* [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors @ 2024-04-18 14:57 Johan Hovold 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold 0 siblings, 2 replies; 9+ messages in thread From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw) To: Bryan O'Donoghue, Heikki Krogerus Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, Johan Hovold When reviewing a patch updating the qcom-pmic typec driver, I noticed that the error handling is broken and can lead to use-after-free. This series addresses the use-after-free and also fixes the error handling in the pdphy_start() callback which failed to disable its supply in all error paths. The latter fix is not marked for stable on purpose as its not a critical fix (I'm sure autosel will disagree). Johan Johan Hovold (2): usb: typec: qcom-pmic: fix use-after-free on late probe errors usb: typec: qcom-pmic: fix pdphy start() error handling drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++-- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++---- 2 files changed, 13 insertions(+), 6 deletions(-) -- 2.43.2 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors 2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold @ 2024-04-18 14:57 ` Johan Hovold 2024-04-18 17:45 ` Dmitry Baryshkov ` (2 more replies) 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold 1 sibling, 3 replies; 9+ messages in thread From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw) To: Bryan O'Donoghue, Heikki Krogerus Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, Johan Hovold, stable Make sure to stop and deregister the port in case of late probe errors to avoid use-after-free issues when the underlying memory is released by devres. Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") Cc: stable@vger.kernel.org # 6.5 Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Johan Hovold <johan+linaro@kernel.org> --- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c index e48412cdcb0f..d3958c061a97 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) ret = tcpm->port_start(tcpm, tcpm->tcpm_port); if (ret) - goto fwnode_remove; + goto port_unregister; ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port); if (ret) - goto fwnode_remove; + goto port_stop; return 0; +port_stop: + tcpm->port_stop(tcpm); +port_unregister: + tcpm_unregister_port(tcpm->tcpm_port); fwnode_remove: fwnode_remove_software_node(tcpm->tcpc.fwnode); -- 2.43.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold @ 2024-04-18 17:45 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:13 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Dmitry Baryshkov @ 2024-04-18 17:45 UTC (permalink / raw) To: Johan Hovold Cc: Bryan O'Donoghue, Heikki Krogerus, Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, linux-arm-msm, linux-usb, linux-kernel, stable On Thu, Apr 18, 2024 at 04:57:29PM +0200, Johan Hovold wrote: > Make sure to stop and deregister the port in case of late probe errors > to avoid use-after-free issues when the underlying memory is released by > devres. > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Cc: stable@vger.kernel.org # 6.5 > Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org> > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> -- With best wishes Dmitry ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold 2024-04-18 17:45 ` Dmitry Baryshkov @ 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:13 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Bryan O'Donoghue @ 2024-04-18 23:41 UTC (permalink / raw) To: Johan Hovold, Heikki Krogerus Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, stable On 18/04/2024 15:57, Johan Hovold wrote: > Make sure to stop and deregister the port in case of late probe errors > to avoid use-after-free issues when the underlying memory is released by > devres. > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Cc: stable@vger.kernel.org # 6.5 > Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org> > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > index e48412cdcb0f..d3958c061a97 100644 > --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) > > ret = tcpm->port_start(tcpm, tcpm->tcpm_port); > if (ret) > - goto fwnode_remove; > + goto port_unregister; > > ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port); > if (ret) > - goto fwnode_remove; > + goto port_stop; > > return 0; > > +port_stop: > + tcpm->port_stop(tcpm); > +port_unregister: > + tcpm_unregister_port(tcpm->tcpm_port); > fwnode_remove: > fwnode_remove_software_node(tcpm->tcpc.fwnode); > Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold 2024-04-18 17:45 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue @ 2024-04-22 11:13 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Heikki Krogerus @ 2024-04-22 11:13 UTC (permalink / raw) To: Johan Hovold Cc: Bryan O'Donoghue, Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, stable On Thu, Apr 18, 2024 at 04:57:29PM +0200, Johan Hovold wrote: > Make sure to stop and deregister the port in case of late probe errors > to avoid use-after-free issues when the underlying memory is released by > devres. > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Cc: stable@vger.kernel.org # 6.5 > Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org> > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > index e48412cdcb0f..d3958c061a97 100644 > --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c > @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) > > ret = tcpm->port_start(tcpm, tcpm->tcpm_port); > if (ret) > - goto fwnode_remove; > + goto port_unregister; > > ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port); > if (ret) > - goto fwnode_remove; > + goto port_stop; > > return 0; > > +port_stop: > + tcpm->port_stop(tcpm); > +port_unregister: > + tcpm_unregister_port(tcpm->tcpm_port); > fwnode_remove: > fwnode_remove_software_node(tcpm->tcpc.fwnode); > > -- > 2.43.2 -- heikki ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling 2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold @ 2024-04-18 14:57 ` Johan Hovold 2024-04-18 18:00 ` Dmitry Baryshkov ` (2 more replies) 1 sibling, 3 replies; 9+ messages in thread From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw) To: Bryan O'Donoghue, Heikki Krogerus Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, Johan Hovold Move disabling of the vdd-pdphy supply to the start() function which enabled it for symmetry and to make sure that it is disabled as intended in all error paths of pmic_typec_pdphy_reset() (i.e. not just when qcom_pmic_typec_pdphy_enable() fails). Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") Signed-off-by: Johan Hovold <johan+linaro@kernel.org> --- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c index 6560f4fc98d5..5b7f52b74a40 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy); done: - if (ret) { - regulator_disable(pmic_typec_pdphy->vdd_pdphy); + if (ret) dev_err(dev, "pdphy_enable fail %d\n", ret); - } return ret; } @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm, ret = pmic_typec_pdphy_reset(pmic_typec_pdphy); if (ret) - return ret; + goto err_disable_vdd_pdhy; for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++) enable_irq(pmic_typec_pdphy->irq_data[i].irq); return 0; + +err_disable_vdd_pdhy: + regulator_disable(pmic_typec_pdphy->vdd_pdphy); + + return ret; } static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm) -- 2.43.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold @ 2024-04-18 18:00 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:20 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Dmitry Baryshkov @ 2024-04-18 18:00 UTC (permalink / raw) To: Johan Hovold Cc: Bryan O'Donoghue, Heikki Krogerus, Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, linux-arm-msm, linux-usb, linux-kernel On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote: > Move disabling of the vdd-pdphy supply to the start() function which > enabled it for symmetry and to make sure that it is disabled as intended > in all error paths of pmic_typec_pdphy_reset() (i.e. not just when > qcom_pmic_typec_pdphy_enable() fails). > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> -- With best wishes Dmitry ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold 2024-04-18 18:00 ` Dmitry Baryshkov @ 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:20 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Bryan O'Donoghue @ 2024-04-18 23:41 UTC (permalink / raw) To: Johan Hovold, Heikki Krogerus Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel On 18/04/2024 15:57, Johan Hovold wrote: > Move disabling of the vdd-pdphy supply to the start() function which > enabled it for symmetry and to make sure that it is disabled as intended > in all error paths of pmic_typec_pdphy_reset() (i.e. not just when > qcom_pmic_typec_pdphy_enable() fails). > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > index 6560f4fc98d5..5b7f52b74a40 100644 > --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph > > qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy); > done: > - if (ret) { > - regulator_disable(pmic_typec_pdphy->vdd_pdphy); > + if (ret) > dev_err(dev, "pdphy_enable fail %d\n", ret); > - } > > return ret; > } > @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm, > > ret = pmic_typec_pdphy_reset(pmic_typec_pdphy); > if (ret) > - return ret; > + goto err_disable_vdd_pdhy; > > for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++) > enable_irq(pmic_typec_pdphy->irq_data[i].irq); > > return 0; > + > +err_disable_vdd_pdhy: > + regulator_disable(pmic_typec_pdphy->vdd_pdphy); > + > + return ret; > } > > static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm) Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold 2024-04-18 18:00 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue @ 2024-04-22 11:20 ` Heikki Krogerus 2 siblings, 0 replies; 9+ messages in thread From: Heikki Krogerus @ 2024-04-22 11:20 UTC (permalink / raw) To: Johan Hovold Cc: Bryan O'Donoghue, Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote: > Move disabling of the vdd-pdphy supply to the start() function which > enabled it for symmetry and to make sure that it is disabled as intended > in all error paths of pmic_typec_pdphy_reset() (i.e. not just when > qcom_pmic_typec_pdphy_enable() fails). > > Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > index 6560f4fc98d5..5b7f52b74a40 100644 > --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c > @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph > > qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy); > done: > - if (ret) { > - regulator_disable(pmic_typec_pdphy->vdd_pdphy); > + if (ret) > dev_err(dev, "pdphy_enable fail %d\n", ret); > - } > > return ret; > } > @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm, > > ret = pmic_typec_pdphy_reset(pmic_typec_pdphy); > if (ret) > - return ret; > + goto err_disable_vdd_pdhy; > > for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++) > enable_irq(pmic_typec_pdphy->irq_data[i].irq); > > return 0; > + > +err_disable_vdd_pdhy: > + regulator_disable(pmic_typec_pdphy->vdd_pdphy); > + > + return ret; > } > > static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm) > -- > 2.43.2 -- heikki ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-04-22 11:20 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold 2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold 2024-04-18 17:45 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:13 ` Heikki Krogerus 2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold 2024-04-18 18:00 ` Dmitry Baryshkov 2024-04-18 23:41 ` Bryan O'Donoghue 2024-04-22 11:20 ` Heikki Krogerus
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox