From patchwork Mon Jul 4 15:15:14 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Guennadi Liakhovetski X-Patchwork-Id: 942512 Date: Mon, 4 Jul 2011 17:15:14 +0200 (CEST) 
From: Guennadi Liakhovetski X-X-Sender: lyakh@axis700.grange To: Linux Media Mailing List cc: Bastian Hecht Subject: [PATCH] V4L: sh_mobile_ceu_camera: fix Oops when USERPTR mapping fails Message-ID: MIME-Version: 1.0 X-Provags-ID: V02:K0:4aQu0sayJzzETZ6+Oa13jc5FpCAmWYnZFJjZ2vnJ17B JyRPLTm+9JbLvw1zZ+gzR9K3pISzkHYKjd9LoQCQPS+4bfwMfA AX0o25IpW1VPK9mffBz3J3E44iCHfBCRXsJsZllugtFJ5ttKGX tkIPrjPLEpjA6tizyeFh/C1W8w9Z/qEBVKb3+lmCtTU+vOSK7v mOGCT4Lk+UQxqf/N2e6AMeVt+yfBAWuonZ+rA9D6lA= Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Mon, 04 Jul 2011 15:19:15 +0000 (UTC) If vb2_dma_contig_get_userptr() fails on a videobuffer, driver's .buf_init() method will not be called and the list will not be initialised. Trying to remove an uninitialised element from a list leads to a NULL-dereference. Signed-off-by: Guennadi Liakhovetski --- drivers/media/video/sh_mobile_ceu_camera.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/video/sh_mobile_ceu_camera.c b/drivers/media/video/sh_mobile_ceu_camera.c index 3ae5c9c..a851a3e 100644 --- a/drivers/media/video/sh_mobile_ceu_camera.c +++ b/drivers/media/video/sh_mobile_ceu_camera.c @@ -421,8 +421,12 @@ static void sh_mobile_ceu_videobuf_release(struct vb2_buffer *vb) pcdev->active = NULL; } - /* Doesn't hurt also if the list is empty */ - list_del_init(&buf->queue); + /* + * Doesn't hurt also if the list is empty, but it hurts, if queuing the + * buffer failed, and .buf_init() hasn't been called + */ + if (buf->queue.next) + list_del_init(&buf->queue); spin_unlock_irq(&pcdev->lock); }
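Review bot: the new "if (buf->queue.next)" test in sh_mobile_ceu_videobuf_release() can only tell an uninitialised list head from an initialised one if the buffer memory is zeroed at allocation, and neither the hunk nor its comment states that. If the head were ever not zeroed, the test would pass and list_del_init() would run on garbage pointers. Please have the comment say that the check relies on zero-initialised buffer memory when .buf_init() has not been called. The commit message's "NULL-dereference" implies this, but the code should carry it. Since the test open-codes knowledge of struct list_head internals, a short note on why .next is the field examined would also help the next reader. Minor style point: the comment reads more easily as "but it does hurt if queuing the buffer failed and .buf_init() hasn't been called".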