* [bug report] media: videobuf: fix epoll() by calling poll_wait first
@ 2019-09-04 8:00 Dan Carpenter
From: Dan Carpenter @ 2019-09-04 8:00 UTC (permalink / raw)
To: hverkuil-cisco; +Cc: linux-media

Hello Hans Verkuil,

The patch bb436cbeb918: "media: videobuf: fix epoll() by calling
poll_wait first" from Feb 7, 2019, leads to the following static
checker warning:

    drivers/media/v4l2-core/videobuf-core.c:1126 videobuf_poll_stream()
    warn: passing bogus address: '&buf->done'

drivers/media/v4l2-core/videobuf-core.c
  1118  __poll_t videobuf_poll_stream(struct file *file,
  1119                                struct videobuf_queue *q,
  1120                                poll_table *wait)
  1121  {
  1122          __poll_t req_events = poll_requested_events(wait);
  1123          struct videobuf_buffer *buf = NULL;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  1124          __poll_t rc = 0;
  1125
  1126          poll_wait(file, &buf->done, wait);
                                ^^^^^^^^^^
This will totally crash, because &buf->done is (void *)72 so it's
non-NULL.  It's weird that this code was merged in Feb and no one has
complained about it...

  1127          videobuf_queue_lock(q);
  1128          if (q->streaming) {
  1129                  if (!list_empty(&q->stream))
  1130                          buf = list_entry(q->stream.next,
  1131                                           struct videobuf_buffer, stream);
  1132          } else if (req_events & (EPOLLIN | EPOLLRDNORM)) {
  1133                  if (!q->reading)
  1134                          __videobuf_read_start(q);
  1135                  if (!q->reading) {
  1136                          rc = EPOLLERR;
  1137                  } else if (NULL == q->read_buf) {
  1138                          q->read_buf = list_entry(q->stream.next,

regards,
dan carpenter
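
Added example, not part of the original message and not kernel code: a user-space C model of why the address named in the warning gets past a NULL check, next to a variant that tests the base pointer first. The struct layout (padding chosen so that `done` sits at offset 72), `fake_buf`, `done_addr`, `callee_would_use` and the two `poll_*` helpers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct videobuf_buffer. The padding is chosen so
 * that 'done' lands at offset 72, the value quoted in the report; the real
 * kernel layout is not reproduced here. */
struct wait_head { int dummy; };
struct fake_buf {
    unsigned char before_done[72];
    struct wait_head done;
};

/* Numeric value that &buf->done has for a given base pointer. Computed with
 * offsetof so the demo never forms a member address from a NULL pointer. */
static uintptr_t done_addr(const struct fake_buf *buf)
{
    return (uintptr_t)buf + offsetof(struct fake_buf, done);
}

/* Hypothetical callee whose only guard is "is the address NULL?".
 * Returns 1 when it would go on to use the address. */
static int callee_would_use(uintptr_t wait_address)
{
    return wait_address != 0;
}

/* Order shown in the report: member address taken before buf is assigned. */
static int poll_unchecked(const struct fake_buf *buf)
{
    return callee_would_use(done_addr(buf));
}

/* Defensive order: test the base pointer, then take the member address. */
static int poll_checked(const struct fake_buf *buf)
{
    if (!buf)
        return 0;
    return callee_would_use(done_addr(buf));
}

int main(void)
{
    printf("done_addr(NULL)      = %lu\n", (unsigned long)done_addr(NULL));
    printf("poll_unchecked(NULL) = %d\n", poll_unchecked(NULL));
    printf("poll_checked(NULL)   = %d\n", poll_checked(NULL));
    return 0;
}
```

The point for review is that a NULL test on a member address says nothing about the base pointer; the test has to be made on `buf` itself.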