It's causing problems upstream.
+++ /dev/null
-From 0e2ee70291e64a30fe36960c85294726d34a103e Mon Sep 17 00:00:00 2001
-From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Date: Wed, 20 Aug 2025 16:08:16 +0000
-Subject: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
-
-From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-
-commit 0e2ee70291e64a30fe36960c85294726d34a103e upstream.
-
-Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
-unique ID.
-
-```
-Each Unit and Terminal within the video function is assigned a unique
-identification number, the Unit ID (UID) or Terminal ID (TID), contained in
-the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
-reserved for undefined ID,
-```
-
-If we add a new entity with id 0 or a duplicated ID, it will be marked
-as UVC_INVALID_ENTITY_ID.
-
-In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
-entities to have a non-zero unique ID"), we ignored all the invalid units,
-this broke a lot of non-compatible cameras. Hopefully we are more lucky
-this time.
-
-This also prevents some syzkaller reproducers from triggering warnings due
-to a chain of entities referring to themselves. In one particular case, an
-Output Unit is connected to an Input Unit, both with the same ID of 1. But
-when looking up for the source ID of the Output Unit, that same entity is
-found instead of the input entity, which leads to such warnings.
-
-In another case, a backward chain was considered finished as the source ID
-was 0. Later on, that entity was found, but its pads were not valid.
-
-Here is a sample stack trace for one of those cases.
-
-[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
-[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
-[ 20.833501] usb 1-1: config 0 descriptor??
-[ 21.038518] usb 1-1: string descriptor 0 read error: -71
-[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
-[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
-[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
-[ 21.042218] ------------[ cut here ]------------
-[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
-[ 21.043195] Modules linked in:
-[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
-[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
-[ 21.044639] Workqueue: usb_hub_wq hub_event
-[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
-[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
-[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
-[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
-[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
-[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
-[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
-[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
-[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
-[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
-[ 21.051136] PKRU: 55555554
-[ 21.051331] Call Trace:
-[ 21.051480] <TASK>
-[ 21.051611] ? __warn+0xc4/0x210
-[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
-[ 21.052252] ? report_bug+0x11b/0x1a0
-[ 21.052540] ? trace_hardirqs_on+0x31/0x40
-[ 21.052901] ? handle_bug+0x3d/0x70
-[ 21.053197] ? exc_invalid_op+0x1a/0x50
-[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
-[ 21.053924] ? media_create_pad_link+0x91/0x2e0
-[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
-[ 21.054834] ? media_create_pad_link+0x91/0x2e0
-[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
-[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
-[ 21.055837] uvc_mc_register_entities+0x358/0x400
-[ 21.056144] uvc_register_chains+0x1fd/0x290
-[ 21.056413] uvc_probe+0x380e/0x3dc0
-[ 21.056676] ? __lock_acquire+0x5aa/0x26e0
-[ 21.056946] ? find_held_lock+0x33/0xa0
-[ 21.057196] ? kernfs_activate+0x70/0x80
-[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70
-[ 21.057811] ? find_held_lock+0x33/0xa0
-[ 21.058047] ? usb_match_dynamic_id+0x55/0x70
-[ 21.058330] ? lock_release+0x124/0x260
-[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100
-[ 21.058997] usb_probe_interface+0x1ba/0x330
