Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID[EOL][EOL]Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero[EOL]unique ID.[EOL][EOL]```[EOL]Each Unit and Terminal within the video function is assigned a unique[EOL]identification number, the Unit ID (UID) or Terminal ID (TID), contained in[EOL]the bUnitID or bTerminalID field of the descriptor. The value 0x00 is[EOL]reserved for undefined ID,[EOL]```[EOL][EOL]If we add a new entity with id 0 or a duplicated ID, it will be marked[EOL]as UVC_INVALID_ENTITY_ID.[EOL][EOL]In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require[EOL]entities to have a non-zero unique ID"), we ignored all the invalid units,[EOL]this broke a lot of non-compatible cameras. Hopefully we are more lucky[EOL]this time.[EOL][EOL]This also prevents some syzkaller reproducers from triggering warnings due[EOL]to a chain of entities referring to themselves. In one particular case, an[EOL]Output Unit is connected to an Input Unit, both with the same ID of 1. But[EOL]when looking up for the source ID of the Output Unit, that same entity is[EOL]found instead of the input entity, which leads to such warnings.[EOL][EOL]In another case, a backward chain was considered finished as the source ID[EOL]was 0. Later on, that entity was found, but its pads were not valid.[EOL][EOL]Here is a sample stack trace for one of those cases.[EOL][EOL][   20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd[EOL][   20.830206] usb 1-1: Using ep0 maxpacket: 8[EOL][   20.833501] usb 1-1: config 0 descriptor??[EOL][   21.038518] usb 1-1: string descriptor 0 read error: -71[EOL][   21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)[EOL][   21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized![EOL][   21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized![EOL][   21.042218] ------------[ cut here ]------------[EOL][   21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0[EOL][   21.043195] Modules linked in:[EOL][   21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444[EOL][   21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014[EOL][   21.044639] Workqueue: usb_hub_wq hub_event[EOL][   21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0[EOL][   21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00[EOL][   21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246[EOL][   21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1[EOL][   21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290[EOL][   21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000[EOL][   21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003[EOL][   21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000[EOL][   21.049648] FS:  0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000[EOL][   21.050271] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL][   21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0[EOL][   21.051136] PKRU: 55555554[EOL][   21.051331] Call Trace:[EOL][   21.051480]  <TASK>[EOL][   21.051611]  ? __warn+0xc4/0x210[EOL][   21.051861]  ? media_create_pad_link+0x2c4/0x2e0[EOL][   21.052252]  ? report_bug+0x11b/0x1a0[EOL][   21.052540]  ? trace_hardirqs_on+0x31/0x40[EOL][   21.052901]  ? handle_bug+0x3d/0x70[EOL][   21.053197]  ? exc_invalid_op+0x1a/0x50[EOL][   21.053511]  ? asm_exc_invalid_op+0x1a/0x20[EOL][   21.053924]  ? media_create_pad_link+0x91/0x2e0[EOL][   21.054364]  ? media_create_pad_link+0x2c4/0x2e0[EOL][   21.054834]  ? media_create_pad_link+0x91/0x2e0[EOL][   21.055131]  ? _raw_spin_unlock+0x1e/0x40[EOL][   21.055441]  ? __v4l2_device_register_subdev+0x202/0x210[EOL][   21.055837]  uvc_mc_register_entities+0x358/0x400[EOL][   21.056144]  uvc_register_chains+0x1[EOL]---truncated---