From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Hans de Goede <hdegoede@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 2/3] usb: ucsi: Fix ucsi->connector race
Date: Tue, 7 Mar 2023 09:46:46 +0200 [thread overview]
Message-ID: <ZAbr5hdNf/jChLF0@kuha.fi.intel.com> (raw)
In-Reply-To: <20230306103359.6591-3-hdegoede@redhat.com>
Hi Hans,
On Mon, Mar 06, 2023 at 11:33:58AM +0100, Hans de Goede wrote:
> ucsi_init() which runs from a workqueue sets ucsi->connector and
> on an error will clear it again.
>
> ucsi->connector gets dereferenced by ucsi_resume(), this checks for
> ucsi->connector being NULL in case ucsi_init() has not finished yet;
> or in case ucsi_init() has failed.
>
> ucsi_init() setting ucsi->connector and then clearing it again on
> an error creates a race where the check in ucsi_resume() may pass,
> only to have ucsi->connector free-ed underneath it when ucsi_init()
> hits an error.
>
> Fix this race by making ucsi_init() store the connector array in
> a local variable and only assign it to ucsi->connector on success.
>
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This does not apply anymore on top of Greg's usb-next. I think you
need to rebase. While at it, I have one nit below...
> ---
> drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++------------
> 1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 8cbbb002fefe..15a2c91581a8 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1039,9 +1039,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con)
> return NULL;
> }
>
> -static int ucsi_register_port(struct ucsi *ucsi, int index)
> +static int ucsi_register_port(struct ucsi *ucsi, int index, struct ucsi_connector *con)
If con->num was set before this function is called, you don't need
"index" at all:
static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con)
> {
> - struct ucsi_connector *con = &ucsi->connector[index];
> struct typec_capability *cap = &con->typec_cap;
> enum typec_accessory *accessory = cap->accessory;
> enum usb_role u_role = USB_ROLE_NONE;
> @@ -1204,7 +1203,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
> */
> static int ucsi_init(struct ucsi *ucsi)
> {
> - struct ucsi_connector *con;
> + struct ucsi_connector *con, *connector;
> u64 command, ntfy;
> int ret;
> int i;
> @@ -1235,16 +1234,15 @@ static int ucsi_init(struct ucsi *ucsi)
> }
>
> /* Allocate the connectors. Released in ucsi_unregister() */
> - ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1,
> - sizeof(*ucsi->connector), GFP_KERNEL);
> - if (!ucsi->connector) {
> + connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL);
> + if (!connector) {
> ret = -ENOMEM;
> goto err_reset;
> }
>
> /* Register all connectors */
> for (i = 0; i < ucsi->cap.num_connectors; i++) {
> - ret = ucsi_register_port(ucsi, i);
Assign it here:
connector[i].num = i + 1;
> + ret = ucsi_register_port(ucsi, i, &connector[i]);
> if (ret)
> goto err_unregister;
> }
> @@ -1256,11 +1254,12 @@ static int ucsi_init(struct ucsi *ucsi)
> if (ret < 0)
> goto err_unregister;
>
> + ucsi->connector = connector;
> ucsi->ntfy = ntfy;
> return 0;
>
> err_unregister:
> - for (con = ucsi->connector; con->port; con++) {
> + for (con = connector; con->port; con++) {
> ucsi_unregister_partner(con);
> ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON);
> ucsi_unregister_port_psy(con);
> @@ -1269,10 +1268,7 @@ static int ucsi_init(struct ucsi *ucsi)
> typec_unregister_port(con->port);
> con->port = NULL;
> }
> -
> - kfree(ucsi->connector);
> - ucsi->connector = NULL;
> -
> + kfree(connector);
> err_reset:
> memset(&ucsi->cap, 0, sizeof(ucsi->cap));
> ucsi_reset_ppm(ucsi);
thanks,
--
heikki
next prev parent reply other threads:[~2023-03-07 7:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-06 10:33 [PATCH v2 0/3] usb: ucsi: 3 bug fixes Hans de Goede
2023-03-06 10:33 ` [PATCH v2 1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change() Hans de Goede
2023-03-07 7:32 ` Heikki Krogerus
2023-03-07 9:17 ` Heikki Krogerus
2023-03-07 9:28 ` Greg Kroah-Hartman
2023-03-06 10:33 ` [PATCH v2 2/3] usb: ucsi: Fix ucsi->connector race Hans de Goede
2023-03-07 7:46 ` Heikki Krogerus [this message]
2023-03-06 10:33 ` [PATCH v2 3/3] usb: ucsi_acpi: Increase the command completion timeout Hans de Goede
2023-03-07 7:47 ` Heikki Krogerus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZAbr5hdNf/jChLF0@kuha.fi.intel.com \
--to=heikki.krogerus@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.