author | David Härdeman <david@hardeman.nu> | 2017-05-01 16:32:34 +0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2017-05-18 12:19:29 +0300 |
commit | 0f7c4063f8cd78b1a1e4858be39d3144cf7315dc (patch) | |
tree | 46a38c30a923f797bd6522b528ba80437aa35e69 /crypto/anubis.c | |
parent | b2aceb739b5af6a8abc5ea6ab9e6a0409a3b5b1d (diff) | |
download | linux-0f7c4063f8cd78b1a1e4858be39d3144cf7315dc.tar.xz |
[media] ir-lirc-codec: let lirc_dev handle the lirc_buffer

ir_lirc_register() currently creates its own lirc_buffer before
passing the lirc_driver to lirc_register_driver().

When a module is later unloaded, ir_lirc_unregister() gets called
which performs a call to lirc_unregister_driver() and then free():s
the lirc_buffer.

The problem is that:

a) there can still be a userspace app holding an open lirc fd
when lirc_unregister_driver() returns; and

b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
is potentially used as long as any userspace app is still around.

The result is an oops which can be triggered quite easily by a
userspace app monitoring its lirc fd using epoll() and not closing
the fd promptly on device removal.

The minimalistic fix is to let lirc_dev create the lirc_buffer since
lirc_dev will then also free the buffer once it believes it is safe to
do so.

Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'crypto/anubis.c')
0 files changed, 0 insertions, 0 deletions
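
Added example, not part of the original commit or of the kernel source: a user-space C model of the ownership rule the commit message describes, where the object that tracks open file descriptors also owns the buffer and frees it only when the last user is gone. All names (dev_model, buf_model, dev_put and so on) are hypothetical, and a plain counter stands in for the kernel's reference counting and wait queue.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; every name here is hypothetical, not kernel API. */
struct buf_model { int wait_poll; };  /* stands in for the wait queue */
struct dev_model {
    struct buf_model *buf;  /* owned by the device object, not the driver */
    int refs;               /* one for registration, one per open fd */
    int attached;           /* cleared when the driver unregisters */
};
static int buffers_freed;   /* lets the caller observe when the free happens */

static struct dev_model *dev_register(void)
{
    struct dev_model *d = calloc(1, sizeof(*d));
    if (d && !(d->buf = calloc(1, sizeof(*d->buf)))) { free(d); return NULL; }
    if (d) { d->refs = 1; d->attached = 1; }
    return d;
}

static void dev_put(struct dev_model *d)
{
    if (--d->refs > 0)
        return;             /* an open fd (or the driver) still needs buf */
    free(d->buf);
    free(d);
    buffers_freed++;
}

static void dev_open(struct dev_model *d)  { d->refs++; }
static void dev_close(struct dev_model *d) { dev_put(d); }
static void dev_unregister(struct dev_model *d) { d->attached = 0; dev_put(d); }

/* poll path: touches the wait-queue stand-in, so buf must still be alive */
static int dev_poll(struct dev_model *d)
{
    d->buf->wait_poll++;
    return d->attached ? 0 : -1;
}

int main(void)
{
    struct dev_model *d = dev_register();
    if (!d) return 1;
    dev_open(d);
    dev_unregister(d);              /* module unload while the fd is open */
    int early = buffers_freed, rc = dev_poll(d);
    dev_close(d);                   /* last user gone: buffer freed now */
    printf("freed early=%d poll=%d freed late=%d\n", early, rc, buffers_freed);
    return 0;
}
```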