[PATCH] media: usb: as102: fix race condition between ioctl and register
From: Edward Adam Davis
Date: Thu Mar 26 2026 - 09:34:08 EST

A user process first connects to the as102 USB device. During the window
of time occurring after the kernel routine for registering the as102
dvb layer device driver has completed its initialization up to the
start_feed stage, but before the sem lock initialization code has been
executed, the user process issues a combined open and ioctl sequence to
invoke the as102_dvb_dmx_start_feed() function. Since the sem lock has
not yet been initialized at this point, the issue reported in [1] is
triggered.

To resolve this, the sem lock initialization procedure has been optimized
by moving it to occur before the start_feed initialization.

[1]
INFO: trying to register non-static key.
Call Trace:
mutex_lock_interruptible_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:566
as102_dvb_dmx_start_feed+0x70/0x290 drivers/media/usb/as102/as102_drv.c:139
dmx_section_feed_start_filtering+0x518/0x6c0 drivers/media/dvb-core/dvb_demux.c:977

Reported-by: syzbot+3f395d8da879a58fb019@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=3f395d8da879a58fb019
Tested-by: syzbot+3f395d8da879a58fb019@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
drivers/media/usb/as102/as102_drv.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/as102/as102_drv.c b/drivers/media/usb/as102/as102_drv.c
index 6b1d3528a0a7..e94828871635 100644
--- a/drivers/media/usb/as102/as102_drv.c
+++ b/drivers/media/usb/as102/as102_drv.c
@@ -299,6 +299,8 @@ int as102_dvb_register(struct as102_dev_t *as102_dev)
as102_dev->dvb_dmx.priv = as102_dev;
as102_dev->dvb_dmx.filternum = pid_filtering ? 16 : 256;
as102_dev->dvb_dmx.feednum = 256;
+ /* init start / stop stream mutex */
+ mutex_init(&as102_dev->sem);
as102_dev->dvb_dmx.start_feed = as102_dvb_dmx_start_feed;
as102_dev->dvb_dmx.stop_feed = as102_dvb_dmx_stop_feed;
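Review bot: The new mutex_init(&as102_dev->sem) is ordered only relative to the assignment of dvb_dmx.start_feed, but storing a function pointer in the struct is not what makes the callback reachable; the call that registers the demux is, and it is not in this hunk's context. Please confirm the init precedes that registration call, and consider moving it to the top of as102_dvb_register() (or to wherever as102_dev is set up) so the guarantee does not depend on line placement inside this function. The comment would also be more useful if it stated the constraint, for example "must be initialized before the demux is registered, start_feed takes it".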
@@ -344,9 +346,6 @@ int as102_dvb_register(struct as102_dev_t *as102_dev)
/* init bus mutex for token locking */
mutex_init(&as102_dev->bus_adap.lock);
- /* init start / stop stream mutex */
- mutex_init(&as102_dev->sem);
-
/*
* try to load as102 firmware. If firmware upload failed, we'll be
* able to upload it later.
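Review bot: mutex_init(&as102_dev->bus_adap.lock) is left at this late position, after the point where the commit message says as102_dvb_dmx_start_feed() can already be invoked from userspace. If anything on the start_feed or stop_feed path takes bus_adap.lock, it has the same uninitialized-mutex window as sem did. Please check that path and, if so, move both mutex_init() calls together ahead of the registration rather than relocating only sem.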
--
2.43.0