From: Gui-Dong Han
To: mchehab@kernel.org
Cc: hverkuil+cisco@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Gui-Dong Han, stable@vger.kernel.org
Subject: [PATCH v2] media: dvb_demux: fix potential TOCTOU race conditions
Date: Tue, 20 Jan 2026 20:11:05 +0800
Message-ID: <20260120121105.8959-1-hanguidong02@gmail.com>
X-Mailer: git-send-email 2.43.0

The dvb_demux functions handle frontend connectivity without holding
dvbdemux->mutex during checks, leading to TOCTOU race conditions.

In dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set
demux->frontend to NULL after the check, causing a potential NULL pointer
dereference.

In dvbdmx_connect_frontend(), a concurrent connection could set the
frontend between the check and the lock. This allows the second caller to
overwrite the existing frontend, leading to resource leaks.

The dvb_demux module should use its own mutex to ensure thread safety for
these internal state checks.

Fix this by extending the lock scope. Move the frontend state checks inside
the dvbdemux->mutex critical section to ensure the state remains stable
during the operation.

This possible bug was found by our experimental static analysis tool,
which analyzes lock usage to detect TOCTOU issues.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han --- v2: * Remove unnecessary parentheses to fix checkpatch --strict warning, as reported by Media CI robot. --- drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dv= b_demux.c index 7c4d86bfdd6c..38ffbbfef1f5 100644 --- a/drivers/media/dvb-core/dvb_demux.c +++ b/drivers/media/dvb-core/dvb_demux.c @@ -1141,15 +1141,18 @@ static int dvbdmx_write(struct dmx_demux *demux, co= nst char __user *buf, size_t struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; void *p; =20 - if ((!demux->frontend) || (demux->frontend->source !=3D DMX_MEMORY_FE)) + if (mutex_lock_interruptible(&dvbdemux->mutex)) + return -ERESTARTSYS; + + if (!demux->frontend || demux->frontend->source !=3D DMX_MEMORY_FE) { + mutex_unlock(&dvbdemux->mutex); return -EINVAL; + } =20 p =3D memdup_user(buf, count); - if (IS_ERR(p)) + if (IS_ERR(p)) { + mutex_unlock(&dvbdemux->mutex); return PTR_ERR(p); - if (mutex_lock_interruptible(&dvbdemux->mutex)) { - kfree(p); - return -ERESTARTSYS; } dvb_dmx_swfilter(dvbdemux, p, count); kfree(p); @@ -1202,11 +1205,13 @@ static int dvbdmx_connect_frontend(struct dmx_demux= *demux, { struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; =20 - if (demux->frontend) - return -EINVAL; - mutex_lock(&dvbdemux->mutex); =20 + if (demux->frontend) { + mutex_unlock(&dvbdemux->mutex); + return -EINVAL; + } + demux->frontend =3D frontend; mutex_unlock(&dvbdemux->mutex); return 0; --=20 2.43.0
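Review bot: in the dvbdmx_write() hunk, taking dvbdemux->mutex before memdup_user() moves the copy from user memory, which can fault and sleep, inside the critical section, so a caller whose pages are slow to fault in now holds the demux mutex for the whole copy; the original order (copy first, lock second) kept that out of the critical section. The TOCTOU fix only needs the `!demux->frontend || demux->frontend->source != DMX_MEMORY_FE` check to run under the lock, so consider keeping `p = memdup_user(buf, count);` ahead of mutex_lock_interruptible() as before and adding `kfree(p);` on the new -EINVAL path; that gives the same stable check without lengthening the lock hold time.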
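Review bot: in the dvbdmx_connect_frontend() hunk the fix is only complete if every writer of demux->frontend takes the same dvbdemux->mutex; the commit message relies on dvbdmx_disconnect_frontend() clearing the pointer under that lock, but that function is not in the diff, so a sentence in the commit message saying it already holds dvbdemux->mutex (or a hunk adding the lock if it does not) would let reviewers confirm both sides are covered. Separately, this function keeps the uninterruptible mutex_lock() while the previous hunk uses mutex_lock_interruptible(); that difference predates the patch, but now that the lock also guards the check it is worth a note on why connect should not be interruptible.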
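The two races described in the commit message above, as an added example that is not part of the patch or of the kernel: a small C model that enumerates every interleaving of two callers against a mutex and a frontend pointer and counts the bad outcomes. The step orders are read off the hunks before and after the patch; the step names, the `simulate()` harness, the caller ids and the initial frontend id 7 are assumptions of this example, and the disconnect side is modelled as taking the mutex, which is what the patch assumes.

```c
/* Added example, not kernel or patch-author code: model demux->frontend and
 * dvbdemux->mutex and explore every interleaving of two callers. */
#include <errno.h>
#include <stdio.h>

enum step {
	ST_END, ST_LOCK, ST_UNLOCK,      /* return 0; mutex_lock(); mutex_unlock() */
	ST_REQUIRE_FREE, ST_REQUIRE_SET, /* connect's / write's frontend check */
	ST_SET, ST_CLEAR,                /* connect sets, disconnect clears the pointer */
	ST_DEREF                         /* the demux->frontend->source read in write */
};

struct caller { enum step prog[5]; int pc, id, result, done; };
struct state { int frontend, lock_owner; struct caller c[2]; }; /* 0 = NULL / free */
struct tally { int runs, both_succeed, null_deref; };

/* A caller returns; an error path that still holds the mutex releases it. */
static void finish(struct state *s, struct caller *c, int result)
{
	if (s->lock_owner == c->id)
		s->lock_owner = 0;
	c->result = result;
	c->done = 1;
}

static int can_run(const struct state *s, int i)
{
	const struct caller *c = &s->c[i];
	return !c->done && !(c->prog[c->pc] == ST_LOCK && s->lock_owner);
}

static void run_step(struct state *s, int i)
{
	struct caller *c = &s->c[i];
	switch (c->prog[c->pc++]) {
	case ST_LOCK:         s->lock_owner = c->id; break;
	case ST_UNLOCK:       s->lock_owner = 0; break;
	case ST_REQUIRE_FREE: if (s->frontend) finish(s, c, -EINVAL); break;
	case ST_REQUIRE_SET:  if (!s->frontend) finish(s, c, -EINVAL); break;
	case ST_SET:          s->frontend = c->id; break;
	case ST_CLEAR:        s->frontend = 0; break;
	case ST_DEREF:        if (!s->frontend) finish(s, c, -EFAULT); break; /* NULL deref */
	case ST_END:          break;
	}
	if (!c->done && c->prog[c->pc] == ST_END)
		finish(s, c, 0); /* ran off the end of the program: success */
}

/* Depth-first over every schedule; state is passed by value so branches stay independent. */
static void explore(struct state s, struct tally *t)
{
	int i, ran = 0;
	for (i = 0; i < 2; i++) {
		struct state next = s;
		if (!can_run(&next, i))
			continue;
		ran = 1;
		run_step(&next, i);
		explore(next, t);
	}
	if (ran)
		return;
	t->runs++;
	t->both_succeed += s.c[0].result == 0 && s.c[1].result == 0;
	t->null_deref += s.c[0].result == -EFAULT || s.c[1].result == -EFAULT;
}

static struct tally simulate(const enum step *p0, const enum step *p1, int frontend)
{
	struct state s = { frontend, 0 };
	struct tally t = { 0, 0, 0 };
	int i, n;
	for (i = 0; i < 2; i++) {
		const enum step *p = i ? p1 : p0;
		s.c[i].id = i + 1; /* assumed id; doubles as the frontend this caller connects */
		for (n = 0; n < 5 && (s.c[i].prog[n] = p[n]) != ST_END; n++)
			;
	}
	explore(s, &t);
	return t;
}

/* Step orders taken from the two hunks before and after the patch, and the peers they race. */
static const enum step connect_racy[]  = { ST_REQUIRE_FREE, ST_LOCK, ST_SET, ST_UNLOCK, ST_END };
static const enum step connect_fixed[] = { ST_LOCK, ST_REQUIRE_FREE, ST_SET, ST_UNLOCK, ST_END };
static const enum step write_racy[]    = { ST_REQUIRE_SET, ST_DEREF, ST_LOCK, ST_UNLOCK, ST_END };
static const enum step write_fixed[]   = { ST_LOCK, ST_REQUIRE_SET, ST_DEREF, ST_UNLOCK, ST_END };
static const enum step disconnect[]    = { ST_LOCK, ST_CLEAR, ST_UNLOCK, ST_END };

int main(void)
{
	printf("two connects, both succeed: racy=%d fixed=%d\n",
	       simulate(connect_racy, connect_racy, 0).both_succeed,
	       simulate(connect_fixed, connect_fixed, 0).both_succeed);
	printf("write vs disconnect, NULL deref: racy=%d fixed=%d\n",
	       simulate(write_racy, disconnect, 7).null_deref,
	       simulate(write_fixed, disconnect, 7).null_deref);
	return 0;
}
```

The racy orders report at least one schedule in which both connects return 0 (the second silently overwrites the first) and at least one in which write reads through a pointer that disconnect has just cleared; the patched orders report none, and for them the enumerator finds exactly two schedules, one per caller that wins the mutex first. This is the property the commit message attributes to the lock-usage analysis, checked by brute force over the model rather than by inspection.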