[lvc-project] [PATCH] media: media-request: fix race between media_request_alloc() and media_request_close()

Dmitry Antipov dmantipov at yandex.ru
Fri Jan 2 15:14:10 MSK 2026 

Syzbot has hit (seems twice at least) the following race condition between
'media_request_alloc()' and 'media_request_close()':

Thread 0:                                       Thread 1:
...
media_request_alloc(...)
...
  req = kzalloc(...)
  ...
  fd_prepare_file(fdf)->private_data = req; [1] ...
  ...                                           media_request_close(...)
  snprintf(req->debug_str, ...)                   media_request_put(req)
  ...

After [1], an instance of 'struct media_request' is available for
'media_request_close()' via the filesystem interface, so 'snprintf()'
in thread 0 may be issued for a free-in-progress request. Fix this
by managing an extra reference for that request in 'media_request_alloc()'
by using 'media_request_get()' and 'media_request_put()' in the former.

Reported-by: syzbot+2bf29e42be0666f2df70 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70
Reported-by: syzbot+37fd81fa4305a9eadfb0 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=37fd81fa4305a9eadfb0
Fixes: 10905d70d788 ("media: media-request: implement media requests")
Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
 drivers/media/mc/mc-request.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c
index 2ac9ac0a740b..969051c1f07c 100644
--- a/drivers/media/mc/mc-request.c
+++ b/drivers/media/mc/mc-request.c
@@ -282,7 +282,7 @@ EXPORT_SYMBOL_GPL(media_request_get_by_fd);
 int media_request_alloc(struct media_device *mdev, int *alloc_fd)
 {
 	struct media_request *req;
-	int ret;
+	int ret = 0;
 
 	/* Either both are NULL or both are non-NULL */
 	if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free))
@@ -305,12 +305,13 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
 	req->updating_count = 0;
 	req->access_count = 0;
 
+	media_request_get(req);
 	FD_PREPARE(fdf, O_CLOEXEC,
 		   anon_inode_getfile("request", &request_fops, NULL,
 				      O_CLOEXEC));
 	if (fdf.err) {
 		ret = fdf.err;
-		goto err_free_req;
+		goto out;
 	}
 
 	fd_prepare_file(fdf)->private_data = req;
@@ -321,14 +322,8 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
 		 atomic_inc_return(&mdev->request_id), *alloc_fd);
 	dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str);
 
-	return 0;
-
-err_free_req:
-	if (mdev->ops->req_free)
-		mdev->ops->req_free(req);
-	else
-		kfree(req);
-
+out:
+	media_request_put(req);
 	return ret;
 }
 
-- 
2.52.0

More information about the lvc-project mailing list