From 98522a7be97f2b23451342e36c39f412f0461e24 Mon Sep 17 00:00:00 2001
From: Jean-Francois Moine <moinejf@free.fr>
Date: Tue, 18 Nov 2008 06:33:08 -0300
Subject: V4L/DVB (9689): gspca: Memory leak when disconnect while streaming.

As a side effect, the sd routine stop0 is called on disconnect.
This permits the subdriver to free its resources.

Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/video/gspca/gspca.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

(limited to 'drivers/media/video/gspca/gspca.c')

diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index e48fbfc8ad05..f28d2f4aceac 100644
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -646,15 +646,14 @@ static void gspca_stream_off(struct gspca_dev *gspca_dev)
 {
 	gspca_dev->streaming = 0;
 	atomic_set(&gspca_dev->nevent, 0);
-	if (gspca_dev->present) {
-		if (gspca_dev->sd_desc->stopN)
-			gspca_dev->sd_desc->stopN(gspca_dev);
-		destroy_urbs(gspca_dev);
-		gspca_set_alt0(gspca_dev);
-		if (gspca_dev->sd_desc->stop0)
-			gspca_dev->sd_desc->stop0(gspca_dev);
-		PDEBUG(D_STREAM, "stream off OK");
-	}
+	if (gspca_dev->present
+	    && gspca_dev->sd_desc->stopN)
+		gspca_dev->sd_desc->stopN(gspca_dev);
+	destroy_urbs(gspca_dev);
+	gspca_set_alt0(gspca_dev);
+	if (gspca_dev->sd_desc->stop0)
+		gspca_dev->sd_desc->stop0(gspca_dev);
+	PDEBUG(D_STREAM, "stream off OK");
 }
 
 static void gspca_set_default_mode(struct gspca_dev *gspca_dev)
-- 
cgit v1.2.3


From 5c4fa002b1c7b40f65fa911ae17a823ec9e26ab2 Mon Sep 17 00:00:00 2001
From: Jean-Francois Moine <moinejf@free.fr>
Date: Tue, 18 Nov 2008 15:52:31 -0300
Subject: V4L/DVB (9690): gspca: Lock the subdrivers via module_get/put.

The previous subdriver protection against rmmod was done via the
file operations table in the device descriptor. On device disconnection
while streaming, the device structure was freed at close time, and the
module_put still used the module name in the freed area.
Now, explicit module get/put are done on open and close.

Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/video/gspca/gspca.c | 13 ++++++++++---
 drivers/media/video/gspca/gspca.h |  2 +-
 2 files changed, 11 insertions(+), 4 deletions(-)

(limited to 'drivers/media/video/gspca/gspca.c')

diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index f28d2f4aceac..a565f3764837 100644
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -874,6 +874,13 @@ static int dev_open(struct inode *inode, struct file *file)
 		ret = -EBUSY;
 		goto out;
 	}
+
+	/* protect the subdriver against rmmod */
+	if (!try_module_get(gspca_dev->module)) {
+		ret = -ENODEV;
+		goto out;
+	}
+
 	gspca_dev->users++;
 
 	/* one more user */
@@ -920,6 +927,7 @@ static int dev_close(struct inode *inode, struct file *file)
 		gspca_dev->memory = GSPCA_MEMORY_NO;
 	}
 	file->private_data = NULL;
+	module_put(gspca_dev->module);
 	mutex_unlock(&gspca_dev->queue_lock);
 
 	PDEBUG(D_STREAM, "close done");
@@ -1870,9 +1878,8 @@ int gspca_dev_probe(struct usb_interface *intf,
 	/* init video stuff */
 	memcpy(&gspca_dev->vdev, &gspca_template, sizeof gspca_template);
 	gspca_dev->vdev.parent = &dev->dev;
-	memcpy(&gspca_dev->fops, &dev_fops, sizeof gspca_dev->fops);
-	gspca_dev->vdev.fops = &gspca_dev->fops;
-	gspca_dev->fops.owner = module;		/* module protection */
+	gspca_dev->vdev.fops = &dev_fops;
+	gspca_dev->module = module;
 	gspca_dev->present = 1;
 	ret = video_register_device(&gspca_dev->vdev,
 				  VFL_TYPE_GRABBER,
diff --git a/drivers/media/video/gspca/gspca.h b/drivers/media/video/gspca/gspca.h
index c35d7b97112f..2ae1ad7c1483 100644
--- a/drivers/media/video/gspca/gspca.h
+++ b/drivers/media/video/gspca/gspca.h
@@ -121,7 +121,7 @@ struct gspca_frame {
 
 struct gspca_dev {
 	struct video_device vdev;	/* !! must be the first item */
-	struct file_operations fops;
+	struct module *module;		/* subdriver handling the device */
 	struct usb_device *dev;
 	struct kref kref;
 	struct file *capt_file;		/* file doing video capture */
-- 
cgit v1.2.3


From e07a1d8ab20a059fefbfd1558db43701bca560d7 Mon Sep 17 00:00:00 2001
From: Jean-Francois Moine <moinejf@free.fr>
Date: Wed, 19 Nov 2008 06:37:53 -0300
Subject: V4L/DVB (9691): gspca: Move the video device to a separate area.

