Re: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors


 



Hi Young,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linuxtv-media/master]
[also build test ERROR on v5.1-rc4 next-20190410]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Young-Xiao/USB-s2255-stkwebcam-fix-oops-with-malicious-USB-descriptors/20190411-213648
base:   git://linuxtv.org/media_tree.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 8.1.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=8.1.0 make.cross ARCH=xtensa 

All errors (new ones prefixed by >>):

   drivers/media/usb/s2255/s2255drv.c: In function 's2255_probe':
>> drivers/media/usb/s2255/s2255drv.c:2270:3: error: label 'error' used but not defined
      goto error;
      ^~~~
--
   drivers/media/usb/stkwebcam/stk-webcam.c: In function 'stk_camera_probe':
>> drivers/media/usb/stkwebcam/stk-webcam.c:1355:3: error: 'retval' undeclared (first use in this function); did you mean 'regval'?
      retval = -EINVAL;
      ^~~~~~
      regval
   drivers/media/usb/stkwebcam/stk-webcam.c:1355:3: note: each undeclared identifier is reported only once for each function it appears in

vim +/error +2270 drivers/media/usb/s2255/s2255drv.c

  2219	
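  /**
   * s2255_probe() - standard usb probe function
   * @interface: USB interface being bound to this driver
   * @id: matching device-table entry; its idProduct is stored in dev->pid
   *
   * Allocates the device state, checks the endpoint layout advertised by the
   * interface descriptor, loads and checks the firmware image, then runs the
   * board-specific and v4l-specific initialisation.  Every failure jumps to
   * the unwind label that matches the resources held at that point.
   *
   * Return: 0 on success, a negative errno on failure.
   */
  static int s2255_probe(struct usb_interface *interface,
  		       const struct usb_device_id *id)
  {
  	struct s2255_dev *dev = NULL;
  	struct usb_host_interface *iface_desc;
  	struct usb_endpoint_descriptor *endpoint;
  	int i;
  	int retval = -ENOMEM;
  	__le32 *pdata;
  	int fw_size;

  	/* allocate memory for our device state and initialize it to zero */
  	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
  	if (dev == NULL) {
  		s2255_dev_err(&interface->dev, "out of memory\n");
  		return -ENOMEM;
  	}

  	dev->cmdbuf = kzalloc(S2255_CMDBUF_SIZE, GFP_KERNEL);
  	if (dev->cmdbuf == NULL) {
  		s2255_dev_err(&interface->dev, "out of memory\n");
  		goto errorFWDATA1;
  	}

  	atomic_set(&dev->num_channels, 0);
  	dev->pid = id->idProduct;
  	dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL);
  	if (!dev->fw_data)
  		goto errorFWDATA1;
  	mutex_init(&dev->lock);
  	mutex_init(&dev->cmdlock);
  	/* grab usb_device and save it */
  	dev->udev = usb_get_dev(interface_to_usbdev(interface));
  	if (dev->udev == NULL) {
  		dev_err(&interface->dev, "null usb device\n");
  		retval = -ENODEV;
  		goto errorUDEV;
  	}
  	dev_dbg(&interface->dev, "dev: %p, udev %p interface %p\n",
  		dev, dev->udev, interface);
  	dev->interface = interface;
  	/* set up the endpoint information  */
  	iface_desc = interface->cur_altsetting;
  	dev_dbg(&interface->dev, "num EP: %d\n",
  		iface_desc->desc.bNumEndpoints);

  	/*
  	 * bNumEndpoints comes from the interface descriptor, i.e. from the
  	 * attached device, so it is validated before it is relied on.
  	 */
  	if (iface_desc->desc.bNumEndpoints < 1) {
  		dev_err(&interface->dev, "Invalid number of endpoints\n");
  		retval = -EINVAL;
  		/*
  		 * The build report flags "label 'error' used but not defined"
  		 * for a `goto error` at this spot.  errorEP is the unwind label
  		 * that matches the state here: the usb_get_dev() reference is
  		 * held, but the timer has not been set up yet.
  		 */
  		goto errorEP;
  	}

  	/* the scan is bounded by the endpoint count the descriptor declares */
  	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
  		endpoint = &iface_desc->endpoint[i].desc;
  		if (!dev->read_endpoint && usb_endpoint_is_bulk_in(endpoint)) {
  			/* we found the bulk in endpoint */
  			dev->read_endpoint = endpoint->bEndpointAddress;
  		}
  	}

  	if (!dev->read_endpoint) {
  		dev_err(&interface->dev, "Could not find bulk-in endpoint\n");
  		/*
  		 * NOTE(review): retval is still the initial -ENOMEM on this
  		 * path; a more specific code may be preferable - confirm what
  		 * callers expect before changing it.
  		 */
  		goto errorEP;
  	}
  	timer_setup(&dev->timer, s2255_timer, 0);
  	init_waitqueue_head(&dev->fw_data->wait_fw);
  	for (i = 0; i < MAX_CHANNELS; i++) {
  		struct s2255_vc *vc = &dev->vc[i];

  		vc->idx = i;
  		vc->dev = dev;
  		init_waitqueue_head(&vc->wait_setmode);
  		init_waitqueue_head(&vc->wait_vidstatus);
  		spin_lock_init(&vc->qlock);
  		mutex_init(&vc->vb_lock);
  	}

  	dev->fw_data->fw_urb = usb_alloc_urb(0, GFP_KERNEL);
  	if (!dev->fw_data->fw_urb)
  		goto errorFWURB;

  	dev->fw_data->pfw_data = kzalloc(CHUNK_SIZE, GFP_KERNEL);
  	if (!dev->fw_data->pfw_data) {
  		dev_err(&interface->dev, "out of memory!\n");
  		goto errorFWDATA2;
  	}
  	/* load the first chunk */
  	if (request_firmware(&dev->fw_data->fw,
  			     FIRMWARE_FILE_NAME, &dev->udev->dev)) {
  		dev_err(&interface->dev, "sensoray 2255 failed to get firmware\n");
  		goto errorREQFW;
  	}
  	/* check the firmware is valid */
  	fw_size = dev->fw_data->fw->size;
  	/*
  	 * The marker and the version word are read from the last 8 bytes of
  	 * the image.  Reject a shorter (truncated or corrupt) image so the
  	 * offsets below stay inside fw->data.
  	 */
  	if (fw_size < 8) {
  		dev_err(&interface->dev, "Firmware invalid.\n");
  		retval = -ENODEV;
  		goto errorFWMARKER;
  	}
  	pdata = (__le32 *) &dev->fw_data->fw->data[fw_size - 8];

  	if (*pdata != S2255_FW_MARKER) {
  		dev_err(&interface->dev, "Firmware invalid.\n");
  		retval = -ENODEV;
  		goto errorFWMARKER;
  	} else {
  		/* make sure firmware is the latest */
  		__le32 *pRel;

  		pRel = (__le32 *) &dev->fw_data->fw->data[fw_size - 4];
  		pr_info("s2255 dsp fw version %x\n", le32_to_cpu(*pRel));
  		dev->dsp_fw_ver = le32_to_cpu(*pRel);
  		if (dev->dsp_fw_ver < S2255_CUR_DSP_FWVER)
  			pr_info("s2255: f2255usb.bin out of date.\n");
  		if (dev->pid == 0x2257 &&
  				dev->dsp_fw_ver < S2255_MIN_DSP_COLORFILTER)
  			pr_warn("2257 needs firmware %d or above.\n",
  				S2255_MIN_DSP_COLORFILTER);
  	}
  	usb_reset_device(dev->udev);
  	/* load 2255 board specific */
  	retval = s2255_board_init(dev);
  	if (retval)
  		goto errorBOARDINIT;
  	s2255_fwload_start(dev);
  	/* loads v4l specific */
  	retval = s2255_probe_v4l(dev);
  	if (retval)
  		goto errorBOARDINIT;
  	dev_info(&interface->dev, "Sensoray 2255 detected\n");
  	return 0;

  	/*
  	 * Unwind ladder: each label releases what was acquired just before
  	 * the matching failure point and then falls through to the labels
  	 * for the resources acquired earlier.
  	 */
  errorBOARDINIT:
  	s2255_board_shutdown(dev);
  errorFWMARKER:
  	release_firmware(dev->fw_data->fw);
  errorREQFW:
  	kfree(dev->fw_data->pfw_data);
  errorFWDATA2:
  	usb_free_urb(dev->fw_data->fw_urb);
  errorFWURB:
  	del_timer_sync(&dev->timer);
  errorEP:
  	usb_put_dev(dev->udev);
  errorUDEV:
  	kfree(dev->fw_data);
  	mutex_destroy(&dev->lock);
  errorFWDATA1:
  	kfree(dev->cmdbuf);
  	kfree(dev);
  	pr_warn("Sensoray 2255 driver load failed: 0x%x\n", retval);
  	return retval;
  }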
  2366	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

Attachment: .config.gz
Description: application/gzip

