From 78c87e863bb3350426fecd14912fd0a546c58ec0 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Wed, 26 Oct 2011 05:40:27 -0300 Subject: [media] v4l2-event: Remove pending events from fh event queue when unsubscribing The kev pointers inside the pending events queue (the available queue) of the fh point to data inside the sev, unsubscribing frees the sev, thus making these pointers point to freed memory! This patch fixes these dangling pointers in the available queue by removing all matching pending events on unsubscription. Signed-off-by: Hans de Goede Acked-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/video/v4l2-event.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/video/v4l2-event.c b/drivers/media/video/v4l2-event.c index 9f56f18d509f..4d01f17497f6 100644 --- a/drivers/media/video/v4l2-event.c +++ b/drivers/media/video/v4l2-event.c @@ -285,6 +285,7 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh, { struct v4l2_subscribed_event *sev; unsigned long flags; + int i; if (sub->type == V4L2_EVENT_ALL) { v4l2_event_unsubscribe_all(fh); @@ -295,6 +296,11 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh, sev = v4l2_event_subscribed(fh, sub->type, sub->id); if (sev != NULL) { + /* Remove any pending events for this subscription */ + for (i = 0; i < sev->in_use; i++) { + list_del(&sev->events[sev_pos(sev, i)].list); + fh->navailable--; + } list_del(&sev->list); sev->fh = NULL; } -- cgit v1.2.1