* [bug report] media: videobuf: fix epoll() by calling poll_wait first
@ 2019-09-04 8:00 Dan Carpenter
From: Dan Carpenter @ 2019-09-04 8:00 UTC
To: hverkuil-cisco; +Cc: linux-media
Hello Hans Verkuil,
The patch bb436cbeb918: "media: videobuf: fix epoll() by calling
poll_wait first" from Feb 7, 2019, leads to the following static
checker warning:
drivers/media/v4l2-core/videobuf-core.c:1126 videobuf_poll_stream()
warn: passing bogus address: '&buf->done'
drivers/media/v4l2-core/videobuf-core.c
  1118  __poll_t videobuf_poll_stream(struct file *file,
  1119                                struct videobuf_queue *q,
  1120                                poll_table *wait)
  1121  {
  1122          __poll_t req_events = poll_requested_events(wait);
  1123          struct videobuf_buffer *buf = NULL;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  1124          __poll_t rc = 0;
  1125
  1126          poll_wait(file, &buf->done, wait);
                                ^^^^^^^^^^
This will totally crash, because &buf->done is (void *)72 so it's
non-NULL. It's weird that this code was merged in Feb and no one has
complained about it...
  1127          videobuf_queue_lock(q);
  1128          if (q->streaming) {
  1129                  if (!list_empty(&q->stream))
  1130                          buf = list_entry(q->stream.next,
  1131                                           struct videobuf_buffer, stream);
  1132          } else if (req_events & (EPOLLIN | EPOLLRDNORM)) {
  1133                  if (!q->reading)
  1134                          __videobuf_read_start(q);
  1135                  if (!q->reading) {
  1136                          rc = EPOLLERR;
  1137                  } else if (NULL == q->read_buf) {
  1138                          q->read_buf = list_entry(q->stream.next,
regards,
dan carpenter
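The warning quoted above turns on a detail that is easy to miss in review: taking the address of a member through a NULL pointer does not yield NULL, it yields the member's offset, so any later NULL test on that address passes and the crash only arrives when the wait queue is actually touched. The program below is an added example, not part of the report and not kernel code. It uses a hypothetical stand-in struct (field names and layout chosen so that `done` lands at offset 72 on a 64-bit build, as in the report; it is not the kernel's struct videobuf_buffer) and a stand-in poll_wait() that records what it was handed, to show the bogus address, the NULL check it defeats, and a guarded variant that tests the object pointer instead. The guarded variant illustrates the pattern only; it is not the fix that went upstream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types: a kernel-style doubly linked list and wait queue head.
 * Hypothetical layout for illustration, not the kernel's definitions. */
struct list_head { struct list_head *next, *prev; };
struct wait_queue_head { int lock; struct list_head head; };

/* Hypothetical stand-in for struct videobuf_buffer. On an LP64 build the
 * padding works out so that 'done' sits at offset 72, matching the
 * "(void *)72" in the report. Field names are illustrative only. */
struct fake_videobuf_buffer {
	unsigned int i, magic, width, height, bytesperline;
	unsigned long size;
	int field, state;
	struct list_head stream;
	struct list_head queue;
	struct wait_queue_head done;
};

/* poll_table stand-in: remembers the last wait queue it was given. */
struct fake_poll_table { const void *last_wq; int calls; };

static void fake_poll_wait(struct fake_poll_table *pt,
			   const struct wait_queue_head *wq)
{
	pt->last_wq = wq;
	pt->calls++;
}

/* The pattern the checker flagged: member address through a NULL base.
 * Formally undefined behaviour, which is exactly why static analysis
 * reports it; in practice the compiler emits base + offsetof(), so NULL
 * becomes a small, non-NULL value. noinline keeps the call from being
 * folded away at the call site. */
__attribute__((noinline))
uintptr_t bogus_done_address(struct fake_videobuf_buffer *buf)
{
	return (uintptr_t)&buf->done;
}

/* A NULL test on the member address never fires. Returns 1 when such a
 * check would (wrongly) let the address through. */
int member_null_check_passes(struct fake_videobuf_buffer *buf)
{
	struct wait_queue_head *wq =
		(struct wait_queue_head *)bogus_done_address(buf);
	return wq != NULL;
}

/* Guarded form: test the object pointer, not the member address, and do
 * not register a wait on a queue with no backing object.
 * Returns 1 if poll_wait was called, 0 if it was skipped. */
int checked_poll_wait(struct fake_videobuf_buffer *buf,
		      struct fake_poll_table *pt)
{
	if (!buf)
		return 0;
	fake_poll_wait(pt, &buf->done);
	return 1;
}

/* Self-check helpers: exercise checked_poll_wait with and without a buffer. */
int poll_wait_calls_for_null(void)
{
	struct fake_poll_table pt = { 0 };
	checked_poll_wait(NULL, &pt);
	return pt.calls;
}

int poll_wait_targets_done_queue(void)
{
	struct fake_videobuf_buffer buf = { 0 };
	struct fake_poll_table pt = { 0 };
	int called = checked_poll_wait(&buf, &pt);
	return called == 1 && pt.last_wq == &buf.done;
}

int main(void)
{
	printf("offsetof(done)            = %zu\n",
	       offsetof(struct fake_videobuf_buffer, done));
	printf("&((buf = NULL)->done)     = %lu  (non-NULL!)\n",
	       (unsigned long)bogus_done_address(NULL));
	printf("NULL check on member addr passes: %d\n",
	       member_null_check_passes(NULL));
	printf("guarded poll_wait, NULL buf: calls=%d\n",
	       poll_wait_calls_for_null());
	printf("guarded poll_wait, real buf: targets &buf->done=%d\n",
	       poll_wait_targets_done_queue());
	return 0;
}
```

Compile with the usual `cc -Wall -O2`; the interesting line is the second one, where the address computed from a NULL base comes out equal to the struct offset rather than 0, which is the value smatch is warning about.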