Background:
 I am still having lockup problems with the ov511 driver and the
 Creative Labs WebCam III USB camera. I am running 2.4.0-test1-ac19
 with the "1.17" patch for the ov511. I have been cruising the code
 looking for suspicious memory accesses and found the following
 questionable code. My lockup symptoms seem to indicate some kernel mode
 code is walking across vital system structures, so I have been scrutinizing
 any pointer operations in the ov511 driver. Could someone please comment?

Question:
 How does the userspace / kernel interface resolve the following
 seemingly glaring error? A struct video_device is not even
 close to a struct usb_ov511. The cast seems like it is a
 perfect place for accessing all kinds of memory off the end
 of the struct video_device. I can see a cast in the other direction,
 as a struct usb_ov511 contains a struct video_device (although there
 are better and safer ways to protect against structure reorganization
 problems).
 The same type of code exists in the ibmcam interface... is this correct,
 or a copy of an error?

 Does the userspace/kernel interface change the struct video_device *
 to a struct usb_ov511 *?

 Would it not be much clearer to have defined the open argument
 as a void pointer, with a comment that the actual pointer depends
 on the type of device?


// from ov511.c  (several other instances of the same cast occur)
static int ov511_open(struct video_device *dev, int flags)
{

// lpg FIXME ... the cast below looks wonky
 struct usb_ov511 *ov511 = (struct usb_ov511 *)dev;
 int i, err = 0;

 MOD_INC_USE_COUNT;
 PDEBUG(4, "opening");
 down(&ov511->lock);  // lpg access suspicious
 ....

// definitions of structures involved in the suspicious cast

// video_device definition from /usr/src/linux/include/linux/videodev.h
struct video_device
{
 char name[32];
 int type;
 int hardware;

 int (*open)(struct video_device *, int mode);
 void (*close)(struct video_device *);
 long (*read)(struct video_device *, char *, unsigned long, int noblock);
 /* Do we need a write method ? */
 long (*write)(struct video_device *, const char *, unsigned long, int noblock);
#if LINUX_VERSION_CODE >= 0x020100
 unsigned int (*poll)(struct video_device *, struct file *, poll_table *);
#endif
 int (*ioctl)(struct video_device *, unsigned int , void *);
 int (*mmap)(struct video_device *, const char *, unsigned long);
 int (*initialize)(struct video_device *);
 void *priv;  /* Used to be 'private' but that upsets C++ */
 int busy;
 int minor;
 devfs_handle_t devfs_handle;
};


// from /usr/src/linux/drivers/usb/ov511.h
struct usb_ov511 {
 struct video_device vdev;

 /* Device structure */
 struct usb_device *dev;

 int customid;
 int desc;
 unsigned char iface;

 int brightness;
 int colour;
 int contrast;
 int hue;
 int whiteness;

 struct semaphore lock;
 int user;  /* user count for exclusive use */

 int streaming;  /* Are we streaming Isochronous? */
 int grabbing;  /* Are we grabbing? */

 int compress;  /* Should the next frame be compressed? */

 char *fbuf;  /* Videodev buffer area */

 int sub_flag;  /* Pix Array subcapture on flag */
 int subx;  /* Pix Array subcapture x offset */
 int suby;  /* Pix Array subcapture y offset */
 int subw;  /* Pix Array subcapture width */
 int subh;  /* Pix Array subcapture height */

 int curframe;  /* Current receiving sbuf */
 struct ov511_frame frame[OV511_NUMFRAMES];

 int cursbuf;  /* Current receiving sbuf */
 struct ov511_sbuf sbuf[OV511_NUMSBUF];

 /* Scratch space from the Isochronous pipe */
 unsigned char scratch[SCRATCH_BUF_SIZE];
 int scratchlen;

 wait_queue_head_t wq; /* Processes waiting */

 int snap_enabled; /* Snapshot mode enabled */

 int bridge;  /* Type of bridge (OV511 or OV511+) */
 int sensor;  /* Type of image sensor chip */

 int packet_size; /* Frame size per isoc desc */

    /* proc interface */
 struct semaphore param_lock; /* params lock for this camera */
 struct proc_dir_entry *proc_entry; /* /proc/ov511/videoX */
};

=======================================================
Lawrence Glaister VE7IT             email: [EMAIL PROTECTED]
1462 Madrona Drive                  http://jfm.bc.ca
Nanoose Bay BC Canada
V9P 9C9
=======================================================
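Added C example (not code from this post or from the ov511 driver) showing the first-member relationship the question turns on: with constructed, cut-down stand-ins for the two structs, the cast is valid only while vdev sits at offset 0, and an offsetof-based container_of recovers the enclosing struct no matter where the member is placed.

```c
#include <stddef.h>

/* Constructed, cut-down stand-ins for the kernel structs (not the real ones). */
struct video_device {
    char name[32];
    int type;
    void *priv;
};
/* Layout the driver relies on: vdev is the FIRST member, so it sits at offset 0. */
struct usb_ov511 {
    struct video_device vdev;
    int brightness;
    int user;
};
/* Compile-time guard that fails the build if anyone moves vdev (C11). */
_Static_assert(offsetof(struct usb_ov511, vdev) == 0, "vdev must be the first member");

/* A reorganised layout: same members, but vdev is no longer first. */
struct usb_ov511_reordered {
    int brightness;
    struct video_device vdev;
    int user;
};

/* Recover the enclosing struct from a pointer to one of its members,
 * independent of where that member sits (same idea as the kernel's macro). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* The cast from ov511_open(): correct only because offsetof(vdev) == 0, and C
 * guarantees a pointer to a struct, converted, points to its first member. */
int first_member_cast_ok(void)
{
    static struct usb_ov511 cam;
    cam.brightness = 42;
    struct video_device *dev = &cam.vdev;               /* what open() receives */
    struct usb_ov511 *ov511 = (struct usb_ov511 *)dev;  /* the questioned cast */
    return ov511 == &cam && ov511->brightness == 42;
}

/* With vdev moved, the raw cast no longer points at the container (only compared
 * here, never dereferenced) while container_of still does. Returns 1 if so. */
int reordered_cast_breaks(void)
{
    static struct usb_ov511_reordered cam;
    struct video_device *dev = &cam.vdev;
    struct usb_ov511_reordered *raw = (struct usb_ov511_reordered *)dev;
    struct usb_ov511_reordered *safe = container_of(dev, struct usb_ov511_reordered, vdev);
    return raw != &cam && safe == &cam;
}
```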

