review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	David Härdeman <david@hardeman.nu>
	Mon, 1 May 2017 13:32:34 +0000 (10:32 -0300)
committer	Mauro Carvalho Chehab <mchehab@s-opensource.com>
	Thu, 18 May 2017 09:19:29 +0000 (06:19 -0300)
commit	0f7c4063f8cd78b1a1e4858be39d3144cf7315dc
tree	46a38c30a923f797bd6522b528ba80437aa35e69	tree \| snapshot
parent	b2aceb739b5af6a8abc5ea6ab9e6a0409a3b5b1d	commit \| diff

[media] ir-lirc-codec: let lirc_dev handle the lirc_buffer

ir_lirc_register() currently creates its own lirc_buffer before
passing the lirc_driver to lirc_register_driver().

When a module is later unloaded, ir_lirc_unregister() gets called
which performs a call to lirc_unregister_driver() and then free():s
the lirc_buffer.

The problem is that:

a) there can still be a userspace app holding an open lirc fd
when lirc_unregister_driver() returns; and

b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
is potentially used as long as any userspace app is still around.

The result is an oops which can be triggered quite easily by a
userspace app monitoring its lirc fd using epoll() and not closing
the fd promptly on device removal.

The minimalistic fix is to let lirc_dev create the lirc_buffer since
lirc_dev will then also free the buffer once it believes it is safe to
do so.

Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

drivers/media/rc/ir-lirc-codec.c		diff \| blob \| history
drivers/media/rc/lirc_dev.c		diff \| blob \| history