Message-ID: <CANiDSCuJZU9di2T_zQbk7NVr0--JyPUZkXGur11HKZF8qe3N2Q@mail.gmail.com>
Date: Sat, 22 Nov 2025 09:17:32 +0100
From: Ricardo Ribalda <ribalda@...omium.org>
To: Jie Deng <dengjie03@...inos.cn>
Cc: laurent.pinchart@...asonboard.com, hansg@...nel.org, mchehab@...nel.org, 
	kieran.bingham@...asonboard.com, linux-media@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: usb: uvc: Fix NULL pointer dereference during
 USB device hot-unplug

Hi Jie

On Sat, 22 Nov 2025 at 08:26, Jie Deng <dengjie03@...inos.cn> wrote:
>
> Add safety checks to prevent kernel panic during the race window in
> USB device disconnection.

Can you share the kernel version that you are using?

This patch
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222
should prevent the race that you are describing.


In your trace you have a reference to uvc_queue_streamoff that was
deleted by that patch.

Regards!
>
> The issue occurs in a specific timing window during hot-unplug:
> - usb_disconnect() calls usb_disable_device() which sets
>   dev->actconfig->interface[i] to NULL
> - But dev->actconfig is not yet set to NULL
> - During this window, uvc_video_stop_streaming() calls usb_set_interface()
> - This eventually calls usb_ifnum_to_if() which accesses the already
>   NULL interface[i]->altsetting, causing a kernel panic
> logs:
> [ 9518.891254] Call trace:
> [ 9518.894817]  usb_ifnum_to_if+0x34/0x50
> [ 9518.899681]  usb_set_interface+0x108/0x3c8
> [ 9518.904898]  uvc_video_stop_streaming+0x3c/0x90 [uvcvideo]
> [ 9518.911500]  uvc_stop_streaming+0x24/0x90 [uvcvideo]
> [ 9518.917583]  __vb2_queue_cancel+0x44/0x458 [videobuf2_common]
> [ 9518.924444]  vb2_core_streamoff+0x20/0xb8 [videobuf2_common]
> [ 9518.931221]  vb2_streamoff+0x18/0x60 [videobuf2_v4l2]
> [ 9518.937390]  uvc_queue_streamoff+0x30/0x50 [uvcvideo]
^^^^^^^^


> [ 9518.943557]  uvc_ioctl_streamoff+0x40/0x68 [uvcvideo]
> [ 9518.949724]  v4l_streamoff+0x20/0x28
> [ 9518.954415]  __video_do_ioctl+0x17c/0x3e0
> [ 9518.959540]  video_usercopy+0x1d8/0x558
> [ 9518.964490]  video_ioctl2+0x14/0x1c
> [ 9518.969094]  v4l2_ioctl+0x3c/0x58
> [ 9518.973526]  do_vfs_ioctl+0x374/0x7b0
> [ 9518.978304]  ksys_ioctl+0x78/0xa8
> [ 9518.982734]  sys_ioctl+0xc/0x18
> [ 9518.986991]  __sys_trace_return+0x0/0x4
> [ 9518.991943] Code: eb04005f 54000100 f9400040 91002042 (f9400003)
> [ 9518.999153] ---[ end trace f7c7d3236806d9a4 ]---
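
The triage step used in the reply above (checking the reported call trace for a function that the referenced commit deleted), as an added example that is not part of the original message or of the kernel tree. The sample lines are copied from the quoted trace; `parse_frames` and `frames_removed_by_fix` are hypothetical helper names, and the only frame format handled is the one shown in this report.

```python
import re

# One call-trace frame as printed in the report, e.g.
#   "[ 9518.937390]  uvc_queue_streamoff+0x30/0x50 [uvcvideo]"
# Leading "> " mail-quote markers are tolerated.
FRAME_RE = re.compile(
    r"^(?:>\s*)*\[\s*\d+\.\d+\]\s+"
    r"(?P<symbol>[A-Za-z_][\w.]*)\+0x(?P<offset>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<module>[\w-]+)\])?\s*$"
)

# Lines copied from the trace quoted in this message.
SAMPLE = """\
> [ 9518.891254] Call trace:
> [ 9518.894817]  usb_ifnum_to_if+0x34/0x50
> [ 9518.899681]  usb_set_interface+0x108/0x3c8
> [ 9518.904898]  uvc_video_stop_streaming+0x3c/0x90 [uvcvideo]
> [ 9518.937390]  uvc_queue_streamoff+0x30/0x50 [uvcvideo]
> [ 9518.943557]  uvc_ioctl_streamoff+0x40/0x68 [uvcvideo]
> [ 9518.999153] ---[ end trace f7c7d3236806d9a4 ]---
"""

def parse_frames(log_text):
    """Return the call-trace frames in log_text, innermost first."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if m:  # headers, "Code:" and "end trace" lines do not match
            frames.append({
                "symbol": m["symbol"],
                "offset": int(m["offset"], 16),
                "size": int(m["size"], 16),
                "module": m["module"],  # None for built-in code
            })
    return frames

def frames_removed_by_fix(frames, removed_symbols):
    """Frames whose symbol a fix deleted. A hit suggests the kernel that
    produced the trace does not contain that fix."""
    return [f for f in frames if f["symbol"] in removed_symbols]

if __name__ == "__main__":
    # uvc_queue_streamoff is the function the reply says the commit deleted.
    for f in frames_removed_by_fix(parse_frames(SAMPLE), {"uvc_queue_streamoff"}):
        print(f"{f['symbol']}+{f['offset']:#x} [{f['module']}] predates the fix")
```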
