From: Penglei Jiang <superman.xpt@gmail.com>
To: mchehab@kernel.org
Cc: standback@126.com, linux-media@vger.kernel.org,
linux-kernel@vger.kernel.org,
Penglei Jiang <superman.xpt@gmail.com>
Subject: [PATCH] media: dmxdev: fix repeated initialization of ringbuffer in dvb_dvr_open()
Date: Sun, 6 Apr 2025 09:58:02 -0700 [thread overview]
Message-ID: <20250406165802.100305-1-superman.xpt@gmail.com> (raw)
The dvb_dvr_open() function has an issue where it repeatedly
initializes the data and queue fields of the dvb_ringbuffer.
We should not reinitialize the queue field in the open function,
and if the data field is not empty, the initialization process
should be skipped.
Reported-by: syzbot+4e21d5f67b886a692b55@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67917ed8.050a0220.15cac.02eb.GAE@google.com
Tested-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
---
drivers/media/dvb-core/dmxdev.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 6063782e937a..82fd060430cd 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -113,6 +113,17 @@ static struct dmx_frontend *get_fe(struct dmx_demux *demux, int type)
return NULL;
}
+static void dvb_ringbuffer_init_noqueue(struct dvb_ringbuffer *ringbuffer,
+ void *data, size_t len)
+{
+ ringbuffer->pread = 0;
+ ringbuffer->pwrite = 0;
+ ringbuffer->data = data;
+ ringbuffer->size = len;
+ ringbuffer->error = 0;
+ spin_lock_init(&(ringbuffer->lock));
+}
+
static int dvb_dvr_open(struct inode *inode, struct file *file)
{
struct dvb_device *dvbdev = file->private_data;
@@ -156,7 +167,7 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
}
}
- if (need_ringbuffer) {
+ if (need_ringbuffer && !dmxdev->dvr_buffer.data) {
void *mem;
if (!dvbdev->readers) {
@@ -168,7 +179,8 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
mutex_unlock(&dmxdev->mutex);
return -ENOMEM;
}
- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+ dvb_ringbuffer_init_noqueue(
+ &dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
if (dmxdev->may_do_mmap)
dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
file->f_flags & O_NONBLOCK);
--
2.17.1
reply other threads:[~2025-04-06 16:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250406165802.100305-1-superman.xpt@gmail.com \
--to=superman.xpt@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=standback@126.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox