Message ID | 20230307103421.8686-1-hdegoede@redhat.com
---|---
Series | usb: ucsi: 3 bug fixes
On Tue, Mar 07, 2023 at 11:34:20AM +0100, Hans de Goede wrote: > ucsi_init() which runs from a workqueue sets ucsi->connector and > on an error will clear it again. > > ucsi->connector gets dereferenced by ucsi_resume(), this checks for > ucsi->connector being NULL in case ucsi_init() has not finished yet; > or in case ucsi_init() has failed. > > ucsi_init() setting ucsi->connector and then clearing it again on > an error creates a race where the check in ucsi_resume() may pass, > only to have ucsi->connector free-ed underneath it when ucsi_init() > hits an error. > > Fix this race by making ucsi_init() store the connector array in > a local variable and only assign it to ucsi->connector on success. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > Changes in v3: > - Assign connector[i].index before calling ucsi_register_port() instead of > passing i to ucsi_register_port() > --- > drivers/usb/typec/ucsi/ucsi.c | 22 +++++++++------------- > 1 file changed, 9 insertions(+), 13 deletions(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 8cbbb002fefe..086b50968983 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1039,9 +1039,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con) > return NULL; > } > > -static int ucsi_register_port(struct ucsi *ucsi, int index) > +static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con) > { > - struct ucsi_connector *con = &ucsi->connector[index]; > struct typec_capability *cap = &con->typec_cap; > enum typec_accessory *accessory = cap->accessory; > enum usb_role u_role = USB_ROLE_NONE; 
> @@ -1062,7 +1061,6 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) > init_completion(&con->complete); > mutex_init(&con->lock); > INIT_LIST_HEAD(&con->partner_tasks); > - con->num = index + 1; > con->ucsi = ucsi; > > cap->fwnode = ucsi_find_fwnode(con); > @@ -1204,7 +1202,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) > */ > static int ucsi_init(struct ucsi *ucsi) > { > - struct ucsi_connector *con; > + struct ucsi_connector *con, *connector; > u64 command, ntfy; > int ret; > int i; > @@ -1235,16 +1233,16 @@ static int ucsi_init(struct ucsi *ucsi) > } > > /* Allocate the connectors. Released in ucsi_unregister() */ > - ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1, > - sizeof(*ucsi->connector), GFP_KERNEL); > - if (!ucsi->connector) { > + connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL); > + if (!connector) { > ret = -ENOMEM; > goto err_reset; > } > > /* Register all connectors */ > for (i = 0; i < ucsi->cap.num_connectors; i++) { > - ret = ucsi_register_port(ucsi, i); > + connector[i].num = i + 1; > + ret = ucsi_register_port(ucsi, &connector[i]); > if (ret) > goto err_unregister; > } > @@ -1256,11 +1254,12 @@ static int ucsi_init(struct ucsi *ucsi) > if (ret < 0) > goto err_unregister; > > + ucsi->connector = connector; > ucsi->ntfy = ntfy; > return 0; > > err_unregister: > - for (con = ucsi->connector; con->port; con++) { > + for (con = connector; con->port; con++) { > ucsi_unregister_partner(con); > ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON); > ucsi_unregister_port_psy(con); > @@ -1269,10 +1268,7 @@ static int ucsi_init(struct ucsi *ucsi) > typec_unregister_port(con->port); > con->port = NULL; > } > - > - kfree(ucsi->connector); > - ucsi->connector = NULL; > - > + kfree(connector); > err_reset: > memset(&ucsi->cap, 0, sizeof(ucsi->cap)); > ucsi_reset_ppm(ucsi); > -- > 2.39.1
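Review bot: with `con->num = index + 1;` dropped from ucsi_register_port() (hunk at -1062, together with the new `struct ucsi_connector *con` parameter in the hunk at -1039) the function now silently depends on its caller having initialised con->num before the call. The only caller in this patch does so, but a one-line comment above ucsi_register_port() stating that the caller must set con->num would keep a future second caller from registering a port with num == 0.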
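Review bot: the v3 changelog says "Assign connector[i].index before calling ucsi_register_port()", but the hunk at -1235 assigns `connector[i].num = i + 1;`; no `index` field appears in the added lines, so the changelog should say connector[i].num to match the code. Otherwise the hunk is sound: kcalloc() keeps the extra `+ 1` zeroed entry that the `for (con = connector; con->port; con++)` cleanup loop relies on as its terminator.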
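Review bot: `ucsi->connector = connector;` in the hunk at -1256 is now the single point where the array becomes visible to ucsi_resume(), and that placement is the whole fix, so it deserves a short comment saying the pointer is published only after every port is registered and the notification mask is accepted, and that ucsi_resume()'s NULL check depends on it never being cleared again before ucsi_unregister(). The store is a plain assignment; if ucsi_resume() can genuinely run concurrently with ucsi_init() on a weakly ordered CPU, a sentence in the commit message on why no release/acquire pairing is needed (or using smp_store_release() here) would make the intent explicit.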
On Tue, Mar 07, 2023 at 11:34:20AM +0100, Hans de Goede wrote:
> ucsi_init() which runs from a workqueue sets ucsi->connector and
> on an error will clear it again.
>
> ucsi->connector gets dereferenced by ucsi_resume(), this checks for
> ucsi->connector being NULL in case ucsi_init() has not finished yet;
> or in case ucsi_init() has failed.
>
> ucsi_init() setting ucsi->connector and then clearing it again on
> an error creates a race where the check in ucsi_resume() may pass,
> only to have ucsi->connector free-ed underneath it when ucsi_init()
> hits an error.
>
> Fix this race by making ucsi_init() store the connector array in
> a local variable and only assign it to ucsi->connector on success.
>
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
> Changes in v3:
> - Assign connector[i].index before calling ucsi_register_port() instead of
> passing i to ucsi_register_port()

You forgot to rebase this. It does not apply.

thanks,
Hi,

On 3/8/23 14:28, Heikki Krogerus wrote:
> On Tue, Mar 07, 2023 at 11:34:20AM +0100, Hans de Goede wrote:
>> ucsi_init() which runs from a workqueue sets ucsi->connector and
>> on an error will clear it again.
>>
>> ucsi->connector gets dereferenced by ucsi_resume(), this checks for
>> ucsi->connector being NULL in case ucsi_init() has not finished yet;
>> or in case ucsi_init() has failed.
>>
>> ucsi_init() setting ucsi->connector and then clearing it again on
>> an error creates a race where the check in ucsi_resume() may pass,
>> only to have ucsi->connector free-ed underneath it when ucsi_init()
>> hits an error.
>>
>> Fix this race by making ucsi_init() store the connector array in
>> a local variable and only assign it to ucsi->connector on success.
>>
>> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> ---
>> Changes in v3:
>> - Assign connector[i].index before calling ucsi_register_port() instead of
>> passing i to ucsi_register_port()
>
> You forgot to rebase this. It does not apply.

Ugh my bad, sorry about that. I'll send out a v4 fixing this.

Regards,

Hans