On Wednesday 02 November 2011 11:13:22 Hans de Goede wrote:
> The kev pointers inside the pending events queue (the available queue) of
> the fh point to data inside the sev, unsubscribing frees the sev, thus
> making these pointers point to freed memory!
>
> This patch fixes these dangling pointers in the available queue by removing
> all matching pending events on unsubscription.
>
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
Acked-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
> ---
> drivers/media/video/v4l2-event.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/v4l2-event.c
> b/drivers/media/video/v4l2-event.c index 9f56f18..4d01f17 100644
> --- a/drivers/media/video/v4l2-event.c
> +++ b/drivers/media/video/v4l2-event.c
> @@ -285,6 +285,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
> {
> struct v4l2_subscribed_event *sev;
> unsigned long flags;
> + int i;
>
> if (sub->type == V4L2_EVENT_ALL) {
> v4l2_event_unsubscribe_all(fh);
> @@ -295,6 +296,11 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
>
> sev = v4l2_event_subscribed(fh, sub->type, sub->id);
> if (sev != NULL) {
> + /* Remove any pending events for this subscription */
> + for (i = 0; i < sev->in_use; i++) {
> + list_del(&sev->events[sev_pos(sev, i)].list);
> + fh->navailable--;
> + }
> list_del(&sev->list);
> sev->fh = NULL;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
