From nobody Tue Apr  7 04:33:35 2026
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com
 [209.85.167.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0424639A07C
	for <linux-kernel@vger.kernel.org>; Mon, 16 Mar 2026 13:34:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.167.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773668093; cv=none;
 b=oiNYaREGbIdRaR/rudFobTbD4/1UX29hGe6GeL13OuEQojymth86MzH+SVhYCGrk2id6MqGUCHZdRAUROy+WzVm0cRV3P3VBhlLi7DvHnDtAugZiDPu2MnOSEWfzM3B9gPok+2Z1TCFo3ZDh+BX40380r39OS7vabfaFaPrG258=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773668093; c=relaxed/simple;
	bh=ZqtbkN9X0RvpKTXiACrFylvAxPZu6LxQ+9wsTyXgq08=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=PxtA5PuFDCUubiCSFUg6ImGD/9QPMv37O0uXj4o7tKL5l4V51WSq3+PVcIBU1gAKmiOQSNJid1/8lUpbEIBEGmHS0jyEh93wvzeGb7qTaBn0kgkfdyTX0iFYl3z6127i1zXgN8aPbzSfT0NRyM9NUS6PVoQRPa4CeXxbhEFl/dc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org;
 spf=pass smtp.mailfrom=chromium.org;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b=OiceH/G3; arc=none smtp.client-ip=209.85.167.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=chromium.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="OiceH/G3"
Received: by mail-lf1-f51.google.com with SMTP id
 2adb3069b0e04-5a13a06fc85so5378580e87.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 16 Mar 2026 06:34:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1773668089; x=1774272889;
 darn=vger.kernel.org;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=6bVigAWa0kFOUeMtknvqHxM/1nuFW2KCUzcM3K92o58=;
        b=OiceH/G3ab3NHy4p9dksCLz87q+QYv+FiEsntgzWKueMN5vYbyP9orrP9UX2Xzto0u
         LDoVdTrPD9WdPgiscOumwGAW8wmTPpwM8t2Mmy1IRQLVP3iR0TcfFxvibHh+wdO4PjFn
         r3qFu2eI1CszRbOqG6Cx3dhTnfug9ZbmS3SsI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773668089; x=1774272889;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=6bVigAWa0kFOUeMtknvqHxM/1nuFW2KCUzcM3K92o58=;
        b=ZcInHkQkRxXd12oUuombmhVY2RIWE5yZeUEnTVQlkclxWU7J2C5Rjoq31KuBVVzQhd
         hjlZt9xWoNAEIZpZXdmETwGk8F4N4h6jQzWwU+zPeGIADC3R4CnB9bU9+WQ8ZMEecYSO
         PQL2mWrx/l2s1cWQ2HDJbhv85Smhz4LD6O8ROlm+/T5tkk2VNnxXKp2CjO7Hrmj3lnr2
         PPOUDsvpCQ/fE9gKoVlfqo2qtS00HkSnIJF/bhGy7ntOsHPJID49cVP+F3o5Fr70ywPK
         LrFBYqerPi9gTLjcUbzH7eLKhoCMLUtzqPHysYs7xJV7q+7n6mqJi09r2eYsfT4s7MrE
         07FQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCWrMGv7c0T2XytGBJpmEgHj9C12BP9/DVVIrLp4LSYL7yWJuqnC+dTYMQBGSgzPadP/o97KEvgzdl1kQc4=@vger.kernel.org
X-Gm-Message-State: AOJu0YzmkMIMV3TEKnVl88OqFVXj0NigpMcFQuKlUue51oP2X/g+DJQG
	cIoeGRww+i8uj9WOFMRkBt5aJCJhTdx6KhckWJ6+ccPVjp6LflhG/015EQ2UJMrPAX/Vdl0R7Vu
	tTlvaubBk
X-Gm-Gg: ATEYQzzD2arndW6r70VEShzN6AU9PTNBScVpLNRHx1FP1Nr/ark3evWJUB9UjD4ezaA
	mMzGP2o3DoaQpXCvbyYsBgsCZsTpSm5xKzu+OxtTaVg+Fk1Gu/dlo2YVeAG8XrTvG37SjlrZUie
	3xLgTqP33s4kUUgxykAerNyY670DiaUTLYf4xz63TFUh6XwYooP9TcjSvCk+zBqWbEaN5rzGGrB
	lEtJesEZS1GBTHaJmhGhz1TF23r/TVynrzzMDQT8N49xkRJFe/gh1ATKb5IBEnHlRBx5/ubwjEB
	kB4QhZBRiM+EAHKGrNJMjP4xPQ3NxfdKG/6hXdkk03Ex72o3CjuIFPlNukXJIde2b1vu4LSfIgL
	0LToyqSOntnvAt9z9pIGcxhRw3l1dm+usikoloX/GdcQhCKfWtdVIWXzSVVgSv16We6LfJ9det5
	osXVFDfedmeTy5g2/iWRB9+mgMJYbrnoZnluz5WmW/33xPFaSrKuc+3jW7WNpC44WRNHUozIU+e
	w==
X-Received: by 2002:ac2:50a5:0:b0:5a1:1496:920 with SMTP id
 2adb3069b0e04-5a162b124bamr3566254e87.26.1773668089070;
        Mon, 16 Mar 2026 06:34:49 -0700 (PDT)
Received: from ribalda.c.googlers.com (27.69.88.34.bc.googleusercontent.com.
 [34.88.69.27])
        by smtp.gmail.com with ESMTPSA id
 2adb3069b0e04-5a156366a7fsm3481473e87.76.2026.03.16.06.34.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 16 Mar 2026 06:34:48 -0700 (PDT)
From: Ricardo Ribalda <ribalda@chromium.org>
Date: Mon, 16 Mar 2026 13:34:46 +0000
Subject: [PATCH v3 3/4] media: uvcvideo: Introduce allow_privacy_override
 module parameter
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260316-uvcdynctrl-v3-3-19cd4657e1f3@chromium.org>
References: <20260316-uvcdynctrl-v3-0-19cd4657e1f3@chromium.org>
In-Reply-To: <20260316-uvcdynctrl-v3-0-19cd4657e1f3@chromium.org>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
 Hans de Goede <hansg@kernel.org>,
 Mauro Carvalho Chehab <mchehab@kernel.org>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-usb@vger.kernel.org, Ricardo Ribalda <ribalda@chromium.org>
X-Mailer: b4 0.14.3

