linux/drivers/media/usb/gspca/gspca.h
Hans Verkuil 4f4e6644cd media: gscpa/stv06xx: fix memory leak
For two of the supported sensors the stv06xx driver allocates memory which
is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
the probe() fails, then it isn't freed and so this leaks memory.

Add a new probe_error() op that drivers can use to free any allocated
memory in case there was a probe failure.

Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
of the memory leak.

Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2021-04-09 13:19:38 +02:00


/* SPDX-License-Identifier: GPL-2.0 */
#ifndef GSPCAV2_H
#define GSPCAV2_H
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/usb.h>
#include <linux/videodev2.h>
#include <media/v4l2-common.h>
#include <media/v4l2-ctrls.h>
#include <media/v4l2-device.h>
#include <media/videobuf2-v4l2.h>
#include <media/videobuf2-vmalloc.h>
#include <linux/mutex.h>
/*
 * GSPCA debug codes.
 * Passed as the "level" argument of gspca_dbg() below, which forwards it
 * to v4l2_dbg() together with the gspca_debug setting.
 */
#define D_PROBE 1
#define D_CONF 2
#define D_STREAM 3
#define D_FRAM 4
#define D_PACK 5
#define D_USBI 6
#define D_USBO 7
/* Debug setting handed to v4l2_dbg() by gspca_dbg(); defined outside this header. */
extern int gspca_debug;
/*
 * Logging helpers bound to the v4l2_dev embedded in struct gspca_dev.
 * fmt is forwarded as the format string, so callers should pass a literal
 * format and hand any device-derived text over as an argument only.
 */
#define gspca_dbg(gspca_dev, level, fmt, ...) \
	v4l2_dbg(level, gspca_debug, &(gspca_dev)->v4l2_dev, \
		 fmt, ##__VA_ARGS__)
#define gspca_err(gspca_dev, fmt, ...) \
	v4l2_err(&(gspca_dev)->v4l2_dev, fmt, ##__VA_ARGS__)
#define GSPCA_MAX_FRAMES 16 /* maximum number of video frame buffers */
/* image transfers */
/* MAX_NURBS also sizes the urb[] array in struct gspca_dev. */
#define MAX_NURBS 4 /* max number of URBs */
/*
 * Used to list framerates supported by a camera mode (resolution).
 * NOTE(review): nrates is presumably the element count of rates[]; it is a
 * signed int, so consumers should reject negative values before indexing -
 * confirm against the users of mode_framerates.
 */
struct framerates {
	const u8 *rates;
	int nrates;
};
/*
 * Device information - set at probe time.
 * nmodes is the single length for both cam_mode[] and mode_framerates[];
 * any index into either table has to be checked against it.
 */
struct cam {
	const struct v4l2_pix_format *cam_mode;	/* size nmodes */
	const struct framerates *mode_framerates; /* must have size nmodes,
						   * just like cam_mode */
	u32 bulk_size;		/* buffer size when image transfer by bulk */
	u32 input_flags;	/* value for ENUM_INPUT status flags */
	u8 nmodes;		/* size of cam_mode */
	u8 no_urb_create;	/* don't create transfer URBs */
	u8 bulk_nurbs;		/* number of URBs in bulk mode
				 * - cannot be > MAX_NURBS
				 * - when 0 and bulk_size != 0 means
				 *   1 URB and submit done by subdriver */
	u8 bulk;		/* image transfer by 0:isoc / 1:bulk */
	u8 npkt;		/* number of packets in an ISOC message
				 * 0 is the default value: 32 packets */
	u8 needs_full_bandwidth;/* Set this flag to notify the bandwidth calc.
				 * code that the cam fills all image buffers to
				 * the max, even when using compression. */
};
/* Forward declarations: the operation types below only take pointers. */
struct gspca_dev;
struct gspca_frame;

/*
 * Subdriver operation types.
 * Each one is a pointer to a callback that receives the gspca device it
 * operates on; struct sd_desc collects them per subdriver.
 */
typedef int (*cam_op)(struct gspca_dev *gspca_dev);
typedef void (*cam_v_op)(struct gspca_dev *gspca_dev);
typedef int (*cam_cf_op)(struct gspca_dev *gspca_dev,
			 const struct usb_device_id *id);

/* JPEG compression get/set */
typedef int (*cam_get_jpg_op)(struct gspca_dev *gspca_dev,
			      struct v4l2_jpegcompression *jcomp);
typedef int (*cam_set_jpg_op)(struct gspca_dev *gspca_dev,
			      const struct v4l2_jpegcompression *jcomp);

/* debug register / chip info access */
typedef int (*cam_get_reg_op)(struct gspca_dev *gspca_dev,
			      struct v4l2_dbg_register *reg);
typedef int (*cam_set_reg_op)(struct gspca_dev *gspca_dev,
			      const struct v4l2_dbg_register *reg);
typedef int (*cam_chip_info_op)(struct gspca_dev *gspca_dev,
				struct v4l2_dbg_chip_info *chip);

typedef void (*cam_streamparm_op)(struct gspca_dev *gspca_dev,
				  struct v4l2_streamparm *parm);

/*
 * Packet callbacks: data points at len bytes of packet payload.
 * NOTE(review): the payload presumably originates from the USB device, so
 * implementations should bound every access by len (a signed int) and not
 * trust length fields found inside the data - confirm against the core.
 */
typedef void (*cam_pkt_op)(struct gspca_dev *gspca_dev, u8 *data, int len);
typedef int (*cam_int_pkt_op)(struct gspca_dev *gspca_dev, u8 *data, int len);

typedef void (*cam_format_op)(struct gspca_dev *gspca_dev,
			      struct v4l2_format *fmt);
typedef int (*cam_frmsize_op)(struct gspca_dev *gspca_dev,
			      struct v4l2_frmsizeenum *fsize);
/*
 * Subdriver description: the name plus the callback table a subdriver
 * hands to gspca_dev_probe()/gspca_dev_probe2().
 */
struct sd_desc {
/* information */
	const char *name;	/* sub-driver name */
/* mandatory operations */
	cam_cf_op config;	/* called on probe */
	cam_op init;		/* called on probe and resume */
	cam_op init_controls;	/* called on probe */
	/*
	 * Cleanup hook for a failed probe: memory the subdriver allocated
	 * during probe (e.g. a sensor private area) must be released here,
	 * otherwise it leaks because the disconnect path does not run.
	 * NOTE(review): it sits under "mandatory operations", yet it is a
	 * void op that subdrivers without probe-time allocations may have no
	 * use for - confirm whether the core NULL-checks it before calling.
	 */
	cam_v_op probe_error;	/* called if probe failed, do cleanup here */
	cam_op start;		/* called on stream on after URBs creation */
	/* NOTE(review): presumably parses packet payload coming from the
	 * device; treat data/len as untrusted input - confirm */
	cam_pkt_op pkt_scan;
/* optional operations */
	cam_op isoc_init;	/* called on stream on before getting the EP */
	cam_op isoc_nego;	/* called when URB submit failed with NOSPC */
	cam_v_op stopN;		/* called on stream off - main alt */
	cam_v_op stop0;		/* called on stream off & disconnect - alt 0 */
	cam_v_op dq_callback;	/* called when a frame has been dequeued */
	cam_get_jpg_op get_jcomp;
	cam_set_jpg_op set_jcomp;
	cam_streamparm_op get_streamparm;
	cam_streamparm_op set_streamparm;
	cam_format_op try_fmt;
	cam_frmsize_op enum_framesizes;
	/* register/chip debug access exists only in CONFIG_VIDEO_ADV_DEBUG builds */
#ifdef CONFIG_VIDEO_ADV_DEBUG
	cam_set_reg_op set_register;
	cam_get_reg_op get_register;
	cam_chip_info_op get_chip_info;
#endif
#if IS_ENABLED(CONFIG_INPUT)
	cam_int_pkt_op int_pkt_scan;
	/* other_input makes the gspca core create gspca_dev->input even when
	   int_pkt_scan is NULL, for cams with non interrupt driven buttons */
	u8 other_input;
#endif
};
/*
 * Packet classification used while copying from the iso buffer into the
 * frame buffer. The numeric values are the implicit ones, spelled out.
 */
enum gspca_packet_type {
	DISCARD_PACKET = 0,
	FIRST_PACKET = 1,
	INTER_PACKET = 2,
	LAST_PACKET = 3,
};
/*
 * A videobuf2 buffer plus a list link.
 * to_gspca_buffer() recovers this struct from a pointer to vb.vb2_buf.
 */
struct gspca_buffer {
	struct vb2_v4l2_buffer vb;	/* embedded vb2 buffer */
	struct list_head list;		/* NOTE(review): presumably linked on
					 * gspca_dev->buf_list - confirm */
};
/*
 * Map a vb2_buffer back to the gspca_buffer that embeds it.
 * vb2 must point at the vb.vb2_buf member of a struct gspca_buffer:
 * container_of() is plain pointer arithmetic and cannot verify that.
 */
static inline struct gspca_buffer *to_gspca_buffer(struct vb2_buffer *vb2)
{
	struct gspca_buffer *buf;

