As reported by one of our users here:

There is a bug when the dwc2 core receives USB data packets that are
between 1 and 4 bytes in length - 4 bytes are always written to memory
where the non-packet bytes are garbage.

This is easily reproducible by
- Plugging a UVC-compliant webcam into a Raspberry Pi gen 1, 2 or 3 product
- Running "v4l2-ctl -d 0 --all"

The camera's control ranges (brightness/contrast etc) are all queried
by 1- or 2-byte control IN transfers. As 4 bytes get written to the
URB's buffer, this results in the uvcvideo data struct containing the
control information getting corrupted like so:

contrast 0x00980901 (int)    : min=0 max=64 step=1 default=57343 value=32
saturation 0x00980902 (int)    : min=0 max=128 step=1 default=57343 value=105
hue 0x00980903 (int)    : min=-40 max=40 step=1 default=-8193 value=0
white_balance_temperature_auto 0x0098090c (bool)   : default=1 value=1
gamma 0x00980910 (int)    : min=72 max=500 step=1 default=57343 value=100

We've implemented a downstream fix for dwc_otg[1] that just forces use
of the dword alignment buffer mechanism (aka DMA bounce buffer), but
dwc2 only uses a bounce buffer for split-IN transfers.

I have two questions:
1) Does this bug occur on non-Pi hardware?
2) What's the easiest way to patch this for dwc2?


Reply via email to