From: Gui-Dong Han
To: mchehab@kernel.org
Cc: hverkuil+cisco@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Gui-Dong Han, stable@vger.kernel.org
Subject: [PATCH] media: dvb_demux: fix potential TOCTOU race conditions
Date: Tue, 20 Jan 2026 18:41:28 +0800
Message-ID: <20260120104129.105079-1-hanguidong02@gmail.com>

The dvb_demux functions handle frontend connectivity without holding
dvbdemux->mutex during checks, leading to TOCTOU race conditions.

In dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set
demux->frontend to NULL after the check, causing a potential NULL pointer
dereference.

In dvbdmx_connect_frontend(), a concurrent connection could set the
frontend between the check and the lock. This allows the second caller to
overwrite the existing frontend, leading to resource leaks.

The dvb_demux module should use its own mutex to ensure thread safety for
these internal state checks.

Fix this by extending the lock scope. Move the frontend state checks
inside the dvbdemux->mutex critical section to ensure the state remains
stable during the operation.

This possible bug was found by our experimental static analysis tool,
which analyzes lock usage to detect TOCTOU issues.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han --- drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dv= b_demux.c index 290fc7961647..e9e833285f0f 100644 --- a/drivers/media/dvb-core/dvb_demux.c +++ b/drivers/media/dvb-core/dvb_demux.c @@ -1147,15 +1147,18 @@ static int dvbdmx_write(struct dmx_demux *demux, co= nst char __user *buf, size_t struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; void *p; =20 - if ((!demux->frontend) || (demux->frontend->source !=3D DMX_MEMORY_FE)) + if (mutex_lock_interruptible(&dvbdemux->mutex)) + return -ERESTARTSYS; + + if ((!demux->frontend) || (demux->frontend->source !=3D DMX_MEMORY_FE)) { + mutex_unlock(&dvbdemux->mutex); return -EINVAL; + } =20 p =3D memdup_user(buf, count); - if (IS_ERR(p)) + if (IS_ERR(p)) { + mutex_unlock(&dvbdemux->mutex); return PTR_ERR(p); - if (mutex_lock_interruptible(&dvbdemux->mutex)) { - kfree(p); - return -ERESTARTSYS; } dvb_dmx_swfilter(dvbdemux, p, count); kfree(p); @@ -1208,11 +1211,13 @@ static int dvbdmx_connect_frontend(struct dmx_demux= *demux, { struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; =20 - if (demux->frontend) - return -EINVAL; - mutex_lock(&dvbdemux->mutex); =20 + if (demux->frontend) { + mutex_unlock(&dvbdemux->mutex); + return -EINVAL; + } + demux->frontend =3D frontend; mutex_unlock(&dvbdemux->mutex); return 0; --=20 2.43.0
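Review bot: in the dvbdmx_write() hunk, memdup_user() is now called with dvbdemux->mutex held, so the allocation and the copy of a caller-chosen `count` bytes from user space sit inside the critical section and block every other holder of that mutex for as long as the copy takes. The race can be closed without widening the lock that far: keep the copy first, then take the lock and do the frontend check under it, e.g. `if (mutex_lock_interruptible(&dvbdemux->mutex)) { kfree(p); return -ERESTARTSYS; }` followed by `if (!demux->frontend || demux->frontend->source != DMX_MEMORY_FE) { mutex_unlock(&dvbdemux->mutex); kfree(p); return -EINVAL; }` ahead of dvb_dmx_swfilter(). Either way, the changelog should state that dvbdmx_disconnect_frontend() clears demux->frontend under the same mutex, because this hunk only closes the window it describes if that is true, and that function is not part of the diff.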
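Review bot: the dvbdmx_connect_frontend() hunk is right as a lock-scope fix, but the "resource leaks" consequence claimed in the changelog is not visible in it: what the old ordering allowed is two racing callers both returning 0 while only the later frontend pointer survives in demux->frontend, and whether anything leaks depends on what the callers own, not on this function. Suggest describing the effect as a silently overwritten connection. Minor: the blank line left between mutex_lock(&dvbdemux->mutex) and the new `if (demux->frontend)` check can be dropped so the lock and the check it protects read as one unit.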