From: Len Brown <len.brown@intel.com>
To: Adrian Bunk <bunk@stusta.de>
Cc: ACPI Developers <acpi-devel@lists.sourceforge.net>,
linux-kernel@vger.kernel.org, Luming Yu <luming.yu@intel.com>
Subject: Re: drivers/acpi/video.c: null pointer dereference
Date: 30 Mar 2005 22:26:55 -0500 [thread overview]
Message-ID: <1112239614.2175.68.camel@d845pe> (raw)
In-Reply-To: <20050324203744.GB3966@stusta.de>
[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]
On Thu, 2005-03-24 at 15:37, Adrian Bunk wrote:
> The Coverity checker found the following null pointer dereference in
> drivers/acpi/video.c:
>
> <-- snip -->
>
> ...
> static int
> acpi_video_switch_output(
> ...
> {
> ...
> struct acpi_video_device *dev=NULL;
> ...
> list_for_each_safe(node, next, &video->video_device_list) {
> struct acpi_video_device * dev = container_of(node,
> struct acpi_video_device, entry);
> ...
> }
> ...
> switch (event) {
> case ACPI_VIDEO_NOTIFY_CYCLE:
> case ACPI_VIDEO_NOTIFY_NEXT_OUTPUT:
> acpi_video_device_set_state(dev, 0);
> acpi_video_device_set_state(dev_next, 0x80000001);
> break;
> case ACPI_VIDEO_NOTIFY_PREV_OUTPUT:
> acpi_video_device_set_state(dev, 0);
> acpi_video_device_set_state(dev_prev, 0x80000001);
> ...
>
> <-- snip -->
>
>
> Two different variables of the same name within 40 lines of code are a
> good indication that something's wrong...
>
>
> The outer "dev" variable is never assigned any value different from
> NULL.
>
> acpi_video_device_set_state dereferences this variable.
>
>
> cu
> Adrian
Looks like we should do this:
[-- Attachment #2: video.patch --]
[-- Type: text/plain, Size: 599 bytes --]
===== drivers/acpi/video.c 1.8 vs edited =====
--- 1.8/drivers/acpi/video.c 2005-01-06 02:06:20 -05:00
+++ edited/drivers/acpi/video.c 2005-03-24 15:44:33 -05:00
@@ -1585,7 +1585,7 @@
ACPI_FUNCTION_TRACE("acpi_video_switch_output");
list_for_each_safe(node, next, &video->video_device_list) {
- struct acpi_video_device * dev = container_of(node, struct acpi_video_device, entry);
+ dev = container_of(node, struct acpi_video_device, entry);
status = acpi_video_device_get_state(dev, &state);
if (state & 0x2){
dev_next = container_of(node->next, struct acpi_video_device, entry);
prev parent reply other threads:[~2005-03-31 3:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-24 20:37 drivers/acpi/video.c: null pointer dereference Adrian Bunk
2005-03-31 3:26 ` Len Brown [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1112239614.2175.68.camel@d845pe \
--to=len.brown@intel.com \
--cc=acpi-devel@lists.sourceforge.net \
--cc=bunk@stusta.de \
--cc=linux-kernel@vger.kernel.org \
--cc=luming.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox