[PATCH] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

[PATCH] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

[Jens Axboe]

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty. Since
dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same
DVR device share it), this orphans any existing waitqueue entries from
io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions. Replace
the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.

Cc: stable@vger.kernel.org
Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer")
Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/
Signed-off-by: Jens Axboe <axboe@kernel.dk>

---

Linus, if you could pick this up directly, that would be great. I've
spent weeks pinging Mauro and the dvb/media list, and have yet to hear
ANYTHING back. This bug has been known for 1 year. As any user can crash
the kernel with this, it'd be prudent to get it fixed. IMHO, but
apparently less so the dvb folks opinion.

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index c946c8ea6e39..9c3e9f7859d8 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
 			mutex_unlock(&dmxdev->mutex);
 			return -ENOMEM;
 		}
-		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+		dmxdev->dvr_buffer.data = mem;
+		dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+		dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
 		if (dmxdev->may_do_mmap)
 			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
 				     &dmxdev->mutex,

-- 
Jens Axboe

Re: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

[Jens Axboe]

On 2/25/26 8:54 AM, Patchwork Integration wrote:
> Dear Jens Axboe:
> 
> Thanks for your patches! Unfortunately the Media CI robot detected some
> issues:
> 
> # Test media-patchstyle:./0001-media-dvb-core-fix-wrong-reinitialization-of-ringbuf.patch media style
> WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
> #25: 
> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> 
> total: 0 errors, 1 warnings, 10 lines checked
> 
> ERROR: Fails one or more mandatory checkpatch tests
> 
> # Test checkpatch:./0001-media-dvb-core-fix-wrong-reinitialization-of-ringbuf.patch checkpatch
> WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
> #25: 
> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> 
> total: 0 errors, 1 warnings, 0 checks, 10 lines checked

Add the Closes if you want, I'm not resending this patch. Already wasted
way too much time on an issue that you guys have known about for a year
and did NOTHING about. I sent a fix, take it or fix it yourself.

-- 
Jens Axboe