4843a543fa
If reg_r() fails, then gspca_dev->usb_buf was left uninitialized, and some drivers used the contents of that buffer in logic. This caused several syzbot errors: https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82 I analyzed the gspca drivers and zeroed the buffer where needed. Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
439 lines
10 KiB
C
439 lines
10 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* spca1528 subdriver
|
|
*
|
|
* Copyright (C) 2010-2011 Jean-Francois Moine (http://moinejf.free.fr)
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#define MODULE_NAME "spca1528"
|
|
|
|
#include "gspca.h"
|
|
#include "jpeg.h"
|
|
|
|
MODULE_AUTHOR("Jean-Francois Moine <http://moinejf.free.fr>");
|
|
MODULE_DESCRIPTION("SPCA1528 USB Camera Driver");
|
|
MODULE_LICENSE("GPL");
|
|
|
|
/* specific webcam descriptor */
|
|
struct sd {
|
|
struct gspca_dev gspca_dev; /* !! must be the first item */
|
|
|
|
u8 pkt_seq;
|
|
|
|
u8 jpeg_hdr[JPEG_HDR_SZ];
|
|
};
|
|
|
|
static const struct v4l2_pix_format vga_mode[] = {
|
|
/* (does not work correctly)
|
|
{176, 144, V4L2_PIX_FMT_JPEG, V4L2_FIELD_NONE,
|
|
.bytesperline = 176,
|
|
.sizeimage = 176 * 144 * 5 / 8 + 590,
|
|
.colorspace = V4L2_COLORSPACE_JPEG,
|
|
.priv = 3},
|
|
*/
|
|
{320, 240, V4L2_PIX_FMT_JPEG, V4L2_FIELD_NONE,
|
|
.bytesperline = 320,
|
|
.sizeimage = 320 * 240 * 4 / 8 + 590,
|
|
.colorspace = V4L2_COLORSPACE_JPEG,
|
|
.priv = 2},
|
|
{640, 480, V4L2_PIX_FMT_JPEG, V4L2_FIELD_NONE,
|
|
.bytesperline = 640,
|
|
.sizeimage = 640 * 480 * 3 / 8 + 590,
|
|
.colorspace = V4L2_COLORSPACE_JPEG,
|
|
.priv = 1},
|
|
};
|
|
|
|
/* read <len> bytes to gspca usb_buf */
|
|
static void reg_r(struct gspca_dev *gspca_dev,
|
|
u8 req,
|
|
u16 index,
|
|
int len)
|
|
{
|
|
#if USB_BUF_SZ < 64
|
|
#error "USB buffer too small"
|
|
#endif
|
|
struct usb_device *dev = gspca_dev->dev;
|
|
int ret;
|
|
|
|
if (gspca_dev->usb_err < 0)
|
|
return;
|
|
ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
|
|
req,
|
|
USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
|
|
0x0000, /* value */
|
|
index,
|
|
gspca_dev->usb_buf, len,
|
|
500);
|
|
gspca_dbg(gspca_dev, D_USBI, "GET %02x 0000 %04x %02x\n", req, index,
|
|
gspca_dev->usb_buf[0]);
|
|
if (ret < 0) {
|
|
pr_err("reg_r err %d\n", ret);
|
|
gspca_dev->usb_err = ret;
|
|
/*
|
|
* Make sure the buffer is zeroed to avoid uninitialized
|
|
* values.
