mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 4f4e6644cd
			
		
	
	
		4f4e6644cd
		
	
	
	
	
		
			
			For two of the supported sensors the stv06xx driver allocates memory which is stored in sd->sensor_priv. This memory is freed on a disconnect, but if the probe() fails, then it isn't freed and so this leaks memory. Add a new probe_error() op that drivers can use to free any allocated memory in case there was a probe failure. Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause of the memory leak. Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
		
			
				
	
	
		
			244 lines
		
	
	
		
			7.5 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			244 lines
		
	
	
		
			7.5 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /* SPDX-License-Identifier: GPL-2.0 */
 | |
| #ifndef GSPCAV2_H
 | |
| #define GSPCAV2_H
 | |
| 
 | |
| #include <linux/module.h>
 | |
| #include <linux/kernel.h>
 | |
| #include <linux/usb.h>
 | |
| #include <linux/videodev2.h>
 | |
| #include <media/v4l2-common.h>
 | |
| #include <media/v4l2-ctrls.h>
 | |
| #include <media/v4l2-device.h>
 | |
| #include <media/videobuf2-v4l2.h>
 | |
| #include <media/videobuf2-vmalloc.h>
 | |
| #include <linux/mutex.h>
 | |
| 
 | |
| 
 | |
| 
 | |
| /* GSPCA debug codes */
 | |
| 
 | |
| #define D_PROBE  1
 | |
| #define D_CONF   2
 | |
| #define D_STREAM 3
 | |
| #define D_FRAM   4
 | |
| #define D_PACK   5
 | |
| #define D_USBI   6
 | |
| #define D_USBO   7
 | |
| 
 | |
| extern int gspca_debug;
 | |
| 
 | |
| 
 | |
| #define gspca_dbg(gspca_dev, level, fmt, ...)			\
 | |
| 	v4l2_dbg(level, gspca_debug, &(gspca_dev)->v4l2_dev,	\
 | |
| 		 fmt, ##__VA_ARGS__)
 | |
| 
 | |
| #define gspca_err(gspca_dev, fmt, ...)				\
 | |
| 	v4l2_err(&(gspca_dev)->v4l2_dev, fmt, ##__VA_ARGS__)
 | |
| 
 | |
| #define GSPCA_MAX_FRAMES 16	/* maximum number of video frame buffers */
 | |
| /* image transfers */
 | |
| #define MAX_NURBS 4		/* max number of URBs */
 | |
| 
 | |
| 
 | |
| /* used to list framerates supported by a camera mode (resolution) */
 | |
| struct framerates {
 | |
| 	const u8 *rates;
 | |
| 	int nrates;
 | |
| };
 | |
| 
 | |
| /* device information - set at probe time */
 | |
| struct cam {
 | |
| 	const struct v4l2_pix_format *cam_mode;	/* size nmodes */
 | |
| 	const struct framerates *mode_framerates; /* must have size nmodes,
 | |
| 						   * just like cam_mode */
 | |
| 	u32 bulk_size;		/* buffer size when image transfer by bulk */
 | |
| 	u32 input_flags;	/* value for ENUM_INPUT status flags */
 | |
| 	u8 nmodes;		/* size of cam_mode */
 | |
| 	u8 no_urb_create;	/* don't create transfer URBs */
 | |
| 	u8 bulk_nurbs;		/* number of URBs in bulk mode
 | |
| 				 * - cannot be > MAX_NURBS
 | |
| 				 * - when 0 and bulk_size != 0 means
 | |
| 				 *   1 URB and submit done by subdriver */
 | |
| 	u8 bulk;		/* image transfer by 0:isoc / 1:bulk */
 | |
| 	u8 npkt;		/* number of packets in an ISOC message
 | |
| 				 * 0 is the default value: 32 packets */
 | |
| 	u8 needs_full_bandwidth;/* Set this flag to notify the bandwidth calc.
 | |
| 				 * code that the cam fills all image buffers to
 | |
| 				 * the max, even when using compression. */
 | |
| };
 | |
| 
 | |
| struct gspca_dev;
 | |
| struct gspca_frame;
 | |
| 
 | |
| /* subdriver operations */
 | |
| typedef int (*cam_op) (struct gspca_dev *);
 | |
| typedef void (*cam_v_op) (struct gspca_dev *);
 | |
| typedef int (*cam_cf_op) (struct gspca_dev *, const struct usb_device_id *);
 | |
| typedef int (*cam_get_jpg_op) (struct gspca_dev *,
 | |
| 				struct v4l2_jpegcompression *);
 | |
| typedef int (*cam_set_jpg_op) (struct gspca_dev *,
 | |
| 				const struct v4l2_jpegcompression *);
 | |
| typedef int (*cam_get_reg_op) (struct gspca_dev *,
 | |
| 				struct v4l2_dbg_register *);
 | |
| typedef int (*cam_set_reg_op) (struct gspca_dev *,
 | |
| 				const struct v4l2_dbg_register *);
 | |
| typedef int (*cam_chip_info_op) (struct gspca_dev *,
 | |
| 				struct v4l2_dbg_chip_info *);
 | |
| typedef void (*cam_streamparm_op) (struct gspca_dev *,
 | |
| 				  struct v4l2_streamparm *);
 | |
| typedef void (*cam_pkt_op) (struct gspca_dev *gspca_dev,
 | |
| 				u8 *data,
 | |
| 				int len);
 | |
| typedef int (*cam_int_pkt_op) (struct gspca_dev *gspca_dev,
 | |
| 				u8 *data,
 | |
| 				int len);
 | |
| typedef void (*cam_format_op) (struct gspca_dev *gspca_dev,
 | |
| 				struct v4l2_format *fmt);
 | |
| typedef int (*cam_frmsize_op) (struct gspca_dev *gspca_dev,
 | |
| 				struct v4l2_frmsizeenum *fsize);
 | |
| 
 | |
| /* subdriver description */
 | |
| struct sd_desc {
 | |
| /* information */
 | |
| 	const char *name;	/* sub-driver name */
 | |
| /* mandatory operations */
 | |
| 	cam_cf_op config;	/* called on probe */
 | |
| 	cam_op init;		/* called on probe and resume */
 | |
| 	cam_op init_controls;	/* called on probe */
 | |
| 	cam_v_op probe_error;	/* called if probe failed, do cleanup here */
 | |
| 	cam_op start;		/* called on stream on after URBs creation */
 | |
| 	cam_pkt_op pkt_scan;
 | |
| /* optional operations */
 | |
| 	cam_op isoc_init;	/* called on stream on before getting the EP */
 | |
| 	cam_op isoc_nego;	/* called when URB submit failed with NOSPC */
 | |
| 	cam_v_op stopN;		/* called on stream off - main alt */
 | |
| 	cam_v_op stop0;		/* called on stream off & disconnect - alt 0 */
 | |
| 	cam_v_op dq_callback;	/* called when a frame has been dequeued */
 | |
| 	cam_get_jpg_op get_jcomp;
 | |
| 	cam_set_jpg_op set_jcomp;
 | |
| 	cam_streamparm_op get_streamparm;
 | |
| 	cam_streamparm_op set_streamparm;
 | |
| 	cam_format_op try_fmt;
 | |
| 	cam_frmsize_op enum_framesizes;
 | |
| #ifdef CONFIG_VIDEO_ADV_DEBUG
 | |
| 	cam_set_reg_op set_register;
 | |
| 	cam_get_reg_op get_register;
 | |
| 	cam_chip_info_op get_chip_info;
 | |
| #endif
 | |
| #if IS_ENABLED(CONFIG_INPUT)
 | |
| 	cam_int_pkt_op int_pkt_scan;
 | |
| 	/* other_input makes the gspca core create gspca_dev->input even when
 | |
| 	   int_pkt_scan is NULL, for cams with non interrupt driven buttons */
 | |
| 	u8 other_input;
 | |
| #endif
 | |
| };
 | |
| 
 | |
| /* packet types when moving from iso buf to frame buf */
 | |
| enum gspca_packet_type {
 | |
| 	DISCARD_PACKET,
 | |
| 	FIRST_PACKET,
 | |
| 	INTER_PACKET,
 | |
| 	LAST_PACKET
 | |
| };
 | |
| 
 | |
| struct gspca_buffer {
 | |
| 	struct vb2_v4l2_buffer vb;
 | |
| 	struct list_head list;
 | |
| };
 | |
| 
 | |
| static inline struct gspca_buffer *to_gspca_buffer(struct vb2_buffer *vb2)
 | |
| {
 | |
| 	return container_of(vb2, struct gspca_buffer, vb.vb2_buf);
 | |
| }
 | |
| 
 | |
| struct gspca_dev {
 | |
| 	struct video_device vdev;	/* !! must be the first item */
 | |
| 	struct module *module;		/* subdriver handling the device */
 | |
| 	struct v4l2_device v4l2_dev;
