[1/1] media: video/cx18, fix potential null dereference
Commit Message
Stanse found a potential null dereference in cx18_dvb_start_feed
and cx18_dvb_stop_feed. There is a check for stream being NULL,
but it is dereferenced earlier. Move the dereference after the
check.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/media/video/cx18/cx18-dvb.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
Comments
On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
> Stanse found a potential null dereference in cx18_dvb_start_feed
> and cx18_dvb_stop_feed. There is a check for stream being NULL,
> but it is dereferenced earlier. Move the dereference after the
> check.
>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reviewed-by: Andy Walls <awalls@radix.net>
Acked-by: Andy Walls <awalls@radix.net>
Regards,
Andy
> ---
> drivers/media/video/cx18/cx18-dvb.c | 18 ++++++++++--------
> 1 files changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/media/video/cx18/cx18-dvb.c b/drivers/media/video/cx18/cx18-dvb.c
> index 71ad2d1..0ad5b63 100644
> --- a/drivers/media/video/cx18/cx18-dvb.c
> +++ b/drivers/media/video/cx18/cx18-dvb.c
> @@ -213,10 +213,14 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
> {
> struct dvb_demux *demux = feed->demux;
> struct cx18_stream *stream = (struct cx18_stream *) demux->priv;
> - struct cx18 *cx = stream->cx;
> + struct cx18 *cx;
> int ret;
> u32 v;
>
> + if (!stream)
> + return -EINVAL;
> +
> + cx = stream->cx;
> CX18_DEBUG_INFO("Start feed: pid = 0x%x index = %d\n",
> feed->pid, feed->index);
>
> @@ -253,9 +257,6 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
> if (!demux->dmx.frontend)
> return -EINVAL;
>
> - if (!stream)
> - return -EINVAL;
> -
> mutex_lock(&stream->dvb.feedlock);
> if (stream->dvb.feeding++ == 0) {
> CX18_DEBUG_INFO("Starting Transport DMA\n");
> @@ -279,13 +280,14 @@ static int cx18_dvb_stop_feed(struct dvb_demux_feed *feed)
> {
> struct dvb_demux *demux = feed->demux;
> struct cx18_stream *stream = (struct cx18_stream *)demux->priv;
> - struct cx18 *cx = stream->cx;
> + struct cx18 *cx;
> int ret = -EINVAL;
>
> - CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
> - feed->pid, feed->index);
> -
> if (stream) {
> + cx = stream->cx;
> + CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
> + feed->pid, feed->index);
> +
> mutex_lock(&stream->dvb.feedlock);
> if (--stream->dvb.feeding == 0) {
> CX18_DEBUG_INFO("Stopping Transport DMA\n");
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On 01/12/2010 12:48 AM, Andy Walls wrote:
> On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
>> Stanse found a potential null dereference in cx18_dvb_start_feed
>> and cx18_dvb_stop_feed. There is a check for stream being NULL,
>> but it is dereferenced earlier. Move the dereference after the
>> check.
>>
>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
>
> Reviewed-by: Andy Walls <awalls@radix.net>
> Acked-by: Andy Walls <awalls@radix.net>
You definitely know the code better, have you checked that it can happen
at all? I mean may demux->priv be NULL?
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, 2010-01-12 at 12:28 +0100, Jiri Slaby wrote:
> On 01/12/2010 12:48 AM, Andy Walls wrote:
> > On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
> >> Stanse found a potential null dereference in cx18_dvb_start_feed
> >> and cx18_dvb_stop_feed. There is a check for stream being NULL,
> >> but it is dereferenced earlier. Move the dereference after the
> >> check.
> >>
> >> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> >
> > Reviewed-by: Andy Walls <awalls@radix.net>
> > Acked-by: Andy Walls <awalls@radix.net>
>
> You definitely know the code better, have you checked that it can happen
> at all? I mean may demux->priv be NULL?
I'm wasn't sure, and that's the one reason I didn't NAK the patch.
I can tell you no one has ever reported an Ooops or Bug due to that
condition.
I know the cx18 code very well. However, I am less familiar with the
dvb core code and any bad behavior that may exist there. When relying
on data structures the dvb core accesses I would have to research what
could happen in the dvb core to possibly generate that condition.
Since I'm busy this week with work related to my day job (nothing to do
with Linux), it was easiest to let the NULL check stay in for now.
If you don't mind a delay of until Sunday or so to get the patch applied
to the V4L-DVB tree, I can take the patch and work it in my normal path
through Mauro. Let me know.
Regards,
Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On 01/13/2010 12:32 PM, Andy Walls wrote:
> If you don't mind a delay of until Sunday or so to get the patch applied
> to the V4L-DVB tree, I can take the patch and work it in my normal path
> through Mauro. Let me know.
I have no problem with that.
thanks,
On Tue, Jan 12, 2010 at 3:28 PM, Jiri Slaby <jirislaby@gmail.com> wrote:
> On 01/12/2010 12:48 AM, Andy Walls wrote:
>> On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
>>> Stanse found a potential null dereference in cx18_dvb_start_feed
>>> and cx18_dvb_stop_feed. There is a check for stream being NULL,
>>> but it is dereferenced earlier. Move the dereference after the
>>> check.
>>>
>>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
>>
>> Reviewed-by: Andy Walls <awalls@radix.net>
>> Acked-by: Andy Walls <awalls@radix.net>
>
> You definitely know the code better, have you checked that it can happen
> at all? I mean may demux->priv be NULL?
It is highly unlikely that demux->priv becoming NULL. The only time
that could happen would be when there is a dvb register failed. But in
which case, it wouldn't reach the stage where you want to start/stop a
stream.
Regards,
Manu
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
@@ -213,10 +213,14 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
{
struct dvb_demux *demux = feed->demux;
struct cx18_stream *stream = (struct cx18_stream *) demux->priv;
- struct cx18 *cx = stream->cx;
+ struct cx18 *cx;
int ret;
u32 v;
+ if (!stream)
+ return -EINVAL;
+
+ cx = stream->cx;
CX18_DEBUG_INFO("Start feed: pid = 0x%x index = %d\n",
feed->pid, feed->index);
@@ -253,9 +257,6 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
if (!demux->dmx.frontend)
return -EINVAL;
- if (!stream)
- return -EINVAL;
-
mutex_lock(&stream->dvb.feedlock);
if (stream->dvb.feeding++ == 0) {
CX18_DEBUG_INFO("Starting Transport DMA\n");
@@ -279,13 +280,14 @@ static int cx18_dvb_stop_feed(struct dvb_demux_feed *feed)
{
struct dvb_demux *demux = feed->demux;
struct cx18_stream *stream = (struct cx18_stream *)demux->priv;
- struct cx18 *cx = stream->cx;
+ struct cx18 *cx;
int ret = -EINVAL;
- CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
- feed->pid, feed->index);
-
if (stream) {
+ cx = stream->cx;
+ CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
+ feed->pid, feed->index);
+
mutex_lock(&stream->dvb.feedlock);
if (--stream->dvb.feeding == 0) {
CX18_DEBUG_INFO("Stopping Transport DMA\n");