	buf = container_of(vb2, struct gspca_buffer, vb.vb2_buf);
	return buf;
}
/*
 * Per-device state used by the gspca core and the subdriver callbacks.
 * NOTE(review): the dev_size argument of gspca_dev_probe() suggests that
 * subdrivers embed this struct at the start of a larger one - confirm.
 */
struct gspca_dev {
	struct video_device vdev;	/* !! must be the first item */
	struct module *module;		/* subdriver handling the device */
	struct v4l2_device v4l2_dev;	/* used by gspca_dbg()/gspca_err() */
	struct usb_device *dev;
#if IS_ENABLED(CONFIG_INPUT)
	struct input_dev *input_dev;
	char phys[64];			/* physical device path */
#endif
	struct cam cam;			/* device information */
	const struct sd_desc *sd_desc;	/* subdriver description */
	struct v4l2_ctrl_handler ctrl_handler;
	/* autogain and exposure or gain control cluster, these are global as
	   the autogain/exposure functions in autogain_functions.c use them */
	struct {
		struct v4l2_ctrl *autogain;
		struct v4l2_ctrl *exposure;
		struct v4l2_ctrl *gain;
		int exp_too_low_cnt, exp_too_high_cnt;
	};
	/* NOTE(review): usb_buf is presumably allocated with USB_BUF_SZ bytes;
	 * subdrivers must keep every control transfer within that size -
	 * confirm where the buffer is allocated */
#define USB_BUF_SZ 64
	__u8 *usb_buf;			/* buffer for USB exchanges */
	struct urb *urb[MAX_NURBS];	/* MAX_NURBS slots, see cam.bulk_nurbs */
#if IS_ENABLED(CONFIG_INPUT)
	struct urb *int_urb;
#endif
	/* NOTE(review): code appending to image must keep image_len within
	 * the size of the frame buffer being filled - confirm in
	 * gspca_frame_add() */
	u8 *image;			/* image being filled */
	u32 image_len;			/* current length of image */
	__u8 last_packet_type;
	__s8 empty_packet;		/* if (-1) don't check empty packets */
	bool streaming;
	__u8 curr_mode;			/* current camera mode */
	struct v4l2_pix_format pixfmt;	/* current mode parameters */
	__u32 sequence;			/* frame sequence number */
	struct vb2_queue queue;
	spinlock_t qlock;
	struct list_head buf_list;
	wait_queue_head_t wq;		/* wait queue */
	struct mutex usb_lock;		/* usb exchange protection */
	int usb_err;			/* USB error - protected by usb_lock */
	u16 pkt_size;			/* ISOC packet size */
#ifdef CONFIG_PM
	char frozen;			/* suspend - resume */
#endif
	bool present;
	char memory;			/* memory type (V4L2_MEMORY_xxx) */
	__u8 iface;			/* USB interface number */
	__u8 alt;			/* USB alternate setting */
	int xfer_ep;			/* USB transfer endpoint address */
	u8 audio;			/* presence of audio device */
	/* (*) These variables are protected by both usb_lock and queue_lock,
	   that is any code setting them is holding *both*, which means that
	   any code getting them needs to hold at least one of them */
	/* NOTE(review): no member above carries the (*) marker and this
	 * struct has no queue_lock member (only qlock and usb_lock), so the
	 * locking rule above looks stale - confirm which fields and which
	 * lock it is meant to cover */
};
/*
 * Probe entry points for subdrivers. Both take the USB interface and id
 * being probed, the subdriver's callback table, dev_size and the owning
 * module, and return an int status.
 * A subdriver that allocates memory during probe should provide
 * sd_desc->probe_error so that memory is released when the probe fails.
 * NOTE(review): dev_size is presumably the size of the subdriver's device
 * struct (which starts with struct gspca_dev); it is a signed int, so it
 * should never be smaller than sizeof(struct gspca_dev) - confirm how the
 * core validates it. The difference between the two variants is not
 * visible in this header.
 */
int gspca_dev_probe(struct usb_interface *intf,
		const struct usb_device_id *id,
		const struct sd_desc *sd_desc,
		int dev_size,
		struct module *module);
int gspca_dev_probe2(struct usb_interface *intf,
		const struct usb_device_id *id,
		const struct sd_desc *sd_desc,
		int dev_size,
		struct module *module);
/* Disconnect handler for the interface. */
void gspca_disconnect(struct usb_interface *intf);
/*
 * Hand len bytes at data to the frame being built, tagged with packet_type.
 * NOTE(review): data/len presumably describe payload received from the
 * device; callers should pass a non-negative len that stays inside the
 * received packet - confirm how the implementation bounds the copy.
 */
void gspca_frame_add(struct gspca_dev *gspca_dev,
			enum gspca_packet_type packet_type,
			const u8 *data,
			int len);
/* Power-management entry points, only declared when CONFIG_PM is set. */
#ifdef CONFIG_PM
int gspca_suspend(struct usb_interface *intf, pm_message_t message);
int gspca_resume(struct usb_interface *intf);
#endif
/*
 * Autogain/exposure helpers driven by the measured average luminance
 * (avg_lum) and the desired value with a deadzone.
 * NOTE(review): presumably these act on the autogain/exposure/gain control
 * cluster in struct gspca_dev - confirm in autogain_functions.c.
 */
int gspca_expo_autogain(struct gspca_dev *gspca_dev, int avg_lum,
	int desired_avg_lum, int deadzone, int gain_knee, int exposure_knee);
int gspca_coarse_grained_expo_autogain(struct gspca_dev *gspca_dev,
	int avg_lum, int desired_avg_lum, int deadzone);
#endif /* GSPCAV2_H */