Hi Salah, Cai, I received patches for this from both of you, but both have issues: On 31/07/2021 18:18, Salah Triki wrote: > Use usb_get_dev() to increment the reference count of the usb device > structure in order to avoid releasing the structure while it is still in > use. And use usb_put_dev() to decrement the reference count and thus, > when it will be equal to 0 the structure will be released. > > Signed-off-by: Salah Triki <salah.triki@xxxxxxxxx> > --- > Change since v1: > Modification of the description > > drivers/media/usb/stkwebcam/stk-webcam.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c > index a45d464427c4..3b14679829ed 100644 > --- a/drivers/media/usb/stkwebcam/stk-webcam.c > +++ b/drivers/media/usb/stkwebcam/stk-webcam.c > @@ -1309,7 +1309,7 @@ static int stk_camera_probe(struct usb_interface *interface, > init_waitqueue_head(&dev->wait_frame); > dev->first_init = 1; /* webcam LED management */ > > - dev->udev = udev; > + dev->udev = usb_get_dev(udev); > dev->interface = interface; > usb_get_intf(interface); In the error path of stk_camera_probe you need to call usb_put_dev(), otherwise the udev refcount won't go to 0. > > @@ -1376,6 +1376,7 @@ static void stk_camera_disconnect(struct usb_interface *interface) > > usb_set_intfdata(interface, NULL); > unset_present(dev); > + usb_put_dev(interface_to_usbdev(interface)); Cai just used usb_put_dev(dev->udev) here which makes more sense. Cai also moved this to the stk_v4l_dev_release() function, which is probably a better place. However, there is another bug here as well: these lines in stk_camera_disconnect() should be moved to stk_v4l_dev_release(): v4l2_ctrl_handler_free(&dev->hdl); v4l2_device_unregister(&dev->v4l2_dev); kfree(dev); When the last user of the video device has closed their fh, then stk_v4l_dev_release() is called, so any cleanup of resources/memory should happen there. Right now if you are streaming and the webcam is disconnected (or the device forcibly unloaded), the dev pointer is freed in disconnect, but stk_v4l_dev_release() is called later and will reference freed memory. I'm not sure who of the two of you will make a v3, I leave that to you to fight out :-) Regards, Hans > > wake_up_interruptible(&dev->wait_frame); > >