-[ 21.059399] really_probe+0x1ba/0x4c0
-[ 21.059662] __driver_probe_device+0xb2/0x180
-[ 21.059944] driver_probe_device+0x5a/0x100
-[ 21.060170] __device_attach_driver+0xe9/0x160
-[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10
-[ 21.060872] bus_for_each_drv+0xa9/0x100
-[ 21.061312] __device_attach+0xed/0x190
-[ 21.061812] device_initial_probe+0xe/0x20
-[ 21.062229] bus_probe_device+0x4d/0xd0
-[ 21.062590] device_add+0x308/0x590
-[ 21.062912] usb_set_configuration+0x7b6/0xaf0
-[ 21.063403] usb_generic_driver_probe+0x36/0x80
-[ 21.063714] usb_probe_device+0x7b/0x130
-[ 21.063936] really_probe+0x1ba/0x4c0
-[ 21.064111] __driver_probe_device+0xb2/0x180
-[ 21.064577] driver_probe_device+0x5a/0x100
-[ 21.065019] __device_attach_driver+0xe9/0x160
-[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10
-[ 21.065820] bus_for_each_drv+0xa9/0x100
-[ 21.066094] __device_attach+0xed/0x190
-[ 21.066535] device_initial_probe+0xe/0x20
-[ 21.066992] bus_probe_device+0x4d/0xd0
-[ 21.067250] device_add+0x308/0x590
-[ 21.067501] usb_new_device+0x347/0x610
-[ 21.067817] hub_event+0x156b/0x1e30
-[ 21.068060] ? process_scheduled_works+0x48b/0xaf0
-[ 21.068337] process_scheduled_works+0x5a3/0xaf0
-[ 21.068668] worker_thread+0x3cf/0x560
-[ 21.068932] ? kthread+0x109/0x1b0
-[ 21.069133] kthread+0x197/0x1b0
-[ 21.069343] ? __pfx_worker_thread+0x10/0x10
-[ 21.069598] ? __pfx_kthread+0x10/0x10
-[ 21.069908] ret_from_fork+0x32/0x40
-[ 21.070169] ? __pfx_kthread+0x10/0x10
-[ 21.070424] ret_from_fork_asm+0x1a/0x30
-[ 21.070737] </TASK>
-
-Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
-Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
-Reported-by: Youngjun Lee <yjjuny.lee@samsung.com>
-Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
-Cc: stable@vger.kernel.org
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Co-developed-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Reviewed-by: Hans de Goede <hansg@kernel.org>
-Signed-off-by: Hans de Goede <hansg@kernel.org>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++++++--------------
- drivers/media/usb/uvc/uvcvideo.h | 2 +
- 2 files changed, 48 insertions(+), 27 deletions(-)
-
---- a/drivers/media/usb/uvc/uvc_driver.c
-+++ b/drivers/media/usb/uvc/uvc_driver.c
-@@ -413,6 +413,9 @@ struct uvc_entity *uvc_entity_by_id(stru
- {
- struct uvc_entity *entity;
-
-+ if (id == UVC_INVALID_ENTITY_ID)
-+ return NULL;
-+
- list_for_each_entry(entity, &dev->entities, list) {
- if (entity->id == id)
- return entity;
-@@ -1029,14 +1032,27 @@ static const u8 uvc_media_transport_inpu
- UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT;
- static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING;
-
--static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id,
-- unsigned int num_pads, unsigned int extra_size)
-+static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
-+ u16 id, unsigned int num_pads,
-+ unsigned int extra_size)
- {
- struct uvc_entity *entity;
- unsigned int num_inputs;
- unsigned int size;
- unsigned int i;
-
-+ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
-+ if (id == 0) {
-+ dev_err(&dev->intf->dev, "Found Unit with invalid ID 0\n");
-+ id = UVC_INVALID_ENTITY_ID;
-+ }
-+
-+ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
-+ if (uvc_entity_by_id(dev, id)) {
-+ dev_err(&dev->intf->dev, "Found multiple Units with ID %u\n", id);
-+ id = UVC_INVALID_ENTITY_ID;
-+ }
-+
- extra_size = roundup(extra_size, sizeof(*entity->pads));
- if (num_pads)
- num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
-@@ -1046,7 +1062,7 @@ static struct uvc_entity *uvc_alloc_enti
- + num_inputs;
- entity = kzalloc(size, GFP_KERNEL);
- if (entity == NULL)
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
-
- entity->id = id;
- entity->type = type;
-@@ -1136,10 +1152,10 @@ static int uvc_parse_vendor_control(stru
- break;
- }
-
-- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
-- p + 1, 2*n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
-+ buffer[3], p + 1, 2 * n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->guid, &buffer[4], 16);
