From: Dan Carpenter <dan.carpenter@oracle.com>
To: hverkuil-cisco@xs4all.nl
Cc: linux-media@vger.kernel.org
Subject: [bug report] media: videobuf: fix epoll() by calling poll_wait first
Date: Wed, 4 Sep 2019 11:00:11 +0300
Message-ID: <20190904080011.GA22685@mwanda>

Hello Hans Verkuil,

The patch bb436cbeb918: "media: videobuf: fix epoll() by calling
poll_wait first" from Feb 7, 2019, leads to the following static
checker warning:

	drivers/media/v4l2-core/videobuf-core.c:1126 videobuf_poll_stream()
	warn: passing bogus address: '&buf->done'

drivers/media/v4l2-core/videobuf-core.c
  1118  __poll_t videobuf_poll_stream(struct file *file,
  1119                                struct videobuf_queue *q,
  1120                                poll_table *wait)
  1121  {
  1122          __poll_t req_events = poll_requested_events(wait);
  1123          struct videobuf_buffer *buf = NULL;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  1124          __poll_t rc = 0;
  1125  
  1126          poll_wait(file, &buf->done, wait);
                                ^^^^^^^^^^
This will totally crash, because &buf->done is (void *)72 so it's
non-NULL.  It's weird that this code was merged in Feb and no one has
complained about it...

  1127          videobuf_queue_lock(q);
  1128          if (q->streaming) {
  1129                  if (!list_empty(&q->stream))
  1130                          buf = list_entry(q->stream.next,
  1131                                           struct videobuf_buffer, stream);
  1132          } else if (req_events & (EPOLLIN | EPOLLRDNORM)) {
  1133                  if (!q->reading)
  1134                          __videobuf_read_start(q);
  1135                  if (!q->reading) {
  1136                          rc = EPOLLERR;
  1137                  } else if (NULL == q->read_buf) {
  1138                          q->read_buf = list_entry(q->stream.next,

regards,
dan carpenter

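Added illustration of the checker's complaint, not code from the report or from the kernel tree: it shows why `&buf->done` on a NULL `buf` is a non-NULL bogus pointer (the compiler emits `buf + offsetof()`, giving 72 here), and contrasts the reported ordering with a variant that only registers a wait queue once a real buffer exists. The struct layouts, the 72-byte padding, `mock_poll_wait`, `struct videobuf_queue` and the reordered `poll_stream_checked` are all constructed assumptions; the reordering is illustrative and is not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel types in the report; the padding is
 * chosen so that 'done' sits at offset 72, the value the checker printed. */
struct wait_queue_head { int lock; void *first; };
struct videobuf_buffer {
    char pad[72];
    struct wait_queue_head done;
};
struct videobuf_queue {
    struct videobuf_buffer *stream_head;   /* NULL when the stream list is empty */
};

/* What 'poll_wait(file, &buf->done, wait)' actually hands over: the compiler
 * lowers &buf->done to buf + offsetof(), so a NULL buf yields 72, not NULL. */
uintptr_t done_address(const struct videobuf_buffer *buf)
{
    return (uintptr_t)buf + offsetof(struct videobuf_buffer, done);
}

/* Mock of poll_wait() that only records the wait-queue address it was given
 * (the real one would dereference it and crash on a bogus address). */
static uintptr_t last_registered;
static void mock_poll_wait(struct wait_queue_head *wq)
{
    last_registered = (uintptr_t)wq;
}

/* Order of operations from the report: register first, pick the buffer later. */
uintptr_t poll_stream_as_reported(struct videobuf_queue *q)
{
    struct videobuf_buffer *buf = NULL;                            /* line 1123 */
    mock_poll_wait((struct wait_queue_head *)done_address(buf));   /* line 1126: 72 */
    buf = q->stream_head;                                          /* lines 1129-1131, too late */
    (void)buf;
    return last_registered;
}

/* Illustrative reordering (assumption, not the upstream patch): select the
 * buffer first and only register a wait queue that belongs to a real buffer. */
int poll_stream_checked(struct videobuf_queue *q, uintptr_t *registered)
{
    struct videobuf_buffer *buf = q->stream_head;
    if (!buf)
        return -1;                      /* nothing to wait on; caller reports no events */
    mock_poll_wait(&buf->done);
    *registered = (uintptr_t)&buf->done;
    return 0;
}
```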