[PATCH] media: dvb-core: Fix a possible null-pointer dereference due to data race in dvbdmx_write()

[PATCH] media: dvb-core: Fix a possible null-pointer dereference due to data race in dvbdmx_write()

[Tuo Li]

The struct field dmx_demux.frontend is often protected by the lock 
dvb_demux.mutex when is accessed. Here is an example in 
dvbdmx_connect_frontend():

  mutex_lock(&dvbdemux->mutex);

  demux->frontend = frontend;
  mutex_unlock(&dvbdemux->mutex);

However, the variable demux->frontend is accessed without holding the lock
dvbdemux->mutex in dvbdmx_write():

  if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))

In my opinion, this may be a harmful race, because if demux->fontend is set
to NULL right after the first condition is checked, a null-pointer 
dereference can occur when accessing the field demux->frontend->source.

To fix this possible null-pointer dereference caused by data race, a lock
and unlock pair is added when accessing the variable demux->frontend.

Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
 drivers/media/dvb-core/dvb_demux.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 7c4d86bfdd6c..d26738e3310a 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1140,9 +1140,13 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
 {
 	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
 	void *p;
-
-	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
+	
+	mutex_lock(&dvbdemux->mutex);
+	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
+		mutex_unlock(&dvbdemux->mutex);
 		return -EINVAL;
+	}
+	mutex_unlock(&dvbdemux->mutex);
 
 	p = memdup_user(buf, count);
 	if (IS_ERR(p))
-- 
2.34.1

[PATCH] media: dvb-core: Fix a possible null-pointer dereference due to data race in dvbdmx_write()

[Tuo Li]

The struct field dmx_demux.frontend is often protected by the lock
dvb_demux.mutex when is accessed. Here is an example in
dvbdmx_connect_frontend():

  mutex_lock(&dvbdemux->mutex);

  demux->frontend = frontend;
  mutex_unlock(&dvbdemux->mutex);

However, the variable demux->frontend is accessed without holding the lock
dvbdemux->mutex in dvbdmx_write():

  if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))

In my opinion, this may be a harmful race, because if demux->fontend is set
to NULL right after the first condition is checked, a null-pointer
dereference can occur when accessing the field demux->frontend->source.

To fix this possible null-pointer dereference caused by data race, a lock
and unlock pair is added when accessing the variable demux->frontend.

Reported-by: BassCheck <bass@buaa.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
 drivers/media/dvb-core/dvb_demux.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 7c4d86bfdd6c..791db667e2ed 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1141,8 +1141,11 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
 	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
 	void *p;
 
-	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
+	mutex_lock(&dvbdemux->mutex);
+	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
+		mutex_unlock(&dvbdemux->mutex);
 		return -EINVAL;
+	}
 
 	p = memdup_user(buf, count);
 	if (IS_ERR(p))
-- 
2.34.1

Re: [PATCH] media: dvb-core: Fix a possible null-pointer dereference due to data race in dvbdmx_write()

[Dan Carpenter]

Hi Tuo,

kernel test robot noticed the following build warnings:

https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Tuo-Li/media-dvb-core-Fix-a-possible-null-pointer-dereference-due-to-data-race-in-dvbdmx_write/20231108-200849
base:   git://linuxtv.org/media_tree.git master
patch link:    https://lore.kernel.org/r/20231108091300.3124649-1-islituo%40gmail.com
patch subject: [PATCH] media: dvb-core: Fix a possible null-pointer dereference due to data race in dvbdmx_write()
config: x86_64-randconfig-161-20231108 (https://download.01.org/0day-ci/archive/20231109/202311090845.BlIvG8kE-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce: (https://download.01.org/0day-ci/archive/20231109/202311090845.BlIvG8kE-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202311090845.BlIvG8kE-lkp@intel.com/

smatch warnings:
drivers/media/dvb-core/dvb_demux.c:1163 dvbdmx_write() warn: inconsistent returns '&dvbdemux->mutex'.

vim +1163 drivers/media/dvb-core/dvb_demux.c

947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1139  static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t count)
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1140  {
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1141  	struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1142  	void *p;
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1143  
eebefd4eafaa5d drivers/media/dvb-core/dvb_demux.c     Tuo Li         2023-11-08  1144  	mutex_lock(&dvbdemux->mutex);
eebefd4eafaa5d drivers/media/dvb-core/dvb_demux.c     Tuo Li         2023-11-08  1145  	if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
eebefd4eafaa5d drivers/media/dvb-core/dvb_demux.c     Tuo Li         2023-11-08  1146  		mutex_unlock(&dvbdemux->mutex);
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1147  		return -EINVAL;
eebefd4eafaa5d drivers/media/dvb-core/dvb_demux.c     Tuo Li         2023-11-08  1148  	}
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1149  
c6cfe05532cf6e drivers/media/dvb/dvb-core/dvb_demux.c Julia Lawall   2010-05-22  1150  	p = memdup_user(buf, count);
c6cfe05532cf6e drivers/media/dvb/dvb-core/dvb_demux.c Julia Lawall   2010-05-22  1151  	if (IS_ERR(p))
c6cfe05532cf6e drivers/media/dvb/dvb-core/dvb_demux.c Julia Lawall   2010-05-22  1152  		return PTR_ERR(p);

Need to drop the lock before returning.

947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1153  	if (mutex_lock_interruptible(&dvbdemux->mutex)) {

Wait, what?  Why are we taking the lock a second time?  This won't work.

947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1154  		kfree(p);
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1155  		return -ERESTARTSYS;
947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1156  	}
947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1157  	dvb_dmx_swfilter(dvbdemux, p, count);
947a080037c6ae drivers/media/dvb/dvb-core/dvb_demux.c Al Viro        2008-06-22  1158  	kfree(p);
3593cab5d62c4c drivers/media/dvb/dvb-core/dvb_demux.c Ingo Molnar    2006-02-07  1159  	mutex_unlock(&dvbdemux->mutex);
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1160  
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1161  	if (signal_pending(current))
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1162  		return -EINTR;
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16 @1163  	return count;
^1da177e4c3f41 drivers/media/dvb/dvb-core/dvb_demux.c Linus Torvalds 2005-04-16  1164  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki