17 Nov 2025 13:33:27 +0800
From: Jie Deng <dengjie03@...inos.cn>
To: Alan Stern <stern@...land.harvard.edu>
Cc: gregkh@...uxfoundation.org, mathias.nyman@...ux.intel.com,
 sakari.ailus@...ux.intel.com, linux-usb@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: core: fix NULL dereference in usb_ifnum_to_if()
 during device removal


On 2025/11/13 22:50, Alan Stern wrote:
> On Thu, Nov 13, 2025 at 07:44:11PM +0800, Jie Deng wrote:
>> During USB device hot-unplug, there is a time window between when
>> usb_disconnect() calls usb_disable_device() to set
>> dev->actconfig->interface[i] to NULL and when dev->actconfig
>> is set to NULL. At this point, outside the kernel, usb_ifnum_to_if()
>> is called through usb_set_interface(), and usb_ifnum_to_if() continues
>> to access interface[i]->altsetting[i], triggering a null pointer.
>> [ 9518.891254][ 1] [ T4650] Call trace:
>> [ 9518.894817][ 1] [ T4650]  usb_ifnum_to_if+0x34/0x50
>> [ 9518.899681][ 1] [ T4650]  usb_set_interface+0x108/0x3c8
>> [ 9518.904898][ 1] [ T4650]  uvc_video_stop_streaming+0x3c/0x90 [uvcvideo]
>> [ 9518.911500][ 1] [ T4650]  uvc_stop_streaming+0x24/0x90 [uvcvideo]
>> [ 9518.917583][ 1] [ T4650]  __vb2_queue_cancel+0x44/0x458 [videobuf2_common]
>> [ 9518.924444][ 1] [ T4650]  vb2_core_streamoff+0x20/0xb8 [videobuf2_common]
>> [ 9518.931221][ 1] [ T4650]  vb2_streamoff+0x18/0x60 [videobuf2_v4l2]
>> [ 9518.937390][ 1] [ T4650]  uvc_queue_streamoff+0x30/0x50 [uvcvideo]
>> [ 9518.943557][ 1] [ T4650]  uvc_ioctl_streamoff+0x40/0x68 [uvcvideo]
>> [ 9518.949724][ 1] [ T4650]  v4l_streamoff+0x20/0x28
>> [ 9518.954415][ 1] [ T4650]  __video_do_ioctl+0x17c/0x3e0
>> [ 9518.959540][ 1] [ T4650]  video_usercopy+0x1d8/0x558
>> [ 9518.964490][ 1] [ T4650]  video_ioctl2+0x14/0x1c
>> [ 9518.969094][ 1] [ T4650]  v4l2_ioctl+0x3c/0x58
>> [ 9518.973526][ 1] [ T4650]  do_vfs_ioctl+0x374/0x7b0
>> [ 9518.978304][ 1] [ T4650]  ksys_ioctl+0x78/0xa8
>> [ 9518.982734][ 1] [ T4650]  sys_ioctl+0xc/0x18
>> [ 9518.986991][ 1] [ T4650]  __sys_trace_return+0x0/0x4
>> [ 9518.991943][ 1] [ T4650] Code: eb04005f 54000100 f9400040 91002042 (f9400003)
>> [ 9518.999153][ 1] [ T4650] ---[ end trace f7c7d3236806d9a4 ]---
> This looks like a bug in the uvc driver.  usb_disable_device() unbinds
> the interface's driver before it sets dev->actconfig->interface[i] to
> NULL, and the uvc driver shouldn't call usb_set_interface() after it has
> been unbound.
Thank you for your correction.
>
>> To resolve this issue, a null pointer check for config->interface[i]
>> can be added in the usb_ifnum_to_if() function.
> That won't fix the real bug.  You need to change the uvc driver.

I will fix this issue from the uvc driver and submit a patch.

>
> Alan Stern

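The ordering the thread describes, as an added model in C that is not code from the kernel or from this patch: the structures, the `bound` flag and the driver-side check are simplified assumptions, kept only in the shape the discussion gives them, so that the window opened by usb_disable_device() and the effect of the driver-side fix Alan asks for can be exercised without a real device.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed, simplified model of the USB core objects, not the kernel's definitions. */
struct usb_interface { unsigned ifnum; bool bound; };
struct usb_host_config { int num_interfaces; struct usb_interface *interface[2]; };
struct usb_device { struct usb_host_config *actconfig; };
enum { WINDOW_OPEN = 1, CALL_SKIPPED = 2 };	/* bits reported by simulate() */
/* Same shape as the core lookup: guards dev->actconfig but trusts every interface[i]. */
static struct usb_interface *ifnum_to_if(const struct usb_device *dev, unsigned ifnum)
{
	const struct usb_host_config *config = dev->actconfig;
	if (!config)
		return NULL;
	for (int i = 0; i < config->num_interfaces; i++)
		if (config->interface[i]->ifnum == ifnum)	/* faults if interface[i] is NULL */
			return config->interface[i];
	return NULL;
}
/* Ordering from usb_disable_device(): unbind each driver, then clear its slot;
 * usb_disconnect() clears dev->actconfig only afterwards, which opens the window. */
static void disable_device(struct usb_device *dev)
{
	struct usb_host_config *config = dev->actconfig;
	for (int i = 0; i < config->num_interfaces; i++) {
		config->interface[i]->bound = false;	/* the driver's disconnect() ran here */
		config->interface[i] = NULL;
	}
}
/* Driver-side fix (modelled, hypothetical): make no core calls once unbound. */
static int driver_stop_streaming(const struct usb_device *dev, const struct usb_interface *intf)
{
	if (!intf->bound)
		return -1;	/* unbound: skip usb_set_interface() instead of dereferencing */
	return ifnum_to_if(dev, intf->ifnum) ? 0 : -1;
}

/* Stop streaming on interface 1 before (unplug=false) or after the unplug sequence. */
static int simulate(bool unplug)
{
	struct usb_interface if0 = { 0, true }, if1 = { 1, true };
	struct usb_host_config cfg = { 2, { &if0, &if1 } };
	struct usb_device dev = { &cfg };
	int flags = 0;
	if (unplug)
		disable_device(&dev);
	if (dev.actconfig && !dev.actconfig->interface[1])	/* config live, slot NULL */
		flags |= WINDOW_OPEN;
	if (driver_stop_streaming(&dev, &if1) < 0)
		flags |= CALL_SKIPPED;
	return flags;
}
```

With the unbound check in the driver, the lookup is never reached while the slot is NULL, which is why a NULL check inside usb_ifnum_to_if() alone would only hide the ordering problem rather than fix it.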