4843a543fa
If reg_r() fails, then gspca_dev->usb_buf was left uninitialized, and some drivers used the contents of that buffer in logic. This caused several syzbot errors: https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82 I analyzed the gspca drivers and zeroed the buffer where needed. Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Driver for USB webcams based on Konica chipset. This
 * chipset is used in Intel YC76 camera.
 *
 * Copyright (C) 2010 Hans de Goede <hdegoede@redhat.com>
 *
 * Based on the usbvideo v4l1 konicawc driver which is:
 *
 * Copyright (C) 2002 Simon Evans <spse@secret.org.uk>
 *
 * The code for making gspca work with a webcam with 2 isoc endpoints was
 * taken from the benq gspca subdriver which is:
 *
 * Copyright (C) 2009 Jean-Francois Moine (http://moinejf.free.fr)
 */
|
|
|
|
/* Prefix every pr_*() message emitted from this file with the module name. */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

/* Name used for both the gspca sub-driver and the USB driver in this file. */
#define MODULE_NAME "konica"
|
|
|
|
#include <linux/input.h>
|
|
#include "gspca.h"
|
|
|
|
/* Module metadata. */
MODULE_AUTHOR("Hans de Goede <hdegoede@redhat.com>");
MODULE_DESCRIPTION("Konica chipset USB Camera Driver");
MODULE_LICENSE("GPL");
|
|
|
|
/*
 * Image-tuning register numbers. sd_s_ctrl() passes them as the "index"
 * argument of reg_w(), with the control value as "value".
 */
#define WHITEBAL_REG	0x01
#define BRIGHTNESS_REG	0x02
#define SHARPNESS_REG	0x03
#define CONTRAST_REG	0x04
#define SATURATION_REG	0x05
|
|
|
|
/* Per-device state of the konica sub-driver. */
struct sd {
	/*
	 * Must remain the first member: the driver converts between
	 * struct gspca_dev * and struct sd * with plain casts.
	 */
	struct gspca_dev gspca_dev;

	/*
	 * Data URB that completed most recently and is still waiting for its
	 * status URB; set and cleared in sd_isoc_irq().
	 */
	struct urb *last_data_urb;

	/* Snapshot button state last reported to the input layer (0 or 1). */
	u8 snapshot_pressed;
};
|
|
|
|
|
|
/*
 * Supported capture modes. .priv is the value sd_start() writes to
 * register 8 for the mode. Known working values:
 *
 *	0x00 -> 176x144, cropped
 *	0x01 -> 176x144, cropped
 *	0x02 -> 176x144, cropped
 *	0x03 -> 176x144, cropped
 *	0x04 -> 176x144, binned
 *	0x05 -> 320x240
 *	0x06 -> 320x240
 *	0x07 -> 160x120, cropped
 *	0x08 -> 160x120, cropped
 *	0x09 -> 160x120, binned (note has 136 lines)
 *	0x0a -> 160x120, binned (note has 136 lines)
 *	0x0b -> 160x120, cropped
 *
 * The 160x120 entry sizes its image for 136 lines, matching the note on
 * mode 0x0a above.
 */
static const struct v4l2_pix_format vga_mode[] = {
	{
		.width = 160,
		.height = 120,
		.pixelformat = V4L2_PIX_FMT_KONICA420,
		.field = V4L2_FIELD_NONE,
		.bytesperline = 160,
		.sizeimage = 160 * 136 * 3 / 2 + 960,
		.colorspace = V4L2_COLORSPACE_SRGB,
		.priv = 0x0a,
	},
	{
		.width = 176,
		.height = 144,
		.pixelformat = V4L2_PIX_FMT_KONICA420,
		.field = V4L2_FIELD_NONE,
		.bytesperline = 176,
		.sizeimage = 176 * 144 * 3 / 2 + 960,
		.colorspace = V4L2_COLORSPACE_SRGB,
		.priv = 0x04,
	},
	{
		.width = 320,
		.height = 240,
		.pixelformat = V4L2_PIX_FMT_KONICA420,
		.field = V4L2_FIELD_NONE,
		.bytesperline = 320,
		.sizeimage = 320 * 240 * 3 / 2 + 960,
		.colorspace = V4L2_COLORSPACE_SRGB,
		.priv = 0x05,
	},
};
|
|
|
|
/*
 * Forward declaration: sd_start() installs this function as the URB
 * completion handler before its definition appears in the file.
 */
static void sd_isoc_irq(struct urb *urb);
|
|
|
|
/*
 * Write one device register with a vendor control-OUT request (bRequest 0x02).
 *
 * @gspca_dev: device to talk to
 * @value:     wValue of the request (the value being written)
 * @index:     wIndex of the request (the register number)
 *
 * Errors are sticky: when gspca_dev->usb_err is already negative nothing is
 * sent, and a failing transfer stores its error code in gspca_dev->usb_err.
 */
static void reg_w(struct gspca_dev *gspca_dev, u16 value, u16 index)
{
	struct usb_device *udev = gspca_dev->dev;
	const u8 req_type = USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE;
	int rc;

	if (gspca_dev->usb_err < 0)
		return;

	/* No data stage; 1000 is the timeout passed to usb_control_msg(). */
	rc = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x02, req_type,
			     value, index, NULL, 0, 1000);
	if (rc >= 0)
		return;

	pr_err("reg_w err writing %02x to %02x: %d\n", value, index, rc);
	gspca_dev->usb_err = rc;
}
|
|
|
|
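/*
 * Read a 2-byte device register into gspca_dev->usb_buf with a vendor
 * control-IN request (bRequest 0x03).
 *
 * @gspca_dev: device to talk to
 * @value:     wValue of the request
 * @index:     wIndex of the request (the register number)
 *
 * Errors are sticky: when gspca_dev->usb_err is already negative nothing is
 * sent and usb_buf is left as it was. A failing transfer stores its error
 * code in gspca_dev->usb_err.
 *
 * Callers read usb_buf without looking at a return value, so after a
 * transfer has been attempted the two result bytes never hold data the
 * device did not send: they are zeroed on error, and on a short read the
 * bytes that were not received are zeroed as well.
 */
static void reg_r(struct gspca_dev *gspca_dev, u16 value, u16 index)
{
	struct usb_device *dev = gspca_dev->dev;
	const int len = 2;
	int ret;

	if (gspca_dev->usb_err < 0)
		return;
	ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
			0x03,
			USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
			value,
			index,
			gspca_dev->usb_buf,
			len,
			1000);
	if (ret < 0) {
		pr_err("reg_r err %d\n", ret);
		gspca_dev->usb_err = ret;
		/*
		 * Make sure the buffer is zeroed to avoid uninitialized
		 * values.
		 */
		memset(gspca_dev->usb_buf, 0, len);
	} else if (ret < len) {
		/*
		 * Short read: usb_control_msg() returns the number of bytes
		 * transferred, so bytes ret..len-1 were not written by the
		 * device. Zero them rather than expose stale buffer contents.
		 * This is not treated as an error, so the sticky error state
		 * is unchanged.
		 */
		memset(gspca_dev->usb_buf + ret, 0, len - ret);
	}
}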
|
|
|
|
/*
 * Start streaming by writing 1 to register 0x0b.
 * Any failure is recorded in gspca_dev->usb_err by reg_w().
 */
static void konica_stream_on(struct gspca_dev *gspca_dev)
{
	const u16 enable = 1;

	reg_w(gspca_dev, enable, 0x0b);
}
|
|
|
|
/*
 * Stop streaming by writing 0 to register 0x0b.
 * Any failure is recorded in gspca_dev->usb_err by reg_w().
 */
static void konica_stream_off(struct gspca_dev *gspca_dev)
{
	const u16 disable = 0;

	reg_w(gspca_dev, disable, 0x0b);
}
|
|
|
|
/*
 * Probe-time configuration: publish the mode table and tell the gspca core
 * not to create URBs itself (sd_start() allocates them).
 *
 * @gspca_dev: device being probed
 * @id:        matching entry of the USB id table (unused)
 *
 * Always returns 0.
 */
static int sd_config(struct gspca_dev *gspca_dev,
		     const struct usb_device_id *id)
{
	struct cam *cam = &gspca_dev->cam;

	cam->cam_mode = vga_mode;
	cam->nmodes = ARRAY_SIZE(vga_mode);
	cam->no_urb_create = 1;

	return 0;
}
|
|
|
|
/*
 * Called at probe and resume time: wait for the camera to finish booting,
 * then write 0 to register 0x0d.
 *
 * Returns gspca_dev->usb_err, i.e. 0 or the first USB error recorded by
 * reg_r()/reg_w().
 */
static int sd_init(struct gspca_dev *gspca_dev)
{
	int polls_left = 20;

	/*
	 * The konica needs a freaking large time to "boot" (approx 6.5 sec.),
	 * and does not want to be bothered while doing so :|
	 * Register 0x10 counts from 1 - 3, with 3 being "ready"
	 */
	msleep(6000);

	/*
	 * Poll register 0x10 up to 20 times, 100 ms apart. Note that the
	 * code carries on even when the value 3 is never seen; only a USB
	 * error makes this function fail.
	 */
	while (polls_left-- > 0) {
		reg_r(gspca_dev, 0, 0x10);
		if (gspca_dev->usb_buf[0] == 3)
			break;
		msleep(100);
	}

	reg_w(gspca_dev, 0, 0x0d);

	return gspca_dev->usb_err;
}
|
|
|
|
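/*
 * Start capturing: program the mode register, switch the stream on and
 * set up the four isochronous URBs.
 *
 * Returns 0 on success, -EIO when the current altsetting cannot be found,
 * -ENODEV when it has fewer than two endpoints, the sticky USB error when a
 * register write failed, or -ENOMEM when a URB or its buffer cannot be
 * allocated.
 *
 * NOTE(review): the -ENOMEM returns leave the stream switched on and the
 * URBs already stored in gspca_dev->urb[] allocated; presumably the gspca
 * core releases them when start fails - confirm against the core.
 */
static int sd_start(struct gspca_dev *gspca_dev)
{
	struct sd *sd = (struct sd *) gspca_dev;
	struct urb *urb;
	int i, n, packet_size;
	struct usb_host_interface *alt;
	struct usb_interface *intf;

	intf = usb_ifnum_to_if(sd->gspca_dev.dev, sd->gspca_dev.iface);
	alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
	if (!alt) {
		pr_err("Couldn't get altsetting\n");
		return -EIO;
	}

	/*
	 * The descriptors come from the device, so make sure endpoint[0]
	 * and endpoint[1] exist before the loop below indexes them.
	 */
	if (alt->desc.bNumEndpoints < 2)
		return -ENODEV;

	/* .priv of the current mode is the value for register 8 */
	n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
	reg_w(gspca_dev, n, 0x08);

	konica_stream_on(gspca_dev);

	if (gspca_dev->usb_err)
		return gspca_dev->usb_err;

	/*
	 * Create 4 URBs: odd n uses endpoint 0x81 with the packet size of
	 * endpoint[0], even n uses endpoint 0x82 with that of endpoint[1].
	 *
	 * NOTE(review): only the endpoint count is checked above. The code
	 * assumes endpoint[0]/endpoint[1] of the altsetting are the
	 * isochronous IN endpoints 0x81/0x82; neither the address nor the
	 * transfer type in the device-supplied descriptors is verified here.
	 */
#if MAX_NURBS < 4
#error "Not enough URBs in the gspca table"
#endif
#define SD_NPKT 32
	for (n = 0; n < 4; n++) {
		i = n & 1 ? 0 : 1;
		packet_size =
			le16_to_cpu(alt->endpoint[i].desc.wMaxPacketSize);
		urb = usb_alloc_urb(SD_NPKT, GFP_KERNEL);
		if (!urb)
			return -ENOMEM;
		/* stored before the buffer is allocated, see the note above */
		gspca_dev->urb[n] = urb;
		urb->transfer_buffer = usb_alloc_coherent(gspca_dev->dev,
						packet_size * SD_NPKT,
						GFP_KERNEL,
						&urb->transfer_dma);
		if (urb->transfer_buffer == NULL) {
			pr_err("usb_buffer_alloc failed\n");
			return -ENOMEM;
		}

		urb->dev = gspca_dev->dev;
		urb->context = gspca_dev;
		urb->transfer_buffer_length = packet_size * SD_NPKT;
		urb->pipe = usb_rcvisocpipe(gspca_dev->dev,
					n & 1 ? 0x81 : 0x82);
		urb->transfer_flags = URB_ISO_ASAP
					| URB_NO_TRANSFER_DMA_MAP;
		urb->interval = 1;
		urb->complete = sd_isoc_irq;
		urb->number_of_packets = SD_NPKT;
		/* SD_NPKT equally sized packets laid out back to back */
		for (i = 0; i < SD_NPKT; i++) {
			urb->iso_frame_desc[i].length = packet_size;
			urb->iso_frame_desc[i].offset = packet_size * i;
		}
	}

	return 0;
}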
|
|
|
|
/*
 * Stop capturing: switch the stream off and, when input support is built
 * in, release a snapshot button that is still reported as pressed.
 */
static void sd_stopN(struct gspca_dev *gspca_dev)
{
	/* only referenced when CONFIG_INPUT is enabled */
	struct sd *sd __maybe_unused = (struct sd *) gspca_dev;

	konica_stream_off(gspca_dev);
#if IS_ENABLED(CONFIG_INPUT)
	/*
	 * Don't keep the button in the pressed state "forever" if it was
	 * pressed when streaming is stopped
	 */
	if (!sd->snapshot_pressed)
		return;

	input_report_key(gspca_dev->input_dev, KEY_CAMERA, 0);
	input_sync(gspca_dev->input_dev);
	sd->snapshot_pressed = 0;
#endif
}
|
|
|
|
/*
 * URB completion handler shared by the data and the status URBs.
 *
 * A completed data URB is only remembered in sd->last_data_urb. When the
 * status URB completes, it is paired with that data URB and the two are
 * walked packet by packet: the single status byte of each packet decides
 * what happens to the matching data packet. Both URBs are resubmitted at
 * the end.
 */
static void sd_isoc_irq(struct urb *urb)
{
	struct gspca_dev *gspca_dev = (struct gspca_dev *) urb->context;
	struct sd *sd = (struct sd *) gspca_dev;
	struct urb *status_urb, *data_urb;
	int pkt, ret;

	gspca_dbg(gspca_dev, D_PACK, "sd isoc irq\n");
	if (!gspca_dev->streaming)
		return;

	/* Failed URB: log it and put it straight back into the queue. */
	if (urb->status != 0) {
		if (urb->status == -ESHUTDOWN)
			return;		/* disconnection */
#ifdef CONFIG_PM
		if (gspca_dev->frozen)
			return;
#endif
		gspca_err(gspca_dev, "urb status: %d\n", urb->status);
		ret = usb_submit_urb(urb, GFP_ATOMIC);
		if (ret < 0)
			pr_err("resubmit urb error %d\n", ret);
		return;
	}

	/*
	 * if this is a data URB (ep 0x82), wait
	 *
	 * NOTE(review): the two URB kinds are told apart by buffer length
	 * alone; 32 looks like SD_NPKT one-byte status packets - confirm.
	 */
	if (urb->transfer_buffer_length > 32) {
		sd->last_data_urb = urb;
		return;
	}

	/* Status URB: take ownership of the pending data URB, if any. */
	status_urb = urb;
	data_urb = sd->last_data_urb;
	sd->last_data_urb = NULL;

	if (!data_urb || data_urb->start_frame != status_urb->start_frame) {
		gspca_err(gspca_dev, "lost sync on frames\n");
		goto resubmit;
	}

	/* The loop below indexes both descriptor arrays with one counter. */
	if (data_urb->number_of_packets != status_urb->number_of_packets) {
		gspca_err(gspca_dev, "no packets does not match, data: %d, status: %d\n",
			  data_urb->number_of_packets,
			  status_urb->number_of_packets);
		goto resubmit;
	}

	for (pkt = 0; pkt < status_urb->number_of_packets; pkt++) {
		struct usb_iso_packet_descriptor *data_desc =
			&data_urb->iso_frame_desc[pkt];
		struct usb_iso_packet_descriptor *status_desc =
			&status_urb->iso_frame_desc[pkt];
		u8 flags;

		if (data_desc->status || status_desc->status) {
			gspca_err(gspca_dev, "pkt %d data-status %d, status-status %d\n",
				  pkt,
				  data_desc->status,
				  status_desc->status);
			gspca_dev->last_packet_type = DISCARD_PACKET;
			continue;
		}

		/* exactly one status byte is expected per packet */
		if (status_desc->actual_length != 1) {
			gspca_err(gspca_dev, "bad status packet length %d\n",
				  status_desc->actual_length);
			gspca_dev->last_packet_type = DISCARD_PACKET;
			continue;
		}

		flags = *((u8 *)status_urb->transfer_buffer
				+ status_desc->offset);

		/*
		 * flags: 0x80-0xff: frame start with frame number (ie 0-7f)
		 * otherwise:
		 * bit 0 0: keep packet
		 *	 1: drop packet (padding data)
		 *
		 * bit 4 0 button not clicked
		 *	 1 button clicked
		 * button is used to `take a picture' (in software)
		 *
		 * NOTE(review): the button test below uses mask 0x40, which
		 * is bit 6, not the bit 4 documented here - confirm which
		 * one is right.
		 */
		if (flags & 0x80) {
			gspca_frame_add(gspca_dev, LAST_PACKET, NULL, 0);
			gspca_frame_add(gspca_dev, FIRST_PACKET, NULL, 0);
		} else {
#if IS_ENABLED(CONFIG_INPUT)
			u8 button_state = flags & 0x40 ? 1 : 0;

			/* report the button only when its state changes */
			if (sd->snapshot_pressed != button_state) {
				input_report_key(gspca_dev->input_dev,
						 KEY_CAMERA,
						 button_state);
				input_sync(gspca_dev->input_dev);
				sd->snapshot_pressed = button_state;
			}
#endif
			if (flags & 0x01)
				continue;
		}

		gspca_frame_add(gspca_dev, INTER_PACKET,
				(u8 *)data_urb->transfer_buffer
					+ data_desc->offset,
				data_desc->actual_length);
	}

resubmit:
	if (data_urb) {
		ret = usb_submit_urb(data_urb, GFP_ATOMIC);
		if (ret < 0)
			gspca_err(gspca_dev, "usb_submit_urb(data_urb) ret %d\n",
				  ret);
	}
	ret = usb_submit_urb(status_urb, GFP_ATOMIC);
	if (ret < 0)
		gspca_err(gspca_dev, "usb_submit_urb(status_urb) ret %d\n", ret);
}
|
|
|
|
/*
 * V4L2 s_ctrl handler: write a changed control value to its register.
 *
 * Nothing is written while the device is not streaming. Otherwise the
 * stream is switched off, the register is written and the stream is
 * switched on again. Control ids without a register are ignored.
 *
 * Returns 0 or the USB error recorded by reg_w() during this call.
 */
static int sd_s_ctrl(struct v4l2_ctrl *ctrl)
{
	struct gspca_dev *gspca_dev =
		container_of(ctrl->handler, struct gspca_dev, ctrl_handler);
	u16 reg;

	/* start from a clean error state so reg_w() is not short-circuited */
	gspca_dev->usb_err = 0;

	if (!gspca_dev->streaming)
		return 0;

	switch (ctrl->id) {
	case V4L2_CID_BRIGHTNESS:
		reg = BRIGHTNESS_REG;
		break;
	case V4L2_CID_CONTRAST:
		reg = CONTRAST_REG;
		break;
	case V4L2_CID_SATURATION:
		reg = SATURATION_REG;
		break;
	case V4L2_CID_WHITE_BALANCE_TEMPERATURE:
		reg = WHITEBAL_REG;
		break;
	case V4L2_CID_SHARPNESS:
		reg = SHARPNESS_REG;
		break;
	default:
		/* unknown control: nothing to write */
		return gspca_dev->usb_err;
	}

	konica_stream_off(gspca_dev);
	reg_w(gspca_dev, ctrl->val, reg);
	konica_stream_on(gspca_dev);

	return gspca_dev->usb_err;
}
|
|
|
|
/* Control operations: only setting a control is implemented. */
static const struct v4l2_ctrl_ops sd_ctrl_ops = {
	.s_ctrl	= sd_s_ctrl,
};
|
|
|
|
/*
 * Register the five standard V4L2 controls of the camera.
 *
 * Every control has minimum 0 and step 1; the maximum and the default come
 * from the table below.
 *
 * Returns 0 on success or the error recorded in the control handler.
 */
static int sd_init_controls(struct gspca_dev *gspca_dev)
{
	static const struct {
		u32 id;
		s32 max;
		s32 def;
	} std_ctrls[] = {
		{ V4L2_CID_BRIGHTNESS,			9,  4 },
		/* Needs to be verified */
		{ V4L2_CID_CONTRAST,			9,  4 },
		{ V4L2_CID_SATURATION,			9,  4 },
		{ V4L2_CID_WHITE_BALANCE_TEMPERATURE,	33, 25 },
		{ V4L2_CID_SHARPNESS,			9,  4 },
	};
	struct v4l2_ctrl_handler *hdl = &gspca_dev->ctrl_handler;
	unsigned int k;

	gspca_dev->vdev.ctrl_handler = hdl;
	v4l2_ctrl_handler_init(hdl, 5);

	/* same creation order as the table */
	for (k = 0; k < ARRAY_SIZE(std_ctrls); k++)
		v4l2_ctrl_new_std(hdl, &sd_ctrl_ops, std_ctrls[k].id,
				  0, std_ctrls[k].max, 1, std_ctrls[k].def);

	/* a failure of any call above is latched in hdl->error */
	if (hdl->error) {
		pr_err("Could not initialize controls\n");
		return hdl->error;
	}

	return 0;
}
|
|
|
|
/* Sub-driver description: the callbacks handed to the gspca core. */
static const struct sd_desc sd_desc = {
	.name		= MODULE_NAME,
	.config		= sd_config,
	.init		= sd_init,
	.init_controls	= sd_init_controls,
	.start		= sd_start,
	.stopN		= sd_stopN,
#if IS_ENABLED(CONFIG_INPUT)
	/* the snapshot button is reported from sd_isoc_irq() */
	.other_input	= 1,
#endif
};
|
|
|
|
/* -- module initialisation -- */

/* USB ids handled by this driver; the empty entry terminates the table. */
static const struct usb_device_id device_table[] = {
	{ USB_DEVICE(0x04c8, 0x0720) },	/* Intel YC 76 */
	{ }
};
MODULE_DEVICE_TABLE(usb, device_table);
|
|
|
|
/* -- device connect -- */

/*
 * USB probe callback: hand the interface to the gspca core together with
 * the sub-driver description and the size of the per-device struct sd.
 *
 * Returns whatever gspca_dev_probe() returns.
 */
static int sd_probe(struct usb_interface *intf,
		    const struct usb_device_id *id)
{
	int ret;

	ret = gspca_dev_probe(intf, id, &sd_desc, sizeof(struct sd),
			      THIS_MODULE);
	return ret;
}
|
|
|
|
/*
 * USB driver glue. Disconnect and the power-management callbacks are the
 * generic gspca ones; only probe is specific to this driver.
 */
static struct usb_driver sd_driver = {
	.name		= MODULE_NAME,
	.id_table	= device_table,
	.probe		= sd_probe,
	.disconnect	= gspca_disconnect,
#ifdef CONFIG_PM
	.suspend	= gspca_suspend,
	.resume		= gspca_resume,
	.reset_resume	= gspca_resume,
#endif
};

/* registers sd_driver on module load and removes it on unload */
module_usb_driver(sd_driver);
|