On Fri, Apr 28, 2017 at 07:04:09PM +0200, David Härdeman wrote:
>ir_lirc_register() currently creates its own lirc_buffer before
>passing the lirc_driver to lirc_register_driver().
>
>When a module is later unloaded, ir_lirc_unregister() gets called
>which performs a call to lirc_unregister_driver() and then free():s
>the lirc_buffer.
>
>The problem is that:
>
>a) there can still be a userspace app holding an open lirc fd
> when lirc_unregister_driver() returns; and
>
>b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
> is potentially used as long as any userspace app is still around.
>
>The result is an oops which can be triggered quite easily by a
>userspace app monitoring its lirc fd using epoll() and not closing
>the fd promptly on device removal.
>
>The minimalistic fix is to let lirc_dev create the lirc_buffer since
>lirc_dev will then also free the buffer once it believes it is safe to
>do so.
>
>I'm pretty certain that any driver which creates its own lirc_buffer
>is quite likely to be buggy as well, but that seems to only concern
>staging.
>
>Signed-off-by: David Härdeman <david@xxxxxxxxxxx>

And there should probably be a CC: stable@xxxxxxxxxxxxxxx here...

>---
> drivers/media/rc/ir-lirc-codec.c | 23 +++++------------------
> 1 file changed, 5 insertions(+), 18 deletions(-)
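The ownership rule the patch description argues for, as an added user-space C model (example code, not the kernel's or the patch's own; every `model_*` name is hypothetical): the buggy path frees the buffer at unregister while an fd is still open, the fixed path lets the device layer free it only once the driver is gone and the last fd has been released.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model (added example, not kernel code). */
struct model_buffer { int wait_poll; };  /* stands in for wait_queue_head_t wait_poll */

struct model_dev {
    struct model_buffer *buf;
    int  open_count;    /* fds still referencing buf */
    bool driver_gone;   /* unregister has been called */
    bool buf_freed;     /* observable: has buf been freed? */
};

static void model_free_buf(struct model_dev *d)
{
    if (!d->buf_freed) { free(d->buf); d->buf = NULL; d->buf_freed = true; }
}

static void model_try_free(struct model_dev *d)
{
    /* Fixed ownership: free only once the driver AND every fd are gone. */
    if (d->driver_gone && d->open_count == 0)
        model_free_buf(d);
}

static void model_register(struct model_dev *d)
{
    d->buf = calloc(1, sizeof(*d->buf));  /* the device layer owns the buffer */
    d->open_count = 0; d->driver_gone = false; d->buf_freed = false;
}
static void model_open(struct model_dev *d)    { d->open_count++; }
static void model_release(struct model_dev *d) { d->open_count--; model_try_free(d); }

/* Before the fix: the driver frees right after unregistering. */
static void model_unregister_buggy(struct model_dev *d) { d->driver_gone = true; model_free_buf(d); }
/* After the fix: the free is deferred until the last fd closes. */
static void model_unregister_fixed(struct model_dev *d) { d->driver_gone = true; model_try_free(d); }

/* Scenario from the report: an fd stays open across unregister.
 * Returns true if the buffer is still valid for that fd holder. */
bool buf_alive_after_unregister(bool fixed)
{
    struct model_dev d;
    model_register(&d);
    model_open(&d);                       /* userspace still polling the fd */
    if (fixed) model_unregister_fixed(&d); else model_unregister_buggy(&d);
    bool alive = !d.buf_freed;            /* false => wait_poll is dangling */
    model_release(&d);                    /* last close; fixed path frees here */
    return alive;
}

bool buf_freed_after_last_close(void)
{
    struct model_dev d;
    model_register(&d); model_open(&d); model_unregister_fixed(&d);
    model_release(&d);
    return d.buf_freed;                   /* true: no leak once all users are gone */
}
```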