[media] V4L: sh_mobile_ceu_camera: fix Oops when USERPTR mapping fails

If vb2_dma_contig_get_userptr() fails on a videobuffer, driver's
.buf_init() method will not be called and the list will not be
initialised. Trying to remove an uninitialised element from a list leads
to a NULL-dereference.

Signed-off-by: Guennadi Liakhovetski <[email protected]>
Tested-by: Bastian Hecht <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>

diff --git a/drivers/media/video/sh_mobile_ceu_camera.c b/drivers/media/video/sh_mobile_ceu_camera.c
index f86550703f8ec4b672719966b86d2b9113787ec0..e54089802b6b906027b36369984f126d9d8e8830 100644 (file)
--- a/drivers/media/video/sh_mobile_ceu_camera.c
+++ b/drivers/media/video/sh_mobile_ceu_camera.c
@@ -422,8 +422,12 @@ static void sh_mobile_ceu_videobuf_release(struct vb2_buffer *vb)
                pcdev->active = NULL;
        }
 
-       /* Doesn't hurt also if the list is empty */
-       list_del_init(&buf->queue);
+       /*
+        * Doesn't hurt also if the list is empty, but it hurts, if queuing the
+        * buffer failed, and .buf_init() hasn't been called
+        */
+       if (buf->queue.next)
+               list_del_init(&buf->queue);
 
        spin_unlock_irq(&pcdev->lock);
 }