Re: VIVID/VIMC and media fuzzing
On Fri, Dec 7, 2018 at 8:22 PM Helen Koike wrote:
>
> >>> You also mentioned that one of the devices requires some complex setup
> >>> via configfs. Is this interface described somewhere? Do you think it's
> >>> more profitable to pre-setup some fixed configuration for each test
> >>> process? Or just give the setup interface to fuzzer and let it do
> >>> random setup? Or both?
> >>
> >> That's the vimc driver, but the configfs code isn't in yet.
> >
> > I'll try to submit it later this week (with documentation) :)
>
> I submitted the first version at:
> https://www.spinics.net/lists/linux-media/msg144244.html
> As soon as it is updated we can add it to fuzzer. I believe some
> pre-setup/fixed configuration would work.
>
> I don't know much about fuzzer's code, if you could give me some
> pointers I can help with that.

Hi Helen,

Great!

It may be easier to think about this on 2 levels:

The first is _what_ we want to do. For this, imagine you are writing a stress test for the subsystem as a C program that does some fixed setup and then executes random syscalls related to the subsystem and acting on the devices using rand() to select syscalls and arguments. What setup would you do for this? What syscalls would you issue?

The second is then how to fit this into syzkaller. The setup part in syzkaller is also just custom C code. E.g. this setups network devices for test process:
https://github.com/google/syzkaller/blob/master/executor/common_linux.h#L154-L301
There is a little bit of trickery because this code is also used to generate C reproducers for crashes, and it also needs to preferably support multiple independent test processes (namely this code has procid=0..N variable and needs to setup e.g. /dev/loopN device corresponding to current procid). E.g. for vivid we use "vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2". But overall it's just C code.

For the main stress/fuzzing we have these declarative descriptions, which are hopefully mostly self-explanatory:
https://github.com/google/syzkaller/blob/master/sys/linux/video4linux.txt
If there is something missing, we need to add missing parts.

And maybe even give fuzzer the configfs interface too to mess with (it can open specified files and do, say, writes with complex inputs, both binary and text based).

Also, will we gain something by enabling the following ones inside of a VM:

# CONFIG_V4L_PLATFORM_DRIVERS is not set
# CONFIG_V4L_MEM2MEM_DRIVERS is not set

? Or, it's just physical hardware drivers?

FTR, here are configs that syzbot uses:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-selinux.cmdline
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream.sysctl

Thanks
Re: [PATCH 2/3] media: ov2640: make VIDIOC_SUBDEV_G_FMT ioctl work with V4L2_SUBDEV_FORMAT_TRY
Hi Akinobu,

I love your patch! Yet something to improve:

[auto build test ERROR on linuxtv-media/master]
[also build test ERROR on v4.20-rc5 next-20181207]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:      https://github.com/0day-ci/linux/commits/Akinobu-Mita/media-ov2640-fix-two-problems/20181208-165345
base:     git://linuxtv.org/media_tree.git master
config:   x86_64-randconfig-x011-201848 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64

All error/warnings (new ones prefixed by >>):

   drivers/media//i2c/ov2640.c: In function 'ov2640_get_fmt':
>> drivers/media//i2c/ov2640.c:930:8: error: implicit declaration of function
>> 'v4l2_subdev_get_try_format'; did you mean 'v4l2_subdev_notify_event'?
>> [-Werror=implicit-function-declaration]
      mf = v4l2_subdev_get_try_format(sd, cfg, 0);
           ^~
           v4l2_subdev_notify_event
>> drivers/media//i2c/ov2640.c:930:6: warning: assignment makes pointer from
>> integer without a cast [-Wint-conversion]
      mf = v4l2_subdev_get_try_format(sd, cfg, 0);
         ^
   drivers/media//i2c/ov2640.c: In function 'ov2640_init_cfg':
>> drivers/media//i2c/ov2640.c:1007:3: warning: initialization makes pointer
>> from integer without a cast [-Wint-conversion]
      v4l2_subdev_get_try_format(sd, cfg, 0);
      ^~
   cc1: some warnings being treated as errors

vim +930 drivers/media//i2c/ov2640.c

   917
   918  static int ov2640_get_fmt(struct v4l2_subdev *sd,
   919                  struct v4l2_subdev_pad_config *cfg,
   920                  struct v4l2_subdev_format *format)
   921  {
   922          struct v4l2_mbus_framefmt *mf = &format->format;
   923          struct i2c_client *client = v4l2_get_subdevdata(sd);
   924          struct ov2640_priv *priv = to_ov2640(client);
   925
   926          if (format->pad)
   927                  return -EINVAL;
   928
   929          if (format->which == V4L2_SUBDEV_FORMAT_TRY) {
 > 930                  mf = v4l2_subdev_get_try_format(sd, cfg, 0);
   931                  format->format = *mf;
   932
   933                  return 0;
   934          }
   935
   936          mf->width = priv->win->width;
   937          mf->height = priv->win->height;
   938          mf->code = priv->cfmt_code;
   939          mf->colorspace = V4L2_COLORSPACE_SRGB;
   940          mf->field = V4L2_FIELD_NONE;
   941
   942          return 0;
   943  }
   944
   945  static int ov2640_set_fmt(struct v4l2_subdev *sd,
   946                  struct v4l2_subdev_pad_config *cfg,
   947                  struct v4l2_subdev_format *format)
   948  {
   949          struct v4l2_mbus_framefmt *mf = &format->format;
   950          struct i2c_client *client = v4l2_get_subdevdata(sd);
   951          struct ov2640_priv *priv = to_ov2640(client);
   952          const struct ov2640_win_size *win;
   953          int ret = 0;
   954
   955          if (format->pad)
   956                  return -EINVAL;
   957
   958          mutex_lock(&priv->lock);
   959
   960          /* select suitable win */
   961          win = ov2640_select_win(mf->width, mf->height);
   962          mf->width = win->width;
   963          mf->height = win->height;
   964
   965          mf->field = V4L2_FIELD_NONE;
   966          mf->colorspace = V4L2_COLORSPACE_SRGB;
   967
   968          switch (mf->code) {
   969          case MEDIA_BUS_FMT_RGB565_2X8_BE:
   970          case MEDIA_BUS_FMT_RGB565_2X8_LE:
   971          case MEDIA_BUS_FMT_YUYV8_2X8:
   972          case MEDIA_BUS_FMT_UYVY8_2X8:
   973          case MEDIA_BUS_FMT_YVYU8_2X8:
   974          case MEDIA_BUS_FMT_VYUY8_2X8:
   975                  break;
   976          default:
   977                  mf->code = MEDIA_BUS_FMT_UYVY8_2X8;
   978                  break;
   979          }
   980
   981          if (format->which == V4L2_SUBDEV_FORMAT_ACTIVE) {
   982                  struct ov2640_priv *priv = to_ov2640(client);
   983
   984                  if (priv->streaming) {
   985                          ret = -EBUSY;
   986                          goto out;
   987                  }
   988                  /* select win */
   989                  priv->win = win;
   990                  /* select format */
   991                  priv->cfmt_code = mf->code;
   992          } else {
   993                  cfg->try_fmt = *mf;
   994          }
   995  out:
   996          mutex_unlock(&priv->lock);
   997
   998          return ret;
   999  }
  1000
  1001  static int ov2640_init_cfg(struct v4l2_subdev *sd,
  1002                  struct v4l2_subdev_pad_config