| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <51841aa1-686e-4ae3-9397-c4dadd389b27@kylinos.cn> Date: Wed, 26 Nov 2025 14:43:51 +0800 From: Jie Deng <dengjie03@...inos.cn> To: Ricardo Ribalda <ribalda@...omium.org> Cc: laurent.pinchart@...asonboard.com, hansg@...nel.org, mchehab@...nel.org, kieran.bingham@...asonboard.com, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] media: usb: uvc: Fix NULL pointer dereference during USB device hot-unplug 在 2025/11/25 16:29, Ricardo Ribalda 写道: > Hi Jie > > > On Tue, 25 Nov 2025 at 04:14, Jie Deng <dengjie03@...inos.cn> wrote: >> Hi Ricardo >> >> Thank you for your reply >> >> 在 2025/11/24 17:06, Ricardo Ribalda 写道: >>> Hi Jie >>> >>> >>> >>> On Mon, 24 Nov 2025 at 04:08, Jie Deng <dengjie03@...inos.cn> wrote: >>>> Hi Ricardo >>>> >>>> Thank you for your reply >>>> >>>> 在 2025/11/22 16:17, Ricardo Ribalda 写道: >>>>> Hi Jie >>>>> >>>>> On Sat, 22 Nov 2025 at 08:26, Jie Deng <dengjie03@...inos.cn> wrote: >>>>>> Add safety checks to prevent kernel panic during the race window in >>>>>> USB device disconnection. >>>>> Can you share the kernel version that you are using? >>>> The kernel version I'm using is 5.4.18 >>>>> This patch >>>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222 >>>>> Should prevent the race that you are describing. >>>>> >>>>> >>>>> In your trace you have a reference to uvc_queue_streamoff that was >>>>> deleted by that patch >>>> This patch may indeed eliminate the problem I described. >>>> >>>> The 5.4 longterm version should not have synchronized this patch? >>> Seems that the patch that fixed the issue: >>> >>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/media/usb/uvc/uvc_driver.c?id=c9ec6f1736363b2b2bb4e266997389740f628441 >> 1. What this patch does: >> >> Problem scenario: When a USB device is disconnected, the kernel >> initiates the >> >> unregistration process, but the device might still be in a streaming state. >> >> >> 2. The issue fixed by my patch submission: >> 1)Problem scenario: When userspace actively stops streaming, the USB >> device gets >> >> disconnected during the stopping process. >> >> 2)Fix method: In the stream stopping function, check whether the USB >> device is still >> >> connected to avoid accessing structures of already disconnected devices. >> This is fixed >> >> by adding null pointer checks. > Your patch only reduces the window for the race condition, but does > not solve it. > > If the device is disconnected between the NULL check and the structure > use, there will still be a kernel panic. > > The proper way to fix it is with: > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222 > or > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9ec6f1736363b2b2bb4e266997389740f628441 > > Those patches were not backported to 5.4, only to 5.10. 5.4 will be > EOL in 5 days > > Please move your product to a newer kernel (ideally the latest > released by Linus) > > Regards! > >> The patch I submitted addresses a different race condition. >> >> >> Thanks, >> >> Jie Deng >> >>> Was only backported until 5.10 >>> >>> 5.4 is EOL this December. So it is probably not worth doing anything more. >>> >>> Regards! Ok. Thank you for your guidance. Jie Deng >>> >>>> Thanks, >>>> >>>> Jie Deng >>>> > >
Powered by blists - more mailing lists