From: Ricardo Ribalda <ribalda@chromium.org> mainline inclusion from mainline-v5.11-rc1 commit cae79e50d1222010fde8c522410c315f74d35c40 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/7922 CVE: CVE-2025-40016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Increase the size of the id, to avoid collisions with entities implemented by the driver that are not part of the UVC device. Entities exposed by the UVC device use IDs 0-255, extra entities implemented by the driver (such as the GPIO entity) use IDs 256 and up. Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Conflicts: drivers/media/usb/uvc/uvc_driver.c drivers/media/usb/uvc/uvcvideo.h [Context conflicts] Signed-off-by: Long Li <leo.lilong@huawei.com> --- drivers/media/usb/uvc/uvc_driver.c | 2 +- drivers/media/usb/uvc/uvcvideo.h | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 12fa3ff387a8..1992f85a23a7 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1019,7 +1019,7 @@ static int uvc_parse_streaming(struct uvc_device *dev, return ret; } -static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, +static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, unsigned int num_pads, unsigned int extra_size) { struct uvc_entity *entity; diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 3edf454c164f..f90db96b614a 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -302,7 +302,12 @@ struct uvc_entity { * chain. */ unsigned int flags; - u8 id; + /* + * Entities exposed by the UVC device use IDs 0-255, extra entities + * implemented by the driver (such as the GPIO entity) use IDs 256 and + * up. + */ + u16 id; u16 type; char name[64]; -- 2.39.2