 | |
| 	struct usb_device *dev;
 | |
| 
 | |
| #if IS_ENABLED(CONFIG_INPUT)
 | |
| 	struct input_dev *input_dev;
 | |
| 	char phys[64];			/* physical device path */
 | |
| #endif
 | |
| 
 | |
| 	struct cam cam;				/* device information */
 | |
| 	const struct sd_desc *sd_desc;		/* subdriver description */
 | |
| 	struct v4l2_ctrl_handler ctrl_handler;
 | |
| 
 | |
| 	/* autogain and exposure or gain control cluster, these are global as
 | |
| 	   the autogain/exposure functions in autogain_functions.c use them */
 | |
| 	struct {
 | |
| 		struct v4l2_ctrl *autogain;
 | |
| 		struct v4l2_ctrl *exposure;
 | |
| 		struct v4l2_ctrl *gain;
 | |
| 		int exp_too_low_cnt, exp_too_high_cnt;
 | |
| 	};
 | |
| 
 | |
| #define USB_BUF_SZ 64
 | |
| 	__u8 *usb_buf;				/* buffer for USB exchanges */
 | |
| 	struct urb *urb[MAX_NURBS];
 | |
| #if IS_ENABLED(CONFIG_INPUT)
 | |
| 	struct urb *int_urb;
 | |
| #endif
 | |
| 
 | |
| 	u8 *image;				/* image being filled */
 | |
| 	u32 image_len;				/* current length of image */
 | |
| 	__u8 last_packet_type;
 | |
| 	__s8 empty_packet;		/* if (-1) don't check empty packets */
 | |
| 	bool streaming;
 | |
| 
 | |
| 	__u8 curr_mode;			/* current camera mode */
 | |
| 	struct v4l2_pix_format pixfmt;	/* current mode parameters */
 | |
| 	__u32 sequence;			/* frame sequence number */
 | |
| 
 | |
| 	struct vb2_queue queue;
 | |
| 
 | |
| 	spinlock_t qlock;
 | |
| 	struct list_head buf_list;
 | |
| 
 | |
| 	wait_queue_head_t wq;		/* wait queue */
 | |
| 	struct mutex usb_lock;		/* usb exchange protection */
 | |
| 	int usb_err;			/* USB error - protected by usb_lock */
 | |
| 	u16 pkt_size;			/* ISOC packet size */
 | |
| #ifdef CONFIG_PM
 | |
| 	char frozen;			/* suspend - resume */
 | |
| #endif
 | |
| 	bool present;
 | |
| 	char memory;			/* memory type (V4L2_MEMORY_xxx) */
 | |
| 	__u8 iface;			/* USB interface number */
 | |
| 	__u8 alt;			/* USB alternate setting */
 | |
| 	int xfer_ep;			/* USB transfer endpoint address */
 | |
| 	u8 audio;			/* presence of audio device */
 | |
| 
 | |
| 	/* (*) These variables are proteced by both usb_lock and queue_lock,
 | |
| 	   that is any code setting them is holding *both*, which means that
 | |
| 	   any code getting them needs to hold at least one of them */
 | |
| };
 | |
| 
 | |
| int gspca_dev_probe(struct usb_interface *intf,
 | |
| 		const struct usb_device_id *id,
 | |
| 		const struct sd_desc *sd_desc,
 | |
| 		int dev_size,
 | |
| 		struct module *module);
 | |
| int gspca_dev_probe2(struct usb_interface *intf,
 | |
| 		const struct usb_device_id *id,
 | |
| 		const struct sd_desc *sd_desc,
 | |
| 		int dev_size,
 | |
| 		struct module *module);
 | |
| void gspca_disconnect(struct usb_interface *intf);
 | |
| void gspca_frame_add(struct gspca_dev *gspca_dev,
 | |
| 			enum gspca_packet_type packet_type,
 | |
| 			const u8 *data,
 | |
| 			int len);
 | |
| #ifdef CONFIG_PM
 | |
| int gspca_suspend(struct usb_interface *intf, pm_message_t message);
 | |
| int gspca_resume(struct usb_interface *intf);
 | |
| #endif
 | |
| int gspca_expo_autogain(struct gspca_dev *gspca_dev, int avg_lum,
 | |
| 	int desired_avg_lum, int deadzone, int gain_knee, int exposure_knee);
 | |
| int gspca_coarse_grained_expo_autogain(struct gspca_dev *gspca_dev,
 | |
| 	int avg_lum, int desired_avg_lum, int deadzone);
 | |
| 
 | |
| #endif /* GSPCAV2_H */
 |