Linux Sound subsystem development
* [PATCH] fix: sound/usb: snd_media_device_create: incorrect media_device_delete on borrowed reference
@ 2026-06-27  4:09 WenTao Liang
  2026-06-29 10:15 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: WenTao Liang @ 2026-06-27  4:09 UTC
  To: perex, tiwai; +Cc: kees, vulab, linux-sound, linux-kernel, stable

In snd_media_device_create(), when chip->media_dev is already set, mdev
borrows the reference without incrementing the refcount. On error paths
through create_fail, media_device_delete() is called which releases the
borrowed reference, corrupting the reference count. Additionally,
chip->media_dev is set to NULL, losing the original reference.

Introduce an 'allocated' flag to distinguish between borrowed and
self-allocated references, and only call media_device_delete() when the
reference was actually acquired by this function invocation.

Cc: stable@vger.kernel.org
Fixes: 66354f18fe5f ("media: sound/usb: Use Media Controller API to share media resources")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
 sound/usb/media.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sound/usb/media.c b/sound/usb/media.c
index b7497d18ee3f..290bd24bf301 100644
--- a/sound/usb/media.c
+++ b/sound/usb/media.c
@@ -255,6 +255,7 @@ int snd_media_device_create(struct snd_usb_audio *chip,
 	struct media_device *mdev;
 	struct usb_device *usbdev = interface_to_usbdev(iface);
 	int ret = 0;
+	bool allocated = false;
 
 	/* usb-audio driver is probed for each usb interface, and
 	 * there are multiple interfaces per device. Avoid calling
@@ -272,6 +273,7 @@ int snd_media_device_create(struct snd_usb_audio *chip,
 
 	/* save media device - avoid lookups */
 	chip->media_dev = mdev;
+	allocated = true;
 
 snd_mixer_init:
 	/* Create media entities for mixer and control dev */
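Review bot: `allocated = true;` sits directly above the `snd_mixer_init:` label, so what the flag records is "this call stored chip->media_dev", and any path that enters at the label leaves it false; neither the name nor a comment says so. A one-line comment at the assignment, or a name that states ownership of mdev, would let the later `if (allocated)` in create_fail be read without tracing how the label is reached.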
@@ -292,9 +294,11 @@ int snd_media_device_create(struct snd_usb_audio *chip,
 create_fail:
 		if (ret) {
 			snd_media_mixer_delete(chip);
-			media_device_delete(mdev, KBUILD_MODNAME, THIS_MODULE);
-			/* clear saved media_dev */
-			chip->media_dev = NULL;
+			if (allocated) {
+				media_device_delete(mdev, KBUILD_MODNAME, THIS_MODULE);
+				/* clear saved media_dev */
+				chip->media_dev = NULL;
+			}
 			dev_err(&usbdev->dev,
 				"Couldn't register media device. Error: %d\n",
 				ret);
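Review bot: In create_fail, `snd_media_mixer_delete(chip);` stays outside the new `if (allocated)` guard, so when ret is non-zero and allocated is false the mixer entities are still deleted while chip->media_dev is kept. The commit message only discusses media_device_delete(); please state whether the mixer teardown is intended on that path, or move it under the guard as well. The re-indented media_device_delete() line also runs past 80 columns and could be wrapped.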
-- 
2.39.5 (Apple Git-154)



* Re: [PATCH] fix: sound/usb: snd_media_device_create: incorrect media_device_delete on borrowed reference
  2026-06-27  4:09 [PATCH] fix: sound/usb: snd_media_device_create: incorrect media_device_delete on borrowed reference WenTao Liang
@ 2026-06-29 10:15 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2026-06-29 10:15 UTC
  To: WenTao Liang; +Cc: perex, tiwai, kees, linux-sound, linux-kernel, stable

On Sat, 27 Jun 2026 06:09:07 +0200,
WenTao Liang wrote:
> 
> In snd_media_device_create(), when chip->media_dev is already set, mdev
> borrows the reference without incrementing the refcount. On error paths
> through create_fail, media_device_delete() is called which releases the
> borrowed reference, corrupting the reference count. Additionally,
> chip->media_dev is set to NULL, losing the original reference.
> 
> Introduce an 'allocated' flag to distinguish between borrowed and
> self-allocated references, and only call media_device_delete() when the
> reference was actually acquired by this function invocation.

Does this really happen?  The code in question is after the check by
media_devnode_is_registered(), and if chip->media_dev has been already
set, it means that it should have been already registered, hence this
code path won't hit.


thanks,

Takashi


> 
> Cc: stable@vger.kernel.org
> Fixes: 66354f18fe5f ("media: sound/usb: Use Media Controller API to share media resources")
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
> ---
>  sound/usb/media.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/sound/usb/media.c b/sound/usb/media.c
> index b7497d18ee3f..290bd24bf301 100644
> --- a/sound/usb/media.c
> +++ b/sound/usb/media.c
> @@ -255,6 +255,7 @@ int snd_media_device_create(struct snd_usb_audio *chip,
>  	struct media_device *mdev;
>  	struct usb_device *usbdev = interface_to_usbdev(iface);
>  	int ret = 0;
> +	bool allocated = false;
>  
>  	/* usb-audio driver is probed for each usb interface, and
>  	 * there are multiple interfaces per device. Avoid calling
> @@ -272,6 +273,7 @@ int snd_media_device_create(struct snd_usb_audio *chip,
>  
>  	/* save media device - avoid lookups */
>  	chip->media_dev = mdev;
> +	allocated = true;
>  
>  snd_mixer_init:
>  	/* Create media entities for mixer and control dev */
> @@ -292,9 +294,11 @@ int snd_media_device_create(struct snd_usb_audio *chip,
>  create_fail:
>  		if (ret) {
>  			snd_media_mixer_delete(chip);
> -			media_device_delete(mdev, KBUILD_MODNAME, THIS_MODULE);
> -			/* clear saved media_dev */
> -			chip->media_dev = NULL;
> +			if (allocated) {
> +				media_device_delete(mdev, KBUILD_MODNAME, THIS_MODULE);
> +				/* clear saved media_dev */
> +				chip->media_dev = NULL;
> +			}
>  			dev_err(&usbdev->dev,
>  				"Couldn't register media device. Error: %d\n",
>  				ret);
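Review bot: The dev_err() after the new block is unchanged and still prints "Couldn't register media device. Error: %d" when allocated is false, a case in which this hunk deletes nothing and leaves chip->media_dev in place. If that path is meant to be reachable, the message should describe what actually failed there; if it is not reachable, the changelog should say which caller and return value lead to create_fail with the flag unset.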
> -- 
> 2.39.5 (Apple Git-154)
> 
