[lvc-project] [PATCH] media: media-request: fix race between media_request_alloc() and media_request_close()
Laurent Pinchart
laurent.pinchart at ideasonboard.com
Fri Jan 2 15:51:03 MSK 2026
Hi Dmitry,
Thank you for the patch.
On Fri, Jan 02, 2026 at 03:14:10PM +0300, Dmitry Antipov wrote:
> Syzbot has hit (seems twice at least) the following race condition between
> 'media_request_alloc()' and 'media_request_close()':
>
> Thread 0:                                    Thread 1:
> ...
> media_request_alloc(...)
> ...
> req = kzalloc(...)
> ...
> fd_prepare_file(fdf)->private_data = req; [1] ...
> ...                                          media_request_close(...)
> snprintf(req->debug_str, ...)                media_request_put(req)
> ...
>
> After [1], an instance of 'struct media_request' is available for
> 'media_request_close()' via the filesystem interface, so 'snprintf()'
> in thread 0 may be issued for a free-in-progress request. Fix this
> by managing an extra reference for that request in 'media_request_alloc()'
> by using 'media_request_get()' and 'media_request_put()' in the former.
This has already been fixed by
https://lore.kernel.org/all/20251209210903.603958-1-minipli@grsecurity.net/
>
> Reported-by: syzbot+2bf29e42be0666f2df70 at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70
> Reported-by: syzbot+37fd81fa4305a9eadfb0 at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=37fd81fa4305a9eadfb0
> Fixes: 10905d70d788 ("media: media-request: implement media requests")
> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> ---
> drivers/media/mc/mc-request.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c
> index 2ac9ac0a740b..969051c1f07c 100644
> --- a/drivers/media/mc/mc-request.c
> +++ b/drivers/media/mc/mc-request.c
> @@ -282,7 +282,7 @@ EXPORT_SYMBOL_GPL(media_request_get_by_fd);
> int media_request_alloc(struct media_device *mdev, int *alloc_fd)
> {
> struct media_request *req;
> - int ret;
> + int ret = 0;
>
> /* Either both are NULL or both are non-NULL */
> if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free))
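Review bot: `int ret = 0;` is only needed because the success path now falls through to `out:`, and it makes the return value harder to follow than the explicit `return 0;` this patch removes further down; consider leaving `ret` uninitialised and writing `ret = 0;` immediately before the fall-through into `out:`, so the compiler still flags any path that reaches the label without assigning `ret`.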
> @@ -305,12 +305,13 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
> req->updating_count = 0;
> req->access_count = 0;
>
> + media_request_get(req);
> FD_PREPARE(fdf, O_CLOEXEC,
> anon_inode_getfile("request", &request_fops, NULL,
> O_CLOEXEC));
> if (fdf.err) {
> ret = fdf.err;
> - goto err_free_req;
> + goto out;
> }
>
> fd_prepare_file(fdf)->private_data = req;
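Review bot: the `fdf.err` path leaks the request. Assuming the kref is initialised to one earlier in the function (the reference the old code treated as the file's, and freed directly via `err_free_req`), `media_request_get(req)` raises it to two, and the single `media_request_put(req)` reached through `goto out` only lowers it to one; since no file exists on this path, nothing will ever drop the remaining reference, whereas the removed `err_free_req` branch released the request outright. Either take the extra reference only after `FD_PREPARE()` has succeeded (the window only opens once `private_data` is set, two lines later in this hunk), or add a second put on the error path. As Laurent notes above, the race was already fixed by the change linked at lore.kernel.org, so the patch should be rebased on or compared against that one before any resend.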
> @@ -321,14 +322,8 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
> atomic_inc_return(&mdev->request_id), *alloc_fd);
> dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str);
>
> - return 0;
> -
> -err_free_req:
> - if (mdev->ops->req_free)
> - mdev->ops->req_free(req);
> - else
> - kfree(req);
> -
> +out:
> + media_request_put(req);
> return ret;
> }
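Review bot: `out:` now serves both the success and the error path, and the `media_request_put(req)` there is the counterpart of the `media_request_get(req)` added before `FD_PREPARE()` in the previous hunk, which a reader of this hunk alone cannot see; a short comment above the put (for example `/* Drop the reference held while initialising req; the file keeps its own. */`) or a label name such as `put_req:` would make clear why the success path also performs a put. The fall-through also silently relies on `ret` having been set to 0 at the top of the function.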
>
--
Regards,
Laurent Pinchart
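The reference-counting pattern the patch relies on (take an extra reference before the object becomes reachable through the file, drop it once the function is done with the object) can be replayed deterministically in userspace. The model below is an added example written for this page; it is not kernel code and not part of the patch. `published` stands in for the file's `private_data`, `request_close()` for `media_request_close()`, a plain `int` for the kref, and the `close_early` flag replays the interleaving from the commit message in a single thread. The `publish_fail` path also drops the reference the file would have owned, which the patch as posted does not do. The request id and fd value used in the debug string are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the patch's refcount pattern; not kernel code. */
struct request {
	int refs;		/* stands in for struct kref */
	char debug_str[32];
};

static struct request *published;	/* what a concurrent close() would find */
static int frees;			/* how many times the release callback ran */
static unsigned int request_id;		/* models atomic_inc_return(&mdev->request_id) */

static void request_release(struct request *req)
{
	frees++;
	free(req);
}

static void request_get(struct request *req)
{
	req->refs++;
}

static void request_put(struct request *req)
{
	if (--req->refs == 0)
		request_release(req);
}

/* Models media_request_close(): drop the reference owned by the file. */
static void request_close(void)
{
	struct request *req = published;

	published = NULL;
	if (req)
		request_put(req);
}

/*
 * Models media_request_alloc() after the patch. publish_fail replays the
 * fdf.err path; close_early replays thread 1 closing the fd as soon as the
 * request is reachable through private_data.
 */
static int request_alloc(int publish_fail, int close_early, char *out, size_t outlen)
{
	struct request *req = calloc(1, sizeof(*req));
	int ret = 0;

	if (!req)
		return -1;
	req->refs = 1;		/* kref_init(): the reference the file will own */
	request_get(req);	/* extra reference held until out: */

	if (publish_fail) {
		request_put(req);	/* no file will ever drop this one */
		ret = -1;
		goto out;
	}
	published = req;	/* fd_prepare_file(fdf)->private_data = req; */

	if (close_early)
		request_close();	/* thread 1 wins: refs 2 -> 1, req still valid */

	/* Safe even after an early close: the extra reference keeps req alive. */
	snprintf(req->debug_str, sizeof(req->debug_str), "%u:%d", ++request_id, 3);
	snprintf(out, outlen, "%s", req->debug_str);
out:
	request_put(req);	/* frees req here if the fd was already closed */
	return ret;
}

struct outcome {
	int ret;
	int frees_at_return;	/* releases when request_alloc() returned */
	int frees_after_close;	/* releases after userspace eventually closes the fd */
	char debug[32];
};

struct outcome run_scenario(int publish_fail, int close_early)
{
	struct outcome o;

	memset(&o, 0, sizeof(o));
	published = NULL;
	frees = 0;
	request_id = 0;
	o.ret = request_alloc(publish_fail, close_early, o.debug, sizeof(o.debug));
	o.frees_at_return = frees;
	request_close();	/* later close by userspace; no-op if already closed */
	o.frees_after_close = frees;
	return o;
}

int scenario_debug_matches(int publish_fail, int close_early, const char *expected)
{
	struct outcome o = run_scenario(publish_fail, close_early);

	return strcmp(o.debug, expected) == 0;
}

int main(void)
{
	struct outcome o = run_scenario(0, 1);

	printf("early close: ret=%d debug=%s frees=%d/%d\n",
	       o.ret, o.debug, o.frees_at_return, o.frees_after_close);
	return 0;
}
```

In every scenario the request is released exactly once: on the normal path by the eventual close, on the early-close path by the put at `out:`, and on the failed-publish path by the two puts inside `request_alloc()`. Removing the second put on the failure path reproduces the leak that a single put at `out:` leaves behind.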