|
|
*/
|
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
|
}
|
|
}
|
|
|
|
static void reg_w(struct gspca_dev *gspca_dev,
|
|
u8 req,
|
|
u16 value,
|
|
u16 index)
|
|
{
|
|
struct usb_device *dev = gspca_dev->dev;
|
|
int ret;
|
|
|
|
if (gspca_dev->usb_err < 0)
|
|
return;
|
|
gspca_dbg(gspca_dev, D_USBO, "SET %02x %04x %04x\n", req, value, index);
|
|
ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
|
|
req,
|
|
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
|
|
value, index,
|
|
NULL, 0, 500);
|
|
if (ret < 0) {
|
|
pr_err("reg_w err %d\n", ret);
|
|
gspca_dev->usb_err = ret;
|
|
}
|
|
}
|
|
|
|
static void reg_wb(struct gspca_dev *gspca_dev,
|
|
u8 req,
|
|
u16 value,
|
|
u16 index,
|
|
u8 byte)
|
|
{
|
|
struct usb_device *dev = gspca_dev->dev;
|
|
int ret;
|
|
|
|
if (gspca_dev->usb_err < 0)
|
|
return;
|
|
gspca_dbg(gspca_dev, D_USBO, "SET %02x %04x %04x %02x\n",
|
|
req, value, index, byte);
|
|
gspca_dev->usb_buf[0] = byte;
|
|
ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
|
|
req,
|
|
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
|
|
value, index,
|
|
gspca_dev->usb_buf, 1, 500);
|
|
if (ret < 0) {
|
|
pr_err("reg_w err %d\n", ret);
|
|
gspca_dev->usb_err = ret;
|
|
}
|
|
}
|
|
|
|
static void wait_status_0(struct gspca_dev *gspca_dev)
|
|
{
|
|
int i, w;
|
|
|
|
i = 16;
|
|
w = 0;
|
|
do {
|
|
reg_r(gspca_dev, 0x21, 0x0000, 1);
|
|
if (gspca_dev->usb_buf[0] == 0)
|
|
return;
|
|
w += 15;
|
|
msleep(w);
|
|
} while (--i > 0);
|
|
gspca_err(gspca_dev, "wait_status_0 timeout\n");
|
|
gspca_dev->usb_err = -ETIME;
|
|
}
|
|
|
|
static void wait_status_1(struct gspca_dev *gspca_dev)
|
|
{
|
|
int i;
|
|
|
|
i = 10;
|
|
do {
|
|
reg_r(gspca_dev, 0x21, 0x0001, 1);
|
|
msleep(10);
|
|
if (gspca_dev->usb_buf[0] == 1) {
|
|
reg_wb(gspca_dev, 0x21, 0x0000, 0x0001, 0x00);
|
|
reg_r(gspca_dev, 0x21, 0x0001, 1);
|
|
return;
|
|
}
|
|
} while (--i > 0);
|
|
gspca_err(gspca_dev, "wait_status_1 timeout\n");
|
|
gspca_dev->usb_err = -ETIME;
|
|
}
|
|
|
|
static void setbrightness(struct gspca_dev *gspca_dev, s32 val)
|
|
{
|
|
reg_wb(gspca_dev, 0xc0, 0x0000, 0x00c0, val);
|
|
}
|
|
|
|
static void setcontrast(struct gspca_dev *gspca_dev, s32 val)
|
|
{
|
|
reg_wb(gspca_dev, 0xc1, 0x0000, 0x00c1, val);
|
|
}
|
|
|
|
static void sethue(struct gspca_dev *gspca_dev, s32 val)
|
|
{
|
|
reg_wb(gspca_dev, 0xc2, 0x0000, 0x0000, val);
|
|
}
|
|
|
|
static void setcolor(struct gspca_dev *gspca_dev, s32 val)
|
|
{
|
|
reg_wb(gspca_dev, 0xc3, 0x0000, 0x00c3, val);
|
|
}
|
|
|
|
static void setsharpness(struct gspca_dev *gspca_dev, s32 val)
|
|
{
|
|
reg_wb(gspca_dev, 0xc4, 0x0000, 0x00c4, val);
|
|
}
|
|
|
|
/* this function is called at probe time */
|
|
static int sd_config(struct gspca_dev *gspca_dev,
|
|
const struct usb_device_id *id)
|
|
{
|
|
gspca_dev->cam.cam_mode = vga_mode;
|
|
gspca_dev->cam.nmodes = ARRAY_SIZE(vga_mode);
|
|
gspca_dev->cam.npkt = 128; /* number of packets per ISOC message */
|
|
/*fixme: 256 in ms-win traces*/
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* this function is called at probe and resume time */
|
|
static int sd_init(struct gspca_dev *gspca_dev)
|
|
{
|
|
reg_w(gspca_dev, 0x00, 0x0001, 0x2067);
|
|
reg_w(gspca_dev, 0x00, 0x00d0, 0x206b);
|
|
reg_w(gspca_dev, 0x00, 0x0000, 0x206c);
|
|
reg_w(gspca_dev, 0x00, 0x0001, 0x2069);
|
|
msleep(8);
|
|
reg_w(gspca_dev, 0x00, 0x00c0, 0x206b);
|
|
reg_w(gspca_dev, 0x00, 0x0000, 0x206c);
|
|
reg_w(gspca_dev, 0x00, 0x0001, 0x2069);
|
|
|
|
reg_r(gspca_dev, 0x20, 0x0000, 1);
|
|
reg_r(gspca_dev, 0x20, 0x0000, 5);
|
|
reg_r(gspca_dev, 0x23, 0x0000, 64);
|
|
gspca_dbg(gspca_dev, D_PROBE, "%s%s\n", &gspca_dev->usb_buf[0x1c],
|
|
&gspca_dev->usb_buf[0x30]);
|
|
reg_r(gspca_dev, 0x23, 0x0001, 64);
|
|
return gspca_dev->usb_err;
|
|
}
|
|
|
|
/* function called at start time before URB creation */
|
|
static int sd_isoc_init(struct gspca_dev *gspca_dev)
|
|
{
|
|
u8 mode;
|
|
|
|
reg_r(gspca_dev, 0x00, 0x2520, 1);
|
|
wait_status_0(gspca_dev);
|
|
reg_w(gspca_dev, 0xc5, 0x0003, 0x0000);
|
|
wait_status_1(gspca_dev);
|
|
|
|
wait_status_0(gspca_dev);
|
|
mode = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
|
|
reg_wb(gspca_dev, 0x25, 0x0000, 0x0004, mode);
|
|
reg_r(gspca_dev, 0x25, 0x0004, 1);
|
|
reg_wb(gspca_dev, 0x27, 0x0000, 0x0000, 0x06); /* 420 */
|
|
reg_r(gspca_dev, 0x27, 0x0000, 1);
|
|
|
|
/* not useful..
|
|
gspca_dev->alt = 4; * use alternate setting 3 */
|
|
|
|
return gspca_dev->usb_err;
|
|
}
|
|
|
|
/* -- start the camera -- */
|
|
static int sd_start(struct gspca_dev *gspca_dev)
|
|
{
|
|
struct sd *sd = (struct sd *) gspca_dev;
|
|
|
|
/* initialize the JPEG header */
|
|
jpeg_define(sd->jpeg_hdr, gspca_dev->pixfmt.height,
|
|
gspca_dev->pixfmt.width,
|
|
0x22); /* JPEG 411 */
|
|
|
|
/* the JPEG quality shall be 85% */
|
|
jpeg_set_qual(sd->jpeg_hdr, 85);
|
|
|
|
reg_r(gspca_dev, 0x00, 0x2520, 1);
|
|
msleep(8);
|
|
|
|
/* start the capture */
|
|
wait_status_0(gspca_dev);
|
|
reg_w(gspca_dev, 0x31, 0x0000, 0x0004); /* start request */
|
|
wait_status_1(gspca_dev);
|
|
wait_status_0(gspca_dev);
|
|
msleep(200);
|
|
|
|
sd->pkt_seq = 0;
|
|
return gspca_dev->usb_err;
|
|
}
|
|
|
|
static void sd_stopN(struct gspca_dev *gspca_dev)
|
|
{
|
|
/* stop the capture */
|
|
wait_status_0(gspca_dev);
|
|
reg_w(gspca_dev, 0x31, 0x0000, 0x0000); /* stop request */
|
|
wait_status_1(gspca_dev);
|
|
wait_status_0(gspca_dev);
|
|
}
|
|
|
|
/* move a packet adding 0x00 after 0xff */
|
|
static void add_packet(struct gspca_dev *gspca_dev,
|
|
u8 *data,
|
|
int len)
|
|
{
|
|
int i;
|
|
|
|
i = 0;
|
|
do {
|
|
if (data[i] == 0xff) {
|
|
gspca_frame_add(gspca_dev, INTER_PACKET,
|
|
data, i + 1);
|
|
len -= i;
|
|
data += i;
|
|
*data = 0x00;
|
|
i = 0;
|
|
}
|
|
} while (++i < len);
|
|
gspca_frame_add(gspca_dev, INTER_PACKET, data, len);
|
|
}
|
|
|
|
static void sd_pkt_scan(struct gspca_dev *gspca_dev,
|
|
u8 *data, /* isoc packet */
|
|
int len) /* iso packet length */
|
|
{
|
|
struct sd *sd = (struct sd *) gspca_dev;
|
|
static const u8 ffd9[] = {0xff, 0xd9};
|
|
|
|
/* image packets start with:
|
|
* 02 8n
|
|
* with <n> bit:
|
|
* 0x01: even (0) / odd (1) image
|
|
* 0x02: end of image when set
|
|
*/
|
|
if (len < 3)
|
|
return; /* empty packet */
|
|
if (*data == 0x02) {
|
|
if (data[1] & 0x02) {
|
|
sd->pkt_seq = !(data[1] & 1);
|
|
add_packet(gspca_dev, data + 2, len - 2);
|
|
gspca_frame_add(gspca_dev, LAST_PACKET,
|
|
ffd9, 2);
|
|
return;
|
|
}
|
|
if ((data[1] & 1) != sd->pkt_seq)
|
|
goto err;
|
|
if (gspca_dev->last_packet_type == LAST_PACKET)
|
|
gspca_frame_add(gspca_dev, FIRST_PACKET,
|
|
sd->jpeg_hdr, JPEG_HDR_SZ);
|
|
add_packet(gspca_dev, data + 2, len - 2);
|
|
return;
|
|
}
|
|
err:
|
|
gspca_dev->last_packet_type = DISCARD_PACKET;
|
|
}
|
|
|
|
static int sd_s_ctrl(struct v4l2_ctrl *ctrl)
|
|
{
|
|
struct gspca_dev *gspca_dev =
|
|
container_of(ctrl->handler, struct gspca_dev, ctrl_handler);
|
|