- unit->extension.bNumControls = buffer[20];
-@@ -1249,10 +1265,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
-- 1, n + p);
-- if (term == NULL)
-- return -ENOMEM;
-+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
-+ buffer[3], 1, n + p);
-+ if (IS_ERR(term))
-+ return PTR_ERR(term);
-
- if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
- term->camera.bControlSize = n;
-@@ -1308,10 +1324,10 @@ static int uvc_parse_standard_control(st
- return 0;
- }
-
-- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
-- 1, 0);
-- if (term == NULL)
-- return -ENOMEM;
-+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
-+ buffer[3], 1, 0);
-+ if (IS_ERR(term))
-+ return PTR_ERR(term);
-
- memcpy(term->baSourceID, &buffer[7], 1);
-
-@@ -1332,9 +1348,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
-+ p + 1, 0);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->baSourceID, &buffer[5], p);
-
-@@ -1356,9 +1373,9 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->baSourceID, &buffer[4], 1);
- unit->processing.wMaxMultiplier =
-@@ -1387,9 +1404,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
-+ p + 1, n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->guid, &buffer[4], 16);
- unit->extension.bNumControls = buffer[20];
-@@ -1528,9 +1546,10 @@ static int uvc_gpio_parse(struct uvc_dev
- return dev_err_probe(&dev->intf->dev, irq,
- "No IRQ for privacy GPIO\n");
-
-- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
-- if (!unit)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT,
-+ UVC_EXT_GPIO_UNIT_ID, 0, 1);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- unit->gpio.gpio_privacy = gpio_privacy;
- unit->gpio.irq = irq;
---- a/drivers/media/usb/uvc/uvcvideo.h
-+++ b/drivers/media/usb/uvc/uvcvideo.h
-@@ -41,6 +41,8 @@
- #define UVC_EXT_GPIO_UNIT 0x7ffe
- #define UVC_EXT_GPIO_UNIT_ID 0x100
-
-+#define UVC_INVALID_ENTITY_ID 0xffff
-+
- /* ------------------------------------------------------------------------
- * GUIDs
- */
scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
media-rc-fix-races-with-imon_disconnect.patch
-media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch
kvm-arm64-fix-softirq-masking-in-fpsimd-register-saving-sequence.patch
udp-fix-memory-accounting-leak.patch
media-tunner-xc5000-refactor-firmware-load.patch
+++ /dev/null
-From 0e2ee70291e64a30fe36960c85294726d34a103e Mon Sep 17 00:00:00 2001
-From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Date: Wed, 20 Aug 2025 16:08:16 +0000
-Subject: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
-
-From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-
-commit 0e2ee70291e64a30fe36960c85294726d34a103e upstream.
-
-Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
-unique ID.
-
-```
-Each Unit and Terminal within the video function is assigned a unique
-identification number, the Unit ID (UID) or Terminal ID (TID), contained in
-the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
-reserved for undefined ID,
-```
-
-If we add a new entity with id 0 or a duplicated ID, it will be marked
-as UVC_INVALID_ENTITY_ID.
-
-In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
-entities to have a non-zero unique ID"), we ignored all the invalid units,
-this broke a lot of non-compatible cameras. Hopefully we are more lucky
-this time.
-
-This also prevents some syzkaller reproducers from triggering warnings due
-to a chain of entities referring to themselves. In one particular case, an
-Output Unit is connected to an Input Unit, both with the same ID of 1. But
-when looking up for the source ID of the Output Unit, that same entity is
-found instead of the input entity, which leads to such warnings.
-
-In another case, a backward chain was considered finished as the source ID
-was 0. Later on, that entity was found, but its pads were not valid.
-
-Here is a sample stack trace for one of those cases.
-
-[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
-[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
-[ 20.833501] usb 1-1: config 0 descriptor??
