diff mbox series

media: dmxdev: fix repeated initialization of ringbuffer in dvb_dvr_open()

Message ID 20250406165802.100305-1-superman.xpt@gmail.com
State New
Headers show
Series media: dmxdev: fix repeated initialization of ringbuffer in dvb_dvr_open() | expand

Commit Message

Penglei Jiang April 6, 2025, 4:58 p.m. UTC 
The dvb_dvr_open() function has an issue where it repeatedly
initializes the data and queue fields of the dvb_ringbuffer.
We should not reinitialize the queue field in the open function,
and if the data field is not empty, the initialization process
should be skipped.

Reported-by: syzbot+4e21d5f67b886a692b55@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67917ed8.050a0220.15cac.02eb.GAE@google.com
Tested-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
---
 drivers/media/dvb-core/dmxdev.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 6063782e937a..82fd060430cd 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -113,6 +113,17 @@  static struct dmx_frontend *get_fe(struct dmx_demux *demux, int type)
 	return NULL;
 }
 
+static void dvb_ringbuffer_init_noqueue(struct dvb_ringbuffer *ringbuffer,
+		void *data, size_t len)
+{
+	ringbuffer->pread = 0;
+	ringbuffer->pwrite = 0;
+	ringbuffer->data = data;
+	ringbuffer->size = len;
+	ringbuffer->error = 0;
+	spin_lock_init(&(ringbuffer->lock));
+}
+
 static int dvb_dvr_open(struct inode *inode, struct file *file)
 {
 	struct dvb_device *dvbdev = file->private_data;
@@ -156,7 +167,7 @@  static int dvb_dvr_open(struct inode *inode, struct file *file)
 		}
 	}
 
-	if (need_ringbuffer) {
+	if (need_ringbuffer && !dmxdev->dvr_buffer.data) {
 		void *mem;
 
 		if (!dvbdev->readers) {
@@ -168,7 +179,8 @@  static int dvb_dvr_open(struct inode *inode, struct file *file)
 			mutex_unlock(&dmxdev->mutex);
 			return -ENOMEM;
 		}
-		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+		dvb_ringbuffer_init_noqueue(
+			&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
 		if (dmxdev->may_do_mmap)
 			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
 				     file->f_flags & O_NONBLOCK);