[lvc-project] [PATCH] media: dvb_demux: Fix potential data race in dvbdmx_write()
Daniil Dulov
d.dulov at aladdin.ru
Thu Jun 26 19:28:56 MSK 2025
The field frontend of the struct dmx_demux is protected by the lock mutex
of the struct dvb_demux while connecting or disconnecting the frontend.
However, demux->frontend is checked for NULL and then it is dereferenced
without holding the appropriate lock.

Thus, it is possible that the NULL check is passed, right after which
the other thread disconnects the frontend which leads to a NULL pointer
dereference.

To avoid this potential data race, acquire the lock before accessing the
frontend field of the struct dmx_demux.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daniil Dulov <d.dulov at aladdin.ru>
---
drivers/media/dvb-core/dvb_demux.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 7c4d86bfdd6c..b0dab6f78ad8 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1141,9 +1141,6 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
struct dvb_demux *dvbdemux = (struct dvb_demux *)demux;
void *p;
- if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE))
- return -EINVAL;
-
p = memdup_user(buf, count);
if (IS_ERR(p))
return PTR_ERR(p);
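Review bot: With the early check removed from the top of dvbdmx_write(), memdup_user(buf, count) now runs before the frontend is validated, so a write that is going to be rejected still allocates and copies count bytes from user space, and a bad buf now returns PTR_ERR(p) where it previously returned -EINVAL. If the changed error ordering and the extra copy are acceptable, the commit message should say so; otherwise consider taking dvbdemux->mutex first and doing the frontend check before memdup_user().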
@@ -1151,6 +1148,13 @@ static int dvbdmx_write(struct dmx_demux *demux, const char __user *buf, size_t
kfree(p);
return -ERESTARTSYS;
}
+
+ if ((!demux->frontend) || (demux->frontend->source != DMX_MEMORY_FE)) {
+ mutex_unlock(&dvbdemux->mutex);
+ kfree(p);
+ return -EINVAL;
+ }
+
dvb_dmx_swfilter(dvbdemux, p, count);
kfree(p);
mutex_unlock(&dvbdemux->mutex);
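Review bot: The new -EINVAL branch repeats the mutex_unlock(&dvbdemux->mutex) and kfree(p) that already follow dvb_dmx_swfilter() in the context lines, so the locked region now has two separate unlock-and-free sequences to keep in sync. A single exit path would be less error-prone: store the return value in a local and jump to a label placed before the existing kfree(p) and mutex_unlock(&dvbdemux->mutex). The extra parentheses around each operand of the condition, carried over from the removed lines, can also be dropped.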
--
2.34.1