From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 439502FE056; Mon, 13 Apr 2026 16:19:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776097195; cv=none; b=dh5V2SRIAbyo7dttFQT2tRSzl5pWnxMzyI5JL/n0TaeRPZF/HDp3H5m3dS05CF6c4AnoTEk2p085oLZKw1iZjkdxlDPvJQcGZv0MCByuXZVYwZZbCGJdAIznyQa9UaqOJbULCS/xqsy+BDm8AhCX5ZJl5mQKOhEjaiTJoHBMGGo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776097195; c=relaxed/simple; bh=tMYshgheqbIV+Dinm3LvgccbW3VmRzdTyng9rGrxtaM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fmcMkq2kFJyaO7WuhuR5ppURblo1ZLqly9QBiaTnntfwvpKR8RBxMuC+g+a/xE4hlEMa1jbTm3+F+x5tnserhBk+i6SHXGwj/Ph/B6LT6IZKtAax+uVuE0I4DQb5ufqTL/NkCNyjKQvIN7xNo7/U8oCSVZyDUn5JhpGji4+wre0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=G1O3NQHN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="G1O3NQHN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CF5DBC2BCAF; Mon, 13 Apr 2026 16:19:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776097195; bh=tMYshgheqbIV+Dinm3LvgccbW3VmRzdTyng9rGrxtaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=G1O3NQHNEH7z1vByhnz0TbjO+RJRDa4fSt3NDgPDfgnjR3/j8dW2y/u8ILblpxqPW 7Wa1rYKl7RIKTA9JStM6hBYJvvF1fa+dfPK+UMRS44Slxp+Cl37FLYvK305DvPt1hp HxIjQgXE1ynrDMESZ/webszbT5mcM/tBrewVVIlg= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com, Jens Axboe , Linus Torvalds Subject: [PATCH 5.15 042/570] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Date: Mon, 13 Apr 2026 17:52:53 +0200 Message-ID: <20260413155832.004748536@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155830.386096114@linuxfoundation.org> References: <20260413155830.386096114@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jens Axboe commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream. dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}. The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions. Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock. Cc: stable@vger.kernel.org Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer") Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/ Signed-off-by: Jens Axboe Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/media/dvb-core/dmxdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/media/dvb-core/dmxdev.c +++ b/drivers/media/dvb-core/dmxdev.c @@ -178,7 +178,9 @@ static int dvb_dvr_open(struct inode *in mutex_unlock(&dmxdev->mutex); return -ENOMEM; } - dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE); + dmxdev->dvr_buffer.data = mem; + dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE; + dvb_ringbuffer_reset(&dmxdev->dvr_buffer); if (dmxdev->may_do_mmap) dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr", file->f_flags & O_NONBLOCK);