Message-ID: <CANiDSCtmU=7fGnKE1U-=Xnv70rVR8SzknPLZHFcPTg5QDVE-Qw@mail.gmail.com>
Date: Tue, 25 Nov 2025 09:29:43 +0100
From: Ricardo Ribalda <ribalda@...omium.org>
To: Jie Deng <dengjie03@...inos.cn>
Cc: laurent.pinchart@...asonboard.com, hansg@...nel.org, mchehab@...nel.org,
kieran.bingham@...asonboard.com, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: usb: uvc: Fix NULL pointer dereference during
USB device hot-unplug

Hi Jie

On Tue, 25 Nov 2025 at 04:14, Jie Deng <dengjie03@...inos.cn> wrote:
>
> Hi Ricardo
>
> Thank you for your reply
>
> On 2025/11/24 17:06, Ricardo Ribalda wrote:
> > Hi Jie
> >
> >
> >
> > On Mon, 24 Nov 2025 at 04:08, Jie Deng <dengjie03@...inos.cn> wrote:
> >> Hi Ricardo
> >>
> >> Thank you for your reply
> >>
> >> On 2025/11/22 16:17, Ricardo Ribalda wrote:
> >>> Hi Jie
> >>>
> >>> On Sat, 22 Nov 2025 at 08:26, Jie Deng <dengjie03@...inos.cn> wrote:
> >>>> Add safety checks to prevent kernel panic during the race window in
> >>>> USB device disconnection.
> >>> Can you share the kernel version that you are using?
> >> The kernel version I'm using is 5.4.18
> >>> This patch
> >>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222
> >>> Should prevent the race that you are describing.
> >>>
> >>>
> >>> In your trace you have a reference to uvc_queue_streamoff that was
> >>> deleted by that patch
> >> This patch may indeed eliminate the problem I described.
> >>
> >> The 5.4 longterm version should not have synchronized this patch?
> > Seems that the patch that fixed the issue:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/media/usb/uvc/uvc_driver.c?id=c9ec6f1736363b2b2bb4e266997389740f628441
> 1. What this patch does:
>
> Problem scenario: When a USB device is disconnected, the kernel initiates the
> unregistration process, but the device might still be in a streaming state.
>
> 2. The issue fixed by my patch submission:
>
> 1) Problem scenario: When userspace actively stops streaming, the USB device gets
> disconnected during the stopping process.
>
> 2) Fix method: In the stream stopping function, check whether the USB device is still
> connected to avoid accessing structures of already disconnected devices. This is fixed
> by adding null pointer checks.

Your patch only reduces the window for the race condition, but does
not solve it.

If the device is disconnected between the NULL check and the structure
use, there will still be a kernel panic.

The proper way to fix it is with:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222
or
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9ec6f1736363b2b2bb4e266997389740f628441

Those patches were not backported to 5.4, only to 5.10. 5.4 will be
EOL in 5 days.

Please move your product to a newer kernel (ideally the latest
released by Linus).

Regards!

>
> The patch I submitted addresses a different race condition.
>
>
> Thanks,
>
> Jie Deng
>
> >
> > Was only backported until 5.10
> >
> > 5.4 is EOL this December. So it is probably not worth doing anything more.
> >
> > Regards!
> >
> >>
> >> Thanks,
> >>
> >> Jie Deng
> >>
> >
--
Ricardo Ribalda
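
The point made in the reply above (a NULL check only narrows the window, because the disconnect can land between the check and the use) can be reproduced deterministically in userspace. This is an added example, not code from the thread, the submitted patch or the linked commits; every name in it is hypothetical, and the lock is a generic stand-in for whatever serialization a driver uses between its stop and disconnect paths.

```c
/* Userspace model (constructed); all names are hypothetical, not uvcvideo symbols. */
#include <stdatomic.h>
#include <stdio.h>

struct dev { int frames; };
struct stream {
    struct dev *dev;         /* cleared when the device is unplugged */
    atomic_flag lock;        /* stands in for a mutex shared by both paths */
    int disconnect_pending;  /* models a disconnect blocked on the lock */
};

/* Disconnect path with no locking: it can run at any instant. */
static void disconnect_unlocked(struct stream *s) { s->dev = NULL; }
/* Disconnect path that honours the lock; a real mutex would sleep here. */
static void disconnect_locked(struct stream *s)
{
    if (atomic_flag_test_and_set(&s->lock)) { s->disconnect_pending = 1; return; }
    s->dev = NULL;
    atomic_flag_clear(&s->lock);
}

/* Check-then-use. Returns frames, -1 if already gone, -2 where the kernel would oops. */
static int stop_checked(struct stream *s, void (*race)(struct stream *))
{
    if (s->dev == NULL) return -1;   /* the added NULL check passes */
    race(s);                         /* hot-unplug lands inside the window */
    if (s->dev == NULL) return -2;   /* model of the NULL dereference */
    return s->dev->frames;
}

/* Check and use inside one critical section that disconnect must also take. */
static int stop_serialized(struct stream *s, void (*race)(struct stream *))
{
    int ret;
    while (atomic_flag_test_and_set(&s->lock)) { }
    if (s->dev == NULL) { ret = -1; }
    else { race(s); ret = s->dev->frames; }  /* disconnect cannot get in */
    atomic_flag_clear(&s->lock);
    if (s->disconnect_pending) { s->disconnect_pending = 0; disconnect_locked(s); }
    return ret;
}

int main(void)
{
    struct dev d = { 7 };
    struct stream a = { &d, ATOMIC_FLAG_INIT, 0 }, b = { &d, ATOMIC_FLAG_INIT, 0 };
    printf("checked=%d serialized=%d\n", stop_checked(&a, disconnect_unlocked),
           stop_serialized(&b, disconnect_locked));
    return 0;
}
```

The `race` callback forces the worst-case interleaving on every run, which is what makes the check-then-use failure visible without relying on thread timing.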