|
|
gspca_dev->usb_err = 0;
|
|
|
|
if (!gspca_dev->streaming)
|
|
return 0;
|
|
|
|
switch (ctrl->id) {
|
|
case V4L2_CID_BRIGHTNESS:
|
|
setbrightness(gspca_dev, ctrl->val);
|
|
break;
|
|
case V4L2_CID_CONTRAST:
|
|
setcontrast(gspca_dev, ctrl->val);
|
|
break;
|
|
case V4L2_CID_HUE:
|
|
sethue(gspca_dev, ctrl->val);
|
|
break;
|
|
case V4L2_CID_SATURATION:
|
|
setcolor(gspca_dev, ctrl->val);
|
|
break;
|
|
case V4L2_CID_SHARPNESS:
|
|
setsharpness(gspca_dev, ctrl->val);
|
|
break;
|
|
}
|
|
return gspca_dev->usb_err;
|
|
}
|
|
|
|
static const struct v4l2_ctrl_ops sd_ctrl_ops = {
|
|
.s_ctrl = sd_s_ctrl,
|
|
};
|
|
|
|
static int sd_init_controls(struct gspca_dev *gspca_dev)
|
|
{
|
|
struct v4l2_ctrl_handler *hdl = &gspca_dev->ctrl_handler;
|
|
|
|
gspca_dev->vdev.ctrl_handler = hdl;
|
|
v4l2_ctrl_handler_init(hdl, 5);
|
|
v4l2_ctrl_new_std(hdl, &sd_ctrl_ops,
|
|
V4L2_CID_BRIGHTNESS, 0, 255, 1, 128);
|
|
v4l2_ctrl_new_std(hdl, &sd_ctrl_ops,
|
|
V4L2_CID_CONTRAST, 0, 8, 1, 1);
|
|
v4l2_ctrl_new_std(hdl, &sd_ctrl_ops,
|
|
V4L2_CID_HUE, 0, 255, 1, 0);
|
|
v4l2_ctrl_new_std(hdl, &sd_ctrl_ops,
|
|
V4L2_CID_SATURATION, 0, 8, 1, 1);
|
|
v4l2_ctrl_new_std(hdl, &sd_ctrl_ops,
|
|
V4L2_CID_SHARPNESS, 0, 255, 1, 0);
|
|
|
|
if (hdl->error) {
|
|
pr_err("Could not initialize controls\n");
|
|
return hdl->error;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* sub-driver description */
|
|
static const struct sd_desc sd_desc = {
|
|
.name = MODULE_NAME,
|
|
.config = sd_config,
|
|
.init = sd_init,
|
|
.init_controls = sd_init_controls,
|
|
.isoc_init = sd_isoc_init,
|
|
.start = sd_start,
|
|
.stopN = sd_stopN,
|
|
.pkt_scan = sd_pkt_scan,
|
|
};
|
|
|
|
/* -- module initialisation -- */
|
|
static const struct usb_device_id device_table[] = {
|
|
{USB_DEVICE(0x04fc, 0x1528)},
|
|
{}
|
|
};
|
|
MODULE_DEVICE_TABLE(usb, device_table);
|
|
|
|
/* -- device connect -- */
|
|
static int sd_probe(struct usb_interface *intf,
|
|
const struct usb_device_id *id)
|
|
{
|
|
/* the video interface for isochronous transfer is 1 */
|
|
if (intf->cur_altsetting->desc.bInterfaceNumber != 1)
|
|
return -ENODEV;
|
|
|
|
return gspca_dev_probe2(intf, id, &sd_desc, sizeof(struct sd),
|
|
THIS_MODULE);
|
|
}
|
|
|
|
static struct usb_driver sd_driver = {
|
|
.name = MODULE_NAME,
|
|
.id_table = device_table,
|
|
.probe = sd_probe,
|
|
.disconnect = gspca_disconnect,
|
|
#ifdef CONFIG_PM
|
|
.suspend = gspca_suspend,
|
|
.resume = gspca_resume,
|
|
.reset_resume = gspca_resume,
|
|
#endif
|
|
};
|
|
|
|
module_usb_driver(sd_driver);
|