Commit 78c87e86 authored Oct 26, 2011 by Hans de Goede Committed by Mauro Carvalho Chehab Nov 08, 2011

[media] v4l2-event: Remove pending events from fh event queue when unsubscribing



The kev pointers inside the pending events queue (the available queue) of the
fh point to data inside the sev, unsubscribing frees the sev, thus making these
pointers point to freed memory!

This patch fixes these dangling pointers in the available queue by removing
all matching pending events on unsubscription.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

parent b36b5059

drivers/media/video/v4l2-event.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -285,6 +285,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
		{
		struct v4l2_subscribed_event *sev;
		unsigned long flags;
		int i;

		if (sub->type == V4L2_EVENT_ALL) {
		v4l2_event_unsubscribe_all(fh);
		@@ -295,6 +296,11 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,

		sev = v4l2_event_subscribed(fh, sub->type, sub->id);
		if (sev != NULL) {
		/* Remove any pending events for this subscription */
		for (i = 0; i < sev->in_use; i++) {
		list_del(&sev->events[sev_pos(sev, i)].list);
		fh->navailable--;
		}
		list_del(&sev->list);
		sev->fh = NULL;
		}