If vb2_dma_contig_get_userptr() fails on a videobuffer, driver's .buf_init() method will not be called and the list will not be initialised. Trying to remove an uninitialised element from a list leads to a NULL-dereference. Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@xxxxxx> --- drivers/media/video/sh_mobile_ceu_camera.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/video/sh_mobile_ceu_camera.c b/drivers/media/video/sh_mobile_ceu_camera.c index 3ae5c9c..a851a3e 100644 --- a/drivers/media/video/sh_mobile_ceu_camera.c +++ b/drivers/media/video/sh_mobile_ceu_camera.c @@ -421,8 +421,12 @@ static void sh_mobile_ceu_videobuf_release(struct vb2_buffer *vb) pcdev->active = NULL; } - /* Doesn't hurt also if the list is empty */ - list_del_init(&buf->queue); + /* + * Doesn't hurt also if the list is empty, but it hurts, if queuing the + * buffer failed, and .buf_init() hasn't been called + */ + if (buf->queue.next) + list_del_init(&buf->queue); spin_unlock_irq(&pcdev->lock); } -- 1.7.2.5 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
