From f4b727b3ae0cc244f803a8a0c532df06ad846a1b Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Sun, 2 May 2010 11:42:45 -0300 Subject: [PATCH] V4L/DVB: tm6000: Fix a panic if buffer become NULL Changing a video standard takes a long time to happen on tm6000, since it needs to load another firmware, and the i2c implementation on this device is really slow. When the driver tries to change the video standard, a kernel panic is produced: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [] tm6000_irq_callback+0x57f/0xac2 [tm6000] ... Kernel panic - not syncing: Fatal exception in interrupt By inspecting it with gdb: (gdb) list *tm6000_irq_callback+0x57f 0x348a is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:202). 197 /* FIXME: move to tm6000-isoc */ 198 static int last_line = -2, start_line = -2, last_field = -2; 199 200 /* FIXME: this is the hardcoded window size 201 */ 202 unsigned int linewidth = (*buf)->vb.width << 1; 203 204 if (!dev->isoc_ctl.cmd) { 205 c = (header >> 24) & 0xff; 206 Clearly, it was the trial to access *buf, at line 202 that caused the Panic. As ioctl is serialized, While S_STD is handled,QBUF/DQBUF won't be called. So, the driver will run out of the buffers, and *buf will become NULL. As, on tm6000, the same URB can contain more than one video buffer, it is likely to hit a condition where no new buffer is available whily copying the streams. The fix is to leave the URB copy loop, if there's no more buffers are available. The same bug could also be produced by an application that is not fast enough to request new video buffers. The same bug were reported by Bee Hock Goh . Thanks-to: Bee Hock Goh for reporting the bug Signed-off-by: Mauro Carvalho Chehab --- drivers/staging/tm6000/tm6000-video.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/tm6000/tm6000-video.c b/drivers/staging/tm6000/tm6000-video.c index 92edb4185868..edc59424d260 100644 --- a/drivers/staging/tm6000/tm6000-video.c +++ b/drivers/staging/tm6000/tm6000-video.c @@ -397,6 +397,8 @@ HEADER: jiffies); return rc; } + if (!*buf) + return 0; } return 0; @@ -530,7 +532,7 @@ static inline int tm6000_isoc_copy(struct urb *urb) } } copied += len; - if (copied>=size) + if (copied >= size || !buf) break; // } } -- 2.20.1