[PATCH] Fix Oops in MXB driver (v4l2 subsystem)
From: Michael Hunold
Date: Mon Apr 04 2005 - 05:03:44 EST
Hi Linus, Andrew,
the attached patch fixes a NULL pointer dereference Oops in my
"Multimedia eXtension Board" driver.
The tda9840 i2c driver dereferences the argument pointer, but the MXB
driver is supplying a NULL pointer for one of the commands. The patch
makes this one command behave like the others, ie. it expects an int
argument.
Please apply.
Thanks!
Michael Hunold.
diff -ura a/drivers/media/video/mxb.c linux-2.6.11.6/drivers/media/video/mxb.c
--- a/drivers/media/video/mxb.c 2005-04-04 11:31:06.000000000 +0200
+++ linux-2.6.11.6/drivers/media/video/mxb.c 2005-04-04 11:17:28.000000000 +0200
@@ -731,7 +731,7 @@
t->signal = 0xffff;
t->afc = 0;
- byte = mxb->tda9840->driver->command(mxb->tda9840,TDA9840_DETECT, NULL);
+ mxb->tda9840->driver->command(mxb->tda9840,TDA9840_DETECT, &byte);
t->audmode = mxb->cur_mode;
if( byte < 0 ) {
diff -ura a/drivers/media/video/tda9840.c linux-2.6.11.6/drivers/media/video/tda9840.c
--- a/drivers/media/video/tda9840.c 2005-04-04 11:31:23.000000000 +0200
+++ linux-2.6.11.6/drivers/media/video/tda9840.c 2005-04-04 11:21:50.000000000 +0200
@@ -120,7 +120,8 @@
dprintk("i2c_smbus_write_byte() failed, ret:%d\n", result);
break;
- case TDA9840_DETECT:
+ case TDA9840_DETECT: {
+ int *ret = (int *)arg;
byte = i2c_smbus_read_byte_data(client, STEREO_ADJUST);
if (byte == -1) {
@@ -134,8 +135,10 @@
}
dprintk("TDA9840_DETECT: byte: 0x%02x\n", byte);
- return ((byte & 0x60) >> 5);
-
+ *ret = ((byte & 0x60) >> 5);
+ result = 0;
+ break;
+ }
case TDA9840_TEST:
dprintk("TDA9840_TEST: 0x%02x\n", byte);