Re: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors

From: kbuild test robot
Date: Thu Apr 11 2019 - 10:52:33 EST


Hi Young,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linuxtv-media/master]
[also build test ERROR on v5.1-rc4 next-20190410]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url: https://github.com/0day-ci/linux/commits/Young-Xiao/USB-s2255-stkwebcam-fix-oops-with-malicious-USB-descriptors/20190411-213648
base: git://linuxtv.org/media_tree.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 8.1.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=8.1.0 make.cross ARCH=xtensa

All errors (new ones prefixed by >>):

drivers/media/usb/s2255/s2255drv.c: In function 's2255_probe':
>> drivers/media/usb/s2255/s2255drv.c:2270:3: error: label 'error' used but not defined
goto error;
^~~~
--
drivers/media/usb/stkwebcam/stk-webcam.c: In function 'stk_camera_probe':
>> drivers/media/usb/stkwebcam/stk-webcam.c:1355:3: error: 'retval' undeclared (first use in this function); did you mean 'regval'?
retval = -EINVAL;
^~~~~~
regval
drivers/media/usb/stkwebcam/stk-webcam.c:1355:3: note: each undeclared identifier is reported only once for each function it appears in

vim +/error +2270 drivers/media/usb/s2255/s2255drv.c

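/*
 * Standard USB probe function for the Sensoray 2255.
 *
 * Allocates the per-device state, locates the bulk-in endpoint, loads and
 * checks the firmware image, then initialises the board and registers the
 * V4L2 side.  The interface descriptor is supplied by the attached device,
 * so its contents are validated before they are used.
 *
 * Returns 0 on success or a negative errno.  On failure the error labels at
 * the bottom release resources in reverse order of acquisition; each goto
 * must target the label matching what has been acquired so far.
 */
static int s2255_probe(struct usb_interface *interface,
		       const struct usb_device_id *id)
{
	struct s2255_dev *dev = NULL;
	struct usb_host_interface *iface_desc;
	struct usb_endpoint_descriptor *endpoint;
	int i;
	int retval = -ENOMEM;
	__le32 *pdata;
	int fw_size;

	/* allocate memory for our device state and initialize it to zero */
	dev = kzalloc(sizeof(struct s2255_dev), GFP_KERNEL);
	if (dev == NULL) {
		s2255_dev_err(&interface->dev, "out of memory\n");
		return -ENOMEM;
	}

	dev->cmdbuf = kzalloc(S2255_CMDBUF_SIZE, GFP_KERNEL);
	if (dev->cmdbuf == NULL) {
		s2255_dev_err(&interface->dev, "out of memory\n");
		goto errorFWDATA1;
	}

	atomic_set(&dev->num_channels, 0);
	dev->pid = id->idProduct;
	dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL);
	if (!dev->fw_data)
		goto errorFWDATA1;
	mutex_init(&dev->lock);
	mutex_init(&dev->cmdlock);
	/* grab usb_device and save it */
	dev->udev = usb_get_dev(interface_to_usbdev(interface));
	if (dev->udev == NULL) {
		dev_err(&interface->dev, "null usb device\n");
		retval = -ENODEV;
		goto errorUDEV;
	}
	dev_dbg(&interface->dev, "dev: %p, udev %p interface %p\n",
		dev, dev->udev, interface);
	dev->interface = interface;
	/* set up the endpoint information */
	iface_desc = interface->cur_altsetting;
	dev_dbg(&interface->dev, "num EP: %d\n",
		iface_desc->desc.bNumEndpoints);

	/*
	 * Reject a descriptor that advertises no endpoints.  The patch as
	 * posted jumped to a label named 'error', which this function does
	 * not define (the reported build failure).  The usb_get_dev()
	 * reference is already held here and the timer is not yet set up,
	 * so errorEP is the matching unwind point.
	 */
	if (iface_desc->desc.bNumEndpoints < 1) {
		dev_err(&interface->dev, "Invalid number of endpoints\n");
		retval = -EINVAL;
		goto errorEP;
	}

	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
		endpoint = &iface_desc->endpoint[i].desc;
		if (!dev->read_endpoint && usb_endpoint_is_bulk_in(endpoint)) {
			/* we found the bulk in endpoint */
			dev->read_endpoint = endpoint->bEndpointAddress;
		}
	}

	/*
	 * NOTE(review): retval is still -ENOMEM on this path, so a device
	 * without a bulk-in endpoint is reported as an allocation failure.
	 */
	if (!dev->read_endpoint) {
		dev_err(&interface->dev, "Could not find bulk-in endpoint\n");
		goto errorEP;
	}
	timer_setup(&dev->timer, s2255_timer, 0);
	init_waitqueue_head(&dev->fw_data->wait_fw);
	for (i = 0; i < MAX_CHANNELS; i++) {
		struct s2255_vc *vc = &dev->vc[i];
		vc->idx = i;
		vc->dev = dev;
		init_waitqueue_head(&vc->wait_setmode);
		init_waitqueue_head(&vc->wait_vidstatus);
		spin_lock_init(&vc->qlock);
		mutex_init(&vc->vb_lock);
	}

	dev->fw_data->fw_urb = usb_alloc_urb(0, GFP_KERNEL);
	if (!dev->fw_data->fw_urb)
		goto errorFWURB;

	dev->fw_data->pfw_data = kzalloc(CHUNK_SIZE, GFP_KERNEL);
	if (!dev->fw_data->pfw_data) {
		dev_err(&interface->dev, "out of memory!\n");
		goto errorFWDATA2;
	}
	/* load the first chunk */
	if (request_firmware(&dev->fw_data->fw,
			     FIRMWARE_FILE_NAME, &dev->udev->dev)) {
		dev_err(&interface->dev, "sensoray 2255 failed to get firmware\n");
		goto errorREQFW;
	}
	/*
	 * check the firmware is valid
	 *
	 * The marker and the version word are read from the last 8 bytes of
	 * the image.  An image shorter than that would make the indices
	 * below negative and read outside the firmware buffer, so treat it
	 * as invalid before touching the data.
	 */
	if (dev->fw_data->fw->size < 8) {
		dev_err(&interface->dev, "Firmware invalid.\n");
		retval = -ENODEV;
		goto errorFWMARKER;
	}
	fw_size = dev->fw_data->fw->size;
	/*
	 * NOTE(review): the casts here and below dereference a byte offset
	 * as __le32; this presumably relies on the image length keeping the
	 * tail 4-byte aligned -- confirm.
	 */
	pdata = (__le32 *) &dev->fw_data->fw->data[fw_size - 8];

	if (*pdata != S2255_FW_MARKER) {
		dev_err(&interface->dev, "Firmware invalid.\n");
		retval = -ENODEV;
		goto errorFWMARKER;
	} else {
		/* make sure firmware is the latest */
		__le32 *pRel;
		pRel = (__le32 *) &dev->fw_data->fw->data[fw_size - 4];
		pr_info("s2255 dsp fw version %x\n", le32_to_cpu(*pRel));
		dev->dsp_fw_ver = le32_to_cpu(*pRel);
		if (dev->dsp_fw_ver < S2255_CUR_DSP_FWVER)
			pr_info("s2255: f2255usb.bin out of date.\n");
		if (dev->pid == 0x2257 &&
		    dev->dsp_fw_ver < S2255_MIN_DSP_COLORFILTER)
			pr_warn("2257 needs firmware %d or above.\n",
				S2255_MIN_DSP_COLORFILTER);
	}
	usb_reset_device(dev->udev);
	/* load 2255 board specific */
	retval = s2255_board_init(dev);
	if (retval)
		goto errorBOARDINIT;
	s2255_fwload_start(dev);
	/* loads v4l specific */
	retval = s2255_probe_v4l(dev);
	if (retval)
		goto errorBOARDINIT;
	dev_info(&interface->dev, "Sensoray 2255 detected\n");
	return 0;
	/* Unwind path: each label falls through to the ones below it. */
errorBOARDINIT:
	s2255_board_shutdown(dev);
errorFWMARKER:
	release_firmware(dev->fw_data->fw);
errorREQFW:
	kfree(dev->fw_data->pfw_data);
errorFWDATA2:
	usb_free_urb(dev->fw_data->fw_urb);
errorFWURB:
	del_timer_sync(&dev->timer);
errorEP:
	/* drops the reference taken by usb_get_dev() */
	usb_put_dev(dev->udev);
errorUDEV:
	kfree(dev->fw_data);
	mutex_destroy(&dev->lock);
errorFWDATA1:
	kfree(dev->cmdbuf);
	kfree(dev);
	pr_warn("Sensoray 2255 driver load failed: 0x%x\n", retval);
	return retval;
}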

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation

Attachment: .config.gz
Description: application/gzip