[PATCH] V4L: Fix read() bugs in bttv driver
authorNickolay V. Shmyrev <nshmyrev@yandex.ru>
Thu, 1 Dec 2005 08:51:32 +0000 (00:51 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Thu, 1 Dec 2005 23:48:57 +0000 (15:48 -0800)
Fix read() bugs in bttv driver.

Signed-off-by: Nickolay V. Shmyrev <nshmyrev@yandex.ru>
Signed-off-by: Michael H. Schimek <mschimek@gmx.at>
Signed-off-by: Mauro Carvalho Chehab <mchehab@brturbo.com.br>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/media/video/bttv-driver.c
drivers/media/video/video-buf.c

index 5bc522259d36ab6c73709f4a558ac4a1c7c9a990..f9d581cd31dbc02c58cb8754719d2db9cebf210e 100644 (file)
@@ -2952,6 +2952,8 @@ static unsigned int bttv_poll(struct file *file, poll_table *wait)
                        fh->cap.read_buf->memory = V4L2_MEMORY_USERPTR;
                        field = videobuf_next_field(&fh->cap);
                        if (0 != fh->cap.ops->buf_prepare(&fh->cap,fh->cap.read_buf,field)) {
+                               kfree (fh->cap.read_buf);
+                               fh->cap.read_buf = NULL;
                                up(&fh->cap.lock);
                                return POLLERR;
                        }
index acfd3a103f35ccdfa6cf31c44877d1f217262679..bd34f81dbc697827ccf35f96a330844fecacddfc 100644 (file)
@@ -753,10 +753,9 @@ videobuf_read_zerocopy(struct videobuf_queue *q, char __user *data,
        int retval;
 
        /* setup stuff */
-       retval = -ENOMEM;
        q->read_buf = videobuf_alloc(q->msize);
        if (NULL == q->read_buf)
-               goto done;
+               return -ENOMEM;
 
        q->read_buf->memory = V4L2_MEMORY_USERPTR;
        q->read_buf->baddr  = (unsigned long)data;
@@ -819,8 +818,11 @@ ssize_t videobuf_read_one(struct videobuf_queue *q,
                q->read_buf->memory = V4L2_MEMORY_USERPTR;
                field = videobuf_next_field(q);
                retval = q->ops->buf_prepare(q,q->read_buf,field);
-               if (0 != retval)
+               if (0 != retval) {
+                       kfree (q->read_buf);
+                       q->read_buf = NULL;
                        goto done;
+               }
                spin_lock_irqsave(q->irqlock,flags);
                q->ops->buf_queue(q,q->read_buf);
                spin_unlock_irqrestore(q->irqlock,flags);