On Mon, 4 Jul 2011, Guennadi Liakhovetski wrote: > If vb2_dma_contig_get_userptr() fails on a videobuffer, driver's > .buf_init() method will not be called and the list will not be > initialised. Trying to remove an uninitialised element from a list leads > to a NULL-dereference. > > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@xxxxxx> Tested on mackerel. Tested-by: Bastian Hecht <hechtb@xxxxxxxxx> Thanks, Bastian > --- > drivers/media/video/sh_mobile_ceu_camera.c | 8 ++++++-- > 1 files changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/video/sh_mobile_ceu_camera.c b/drivers/media/video/sh_mobile_ceu_camera.c > index 3ae5c9c..a851a3e 100644 > --- a/drivers/media/video/sh_mobile_ceu_camera.c > +++ b/drivers/media/video/sh_mobile_ceu_camera.c > @@ -421,8 +421,12 @@ static void sh_mobile_ceu_videobuf_release(struct vb2_buffer *vb) > pcdev->active = NULL; > } > > - /* Doesn't hurt also if the list is empty */ > - list_del_init(&buf->queue); > + /* > + * Doesn't hurt also if the list is empty, but it hurts, if queuing the > + * buffer failed, and .buf_init() hasn't been called > + */ > + if (buf->queue.next) > + list_del_init(&buf->queue); > > spin_unlock_irq(&pcdev->lock); > } > -- > 1.7.2.5 > -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
