git-server-git.apps.pok.os.sepia.ceph.com Git

author	Yuchan Nam <entropy1110@gmail.com>
	Fri, 6 Mar 2026 12:52:23 +0000 (21:52 +0900)
committer	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
	Wed, 18 Mar 2026 10:21:31 +0000 (11:21 +0100)
commit	bef4f4a88b73e4cc550d25f665b8a9952af22773
tree	234d6b14978d933251f2404d6d17ba564948a012	tree \| snapshot
parent	ac62a20035ecc18e6d365c6c792f5965ce1da77c	commit \| diff

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.

This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.

Fixes: 6093d3002eab ("media: vb2: keep a reference to the request until dqbuf")
Cc: stable@vger.kernel.org
Signed-off-by: Yuchan Nam <entropy1110@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

drivers/media/mc/mc-request.c		diff \| blob \| history
drivers/media/v4l2-core/v4l2-ioctl.c		diff \| blob \| history