diff mbox

saa7134: Fix crash when device is closed before streamoff

Message ID 1379697328-9990-1-git-send-email-simon.farnsworth@onelan.co.uk (mailing list archive)
State New, archived
Headers show

Commit Message

Simon Farnsworth Sept. 20, 2013, 5:15 p.m. UTC 
pm_qos_remove_request was not called on video_release, resulting in the PM
core's list of requests being corrupted when the file handle was freed.

This has no immediate symptoms, but later in operation, the kernel will
panic as the PM core dereferences a dangling pointer.

Signed-off-by: Simon Farnsworth <simon.farnsworth@onelan.co.uk>
Cc: stable@vger.kernel.org
---

I didn't notice this when I first implemented the pm_qos_request as the
userspace I was using always called streamoff before closing the
device. I've since changed userspace components, and hit the kernel panic.

 drivers/media/pci/saa7134/saa7134-video.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Hans Verkuil Sept. 30, 2013, 12:19 p.m. UTC | #1 
On 09/20/2013 07:15 PM, Simon Farnsworth wrote:
> pm_qos_remove_request was not called on video_release, resulting in the PM
> core's list of requests being corrupted when the file handle was freed.
> 
> This has no immediate symptoms, but later in operation, the kernel will
> panic as the PM core dereferences a dangling pointer.
> 
> Signed-off-by: Simon Farnsworth <simon.farnsworth@onelan.co.uk>
> Cc: stable@vger.kernel.org

Acked-by: Hans Verkuil <hans.verkuil@cisco.com>

Regards,

	Hans

> ---
> 
> I didn't notice this when I first implemented the pm_qos_request as the
> userspace I was using always called streamoff before closing the
> device. I've since changed userspace components, and hit the kernel panic.
> 
>  drivers/media/pci/saa7134/saa7134-video.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c
> index e12bbd8..fb60da8 100644
> --- a/drivers/media/pci/saa7134/saa7134-video.c
> +++ b/drivers/media/pci/saa7134/saa7134-video.c
> @@ -1455,6 +1455,7 @@ static int video_release(struct file *file)
>  
>  	/* stop video capture */
>  	if (res_check(fh, RESOURCE_VIDEO)) {
> +		pm_qos_remove_request(&dev->qos_request);
>  		videobuf_streamoff(&fh->cap);
>  		res_free(dev,fh,RESOURCE_VIDEO);
>  	}
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c
index e12bbd8..fb60da8 100644
--- a/drivers/media/pci/saa7134/saa7134-video.c
+++ b/drivers/media/pci/saa7134/saa7134-video.c
@@ -1455,6 +1455,7 @@  static int video_release(struct file *file)
 
 	/* stop video capture */
 	if (res_check(fh, RESOURCE_VIDEO)) {
+		pm_qos_remove_request(&dev->qos_request);
 		videobuf_streamoff(&fh->cap);
 		res_free(dev,fh,RESOURCE_VIDEO);
 	}