Re: [PATCH v2] media: usb: uvc: Fix NULL pointer dereference during USB device hot-unplug

[Jie Deng]

在 2025/11/25 16:29, Ricardo Ribalda 写道:
> Hi Jie
>
>
> On Tue, 25 Nov 2025 at 04:14, Jie Deng <dengjie03@xxxxxxxxxx> wrote:
> > Hi Ricardo
> >
> > Thank you for your reply
> >
> > 在 2025/11/24 17:06, Ricardo Ribalda 写道:
> > > Hi Jie
> > >
> > >
> > >
> > > On Mon, 24 Nov 2025 at 04:08, Jie Deng <dengjie03@xxxxxxxxxx> wrote:
> > > > Hi Ricardo
> > > >
> > > > Thank you for your reply
> > > >
> > > > 在 2025/11/22 16:17, Ricardo Ribalda 写道:
> > > > > Hi Jie
> > > > >
> > > > > On Sat, 22 Nov 2025 at 08:26, Jie Deng <dengjie03@xxxxxxxxxx> wrote:
> > > > > > Add safety checks to prevent kernel panic during the race window in
> > > > > > USB device disconnection.
> > > > > Can you share the kernel version that you are using?
> > > > The kernel version I'm using is 5.4.18
> > > > > This patch
> > > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222
> > > > > Should prevent the race that you are describing.
> > > > >
> > > > >
> > > > > In your trace you have a reference to uvc_queue_streamoff that was
> > > > > deleted by that patch
> > > > This patch may indeed eliminate the problem I described.
> > > >
> > > > The 5.4 longterm version should not have synchronized this patch？
> > > Seems that the patch that fixed the issue:
> > >
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/media/usb/uvc/uvc_driver.c?id=c9ec6f1736363b2b2bb4e266997389740f628441
> > 1. What this patch does:
> >
> > Problem scenario: When a USB device is disconnected, the kernel
> > initiates the
> >
> > unregistration process, but the device might still be in a streaming state.
> >
> >
> > 2. The issue fixed by my patch submission:
> > 1）Problem scenario: When userspace actively stops streaming, the USB
> > device gets
> >
> > disconnected during the stopping process.
> >
> > 2）Fix method: In the stream stopping function, check whether the USB
> > device is still
> >
> > connected to avoid accessing structures of already disconnected devices.
> > This is fixed
> >
> > by adding null pointer checks.
> Your patch only reduces the window for the race condition, but does
> not solve it.
>
> If the device is disconnected between the NULL check and the structure
> use, there will still be a kernel panic.
>
> The proper way to fix it is with:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c93d73c9c2cfa7658f7100d201a47c4856746222
> or
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9ec6f1736363b2b2bb4e266997389740f628441
>
> Those patches were not backported to 5.4, only to 5.10. 5.4 will be
> EOL in 5 days
>
> Please move your product to a newer kernel (ideally the latest
> released by Linus)
>
> Regards!
>
> > The patch I submitted addresses a different race condition.
> >
> >
> > Thanks,
> >
> > Jie Deng
> >
> > > Was only backported until 5.10
> > >
> > > 5.4 is EOL this December. So it is probably not worth doing anything more.
> > >
> > > Regards!

Ok. Thank you for your guidance.

Jie Deng

> > > > Thanks,
> > > >
> > > > Jie Deng