Linux Kernel Shared Waitqueue Orphaning Vulnerability in DVB Core

Vulnerability

A vulnerability in the Linux kernel's DVB core orphans entries on a shared waitqueue when the DVR device is reopened. On reopen, the dvb_dvr_open() function incorrectly reinitializes the ringbuffer's waitqueue, orphaning existing entries registered by io_uring poll or epoll. The entries are left with outdated pointers while the waitqueue head is reset, which can disrupt event polling. The issue affects the Linux kernel stable tree.

Impact

Exploiting this vulnerability can disrupt event polling for applications using io_uring or epoll, potentially leading to missed events or incorrect event handling.

Reproduction

The vulnerability can be reproduced by opening a DVR device, which initializes a shared waitqueue. Then, reopening the same DVR device triggers the dvb_ringbuffer_init() function, which resets the waitqueue head to empty. This process orphans the existing waitqueue entries from io_uring poll or epoll, leaving them with stale pointers while the list head is reset.
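
The list-level effect of that reopen, as an added userspace C model that is not kernel code and not part of the original advisory. struct ringbuf, ringbuf_init() and ringbuf_reset() are hypothetical stand-ins, and the reset-only reopen path is an assumed safer variant, not a statement of what the stable-tree patch does.

```c
/* Userspace model with constructed data; list_head mimics the kernel's circular list. */
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Hypothetical stand-in for the DVR ringbuffer: positions plus a waitqueue head. */
struct ringbuf { size_t pread, pwrite; struct list_head queue; };

/* Models the behaviour the page describes: a full init also empties the head. */
static void ringbuf_init(struct ringbuf *rb) { rb->pread = rb->pwrite = 0; init_list_head(&rb->queue); }

/* Assumed safer reopen path: reset positions only, leave registered waiters linked. */
static void ringbuf_reset(struct ringbuf *rb) { rb->pread = rb->pwrite = 0; }

/* A wake-up walks from the head, so only entries reachable from it get notified. */
static int reachable_waiters(const struct ringbuf *rb)
{
    int n = 0;
    for (const struct list_head *p = rb->queue.next; p != &rb->queue; p = p->next)
        n++;
    return n;
}

/* Open, register one poller, reopen. Returns how many waiters a wake-up still finds. */
static int waiters_after_reopen(int reinit_head, int *entry_thinks_linked)
{
    struct ringbuf rb;
    struct list_head poll_entry;          /* stands in for an epoll/io_uring poll entry */
    ringbuf_init(&rb);                    /* first open */
    list_add(&poll_entry, &rb.queue);     /* poller registers on the shared waitqueue */
    if (reinit_head) ringbuf_init(&rb); else ringbuf_reset(&rb);   /* reopen */
    *entry_thinks_linked = (poll_entry.next == &rb.queue && poll_entry.prev == &rb.queue);
    return reachable_waiters(&rb);
}

int main(void)
{
    int linked, n = waiters_after_reopen(1, &linked);
    printf("reinit on reopen: %d reachable, entry thinks linked=%d\n", n, linked);
    n = waiters_after_reopen(0, &linked);
    printf("reset on reopen:  %d reachable, entry thinks linked=%d\n", n, linked);
    return 0;
}
```

In the reinit case the entry still points at the head but the head no longer points back, so a wake-up walking the list never reaches the registered poller.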

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Mar 18, 2026, 6:31 PM
Updated: Mar 18, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.