* [syzbot] [media?] INFO: trying to register non-static key in as102_dvb_dmx_start_feed
@ 2026-03-26 5:13 syzbot
2026-03-26 13:17 ` [PATCH] media: usb: as102: fix race condition between ioctl and register Edward Adam Davis
0 siblings, 1 reply; 2+ messages in thread
From: syzbot @ 2026-03-26 5:13 UTC (permalink / raw)
To: linux-kernel, linux-media, mchehab, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: bbeb83d3182a Merge tag 'kbuild-fixes-7.0-3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1749d6da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=45cb3c58fd963c27
dashboard link: https://syzkaller.appspot.com/bug?extid=3f395d8da879a58fb019
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151e5e16580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11334b52580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fed7fabd5bd6/disk-bbeb83d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3776359aa4d4/vmlinux-bbeb83d3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6ea274e547d3/bzImage-bbeb83d3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3f395d8da879a58fb019@syzkaller.appspotmail.com
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 6076 Comm: syz.1.43 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0xcc/0x2e0 kernel/locking/lockdep.c:1299
__lock_acquire+0xad/0x2cf0 kernel/locking/lockdep.c:5112
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/rtmutex_api.c:533 [inline]
mutex_lock_interruptible_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:566
as102_dvb_dmx_start_feed+0x70/0x290 drivers/media/usb/as102/as102_drv.c:139
dmx_section_feed_start_filtering+0x518/0x6c0 drivers/media/dvb-core/dvb_demux.c:977
dvb_dmxdev_filter_start+0xcf4/0x10e0 drivers/media/dvb-core/dmxdev.c:760
dvb_demux_do_ioctl+0x473/0x540 drivers/media/dvb-core/dmxdev.c:1083
dvb_usercopy+0x199/0x2e0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xff/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa44073c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd63530b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa4409b5fa0 RCX: 00007fa44073c799
RDX: 0000200000000200 RSI: 00000000403c6f2b RDI: 0000000000000004
RBP: 00007fa4407d2c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa4409b5fac R14: 00007fa4409b5fa0 R15: 00007fa4409b5fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH] media: usb: as102: fix race condition between ioctl and register
2026-03-26 5:13 [syzbot] [media?] INFO: trying to register non-static key in as102_dvb_dmx_start_feed syzbot
@ 2026-03-26 13:17 ` Edward Adam Davis
0 siblings, 0 replies; 2+ messages in thread
From: Edward Adam Davis @ 2026-03-26 13:17 UTC (permalink / raw)
To: syzbot+3f395d8da879a58fb019
Cc: linux-kernel, linux-media, mchehab, syzkaller-bugs
A user process first connects to the as102 USB device. During the window
of time occurring after the kernel routine for registering the as102
dvb layer device driver has completed its initialization up to the
start_feed stage, but before the sem lock initialization code has been
executed, the user process issues a combined open and ioctl sequence to
invoke the as102_dvb_dmx_start_feed() function. Since the sem lock has
not yet been initialized at this point, the issue reported in [1] is
triggered.
To resolve this, the sem lock initialization procedure has been optimized
by moving it to occur before the start_feed initialization.
[1]
INFO: trying to register non-static key.
Call Trace:
mutex_lock_interruptible_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:566
as102_dvb_dmx_start_feed+0x70/0x290 drivers/media/usb/as102/as102_drv.c:139
dmx_section_feed_start_filtering+0x518/0x6c0 drivers/media/dvb-core/dvb_demux.c:977
Reported-by: syzbot+3f395d8da879a58fb019@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3f395d8da879a58fb019
Tested-by: syzbot+3f395d8da879a58fb019@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/media/usb/as102/as102_drv.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/as102/as102_drv.c b/drivers/media/usb/as102/as102_drv.c
index 6b1d3528a0a7..e94828871635 100644
--- a/drivers/media/usb/as102/as102_drv.c
+++ b/drivers/media/usb/as102/as102_drv.c
@@ -299,6 +299,8 @@ int as102_dvb_register(struct as102_dev_t *as102_dev)
as102_dev->dvb_dmx.priv = as102_dev;
as102_dev->dvb_dmx.filternum = pid_filtering ? 16 : 256;
as102_dev->dvb_dmx.feednum = 256;
+ /* init start / stop stream mutex */
+ mutex_init(&as102_dev->sem);
as102_dev->dvb_dmx.start_feed = as102_dvb_dmx_start_feed;
as102_dev->dvb_dmx.stop_feed = as102_dvb_dmx_stop_feed;
@@ -344,9 +346,6 @@ int as102_dvb_register(struct as102_dev_t *as102_dev)
/* init bus mutex for token locking */
mutex_init(&as102_dev->bus_adap.lock);
- /* init start / stop stream mutex */
- mutex_init(&as102_dev->sem);
-
/*
* try to load as102 firmware. If firmware upload failed, we'll be
* able to upload it later.
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-26 13:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-26 5:13 [syzbot] [media?] INFO: trying to register non-static key in as102_dvb_dmx_start_feed syzbot
2026-03-26 13:17 ` [PATCH] media: usb: as102: fix race condition between ioctl and register Edward Adam Davis
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox