From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AC8F02C0298; Mon, 23 Mar 2026 14:55:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774277747; cv=none; b=BiMUhHGyn7fv9nsHX+wmbUpAuDT5ZLgLechWf/I7c91wa6rfFeuwlPFE4m0BtCX94JTY61vssFCw1XkdI2P9Qz/2Kwq7bG5i8S2S3kmOXQr/Qz+nQUWTBCXUr0dW9kXyjEqCmRmRrL2Ri3Y7iiGXD25ghpY1m47ZazRnVEraX9Q= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774277747; c=relaxed/simple; bh=x2eO0y+1lwg/9q7cvRA7qsLzgCdJmMrxcp7GeVH7vVo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pFb8iXQHA0foKP1/4JzRhjEmC3CQaWDnGeILuQ6U4vS5A9hkseLY3yqR6OkwQh/QK0MgS0BE4jfFSfDC8Q8RWqS0REU7TiFxY+EB1sIXepZLXPC8wMPwbuZN4GzQOv6FE+YAIrTmYJVNU38MJaIhSfSJoMecrDOsmgBHwIWSr5g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=2Q3NNGZN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="2Q3NNGZN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3895DC2BCB1; Mon, 23 Mar 2026 14:55:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1774277747; bh=x2eO0y+1lwg/9q7cvRA7qsLzgCdJmMrxcp7GeVH7vVo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2Q3NNGZN6AIukrxffogMPRbqjE5f77KK4U4Zbj1hIH/KnR9dehnlkWAyEonNLK6eX ckPtoTCn/l1CFrgrcBO1rzjh0PGG1U38BGt9t2pvPFHYy5F9S2YeCozaYOdsBk/lo7 0PK7IKC6yR7RpMw8qEz0HHS/tqKGmR0BJ/UnStio= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com, Jens Axboe , Linus Torvalds Subject: [PATCH 6.6 088/567] media: dvb-core: fix wrong reinitialization of ringbuffer on reopen Date: Mon, 23 Mar 2026 14:40:08 +0100 Message-ID: <20260323134536.009491420@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260323134533.749096647@linuxfoundation.org> References: <20260323134533.749096647@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jens Axboe commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream. dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}. The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions. Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock. Cc: stable@vger.kernel.org Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer") Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/ Signed-off-by: Jens Axboe Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/media/dvb-core/dmxdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/media/dvb-core/dmxdev.c +++ b/drivers/media/dvb-core/dmxdev.c @@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *in mutex_unlock(&dmxdev->mutex); return -ENOMEM; } - dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE); + dmxdev->dvr_buffer.data = mem; + dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE; + dvb_ringbuffer_reset(&dmxdev->dvr_buffer); if (dmxdev->may_do_mmap) dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr", file->f_flags & O_NONBLOCK);