[lvc-project] [PATCH] media: media-request: fix race between media_request_alloc() and media_request_close()

Fedor Pchelkin pchelkin at ispras.ru
Thu Jan 8 13:17:48 MSK 2026 

On Fri, 02. Jan 14:51, Laurent Pinchart wrote:
> Hi Dmitry,
> 
> Thank you for the patch.
> 
> On Fri, Jan 02, 2026 at 03:14:10PM +0300, Dmitry Antipov wrote:
> > Syzbot has hit (seems twice at least) the following race condition between
> > 'media_request_alloc()' and 'media_request_close()':
> > 
> > Thread 0:                                       Thread 1:
> > ...
> > media_request_alloc(...)
> > ...
> >   req = kzalloc(...)
> >   ...
> >   fd_prepare_file(fdf)->private_data = req; [1] ...
> >   ...                                           media_request_close(...)
> >   snprintf(req->debug_str, ...)                   media_request_put(req)
> >   ...
> > 
> > After [1], an instance of 'struct media_request' is available for
> > 'media_request_close()' via the filesystem interface, so 'snprintf()'
> > in thread 0 may be issued for a free-in-progress request. Fix this
> > by managing an extra reference for that request in 'media_request_alloc()'
> > by using 'media_request_get()' and 'media_request_put()' in the former.
> 
> This has already been fixed by
> https://lore.kernel.org/all/20251209210903.603958-1-minipli@grsecurity.net/
> > 
> > Reported-by: syzbot+2bf29e42be0666f2df70 at syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70
> > Reported-by: syzbot+37fd81fa4305a9eadfb0 at syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=37fd81fa4305a9eadfb0
> > Fixes: 10905d70d788 ("media: media-request: implement media requests")
> > Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>

Добрый день!  Fixes из текущего коммита указывает на достаточно давний
коммит, из которого следует, что ветки 5.10/6.1/6.12 подвержены ошибке.

В https://lore.kernel.org/all/20251209210903.603958-1-minipli@grsecurity.net/
виновным указан коммит из последнего merge-window, которого нет в stable.

Присутствует ли ошибка в поддерживаемых стабильных ветках и требуется ли
там исправление?

More information about the lvc-project mailing list