The video device was part of the gspca device. On device disconnection
while streaming, the device structure is freed at close time.
In this case, the remaining close job on the video device run out of
allocated memory.

Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/video/gspca/gspca.c | 28 +++++++++++++---------------
 drivers/media/video/gspca/gspca.h |  2 +-
 2 files changed, 14 insertions(+), 16 deletions(-)

(limited to 'drivers/media/video/gspca/gspca.c')

diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index a565f3764837..748a87e82e44 100644
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -862,7 +862,7 @@ static int dev_open(struct inode *inode, struct file *file)
 	int ret;
 
 	PDEBUG(D_STREAM, "%s open", current->comm);
-	gspca_dev = (struct gspca_dev *) video_devdata(file);
+	gspca_dev = video_drvdata(file);
 	if (mutex_lock_interruptible(&gspca_dev->queue_lock))
 		return -ERESTARTSYS;
 	if (!gspca_dev->present) {
@@ -890,10 +890,10 @@ static int dev_open(struct inode *inode, struct file *file)
 #ifdef GSPCA_DEBUG
 	/* activate the v4l2 debug */
 	if (gspca_debug & D_V4L2)
-		gspca_dev->vdev.debug |= V4L2_DEBUG_IOCTL
+		gspca_dev->vdev->debug |= V4L2_DEBUG_IOCTL
 					| V4L2_DEBUG_IOCTL_ARG;
 	else
-		gspca_dev->vdev.debug &= ~(V4L2_DEBUG_IOCTL
+		gspca_dev->vdev->debug &= ~(V4L2_DEBUG_IOCTL
 					| V4L2_DEBUG_IOCTL_ARG);
 #endif
 	ret = 0;
@@ -1755,11 +1755,6 @@ out:
 	return ret;
 }
 
-static void dev_release(struct video_device *vfd)
-{
-	/* nothing */
-}
-
 static struct file_operations dev_fops = {
 	.owner = THIS_MODULE,
 	.open = dev_open,
@@ -1807,7 +1802,7 @@ static struct video_device gspca_template = {
 	.name = "gspca main driver",
 	.fops = &dev_fops,
 	.ioctl_ops = &dev_ioctl_ops,
-	.release = dev_release,		/* mandatory */
+	.release = video_device_release,
 	.minor = -1,
 };
 
@@ -1876,16 +1871,18 @@ int gspca_dev_probe(struct usb_interface *intf,
 	init_waitqueue_head(&gspca_dev->wq);
 
 	/* init video stuff */
-	memcpy(&gspca_dev->vdev, &gspca_template, sizeof gspca_template);
-	gspca_dev->vdev.parent = &dev->dev;
-	gspca_dev->vdev.fops = &dev_fops;
+	gspca_dev->vdev = video_device_alloc();
+	memcpy(gspca_dev->vdev, &gspca_template, sizeof gspca_template);
+	gspca_dev->vdev->parent = &dev->dev;
 	gspca_dev->module = module;
 	gspca_dev->present = 1;
-	ret = video_register_device(&gspca_dev->vdev,
+	video_set_drvdata(gspca_dev->vdev, gspca_dev);
+	ret = video_register_device(gspca_dev->vdev,
 				  VFL_TYPE_GRABBER,
 				  video_nr);
 	if (ret < 0) {
 		err("video_register_device err %d", ret);
+		video_device_release(gspca_dev->vdev);
 		goto out;
 	}
 
@@ -1893,7 +1890,8 @@ int gspca_dev_probe(struct usb_interface *intf,
 	PDEBUG(D_PROBE, "probe ok");
 	return 0;
 out:
-	kref_put(&gspca_dev->kref, gspca_delete);
+	kfree(gspca_dev->usb_buf);
+	kfree(gspca_dev);
 	return ret;
 }
 EXPORT_SYMBOL(gspca_dev_probe);
@@ -1911,7 +1909,7 @@ void gspca_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 
 /* We don't want people trying to open up the device */
-	video_unregister_device(&gspca_dev->vdev);
+	video_unregister_device(gspca_dev->vdev);
 
 	gspca_dev->present = 0;
 	gspca_dev->streaming = 0;
diff --git a/drivers/media/video/gspca/gspca.h b/drivers/media/video/gspca/gspca.h
index 2ae1ad7c1483..d25e8d69373b 100644
--- a/drivers/media/video/gspca/gspca.h
+++ b/drivers/media/video/gspca/gspca.h
@@ -120,7 +120,7 @@ struct gspca_frame {
 };
 
 struct gspca_dev {
-	struct video_device vdev;	/* !! must be the first item */
+	struct video_device *vdev;
 	struct module *module;		/* subdriver handling the device */
 	struct usb_device *dev;
 	struct kref kref;
-- 
cgit v1.2.3