On Thursday, October 27, 2011 13:18:00 Hans de Goede wrote:
> The kev pointers inside the pending events queue (the available queue) of the
> fh point to data inside the sev, unsubscribing frees the sev, thus making 
> these
> pointers point to freed memory!
> 
> This patch fixes these dangling pointers in the available queue by removing
> all matching pending events on unsubscription.

The idea is fine, but the implementation is inefficient.

Instead of the list_for_each_entry_safe you can just do:

        for (i = 0; i < sev->in_use; i++) {
                list_del(&sev->events[sev_pos(sev, i)].list);
                fh->navailable--;
        }

It's untested, but this should do the trick.

Regards,

        Hans

> 
> Signed-off-by: Hans de Goede <hdego...@redhat.com>
> ---
>  drivers/media/video/v4l2-event.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/media/video/v4l2-event.c 
> b/drivers/media/video/v4l2-event.c
> index 9f56f18..01cbb7f 100644
> --- a/drivers/media/video/v4l2-event.c
> +++ b/drivers/media/video/v4l2-event.c
> @@ -284,6 +284,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
>                          struct v4l2_event_subscription *sub)
>  {
>       struct v4l2_subscribed_event *sev;
> +     struct v4l2_kevent *kev, *next;
>       unsigned long flags;
>  
>       if (sub->type == V4L2_EVENT_ALL) {
> @@ -295,6 +296,13 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh,
>  
>       sev = v4l2_event_subscribed(fh, sub->type, sub->id);
>       if (sev != NULL) {
> +             /* Remove any pending events for this subscription */
> +             list_for_each_entry_safe(kev, next, &fh->available, list) {
> +                     if (kev->sev == sev) {
> +                             list_del(&kev->list);
> +                             fh->navailable--;
> +                     }
> +             }
>               list_del(&sev->list);
>               sev->fh = NULL;
>       }
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to