On Thursday, October 27, 2011 13:18:00 Hans de Goede wrote:
> The kev pointers inside the pending events queue (the available queue) of the
> fh point to data inside the sev, unsubscribing frees the sev, thus making these
> pointers point to freed memory!
>
> This patch fixes these dangling pointers in the available queue by removing
> all matching pending events on unsubscription.
The idea is fine, but the implementation is inefficient.
Instead of the list_for_each_entry_safe you can just do:
for (i = 0; i < sev->in_use; i++) {
list_del(&sev->events[sev_pos(sev, i)].list);
fh->navailable--;
}
It's untested, but this should do the trick.
Regards,
Hans
>
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
> ---
> drivers/media/video/v4l2-event.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/v4l2-event.c b/drivers/media/video/v4l2-event.c
> index 9f56f18..01cbb7f 100644
> --- a/drivers/media/video/v4l2-event.c
> +++ b/drivers/media/video/v4l2-event.c
> @@ -284,6 +284,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
> struct v4l2_event_subscription *sub)
> {
> struct v4l2_subscribed_event *sev;
> + struct v4l2_kevent *kev, *next;
> unsigned long flags;
>
> if (sub->type == V4L2_EVENT_ALL) {
> @@ -295,6 +296,13 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
>
> sev = v4l2_event_subscribed(fh, sub->type, sub->id);
> if (sev != NULL) {
> + /* Remove any pending events for this subscription */
> + list_for_each_entry_safe(kev, next, &fh->available, list) {
> + if (kev->sev == sev) {
> + list_del(&kev->list);
> + fh->navailable--;
> + }
> + }
> list_del(&sev->list);
> sev->fh = NULL;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
