Stanse found a potential null dereference in cx18_dvb_start_feed
and cx18_dvb_stop_feed. There is a check for stream being NULL,
but it is dereferenced earlier. Move the dereference after the
check.
Signed-off-by: Jiri Slaby <[email protected]>
---
drivers/media/video/cx18/cx18-dvb.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/media/video/cx18/cx18-dvb.c b/drivers/media/video/cx18/cx18-dvb.c
index 71ad2d1..0ad5b63 100644
--- a/drivers/media/video/cx18/cx18-dvb.c
+++ b/drivers/media/video/cx18/cx18-dvb.c
@@ -213,10 +213,14 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
{
struct dvb_demux *demux = feed->demux;
struct cx18_stream *stream = (struct cx18_stream *) demux->priv;
- struct cx18 *cx = stream->cx;
+ struct cx18 *cx;
int ret;
u32 v;
+ if (!stream)
+ return -EINVAL;
+
+ cx = stream->cx;
CX18_DEBUG_INFO("Start feed: pid = 0x%x index = %d\n",
feed->pid, feed->index);
@@ -253,9 +257,6 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
if (!demux->dmx.frontend)
return -EINVAL;
- if (!stream)
- return -EINVAL;
-
mutex_lock(&stream->dvb.feedlock);
if (stream->dvb.feeding++ == 0) {
CX18_DEBUG_INFO("Starting Transport DMA\n");
@@ -279,13 +280,14 @@ static int cx18_dvb_stop_feed(struct dvb_demux_feed *feed)
{
struct dvb_demux *demux = feed->demux;
struct cx18_stream *stream = (struct cx18_stream *)demux->priv;
- struct cx18 *cx = stream->cx;
+ struct cx18 *cx;
int ret = -EINVAL;
- CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
- feed->pid, feed->index);
-
if (stream) {
+ cx = stream->cx;
+ CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
+ feed->pid, feed->index);
+
mutex_lock(&stream->dvb.feedlock);
if (--stream->dvb.feeding == 0) {
CX18_DEBUG_INFO("Stopping Transport DMA\n");
--
1.6.5.7
On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
> Stanse found a potential null dereference in cx18_dvb_start_feed
> and cx18_dvb_stop_feed. There is a check for stream being NULL,
> but it is dereferenced earlier. Move the dereference after the
> check.
>
> Signed-off-by: Jiri Slaby <[email protected]>
Reviewed-by: Andy Walls <[email protected]>
Acked-by: Andy Walls <[email protected]>
Regards,
Andy
> ---
> drivers/media/video/cx18/cx18-dvb.c | 18 ++++++++++--------
> 1 files changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/media/video/cx18/cx18-dvb.c b/drivers/media/video/cx18/cx18-dvb.c
> index 71ad2d1..0ad5b63 100644
> --- a/drivers/media/video/cx18/cx18-dvb.c
> +++ b/drivers/media/video/cx18/cx18-dvb.c
> @@ -213,10 +213,14 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
> {
> struct dvb_demux *demux = feed->demux;
> struct cx18_stream *stream = (struct cx18_stream *) demux->priv;
> - struct cx18 *cx = stream->cx;
> + struct cx18 *cx;
> int ret;
> u32 v;
>
> + if (!stream)
> + return -EINVAL;
> +
> + cx = stream->cx;
> CX18_DEBUG_INFO("Start feed: pid = 0x%x index = %d\n",
> feed->pid, feed->index);
>
> @@ -253,9 +257,6 @@ static int cx18_dvb_start_feed(struct dvb_demux_feed *feed)
> if (!demux->dmx.frontend)
> return -EINVAL;
>
> - if (!stream)
> - return -EINVAL;
> -
> mutex_lock(&stream->dvb.feedlock);
> if (stream->dvb.feeding++ == 0) {
> CX18_DEBUG_INFO("Starting Transport DMA\n");
> @@ -279,13 +280,14 @@ static int cx18_dvb_stop_feed(struct dvb_demux_feed *feed)
> {
> struct dvb_demux *demux = feed->demux;
> struct cx18_stream *stream = (struct cx18_stream *)demux->priv;
> - struct cx18 *cx = stream->cx;
> + struct cx18 *cx;
> int ret = -EINVAL;
>
> - CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
> - feed->pid, feed->index);
> -
> if (stream) {
> + cx = stream->cx;
> + CX18_DEBUG_INFO("Stop feed: pid = 0x%x index = %d\n",
> + feed->pid, feed->index);
> +
> mutex_lock(&stream->dvb.feedlock);
> if (--stream->dvb.feeding == 0) {
> CX18_DEBUG_INFO("Stopping Transport DMA\n");
On 01/12/2010 12:48 AM, Andy Walls wrote:
> On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
>> Stanse found a potential null dereference in cx18_dvb_start_feed
>> and cx18_dvb_stop_feed. There is a check for stream being NULL,
>> but it is dereferenced earlier. Move the dereference after the
>> check.