Some camera modules have XU controls that can configure the behaviour of
the privacy LED.

Block mapping of those controls, unless the module is configured with
a new parameter: allow_privacy_override.

This is just an interim solution. Based on the users feedback, we will
either put the privacy controls behind a CONFIG option, or completely
block them.

Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
 drivers/media/usb/uvc/uvc_ctrl.c   | 38 ++++++++++++++++++++++++++++++++++=
++++
 drivers/media/usb/uvc/uvc_driver.c | 20 ++++++++++++++++++++
 drivers/media/usb/uvc/uvc_v4l2.c   |  7 +++++++
 drivers/media/usb/uvc/uvcvideo.h   |  2 ++
 include/linux/usb/uvc.h            |  4 ++++
 5 files changed, 71 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_c=
trl.c
index b6e020b41671..3ca108b83f1d 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -3001,6 +3001,35 @@ static int uvc_ctrl_init_xu_ctrl(struct uvc_device *=
dev,
 	return ret;
 }
=20
+bool uvc_ctrl_is_privacy_control(u8 entity[16], u8 selector)
+{
+	/*
+	 * This list is not exhaustive, it is a best effort to block access to
+	 * non documented controls that can affect user's privacy.
+	 */
+	struct privacy_control {
+		u8 entity[16];
+		u8 selector;
+	} privacy_control[] =3D {
+		{
+			.entity =3D UVC_GUID_LOGITECH_USER_HW_CONTROL_V1,
+			.selector =3D 1,
+		},
+		{
+			.entity =3D UVC_GUID_LOGITECH_PERIPHERAL,
+			.selector =3D 9,
+		},
+	};
+	int i;
+
+	for (i =3D 0; i < ARRAY_SIZE(privacy_control); i++)
+		if (!memcmp(entity, privacy_control[i].entity, 16) &&
+		    selector =3D=3D privacy_control[i].selector)
+			return true;
+
+	return false;
+}
+
 int uvc_xu_ctrl_query(struct uvc_video_chain *chain,
 	struct uvc_xu_control_query *xqry)
 {
@@ -3045,6 +3074,15 @@ int uvc_xu_ctrl_query(struct uvc_video_chain *chain,
 		return -ENOENT;
 	}
=20
+	if (uvc_ctrl_is_privacy_control(entity->guid, xqry->selector) &&
+	    !uvc_allow_privacy_override_param) {
+		dev_warn_once(&chain->dev->intf->dev,
+			      "Privacy related controls can only be accessed if module paramete=
r allow_privacy_override is true\n");
+		uvc_dbg(chain->dev, CONTROL, "Blocking access to privacy related Control=
 %pUl/%u\n",
+			entity->guid, xqry->selector);
+		return -EACCES;
+	}
+
 	if (mutex_lock_interruptible(&chain->ctrl_mutex))
 		return -ERESTARTSYS;
=20
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc=
_driver.c
index b0ca81d924b6..74c9dea29d36 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -36,6 +36,7 @@ unsigned int uvc_no_drop_param =3D 1;
 static unsigned int uvc_quirks_param =3D -1;
 unsigned int uvc_dbg_param;
 unsigned int uvc_timeout_param =3D UVC_CTRL_STREAMING_TIMEOUT;
+bool uvc_allow_privacy_override_param;
=20
 static struct usb_driver uvc_driver;
=20
@@ -2505,6 +2506,25 @@ MODULE_PARM_DESC(trace, "Trace level bitmask");
 module_param_named(timeout, uvc_timeout_param, uint, 0644);
 MODULE_PARM_DESC(timeout, "Streaming control requests timeout");