-[ 21.038518] usb 1-1: string descriptor 0 read error: -71
-[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
-[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
-[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
-[ 21.042218] ------------[ cut here ]------------
-[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
-[ 21.043195] Modules linked in:
-[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
-[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
-[ 21.044639] Workqueue: usb_hub_wq hub_event
-[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
-[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
-[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
-[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
-[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
-[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
-[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
-[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
-[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
-[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
-[ 21.051136] PKRU: 55555554
-[ 21.051331] Call Trace:
-[ 21.051480] <TASK>
-[ 21.051611] ? __warn+0xc4/0x210
-[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
-[ 21.052252] ? report_bug+0x11b/0x1a0
-[ 21.052540] ? trace_hardirqs_on+0x31/0x40
-[ 21.052901] ? handle_bug+0x3d/0x70
-[ 21.053197] ? exc_invalid_op+0x1a/0x50
-[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
-[ 21.053924] ? media_create_pad_link+0x91/0x2e0
-[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
-[ 21.054834] ? media_create_pad_link+0x91/0x2e0
-[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
-[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
-[ 21.055837] uvc_mc_register_entities+0x358/0x400
-[ 21.056144] uvc_register_chains+0x1fd/0x290
-[ 21.056413] uvc_probe+0x380e/0x3dc0
-[ 21.056676] ? __lock_acquire+0x5aa/0x26e0
-[ 21.056946] ? find_held_lock+0x33/0xa0
-[ 21.057196] ? kernfs_activate+0x70/0x80
-[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70
-[ 21.057811] ? find_held_lock+0x33/0xa0
-[ 21.058047] ? usb_match_dynamic_id+0x55/0x70
-[ 21.058330] ? lock_release+0x124/0x260
-[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100
-[ 21.058997] usb_probe_interface+0x1ba/0x330
-[ 21.059399] really_probe+0x1ba/0x4c0
-[ 21.059662] __driver_probe_device+0xb2/0x180
-[ 21.059944] driver_probe_device+0x5a/0x100
-[ 21.060170] __device_attach_driver+0xe9/0x160
-[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10
-[ 21.060872] bus_for_each_drv+0xa9/0x100
-[ 21.061312] __device_attach+0xed/0x190
-[ 21.061812] device_initial_probe+0xe/0x20
-[ 21.062229] bus_probe_device+0x4d/0xd0
-[ 21.062590] device_add+0x308/0x590
-[ 21.062912] usb_set_configuration+0x7b6/0xaf0
-[ 21.063403] usb_generic_driver_probe+0x36/0x80
-[ 21.063714] usb_probe_device+0x7b/0x130
-[ 21.063936] really_probe+0x1ba/0x4c0
-[ 21.064111] __driver_probe_device+0xb2/0x180
-[ 21.064577] driver_probe_device+0x5a/0x100
-[ 21.065019] __device_attach_driver+0xe9/0x160
-[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10
-[ 21.065820] bus_for_each_drv+0xa9/0x100
-[ 21.066094] __device_attach+0xed/0x190
-[ 21.066535] device_initial_probe+0xe/0x20
-[ 21.066992] bus_probe_device+0x4d/0xd0
-[ 21.067250] device_add+0x308/0x590
-[ 21.067501] usb_new_device+0x347/0x610
-[ 21.067817] hub_event+0x156b/0x1e30
-[ 21.068060] ? process_scheduled_works+0x48b/0xaf0
-[ 21.068337] process_scheduled_works+0x5a3/0xaf0
-[ 21.068668] worker_thread+0x3cf/0x560
-[ 21.068932] ? kthread+0x109/0x1b0
-[ 21.069133] kthread+0x197/0x1b0
-[ 21.069343] ? __pfx_worker_thread+0x10/0x10
-[ 21.069598] ? __pfx_kthread+0x10/0x10
-[ 21.069908] ret_from_fork+0x32/0x40
-[ 21.070169] ? __pfx_kthread+0x10/0x10
-[ 21.070424] ret_from_fork_asm+0x1a/0x30
-[ 21.070737] </TASK>
-
-Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
-Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
-Reported-by: Youngjun Lee <yjjuny.lee@samsung.com>
-Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
-Cc: stable@vger.kernel.org
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
-Co-developed-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Reviewed-by: Hans de Goede <hansg@kernel.org>
-Signed-off-by: Hans de Goede <hansg@kernel.org>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++++++--------------
- drivers/media/usb/uvc/uvcvideo.h | 2 +
- 2 files changed, 48 insertions(+), 27 deletions(-)
-