>>
>> Signed-off-by: Jiri Slaby <[email protected]>
>
> Reviewed-by: Andy Walls <[email protected]>
> Acked-by: Andy Walls <[email protected]>
You definitely know the code better, have you checked that it can happen
at all? I mean may demux->priv be NULL?
On Tue, 2010-01-12 at 12:28 +0100, Jiri Slaby wrote:
> On 01/12/2010 12:48 AM, Andy Walls wrote:
> > On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
> >> Stanse found a potential null dereference in cx18_dvb_start_feed
> >> and cx18_dvb_stop_feed. There is a check for stream being NULL,
> >> but it is dereferenced earlier. Move the dereference after the
> >> check.
> >>
> >> Signed-off-by: Jiri Slaby <[email protected]>
> >
> > Reviewed-by: Andy Walls <[email protected]>
> > Acked-by: Andy Walls <[email protected]>
>
> You definitely know the code better, have you checked that it can happen
> at all? I mean may demux->priv be NULL?
I'm wasn't sure, and that's the one reason I didn't NAK the patch.
I can tell you no one has ever reported an Ooops or Bug due to that
condition.
I know the cx18 code very well. However, I am less familiar with the
dvb core code and any bad behavior that may exist there. When relying
on data structures the dvb core accesses I would have to research what
could happen in the dvb core to possibly generate that condition.
Since I'm busy this week with work related to my day job (nothing to do
with Linux), it was easiest to let the NULL check stay in for now.
If you don't mind a delay of until Sunday or so to get the patch applied
to the V4L-DVB tree, I can take the patch and work it in my normal path
through Mauro. Let me know.
Regards,
Andy
On 01/13/2010 12:32 PM, Andy Walls wrote:
> If you don't mind a delay of until Sunday or so to get the patch applied
> to the V4L-DVB tree, I can take the patch and work it in my normal path
> through Mauro. Let me know.
I have no problem with that.
thanks,
--
js
On Tue, Jan 12, 2010 at 3:28 PM, Jiri Slaby <[email protected]> wrote:
> On 01/12/2010 12:48 AM, Andy Walls wrote:
>> On Sun, 2010-01-10 at 09:56 +0100, Jiri Slaby wrote:
>>> Stanse found a potential null dereference in cx18_dvb_start_feed
>>> and cx18_dvb_stop_feed. There is a check for stream being NULL,
>>> but it is dereferenced earlier. Move the dereference after the
>>> check.
>>>
>>> Signed-off-by: Jiri Slaby <[email protected]>
>>
>> Reviewed-by: Andy Walls <[email protected]>
>> Acked-by: Andy Walls <[email protected]>
>
> You definitely know the code better, have you checked that it can happen
> at all? I mean may demux->priv be NULL?
It is highly unlikely that demux->priv becoming NULL. The only time
that could happen would be when there is a dvb register failed. But in
which case, it wouldn't reach the stage where you want to start/stop a
stream.
Regards,
Manu