Searched hist:"0 f7c4063" (Results 1 – 1 of 1) sorted by relevance
| /openbmc/linux/drivers/media/rc/ |
| H A D | lirc_dev.c | 0f7c4063 Mon May 01 08:32:34 CDT 2017 David Härdeman <david@hardeman.nu> [media] ir-lirc-codec: let lirc_dev handle the lirc_buffer
ir_lirc_register() currently creates its own lirc_buffer before
passing the lirc_driver to lirc_register_driver().
When a module is later unloaded, ir_lirc_unregister() gets called
which performs a call to lirc_unregister_driver() and then free():s
the lirc_buffer.
The problem is that:
a) there can still be a userspace app holding an open lirc fd
when lirc_unregister_driver() returns; and
b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
is potentially used as long as any userspace app is still around.
The result is an oops which can be triggered quite easily by a
userspace app monitoring its lirc fd using epoll() and not closing
the fd promptly on device removal.
The minimalistic fix is to let lirc_dev create the lirc_buffer since
lirc_dev will then also free the buffer once it believes it is safe to
do so.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
0f7c4063 Mon May 01 08:32:34 CDT 2017 David Härdeman <david@hardeman.nu> [media] ir-lirc-codec: let lirc_dev handle the lirc_buffer
ir_lirc_register() currently creates its own lirc_buffer before
passing the lirc_driver to lirc_register_driver().
When a module is later unloaded, ir_lirc_unregister() gets called
which performs a call to lirc_unregister_driver() and then free():s
the lirc_buffer.
The problem is that:
a) there can still be a userspace app holding an open lirc fd
when lirc_unregister_driver() returns; and
b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
is potentially used as long as any userspace app is still around.
The result is an oops which can be triggered quite easily by a
userspace app monitoring its lirc fd using epoll() and not closing
the fd promptly on device removal.
The minimalistic fix is to let lirc_dev create the lirc_buffer since
lirc_dev will then also free the buffer once it believes it is safe to
do so.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|