[PATCH] media: dvb-core: protect dvr_buffer reinitialization with lock

Next message: J&#xFC;rgen Gro&#xDF;: "make binrpm-pkg broken due to commit 62089b804895"
Previous message: Alexandre Courbot: "Re: [PATCH v2 0/6] rust: io: turn IoCapable into a functional trait"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Soham Kute

Date: Thu Feb 12 2026 - 07:34:59 EST

dvb_dvr_open() updates dvr_buffer fields without holding
dmxdev->lock. This can race with concurrent readers and
lead to inconsistent ringbuffer state.

Protect dvr_buffer reinitialization with spin_lock_irq()
to serialize against concurrent access.

Reported-by: syzbot+ab12f0c08dd7ab8d057c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
Signed-off-by: Soham Kute <officialsohamkute@xxxxxxxxx>
---
drivers/media/dvb-core/dmxdev.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 8c6f5aafd..e5e666866 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,12 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
mutex_unlock(&dmxdev->mutex);
return -ENOMEM;
}
- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+ spin_lock_irq(&dmxdev->lock);
+ dmxdev->dvr_buffer.data = mem;
+ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+ dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
+ spin_unlock_irq(&dmxdev->lock);
+
if (dmxdev->may_do_mmap)
dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
file->f_flags & O_NONBLOCK);
--
2.34.1