From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com, Jens Axboe, Linus Torvalds
Subject: [PATCH 5.10 019/491] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
Date: Mon, 13 Apr 2026 17:54:24 +0200
Message-ID: <20260413155819.773734345@linuxfoundation.org>
In-Reply-To: <20260413155819.042779211@linuxfoundation.org>
References: <20260413155819.042779211@linuxfoundation.org>

5.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jens Axboe

commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream.

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

Cc: stable@vger.kernel.org
Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer")
Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/
Signed-off-by: Jens Axboe
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
--- drivers/media/dvb-core/dmxdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/media/dvb-core/dmxdev.c +++ b/drivers/media/dvb-core/dmxdev.c @@ -178,7 +178,9 @@ static int dvb_dvr_open(struct inode *in mutex_unlock(&dmxdev->mutex); return -ENOMEM; } - dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE); + dmxdev->dvr_buffer.data = mem; + dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE; + dvb_ringbuffer_reset(&dmxdev->dvr_buffer); if (dmxdev->may_do_mmap) dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr", file->f_flags & O_NONBLOCK);
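
Review bot: the three added lines in dvb_dvr_open() have no comment saying why dvb_ringbuffer_init() must not be called at this point, so a later cleanup could fold the open-coded `dmxdev->dvr_buffer.data = mem;` / `dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;` / `dvb_ringbuffer_reset(&dmxdev->dvr_buffer);` sequence back into the single call this patch removes. Suggest a short comment above the assignments stating that the waitqueue and spinlock in dvr_buffer are initialized once in dvb_dmxdev_init() and shared by every open of the DVR device, so the reopen path may only set data/size and reset the read/write positions.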
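
The failure described in the commit message above, as a userspace C model added here for illustration (not kernel code and not part of the patch). `struct rb_model`, `rb_model_init()`, `rb_model_reset()` and the buffers are hypothetical stand-ins for the DVR ring buffer, its init and reset helpers, and the shared waitqueue head; the model compares a reopen that re-runs the list head init with one that only sets data/size and resets positions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}

/* Hypothetical stand-in for the ring buffer; queue models the waitqueue head. */
struct rb_model {
    unsigned char *data; size_t size, pread, pwrite;
    struct list_head queue;
};

/* Positions only: all the reopen path needs to touch. */
static void rb_model_reset(struct rb_model *rb) { rb->pread = rb->pwrite = 0; }
/* Full init: also re-runs the list head init, like the call the patch removes. */
static void rb_model_init(struct rb_model *rb, unsigned char *mem, size_t len)
{
    rb->data = mem; rb->size = len; rb_model_reset(rb);
    init_list_head(&rb->queue);
}

/* True if waiter w is reachable from the head and its links are mutual. */
static bool waiter_intact(const struct rb_model *rb, const struct list_head *w)
{
    bool reachable = false;
    for (const struct list_head *p = rb->queue.next; p != &rb->queue; p = p->next)
        reachable |= (p == w);
    return reachable && w->prev->next == w && w->next->prev == w;
}

/* First open, one registered poller, then a second open of the same device. */
static bool reopen_keeps_waiter(bool reinit_on_open)
{
    unsigned char mem1[64], mem2[64];          /* constructed buffers */
    struct rb_model rb; struct list_head waiter;
    rb_model_init(&rb, mem1, sizeof mem1);     /* once, at device init */
    list_add(&waiter, &rb.queue);              /* poll/epoll entry */
    if (reinit_on_open)
        rb_model_init(&rb, mem2, sizeof mem2); /* pre-fix reopen */
    else {
        rb.data = mem2; rb.size = sizeof mem2; rb_model_reset(&rb); /* post-fix */
    }
    return waiter_intact(&rb, &waiter);
}
int main(void) { return (reopen_keeps_waiter(false) && !reopen_keeps_waiter(true)) ? 0 : 1; }
```

In the reinit case the waiter's prev/next still point at the head, but the head points only at itself, which is the {self, self} state with stale entry pointers that the commit message describes.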