=20
+static int param_set_privacy(const char *val, const struct kernel_param *k=
p)
+{
+	pr_warn_once("uvcvideo: " DEPRECATED
+		     "allow_privacy_override parameter will be eventually removed.\n");
+	return param_set_bool(val, kp);
+}
+
+static const struct kernel_param_ops param_ops_privacy =3D {
+	.set =3D param_set_privacy,
+	.get =3D param_get_bool,
+};
+
+param_check_bool(allow_privacy_override, &uvc_allow_privacy_override_param=
);
+module_param_cb(allow_privacy_override, &param_ops_privacy,
+		&uvc_allow_privacy_override_param, 0644);
+__MODULE_PARM_TYPE(allow_privacy_override, "bool");
+MODULE_PARM_DESC(allow_privacy_override,
+		 "Allow access to privacy related controls");
+
 /* ------------------------------------------------------------------------
  * Driver initialization and cleanup
  */
diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v=
4l2.c
index f9049e9c0d3a..6d4f027c8402 100644
--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -133,6 +133,13 @@ static int uvc_ioctl_xu_ctrl_map(struct uvc_video_chai=
n *chain,
 		return -EINVAL;
 	}
=20
+	if (uvc_ctrl_is_privacy_control(xmap->entity, xmap->selector) &&
+	    !uvc_allow_privacy_override_param) {
+		dev_warn_once(&chain->dev->intf->dev,
+			      "Privacy related controls can only be mapped if module parameter =
allow_privacy_override is true\n");
+		return -EACCES;
+	}
+
 	map =3D kzalloc_obj(*map);
 	if (map =3D=3D NULL)
 		return -ENOMEM;
diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvi=
deo.h
index 8480d65ecb85..362110d58ca3 100644
--- a/drivers/media/usb/uvc/uvcvideo.h
+++ b/drivers/media/usb/uvc/uvcvideo.h
@@ -664,6 +664,7 @@ extern unsigned int uvc_no_drop_param;
 extern unsigned int uvc_dbg_param;
 extern unsigned int uvc_timeout_param;
 extern unsigned int uvc_hw_timestamps_param;
+extern bool uvc_allow_privacy_override_param;
=20
 #define uvc_dbg(_dev, flag, fmt, ...)					\
 do {									\
@@ -794,6 +795,7 @@ int uvc_xu_ctrl_query(struct uvc_video_chain *chain,
 		      struct uvc_xu_control_query *xqry);
=20
 void uvc_ctrl_cleanup_fh(struct uvc_fh *handle);
+bool uvc_ctrl_is_privacy_control(u8 entity[16], u8 selector);
=20
 /* Utility functions */
 struct usb_host_endpoint *uvc_find_endpoint(struct usb_host_interface *alt=
s,
diff --git a/include/linux/usb/uvc.h b/include/linux/usb/uvc.h
index dea23aabbad4..70c2a7d25236 100644
--- a/include/linux/usb/uvc.h
+++ b/include/linux/usb/uvc.h
@@ -49,6 +49,10 @@
 #define UVC_GUID_LOGITECH_PERIPHERAL \
 	{0x21, 0x2d, 0xe5, 0xff, 0x30, 0x80, 0x2c, 0x4e, \
 	 0x82, 0xd9, 0xf5, 0x87, 0xd0, 0x05, 0x40, 0xbd }
+#define UVC_GUID_LOGITECH_USER_HW_CONTROL_V1 \
+	{0x82, 0x06, 0x61, 0x63, 0x70, 0x50, 0xab, 0x49, \
+	 0xb8, 0xcc, 0xb3, 0x85, 0x5e, 0x8d, 0x22, 0x1f }
+
=20
 /* https://learn.microsoft.com/en-us/windows-hardware/drivers/stream/uvc-e=
xtensions-1-5#222-extension-unit-controls */
 #define UVC_MSXU_CONTROL_FOCUS			0x01

--=20
2.53.0.851.ga537e3e6e9-goog