From: Yuchan Nam
To: sakari.ailus@linux.intel.com
Cc: laurent.pinchart@ideasonboard.com, w@1wt.eu, security@kernel.org, hans@jjverkuil.nl, linux-media@vger.kernel.org, Yuchan Nam, stable@vger.kernel.org
Subject: [PATCH v4] media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
Date: Fri, 6 Mar 2026 21:52:23 +0900
Message-ID: <20260306125223.76040-1-entropy1110@gmail.com>
In-Reply-To:
References:
X-Mailing-List: stable@vger.kernel.org

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue
teardown paths. This can race request object cleanup against vb2 queue
cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take the
same mutex in media_request_ioctl_reinit() so REINIT is in the same
exclusion domain. This keeps request cleanup and queue cancellation from
running in parallel for request-capable devices.

Fixes: 6093d3002eab ("media: vb2: keep a reference to the request until dqbuf")
Cc: stable@vger.kernel.org
Signed-off-by: Yuchan Nam --- Changes since v3: - Revert guard(mutex) usage in media_request_ioctl_reinit() - Restore explicit mutex_unlock() calls in media_request_ioctl_reinit() drivers/media/mc/mc-request.c | 5 +++++ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c index 8ad10c72f9db..4f632a9c292b 100644 --- a/drivers/media/mc/mc-request.c +++ b/drivers/media/mc/mc-request.c @@ -192,6 +192,8 @@ static long media_request_ioctl_reinit(struct media_request *req) struct media_device *mdev = req->mdev; unsigned long flags; + mutex_lock(&mdev->req_queue_mutex); + spin_lock_irqsave(&req->lock, flags); if (req->state != MEDIA_REQUEST_STATE_IDLE && req->state != MEDIA_REQUEST_STATE_COMPLETE) { @@ -199,6 +201,7 @@ static long media_request_ioctl_reinit(struct media_request *req) "request: %s not in idle or complete state, cannot reinit\n", req->debug_str); spin_unlock_irqrestore(&req->lock, flags); + mutex_unlock(&mdev->req_queue_mutex); return -EBUSY; } if (req->access_count) { @@ -206,6 +209,7 @@ static long media_request_ioctl_reinit(struct media_request *req) "request: %s is being accessed, cannot reinit\n", req->debug_str); spin_unlock_irqrestore(&req->lock, flags); + mutex_unlock(&mdev->req_queue_mutex); return -EBUSY; } req->state = MEDIA_REQUEST_STATE_CLEANING; @@ -216,6 +220,7 @@ static long media_request_ioctl_reinit(struct media_request *req) spin_lock_irqsave(&req->lock, flags); req->state = MEDIA_REQUEST_STATE_IDLE; spin_unlock_irqrestore(&req->lock, flags); + mutex_unlock(&mdev->req_queue_mutex); return 0; } diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 37d33d4a363d..a2b650f4ec3c 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c 
@@ -3082,13 +3082,14 @@ static long __video_do_ioctl(struct file *file, } /* - * We need to serialize streamon/off with queueing new requests. + * We need to serialize streamon/off/reqbufs with queueing new requests. * These ioctls may trigger the cancellation of a streaming * operation, and that should not be mixed with queueing a new * request at the same time. */ if (v4l2_device_supports_requests(vfd->v4l2_dev) && - (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF)) { + (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF || + cmd == VIDIOC_REQBUFS)) { req_queue_lock = &vfd->v4l2_dev->mdev->req_queue_mutex; if (mutex_lock_interruptible(req_queue_lock)) -- 2.52.0
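Review bot: in the mc-request.c hunk at @@ -192,6 +192,8 @@ the new `mutex_lock(&mdev->req_queue_mutex);` is uninterruptible, whereas the v4l2-ioctl.c hunk below acquires the same mutex with `mutex_lock_interruptible(req_queue_lock)`. A REINIT issued while another thread is inside STREAMOFF or REQBUFS will now sleep uninterruptibly until that ioctl returns; `if (mutex_lock_interruptible(&mdev->req_queue_mutex)) return -ERESTARTSYS;` would match the existing convention for this lock and keep a stuck REINIT killable. Taking the mutex before the irqsave spinlock on req->lock is the correct order, so that part is fine.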
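Review bot: the hunk at @@ -199,6 +201,7 @@ adds `mutex_unlock(&mdev->req_queue_mutex);` directly after `spin_unlock_irqrestore(&req->lock, flags);` on the not-idle/complete -EBUSY path, and the hunks at @@ -206,6 +209,7 @@ and @@ -216,6 +220,7 @@ repeat the same two-line unlock sequence on the access_count path and the success path, so the function now has three copies of it. Since the changelog says the v3 guard(mutex) was reverted in favour of explicit unlocks, a single exit label (`ret = -EBUSY; goto out_unlock;` from the two error paths, with one `mutex_unlock()` under the label) would keep the lock balance in one place and make it harder for a future early return to miss the unlock.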
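Review bot: in the hunk at @@ -216,6 +220,7 @@ the mutex is released only after `req->state = MEDIA_REQUEST_STATE_IDLE;`, so req_queue_mutex is now held across the whole cleanup that runs between the CLEANING and IDLE transitions, which is what actually closes the window described in the commit message. That widened role of the lock (REINIT and REQBUFS, not only STREAMON/STREAMOFF versus request queueing) is not reflected anywhere in the patch; wherever req_queue_mutex is documented (the struct media_device kernel-doc) should be updated in the same change so the locking rule is discoverable from the field itself.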
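Review bot: in the v4l2-ioctl.c hunk at @@ -3082,13 +3082,14 @@ the new `cmd == VIDIOC_REQBUFS` condition takes req_queue_mutex for every REQBUFS call, while the commit message describes the race only for VIDIOC_REQBUFS(0). Covering every count is the safer choice, since a REQBUFS with a non-zero count on a queue that already has buffers frees the old ones through the same teardown, but the commit message and the updated comment ("serialize streamon/off/reqbufs with queueing new requests") should state that explicitly so a later reader does not narrow it back to count == 0. It is also worth noting in the commit message that, on request-capable devices, REQBUFS now contends for req_queue_mutex even from callers that never use requests.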