---- a/drivers/media/usb/uvc/uvc_driver.c
-+++ b/drivers/media/usb/uvc/uvc_driver.c
-@@ -134,6 +134,9 @@ struct uvc_entity *uvc_entity_by_id(stru
- {
- struct uvc_entity *entity;
-
-+ if (id == UVC_INVALID_ENTITY_ID)
-+ return NULL;
-+
- list_for_each_entry(entity, &dev->entities, list) {
- if (entity->id == id)
- return entity;
-@@ -757,14 +760,27 @@ static const u8 uvc_media_transport_inpu
- UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT;
- static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING;
-
--static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id,
-- unsigned int num_pads, unsigned int extra_size)
-+static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
-+ u16 id, unsigned int num_pads,
-+ unsigned int extra_size)
- {
- struct uvc_entity *entity;
- unsigned int num_inputs;
- unsigned int size;
- unsigned int i;
-
-+ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
-+ if (id == 0) {
-+ dev_err(&dev->intf->dev, "Found Unit with invalid ID 0\n");
-+ id = UVC_INVALID_ENTITY_ID;
-+ }
-+
-+ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
-+ if (uvc_entity_by_id(dev, id)) {
-+ dev_err(&dev->intf->dev, "Found multiple Units with ID %u\n", id);
-+ id = UVC_INVALID_ENTITY_ID;
-+ }
-+
- extra_size = roundup(extra_size, sizeof(*entity->pads));
- if (num_pads)
- num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
-@@ -774,7 +790,7 @@ static struct uvc_entity *uvc_alloc_enti
- + num_inputs;
- entity = kzalloc(size, GFP_KERNEL);
- if (entity == NULL)
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
-
- entity->id = id;
- entity->type = type;
-@@ -865,10 +881,10 @@ static int uvc_parse_vendor_control(stru
- break;
- }
-
-- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
-- p + 1, 2*n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
-+ buffer[3], p + 1, 2 * n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->guid, &buffer[4], 16);
- unit->extension.bNumControls = buffer[20];
-@@ -978,10 +994,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
-- 1, n + p);
-- if (term == NULL)
-- return -ENOMEM;
-+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
-+ buffer[3], 1, n + p);
-+ if (IS_ERR(term))
-+ return PTR_ERR(term);
-
- if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
- term->camera.bControlSize = n;
-@@ -1038,10 +1054,10 @@ static int uvc_parse_standard_control(st
- return 0;
- }
-
-- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
-- 1, 0);
-- if (term == NULL)
-- return -ENOMEM;
-+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
-+ buffer[3], 1, 0);
-+ if (IS_ERR(term))
-+ return PTR_ERR(term);
-
- memcpy(term->baSourceID, &buffer[7], 1);
-
-@@ -1062,9 +1078,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
-+ p + 1, 0);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->baSourceID, &buffer[5], p);
-
-@@ -1086,9 +1103,9 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->baSourceID, &buffer[4], 1);
- unit->processing.wMaxMultiplier =
-@@ -1117,9 +1134,10 @@ static int uvc_parse_standard_control(st
- return -EINVAL;
- }
-
-- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
-- if (unit == NULL)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
-+ p + 1, n);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- memcpy(unit->guid, &buffer[4], 16);
- unit->extension.bNumControls = buffer[20];
-@@ -1260,9 +1278,10 @@ static int uvc_gpio_parse(struct uvc_dev
- return dev_err_probe(&dev->intf->dev, irq,
- "No IRQ for privacy GPIO\n");
-
-- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
-- if (!unit)
-- return -ENOMEM;
-+ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT,
-+ UVC_EXT_GPIO_UNIT_ID, 0, 1);
-+ if (IS_ERR(unit))
-+ return PTR_ERR(unit);
-
- unit->gpio.gpio_privacy = gpio_privacy;
- unit->gpio.irq = irq;
---- a/drivers/media/usb/uvc/uvcvideo.h
-+++ b/drivers/media/usb/uvc/uvcvideo.h
-@@ -41,6 +41,8 @@
- #define UVC_EXT_GPIO_UNIT 0x7ffe
- #define UVC_EXT_GPIO_UNIT_ID 0x100
-
-+#define UVC_INVALID_ENTITY_ID 0xffff
-+
- /* ------------------------------------------------------------------------
- * Driver specific constants.
- */
scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
media-rc-fix-races-with-imon_disconnect.patch
-media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch
asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch
kvm-arm64-fix-softirq-masking-in-fpsimd-register-saving-sequence.patch
media-tunner-xc5000-refactor-firmware-load.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
