Hi Hans,
On Thursday 27 October 2011 13:18:00 Hans de Goede wrote:
> The kev pointers inside the pending events queue (the available queue) of
> the fh point to data inside the sev, unsubscribing frees the sev, thus
> making these pointers point to freed memory!
>
> This patch fixes these dangling pointers in the available queue by removing
> all matching pending events on unsubscription.
>
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
Acked-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
> ---
> drivers/media/video/v4l2-event.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/v4l2-event.c
> b/drivers/media/video/v4l2-event.c index 9f56f18..01cbb7f 100644
> --- a/drivers/media/video/v4l2-event.c
> +++ b/drivers/media/video/v4l2-event.c
> @@ -284,6 +284,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
> struct v4l2_event_subscription *sub)
> {
> struct v4l2_subscribed_event *sev;
> + struct v4l2_kevent *kev, *next;
> unsigned long flags;
>
> if (sub->type == V4L2_EVENT_ALL) {
> @@ -295,6 +296,13 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
>
> sev = v4l2_event_subscribed(fh, sub->type, sub->id);
> if (sev != NULL) {
> + /* Remove any pending events for this subscription */
> + list_for_each_entry_safe(kev, next, &fh->available, list) {
> + if (kev->sev == sev) {
> + list_del(&kev->list);
> + fh->navailable--;
> + }
> + }
> list_del(&sev->list);
> sev->fh = NULL;
> }
--
Regards,
Laurent Pinchart
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
