Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[media] v4l2-event: Remove pending events from fh event queue when unsubscribing

The kev pointers inside the pending events queue (the available queue) of the
fh point to data inside the sev; unsubscribing frees the sev, thus making these
pointers point to freed memory!

This patch fixes these dangling pointers in the available queue by removing
all matching pending events on unsubscription.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Authored by Hans de Goede and committed by Mauro Carvalho Chehab
78c87e86 b36b5059

+6
+6
drivers/media/video/v4l2-event.c
··· 285 285 { 286 286 struct v4l2_subscribed_event *sev; 287 287 unsigned long flags; 288 + int i; 288 289 289 290 if (sub->type == V4L2_EVENT_ALL) { 290 291 v4l2_event_unsubscribe_all(fh); ··· 296 295 297 296 sev = v4l2_event_subscribed(fh, sub->type, sub->id); 298 297 if (sev != NULL) { 298 + /* Remove any pending events for this subscription */ 299 + for (i = 0; i < sev->in_use; i++) { 300 + list_del(&sev->events[sev_pos(sev, i)].list); 301 + fh->navailable--; 302 + } 299 303 list_del(&sev->list); 300 304 sev->fh = NULL; 301 305 }
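
Review bot: In the new loop under "if (sev != NULL)", every pending entry is unlinked with list_del() and fh->navailable is decremented, but sev->in_use keeps its old value, so the sev still claims events that are no longer on the fh queue. Please set sev->in_use = 0 after the loop, or extend the comment to say the sev is freed right after and its counters no longer matter. The comment "Remove any pending events for this subscription" would also be more useful if it said why (the queued kev pointers point into the sev). Two things to confirm, since the context lines do not show them: that the loop runs with the lock that "flags" is declared for already held, because it modifies the fh list and fh->navailable, and that the V4L2_EVENT_ALL branch, which returns through v4l2_event_unsubscribe_all(fh), ends up doing this same cleanup for each subscription.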