| Message ID | 20230306103359.6591-1-hdegoede@redhat.com |
|---|---|
| Headers | show |
| Series | usb: ucsi: 3 bug fixes | expand |
On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote: > When ucsi_init() fails, ucsi->connector is NULL, yet in case of > ucsi_acpi we may still get events which cause the ucs_acpi code to call > ucsi_connector_change(), which then derefs the NULL ucsi->connector > pointer. > > Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init() > has succeeded, so that ucsi_connector_change() ignores the events > because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > Changes in v2: > -Delay setting ucsi->ntfy in ucsi_init() instead of adding a NULL pointer > check to ucsi_connector_change() > --- > drivers/usb/typec/ucsi/ucsi.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 1cf8947c6d66..8cbbb002fefe 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1205,7 +1205,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) > static int ucsi_init(struct ucsi *ucsi) > { > struct ucsi_connector *con; > - u64 command; > + u64 command, ntfy; > int ret; > int i; > > @@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Enable basic notifications */ > - ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; > - command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; > + ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; > + command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; > ret = ucsi_send_command(ucsi, command, NULL, 0); > if (ret < 0) > goto err_reset; > @@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Enable all notifications */ > - ucsi->ntfy = UCSI_ENABLE_NTFY_ALL; > - command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; > + ntfy = UCSI_ENABLE_NTFY_ALL; > + command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; > ret = ucsi_send_command(ucsi, command, NULL, 0); > if (ret < 0) > goto err_unregister; > > + ucsi->ntfy = ntfy; > return 0; > > err_unregister: > -- > 2.39.1
Hi Hans, On Mon, Mar 06, 2023 at 11:33:58AM +0100, Hans de Goede wrote: > ucsi_init() which runs from a workqueue sets ucsi->connector and > on an error will clear it again. > > ucsi->connector gets dereferenced by ucsi_resume(), this checks for > ucsi->connector being NULL in case ucsi_init() has not finished yet; > or in case ucsi_init() has failed. > > ucsi_init() setting ucsi->connector and then clearing it again on > an error creates a race where the check in ucsi_resume() may pass, > only to have ucsi->connector free-ed underneath it when ucsi_init() > hits an error. > > Fix this race by making ucsi_init() store the connector array in > a local variable and only assign it to ucsi->connector on success. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> This does not apply anymore on top of Greg's usb-next. I think you need to rebase. While at it, I have one nit below... > --- > drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++------------ > 1 file changed, 8 insertions(+), 12 deletions(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 8cbbb002fefe..15a2c91581a8 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1039,9 +1039,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con) > return NULL; > } > > -static int ucsi_register_port(struct ucsi *ucsi, int index) > +static int ucsi_register_port(struct ucsi *ucsi, int index, struct ucsi_connector *con) If con->num was set before this function is called, you don't need "index" at all: static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con) > { > - struct ucsi_connector *con = &ucsi->connector[index]; > struct typec_capability *cap = &con->typec_cap; > enum typec_accessory *accessory = cap->accessory; > enum usb_role u_role = USB_ROLE_NONE; > @@ -1204,7 +1203,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) > */ > static int ucsi_init(struct ucsi *ucsi) > { > - struct ucsi_connector *con; > + struct ucsi_connector *con, *connector; > u64 command, ntfy; > int ret; > int i; > @@ -1235,16 +1234,15 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Allocate the connectors. Released in ucsi_unregister() */ > - ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1, > - sizeof(*ucsi->connector), GFP_KERNEL); > - if (!ucsi->connector) { > + connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL); > + if (!connector) { > ret = -ENOMEM; > goto err_reset; > } > > /* Register all connectors */ > for (i = 0; i < ucsi->cap.num_connectors; i++) { > - ret = ucsi_register_port(ucsi, i); Assign it here: connector[i].num = i + 1; > + ret = ucsi_register_port(ucsi, i, &connector[i]); > if (ret) > goto err_unregister; > } > @@ -1256,11 +1254,12 @@ static int ucsi_init(struct ucsi *ucsi) > if (ret < 0) > goto err_unregister; > > + ucsi->connector = connector; > ucsi->ntfy = ntfy; > return 0; > > err_unregister: > - for (con = ucsi->connector; con->port; con++) { > + for (con = connector; con->port; con++) { > ucsi_unregister_partner(con); > ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON); > ucsi_unregister_port_psy(con); > @@ -1269,10 +1268,7 @@ static int ucsi_init(struct ucsi *ucsi) > typec_unregister_port(con->port); > con->port = NULL; > } > - > - kfree(ucsi->connector); > - ucsi->connector = NULL; > - > + kfree(connector); > err_reset: > memset(&ucsi->cap, 0, sizeof(ucsi->cap)); > ucsi_reset_ppm(ucsi); thanks,
Hi Hans, On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote: > When ucsi_init() fails, ucsi->connector is NULL, yet in case of > ucsi_acpi we may still get events which cause the ucs_acpi code to call > ucsi_connector_change(), which then derefs the NULL ucsi->connector > pointer. > > Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init() > has succeeded, so that ucsi_connector_change() ignores the events > because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> There is now a bug report for this in the kernel.org bugzilla. Can you add a Link tag pointing to it so the it gets updated automagically: Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106 Thanks, > --- > Changes in v2: > -Delay setting ucsi->ntfy in ucsi_init() instead of adding a NULL pointer > check to ucsi_connector_change() > --- > drivers/usb/typec/ucsi/ucsi.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 1cf8947c6d66..8cbbb002fefe 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1205,7 +1205,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) > static int ucsi_init(struct ucsi *ucsi) > { > struct ucsi_connector *con; > - u64 command; > + u64 command, ntfy; > int ret; > int i; > > @@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Enable basic notifications */ > - ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; > - command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; > + ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; > + command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; > ret = ucsi_send_command(ucsi, command, NULL, 0); > if (ret < 0) > goto err_reset; > @@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Enable all notifications */ > - ucsi->ntfy = UCSI_ENABLE_NTFY_ALL; > - command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; > + ntfy = UCSI_ENABLE_NTFY_ALL; > + command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; > ret = ucsi_send_command(ucsi, command, NULL, 0); > if (ret < 0) > goto err_unregister; > > + ucsi->ntfy = ntfy; > return 0; > > err_unregister: > -- > 2.39.1
On Tue, Mar 07, 2023 at 11:17:05AM +0200, Heikki Krogerus wrote: > Hi Hans, > > On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote: > > When ucsi_init() fails, ucsi->connector is NULL, yet in case of > > ucsi_acpi we may still get events which cause the ucs_acpi code to call > > ucsi_connector_change(), which then derefs the NULL ucsi->connector > > pointer. > > > > Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init() > > has succeeded, so that ucsi_connector_change() ignores the events > > because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask. > > > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > > Cc: stable@vger.kernel.org > > Signed-off-by: Hans de Goede <hdegoede@redhat.com> > > There is now a bug report for this in the kernel.org bugzilla. Can you > add a Link tag pointing to it so the it gets updated automagically: > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106 My tools should pick this up, thanks. greg k-h