Re: [PATCH] media: airspy: Guard stop_streaming() against disconnected device
From: Hans Verkuil
Date: Wed May 20 2026 - 03:00:51 EST
On 13/05/2026 07:26, Valery Borovsky wrote:
> airspy_disconnect() clears s->udev under v4l2_lock, but
> airspy_stop_streaming() unconditionally calls airspy_ctrl_msg() and
> airspy_free_stream_bufs() afterwards. If a streaming user closes the
> device after disconnect, stop_streaming() runs and dereferences the
> NULL s->udev:
>
> airspy_stop_streaming()
> airspy_ctrl_msg(s, CMD_RECEIVER_MODE, 0, 0, NULL, 0)
> usb_sndctrlpipe(s->udev, 0) /* NULL deref */
> airspy_free_stream_bufs(s)
> usb_free_coherent(s->udev, ...) /* NULL deref */
>
> Mirror the precedent set by sibling SDR drivers msi2500 and pwc, which
> already guard their hardware teardown block with an "if (udev)" check.
> The queued-buffer drain via airspy_cleanup_queued_bufs() must still
> run unconditionally so vb2 sees its buffers returned.
>
> Issue identified by automated review of the INV-003 series at
> https://sashiko.dev/
>
> Fixes: 634fe5033951 ("[media] airspy: AirSpy SDR driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Valery Borovsky <vebohr@xxxxxxxxx>
> ---
> drivers/media/usb/airspy/airspy.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
> index 8f6b721ba107..50db02d35213 100644
> --- a/drivers/media/usb/airspy/airspy.c
> +++ b/drivers/media/usb/airspy/airspy.c
> @@ -584,12 +584,14 @@ static void airspy_stop_streaming(struct vb2_queue *vq)
>
> mutex_lock(&s->v4l2_lock);
>
> - /* stop hardware streaming */
> - airspy_ctrl_msg(s, CMD_RECEIVER_MODE, 0, 0, NULL, 0);
> + if (s->udev) {
> + /* stop hardware streaming */
> + airspy_ctrl_msg(s, CMD_RECEIVER_MODE, 0, 0, NULL, 0);
>
> - airspy_kill_urbs(s);
> - airspy_free_urbs(s);
> - airspy_free_stream_bufs(s);
> + airspy_kill_urbs(s);
> + airspy_free_urbs(s);
> + airspy_free_stream_bufs(s);
> + }
>
> airspy_cleanup_queued_bufs(s);
>
Here too it is better to replace video_unregister_device(&dev->vdev);
by vb2_video_unregister_device(&dev->vdev);
Similar to what I suggested for rtl2832_sdr.
Regards,
Hans