[PATCH 2/2] media: uvcvideo: require entities to have a non-zero ID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Per UVC 1.5 specification, units and terminals must have a non-zero ID.

So, deny allocating an entity with a 0 ID.

This also prevents some syzkaller reproducers from triggering warnings due
to a backward chain which is considered finished as the source ID is 0.
Later on, that entity is found, but its pads are not valid.

[   26.840968] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   27.051040] usb 1-1: Using ep0 maxpacket: 8
[   27.071823] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[   27.151406] usb 1-1: config 0 descriptor??
[   27.656382] usb 1-1: Found UVC 0.00 device <unnamed> (0bd3:0d55)
[   27.663246] pubrepro2 (533) used greatest stack depth: 10776 bytes left
[   27.720063] uvcvideo 1-1:0.0: Entity type for entity Output 255 was not initialized!
[   27.741991] ------------[ cut here ]------------
[   27.744566] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1144 media_create_pad_link+0x2bc/0x2e0
[   27.749558] Modules linked in:
[   27.751791] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
[   27.756432] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[   27.760678] Workqueue: usb_hub_wq hub_event
[   27.762941] RIP: 0010:media_create_pad_link+0x2bc/0x2e0
[   27.765711] Code: c0 eb 10 4c 89 f7 4c 89 fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 <0f> 0b eb 0a 0f 0b eb 06 0f 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66
[   27.775169] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
[   27.779654] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccad
[   27.784120] RDX: 0000000000000a4e RSI: 0000000000000000 RDI: ffff888004b940b8
[   27.789098] RBP: 0000000000000000 R08: 0001ffffffffffff R09: 0000000000000000
[   27.793848] R10: 0000000000000014 R11: 0001888004b940b8 R12: 0000000000000003
[   27.797876] R13: ffff888004f27080 R14: ffff888004b94080 R15: 0000000000000000
[   27.804270] FS:  0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[   27.808541] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.812003] CR2: 0000578d13848018 CR3: 0000000004b40000 CR4: 0000000000750ef0
[   27.816142] PKRU: 55555554
[   27.817778] Call Trace:
[   27.819195]  <TASK>
[   27.820492]  ? __warn+0xc4/0x210
[   27.823079]  ? media_create_pad_link+0x2bc/0x2e0
[   27.826014]  ? report_bug+0x11b/0x1a0
[   27.827976]  ? handle_bug+0x3d/0x70
[   27.830074]  ? exc_invalid_op+0x1a/0x50
[   27.832903]  ? asm_exc_invalid_op+0x1a/0x20
[   27.836194]  ? media_create_pad_link+0x4d/0x2e0
[   27.840070]  ? media_create_pad_link+0x2bc/0x2e0
[   27.842879]  ? media_create_pad_link+0x4d/0x2e0
[   27.847327]  ? _raw_spin_unlock+0x1e/0x40
[   27.849827]  ? __v4l2_device_register_subdev+0x202/0x210
[   27.852753]  uvc_mc_register_entities+0x358/0x400
[   27.855335]  uvc_register_chains+0x1fd/0x290
[   27.857622]  uvc_probe+0x380e/0x3dc0
[   27.859547]  ? __lock_acquire+0x5aa/0x26e0
[   27.861876]  ? find_held_lock+0x33/0xa0
[   27.864068]  ? kernfs_activate+0x70/0x80
[   27.866231]  ? usb_match_dynamic_id+0x1b/0x70
[   27.869323]  ? find_held_lock+0x33/0xa0
[   27.871595]  ? usb_match_dynamic_id+0x55/0x70
[   27.874363]  ? lock_release+0x124/0x260
[   27.877941]  ? usb_match_one_id_intf+0xa2/0x100
[   27.881568]  usb_probe_interface+0x1ba/0x330
[   27.884095]  really_probe+0x1ba/0x4c0
[   27.887244]  __driver_probe_device+0xb2/0x180
[   27.891340]  driver_probe_device+0x5a/0x100
[   27.895146]  __device_attach_driver+0xe9/0x160
[   27.899163]  ? __pfx___device_attach_driver+0x10/0x10
[   27.902074]  bus_for_each_drv+0xa9/0x100
[   27.904215]  __device_attach+0xed/0x190
[   27.906374]  device_initial_probe+0xe/0x20
[   27.908604]  bus_probe_device+0x4d/0xd0
[   27.910876]  device_add+0x308/0x590
[   27.912874]  usb_set_configuration+0x7b6/0xaf0
[   27.915194]  usb_generic_driver_probe+0x36/0x80
[   27.917720]  usb_probe_device+0x7b/0x130
[   27.919813]  really_probe+0x1ba/0x4c0
[   27.921836]  __driver_probe_device+0xb2/0x180
[   27.924258]  driver_probe_device+0x5a/0x100
[   27.926471]  __device_attach_driver+0xe9/0x160
[   27.928865]  ? __pfx___device_attach_driver+0x10/0x10
[   27.931675]  bus_for_each_drv+0xa9/0x100
[   27.933829]  __device_attach+0xed/0x190
[   27.935994]  device_initial_probe+0xe/0x20
[   27.938287]  bus_probe_device+0x4d/0xd0
[   27.940356]  device_add+0x308/0x590
[   27.942538]  usb_new_device+0x347/0x610
[   27.944599]  hub_event+0x156b/0x1e30
[   27.946522]  ? process_scheduled_works+0x48b/0xaf0
[   27.949049]  process_scheduled_works+0x5a3/0xaf0
[   27.951579]  worker_thread+0x3cf/0x560
[   27.953644]  ? kthread+0x109/0x1b0
[   27.955506]  kthread+0x197/0x1b0
[   27.957290]  ? __pfx_worker_thread+0x10/0x10
[   27.959574]  ? __pfx_kthread+0x10/0x10
[   27.961654]  ret_from_fork+0x32/0x40
[   27.963630]  ? __pfx_kthread+0x10/0x10
[   27.965636]  ret_from_fork_asm+0x1a/0x30
[   27.967739]  </TASK>

Reported-by: syzbot+0584f746fde3d52b4675@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
Reported-by: syzbot+dd320d114deb3f5bb79b@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxx>
---
 drivers/media/usb/uvc/uvc_driver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index a6973b0ba676..be3e77308ecb 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -783,6 +783,10 @@ static struct uvc_entity *uvc_alloc_entity(struct uvc_device *dev, u16 type,
 	unsigned int size;
 	unsigned int i;
 
+	/* Per UVC 1.5 spec, the ID should be non-zero */
+	if (id == 0)
+		return NULL;
+
 	/* Per UVC 1.5 spec, the ID is unique */
 	if (uvc_entity_by_id(dev, id))
 		return NULL;
-- 
2.34.1





[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux