1. Patchew
  2. linux
  3. View series

[PATCH] media: dvb_demux: fix potential TOCTOU race conditions

Gui-Dong Han posted 1 patch 2 weeks, 3 days ago
There is a newer version of this series
drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
[PATCH] media: dvb_demux: fix potential TOCTOU race conditions
Posted by Gui-Dong Han 2 weeks, 3 days ago 
The dvb_demux functions handle frontend connectivity without holding
dvbdemux->mutex during checks, leading to TOCTOU race conditions. In
dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set
demux->frontend to NULL after the check, causing a potential NULL pointer
dereference. In dvbdmx_connect_frontend(), a concurrent connection could
set the frontend between the check and the lock. This allows the second
caller to overwrite the existing frontend, leading to resource leaks.
The dvb_demux module should use its own mutex to ensure thread safety
for these internal state checks.

Fix this by extending the lock scope. Move the frontend state checks
inside the dvbdemux->mutex critical section to ensure the state remains
stable during the operation.

This possible bug was found by our experimental static analysis tool,
which analyzes lock usage to detect TOCTOU issues.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
---
 drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..e9e833285f0f 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1147,15 +1147,18 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
 	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
 	void *p;
 
-	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
+	if (mutex_lock_interruptible(&dvbdemux->mutex))
+		return -ERESTARTSYS;
+
+	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
+		mutex_unlock(&dvbdemux->mutex);
 		return -EINVAL;
+	}
 
 	p = memdup_user(buf, count);
-	if (IS_ERR(p))
+	if (IS_ERR(p)) {
+		mutex_unlock(&dvbdemux->mutex);
 		return PTR_ERR(p);
-	if (mutex_lock_interruptible(&dvbdemux->mutex)) {
-		kfree(p);
-		return -ERESTARTSYS;
 	}
 	dvb_dmx_swfilter(dvbdemux, p, count);
 	kfree(p);
@@ -1208,11 +1211,13 @@ static int dvbdmx_connect_frontend(struct dmx_demux *demux,
 {
 	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
 
-	if (demux->frontend)
-		return -EINVAL;
-
 	mutex_lock(&dvbdemux->mutex);
 
+	if (demux->frontend) {
+		mutex_unlock(&dvbdemux->mutex);
+		return -EINVAL;
+	}
+
 	demux->frontend = frontend;
 	mutex_unlock(&dvbdemux->mutex);
 	return 0;
-- 
2.43.0
Re: [PATCH] media: dvb_demux: fix potential TOCTOU race conditions
Posted by Gui-Dong Han 2 weeks, 3 days ago 
On Tue, Jan 20, 2026 at 6:41 PM Gui-Dong Han <hanguidong02@gmail.com> wrote:
>
> The dvb_demux functions handle frontend connectivity without holding
> dvbdemux->mutex during checks, leading to TOCTOU race conditions. In
> dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set
> demux->frontend to NULL after the check, causing a potential NULL pointer
> dereference. In dvbdmx_connect_frontend(), a concurrent connection could
> set the frontend between the check and the lock. This allows the second
> caller to overwrite the existing frontend, leading to resource leaks.
> The dvb_demux module should use its own mutex to ensure thread safety
> for these internal state checks.
>
> Fix this by extending the lock scope. Move the frontend state checks
> inside the dvbdemux->mutex critical section to ensure the state remains
> stable during the operation.
>
> This possible bug was found by our experimental static analysis tool,
> which analyzes lock usage to detect TOCTOU issues.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
> ---
>  drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
> index 290fc7961647..e9e833285f0f 100644
> --- a/drivers/media/dvb-core/dvb_demux.c
> +++ b/drivers/media/dvb-core/dvb_demux.c
> @@ -1147,15 +1147,18 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
>         struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
>         void *p;
>
> -       if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
> +       if (mutex_lock_interruptible(&dvbdemux->mutex))
> +               return -ERESTARTSYS;
> +
> +       if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {

I have fixed the redundant parentheses issue reported by the Media CI
robot. I missed this earlier because I ran checkpatch without the
--strict option locally.

v2 has been sent.

Thanks.

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.