From: Gui-Dong Han
To: Mauro Carvalho Chehab
Cc: Hans Verkuil, Darshan Rathod, Qianfeng Rong, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Gui-Dong Han, stable@vger.kernel.org
Subject: [PATCH RESEND v2] media: dvb_demux: fix potential TOCTOU race conditions
Date: Fri, 3 Apr 2026 10:36:30 +0800
Message-ID: <20260403023630.248450-1-hanguidong02@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The dvb_demux functions handle frontend connectivity without holding dvbdemux->mutex during checks, leading to TOCTOU race conditions.

In dvbdmx_write(), a concurrent dvbdmx_disconnect_frontend() can set demux->frontend to NULL after the check, causing a potential NULL pointer dereference.

In dvbdmx_connect_frontend(), a concurrent connection could set the frontend between the check and the lock. This allows the second caller to overwrite the existing frontend, leading to resource leaks.

The dvb_demux module should use its own mutex to ensure thread safety for these internal state checks.

Fix this by extending the lock scope. Move the frontend state checks inside the dvbdemux->mutex critical section to ensure the state remains stable during the operation.

This possible bug was found by our experimental static analysis tool, which analyzes lock usage to detect TOCTOU issues.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han
---
v2:
* Remove unnecessary parentheses to fix checkpatch --strict warning, as reported by Media CI robot.
---
 drivers/media/dvb-core/dvb_demux.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dv= b_demux.c
index 7c4d86bfdd6c..38ffbbfef1f5 100644
--- a/drivers/media/dvb-core/dvb_demux.c +++ b/drivers/media/dvb-core/dvb_demux.c @@ -1141,15 +1141,18 @@ static int dvbdmx_write(struct dmx_demux *demux, co= nst char __user *buf, size_t struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; void *p; =20 - if ((!demux->frontend) || (demux->frontend->source !=3D DMX_MEMORY_FE)) + if (mutex_lock_interruptible(&dvbdemux->mutex)) + return -ERESTARTSYS; + + if (!demux->frontend || demux->frontend->source !=3D DMX_MEMORY_FE) { + mutex_unlock(&dvbdemux->mutex); return -EINVAL; + } =20 p =3D memdup_user(buf, count); - if (IS_ERR(p)) + if (IS_ERR(p)) { + mutex_unlock(&dvbdemux->mutex); return PTR_ERR(p); - if (mutex_lock_interruptible(&dvbdemux->mutex)) { - kfree(p); - return -ERESTARTSYS; } dvb_dmx_swfilter(dvbdemux, p, count); kfree(p); @@ -1202,11 +1205,13 @@ static int dvbdmx_connect_frontend(struct dmx_demux= *demux, { struct dvb_demux *dvbdemux =3D (struct dvb_demux *)demux; =20 - if (demux->frontend) - return -EINVAL; - mutex_lock(&dvbdemux->mutex); =20 + if (demux->frontend) { + mutex_unlock(&dvbdemux->mutex); + return -EINVAL; + } + demux->frontend =3D frontend; mutex_unlock(&dvbdemux->mutex); return 0; --=20 2.43.0
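Review bot: in the dvbdmx_write() hunk the reordering now holds dvbdemux->mutex across memdup_user(), which copies from user space and can page-fault or block, while the race the commit message describes only requires the frontend check to sit under the mutex, not the copy. Consider keeping the original order: memdup_user() first, then `if (mutex_lock_interruptible(&dvbdemux->mutex)) { kfree(p); return -ERESTARTSYS; }`, then the `!demux->frontend || demux->frontend->source != DMX_MEMORY_FE` check inside the critical section with `kfree(p); mutex_unlock(&dvbdemux->mutex); return -EINVAL;` on failure. That closes the same window with a minimal locked region; if holding the mutex across the user copy is intentional, the commit message should say why.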
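Review bot: the dvbdmx_connect_frontend() hunk moves the `if (demux->frontend)` check under dvbdemux->mutex, but the patch does not touch dvbdmx_disconnect_frontend(), so it is not visible here whether the clearing of demux->frontend that the commit message relies on happens under the same mutex; the moved check is only a fix if every writer of demux->frontend holds dvbdemux->mutex, so please confirm that and state it in the commit message. A short comment on the check (or on the frontend field) saying it is protected by dvbdemux->mutex would keep the next reader from reintroducing an unlocked test. Minor: this path uses mutex_lock() while dvbdmx_write() uses mutex_lock_interruptible(); that is pre-existing, but worth a thought now that the lock scope is being changed.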
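As an added illustration that is not part of the patch or of the kernel tree: a user-space C model of the two interleavings the commit message describes (check-then-lock in connect, and check-then-use in write) next to the lock-then-check shape the patch adopts. The struct and function names (`demux_model`, `connect_racy_*`, `demo_*`) are hypothetical, a pthread mutex stands in for dvbdemux->mutex, and the losing interleavings are forced by calling the phases in order rather than by real threads, so the outcome is deterministic.

```c
/* Added user-space model of the two races in the commit message; not kernel
 * code and not part of the patch. The *_model names, fe_a/fe_b and the demo_*
 * functions are hypothetical, a pthread mutex stands in for dvbdemux->mutex,
 * and the losing interleavings are forced by hand rather than by real threads. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#define DMX_MEMORY_FE 1                /* stand-in for the kernel enum value */

struct frontend_model { int source; };
struct demux_model {
    struct frontend_model *frontend;   /* rule of the fix: protected by mutex */
    pthread_mutex_t mutex;
    int overwrites;                    /* times a live frontend was replaced */
};

static void disconnect_model(struct demux_model *d)
{
    pthread_mutex_lock(&d->mutex);
    d->frontend = NULL;
    pthread_mutex_unlock(&d->mutex);
}

/* Pre-patch connect split into its two phases: unlocked check, then commit. */
static int connect_racy_check(struct demux_model *d)
{
    return d->frontend ? -EINVAL : 0;
}
static void connect_racy_commit(struct demux_model *d, struct frontend_model *fe)
{
    pthread_mutex_lock(&d->mutex);
    if (d->frontend)
        d->overwrites++;               /* old frontend lost: the leak */
    d->frontend = fe;
    pthread_mutex_unlock(&d->mutex);
}

/* Patched connect: the check sits inside the same critical section. */
static int connect_fixed(struct demux_model *d, struct frontend_model *fe)
{
    pthread_mutex_lock(&d->mutex);
    if (d->frontend) {
        pthread_mutex_unlock(&d->mutex);
        return -EINVAL;
    }
    d->frontend = fe;
    pthread_mutex_unlock(&d->mutex);
    return 0;
}

/* Patched write path: check and use of the frontend under one lock hold. */
static int write_fixed(struct demux_model *d)
{
    pthread_mutex_lock(&d->mutex);
    if (!d->frontend || d->frontend->source != DMX_MEMORY_FE) {
        pthread_mutex_unlock(&d->mutex);
        return -EINVAL;
    }
    /* filtering would run here; the frontend cannot change underneath it */
    pthread_mutex_unlock(&d->mutex);
    return 0;
}

/* Two connect callers both pass the unlocked check, then both commit. */
static int demo_connect_race(void)
{
    struct demux_model d = { NULL, PTHREAD_MUTEX_INITIALIZER, 0 };
    struct frontend_model fe_a = { DMX_MEMORY_FE }, fe_b = { DMX_MEMORY_FE };
    int ca = connect_racy_check(&d);   /* caller A: frontend NULL, passes */
    int cb = connect_racy_check(&d);   /* caller B: still NULL, passes too */
    if (ca == 0) connect_racy_commit(&d, &fe_a);
    if (cb == 0) connect_racy_commit(&d, &fe_b);
    return d.overwrites;               /* 1: fe_a was silently replaced */
}

/* Pre-patch write: unlocked check, then a disconnect lands before the use. */
static int demo_write_race(void)
{
    struct demux_model d = { NULL, PTHREAD_MUTEX_INITIALIZER, 0 };
    struct frontend_model fe = { DMX_MEMORY_FE };
    int check_passed;
    d.frontend = &fe;
    check_passed = d.frontend && d.frontend->source == DMX_MEMORY_FE;
    disconnect_model(&d);              /* concurrent disconnect in the window */
    /* pre-patch code would now read d.frontend->source through NULL */
    return check_passed && d.frontend == NULL;   /* 1: the check went stale */
}

/* With both checks under the mutex, neither interleaving above is possible. */
static int demo_fixed_paths(void)
{
    struct demux_model d = { NULL, PTHREAD_MUTEX_INITIALIZER, 0 };
    struct frontend_model fe_a = { DMX_MEMORY_FE }, fe_b = { DMX_MEMORY_FE };
    int ok = connect_fixed(&d, &fe_a) == 0;
    ok = ok && connect_fixed(&d, &fe_b) == -EINVAL && d.frontend == &fe_a;
    ok = ok && write_fixed(&d) == 0;
    disconnect_model(&d);
    ok = ok && write_fixed(&d) == -EINVAL && d.overwrites == 0;
    return ok;                         /* 1: fe_b rejected, nothing overwritten */
}
```

The racy connect is deliberately split into `connect_racy_check()` and `connect_racy_commit()` so the window between check and lock can be exercised without relying on scheduler luck; in the fixed variants there is no such split, which is exactly the property the patch restores.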