From dmantipov at yandex.ru Fri Jan 2 15:14:10 2026 From: dmantipov at yandex.ru (Dmitry Antipov) Date: Fri, 2 Jan 2026 15:14:10 +0300 Subject: [lvc-project] [PATCH] media: media-request: fix race between media_request_alloc() and media_request_close() Message-ID: <20260102121410.710456-1-dmantipov@yandex.ru> Syzbot has hit (seems twice at least) the following race condition between 'media_request_alloc()' and 'media_request_close()': Thread 0: Thread 1: ... media_request_alloc(...) ... req = kzalloc(...) ... fd_prepare_file(fdf)->private_data = req; [1] ... ... media_request_close(...) snprintf(req->debug_str, ...) media_request_put(req) ... After [1], an instance of 'struct media_request' is available for 'media_request_close()' via the filesystem interface, so 'snprintf()' in thread 0 may be issued for a free-in-progress request. Fix this by managing an extra reference for that request in 'media_request_alloc()' by using 'media_request_get()' and 'media_request_put()' in the former. Reported-by: syzbot+2bf29e42be0666f2df70 at syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70 Reported-by: syzbot+37fd81fa4305a9eadfb0 at syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=37fd81fa4305a9eadfb0 Fixes: 10905d70d788 ("media: media-request: implement media requests") Signed-off-by: Dmitry Antipov --- drivers/media/mc/mc-request.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c index 2ac9ac0a740b..969051c1f07c 100644 --- a/drivers/media/mc/mc-request.c +++ b/drivers/media/mc/mc-request.c @@ -282,7 +282,7 @@ EXPORT_SYMBOL_GPL(media_request_get_by_fd); int media_request_alloc(struct media_device *mdev, int *alloc_fd) { struct media_request *req; - int ret; + int ret = 0; /* Either both are NULL or both are non-NULL */ if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) 
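Review bot: the `int ret = 0;` change in this first hunk is only needed because later hunks route the success path through a shared `out:` label instead of an explicit `return 0`; that coupling is invisible when reading this hunk alone, so a comment next to the declaration along the lines of `/* 0 on success; the shared exit path drops the extra reference taken below */` would make the intent clear. Note also that the reply in this thread states an equivalent fix has already been merged (the lore link Laurent cites), so the change should be checked against that before any resend.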
@@ -305,12 +305,13 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) req->updating_count = 0; req->access_count = 0; + media_request_get(req); FD_PREPARE(fdf, O_CLOEXEC, anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC)); if (fdf.err) { ret = fdf.err; - goto err_free_req; + goto out; } fd_prepare_file(fdf)->private_data = req; @@ -321,14 +322,8 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) atomic_inc_return(&mdev->request_id), *alloc_fd); dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str); - return 0; - -err_free_req: - if (mdev->ops->req_free) - mdev->ops->req_free(req); - else - kfree(req); - +out: + media_request_put(req); return ret; } -- 2.52.0 From laurent.pinchart at ideasonboard.com Fri Jan 2 15:51:03 2026 
From: laurent.pinchart at ideasonboard.com (Laurent Pinchart) Date: Fri, 2 Jan 2026 14:51:03 +0200 Subject: [lvc-project] [PATCH] media: media-request: fix race between media_request_alloc() and media_request_close() In-Reply-To: <20260102121410.710456-1-dmantipov@yandex.ru> References: <20260102121410.710456-1-dmantipov@yandex.ru> Message-ID: <20260102125103.GC15048@pendragon.ideasonboard.com> Hi Dmitry, Thank you for the patch. On Fri, Jan 02, 2026 at 03:14:10PM +0300, Dmitry Antipov wrote: > Syzbot has hit (seems twice at least) the following race condition between > 'media_request_alloc()' and 'media_request_close()': > > Thread 0: Thread 1: > ... > media_request_alloc(...) > ... > req = kzalloc(...) > ... > fd_prepare_file(fdf)->private_data = req; [1] ... > ... media_request_close(...) > snprintf(req->debug_str, ...) media_request_put(req) > ... > > After [1], an instance of 'struct media_request' is available for > 'media_request_close()' via the filesystem interface, so 'snprintf()' > in thread 0 may be issued for a free-in-progress request. Fix this > by managing an extra reference for that request in 'media_request_alloc()' > by using 'media_request_get()' and 'media_request_put()' in the former. This has already been fixed by https://lore.kernel.org/all/20251209210903.603958-1-minipli at grsecurity.net/ > > Reported-by: syzbot+2bf29e42be0666f2df70 at syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70 > Reported-by: syzbot+37fd81fa4305a9eadfb0 at syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=37fd81fa4305a9eadfb0 > Fixes: 10905d70d788 ("media: media-request: implement media requests") > Signed-off-by: Dmitry Antipov > --- > drivers/media/mc/mc-request.c | 15 +++++---------- > 1 file changed, 5 insertions(+), 10 deletions(-) > > diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c > index 2ac9ac0a740b..969051c1f07c 100644 > --- a/drivers/media/mc/mc-request.c 
> +++ b/drivers/media/mc/mc-request.c > @@ -282,7 +282,7 @@ EXPORT_SYMBOL_GPL(media_request_get_by_fd); > int media_request_alloc(struct media_device *mdev, int *alloc_fd) > { > struct media_request *req; > - int ret; > + int ret = 0; > > /* Either both are NULL or both are non-NULL */ > if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) > @@ -305,12 +305,13 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) > req->updating_count = 0; > req->access_count = 0; > > + media_request_get(req); > FD_PREPARE(fdf, O_CLOEXEC, > anon_inode_getfile("request", &request_fops, NULL, > O_CLOEXEC)); > if (fdf.err) { > ret = fdf.err; > - goto err_free_req; > + goto out; > } > > fd_prepare_file(fdf)->private_data = req; > @@ -321,14 +322,8 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) > atomic_inc_return(&mdev->request_id), *alloc_fd); > dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str); > > - return 0; > - > -err_free_req: > - if (mdev->ops->req_free) > - mdev->ops->req_free(req); > - else > - kfree(req); > - > +out: > + media_request_put(req); > return ret; > } > -- Regards, Laurent Pinchart
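Review bot: in the second hunk (the added `media_request_get(req);` before `FD_PREPARE` and the `goto out;` on `fdf.err`), the failure path now relies on `media_request_put()` to free the request, but the hunk does not show where the request's initial reference is initialised. If the kref is already at 1 at this point, the get raises it to 2 and the error-path put only brings it back to 1, so a failed `anon_inode_getfile()` would leak the request, and the `mdev->ops->req_free` callback that the removed `err_free_req` label used to invoke would never run; if instead the kref is initialised only later in the function, `media_request_get()` here acts on an uninitialised refcount. Suggest either keeping the direct `req_free`/`kfree` on the `fdf.err` branch, or taking the extra reference only after `FD_PREPARE` has succeeded and just before `fd_prepare_file(fdf)->private_data = req;` (the point from which the request becomes reachable), and in either case adding a comment that ties this get to the put in the exit path.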
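Review bot: in the third hunk, the new `out:` label serves both the success and the failure paths, and on success the `media_request_put(req);` may drop the final reference if userspace has already closed the published fd, so nothing may touch `req` after that call; the code as written respects this (only `ret` is returned after the put), but a comment such as `/* req may be freed here; do not dereference it after this point */` would keep a future `dev_dbg` or similar from reintroducing the use-after-free the patch is fixing. The removed `err_free_req` block also distinguished `mdev->ops->req_free` from `kfree`; since this hunk removes the only explicit `req_free` call in the function, confirm that the release path reached via `media_request_put()` makes the same distinction, and mention that in the commit message.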