From patchwork Fri Sep 20 17:15:28 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Simon Farnsworth X-Patchwork-Id: 2920031 Return-Path: X-Original-To: patchwork-linux-media@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id CC7D99F1F1 for ; Fri, 20 Sep 2013 18:05:10 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 9A93820322 for ; Fri, 20 Sep 2013 18:05:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 17CBF20328 for ; Fri, 20 Sep 2013 18:05:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753283Ab3ITSFE (ORCPT ); Fri, 20 Sep 2013 14:05:04 -0400 Received: from claranet-outbound-smtp01.uk.clara.net ([195.8.89.34]:34383 "EHLO claranet-outbound-smtp01.uk.clara.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752931Ab3ITSFD (ORCPT ); Fri, 20 Sep 2013 14:05:03 -0400 X-Greylist: delayed 2962 seconds by postgrey-1.27 at vger.kernel.org; Fri, 20 Sep 2013 14:05:03 EDT Received: from 110.100.155.90.in-addr.arpa ([90.155.100.110]:35679 helo=f17simon.office.onelan.co.uk) by relay01.mail.eu.clara.net (relay.clara.net [213.253.3.41]:1025) with esmtpa (authdaemon_plain:simon.farnsworth@onelan.co.uk) id 1VN4Il-0000sk-4b (return-path ); Fri, 20 Sep 2013 17:15:31 +0000 From: Simon Farnsworth To: linux-media@vger.kernel.org Cc: Simon Farnsworth , stable@vger.kernel.org Subject: [PATCH] saa7134: Fix crash when device is closed before streamoff Date: Fri, 20 Sep 2013 18:15:28 +0100 Message-Id: <1379697328-9990-1-git-send-email-simon.farnsworth@onelan.co.uk> X-Mailer: git-send-email 1.7.11.7 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP pm_qos_remove_request was not called on video_release, resulting in the PM core's list of requests being corrupted when the file handle was freed. This has no immediate symptoms, but later in operation, the kernel will panic as the PM core dereferences a dangling pointer. Signed-off-by: Simon Farnsworth Cc: stable@vger.kernel.org Acked-by: Hans Verkuil --- I didn't notice this when I first implemented the pm_qos_request as the userspace I was using always called streamoff before closing the device. I've since changed userspace components, and hit the kernel panic. drivers/media/pci/saa7134/saa7134-video.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c index e12bbd8..fb60da8 100644 --- a/drivers/media/pci/saa7134/saa7134-video.c +++ b/drivers/media/pci/saa7134/saa7134-video.c @@ -1455,6 +1455,7 @@ static int video_release(struct file *file) /* stop video capture */ if (res_check(fh, RESOURCE_VIDEO)) { + pm_qos_remove_request(&dev->qos_request); videobuf_streamoff(&fh->cap); res_free(dev,fh,RESOURCE_VIDEO); }