[PATCH] V4L: sh_mobile_ceu_camera: fix Oops when USERPTR mapping fails

Guennadi Liakhovetski Mon, 04 Jul 2011 08:15:20 -0700

If vb2_dma_contig_get_userptr() fails on a videobuffer, driver's
.buf_init() method will not be called and the list will not be
initialised. Trying to remove an uninitialised element from a list leads
to a NULL-dereference.


Signed-off-by: Guennadi Liakhovetski <g.liakhovet...@gmx.de>
---
 drivers/media/video/sh_mobile_ceu_camera.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/video/sh_mobile_ceu_camera.c 
b/drivers/media/video/sh_mobile_ceu_camera.c
index 3ae5c9c..a851a3e 100644
--- a/drivers/media/video/sh_mobile_ceu_camera.c
+++ b/drivers/media/video/sh_mobile_ceu_camera.c
@@ -421,8 +421,12 @@ static void sh_mobile_ceu_videobuf_release(struct 
vb2_buffer *vb)
                pcdev->active = NULL;
        }
 
-       /* Doesn't hurt also if the list is empty */
-       list_del_init(&buf->queue);
+       /*
+        * Doesn't hurt also if the list is empty, but it hurts, if queuing the
+        * buffer failed, and .buf_init() hasn't been called
+        */
+       if (buf->queue.next)
+               list_del_init(&buf->queue);
 
        spin_unlock_irq(&pcdev->lock);
 }
-- 
1.7.2.5
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] V4L: sh_mobile_ceu_camera: fix Oops when USERPTR mapping fails

Reply via email to