| Message ID | 20230228090305.9335-1-hdegoede@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change() | expand |
On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote: > When ucsi_init() fails, ucsi->connector is NULL, yet in case of > ucsi_acpi we may still get events which cause the ucs_acpi code to call > ucsi_connector_change(), which then derefs the NULL ucsi->connector > pointer. > > Fix this by adding a check for ucsi->connector being NULL, as is > already done in ucsi_resume() for similar reasons. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> > --- > drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 1cf8947c6d66..e762897cb25a 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) > */ > void ucsi_connector_change(struct ucsi *ucsi, u8 num) > { > - struct ucsi_connector *con = &ucsi->connector[num - 1]; > + struct ucsi_connector *con; > + > + /* Check for ucsi_init() failure */ > + if (!ucsi->connector) > + return; > + > + con = &ucsi->connector[num - 1]; What prevents ->connector from changing to NULL right after you check this and before you dereference it again? thanks, greg k-h
On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote: > When ucsi_init() fails, ucsi->connector is NULL, yet in case of > ucsi_acpi we may still get events which cause the ucs_acpi code to call > ucsi_connector_change(), which then derefs the NULL ucsi->connector > pointer. > > Fix this by adding a check for ucsi->connector being NULL, as is > already done in ucsi_resume() for similar reasons. > > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > Cc: stable@vger.kernel.org > Signed-off-by: Hans de Goede <hdegoede@redhat.com> > --- > drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 1cf8947c6d66..e762897cb25a 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) > */ > void ucsi_connector_change(struct ucsi *ucsi, u8 num) > { > - struct ucsi_connector *con = &ucsi->connector[num - 1]; > + struct ucsi_connector *con; > + > + /* Check for ucsi_init() failure */ > + if (!ucsi->connector) > + return; > + > + con = &ucsi->connector[num - 1]; > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > dev_dbg(ucsi->dev, "Bogus connector change event\n"); I think we should try to rely on that ucsi->ntfy. Would this work: diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index fe1963e328378..0da1e9c66971a 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) */ void ucsi_connector_change(struct ucsi *ucsi, u8 num) { - struct ucsi_connector *con = &ucsi->connector[num - 1]; - if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { dev_dbg(ucsi->dev, "Bogus connector change event\n"); return; } if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags)) - schedule_work(&con->work); + schedule_work(&ucsi->connector[num - 1].work); } EXPORT_SYMBOL_GPL(ucsi_connector_change); @@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi) ucsi->connector = NULL; err_reset: + ucsi->ntfy = 0; memset(&ucsi->cap, 0, sizeof(ucsi->cap)); ucsi_reset_ppm(ucsi); err:
Hi, On 2/28/23 11:05, Heikki Krogerus wrote: > On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote: >> When ucsi_init() fails, ucsi->connector is NULL, yet in case of >> ucsi_acpi we may still get events which cause the ucs_acpi code to call >> ucsi_connector_change(), which then derefs the NULL ucsi->connector >> pointer. >> >> Fix this by adding a check for ucsi->connector being NULL, as is >> already done in ucsi_resume() for similar reasons. >> >> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") >> Cc: stable@vger.kernel.org >> Signed-off-by: Hans de Goede <hdegoede@redhat.com> >> --- >> drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c >> index 1cf8947c6d66..e762897cb25a 100644 >> --- a/drivers/usb/typec/ucsi/ucsi.c >> +++ b/drivers/usb/typec/ucsi/ucsi.c >> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) >> */ >> void ucsi_connector_change(struct ucsi *ucsi, u8 num) >> { >> - struct ucsi_connector *con = &ucsi->connector[num - 1]; >> + struct ucsi_connector *con; >> + >> + /* Check for ucsi_init() failure */ >> + if (!ucsi->connector) >> + return; >> + >> + con = &ucsi->connector[num - 1]; >> >> if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { >> dev_dbg(ucsi->dev, "Bogus connector change event\n"); > > I think we should try to rely on that ucsi->ntfy. Would this work: > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index fe1963e328378..0da1e9c66971a 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) > */ > void ucsi_connector_change(struct ucsi *ucsi, u8 num) > { > - struct ucsi_connector *con = &ucsi->connector[num - 1]; > - > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > dev_dbg(ucsi->dev, "Bogus connector change event\n"); > return; > } > > if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags)) > - schedule_work(&con->work); > + schedule_work(&ucsi->connector[num - 1].work); > } > EXPORT_SYMBOL_GPL(ucsi_connector_change); > This hunk is not necessary, the con pointer pointing to lala land is not an issue as long as we don't deref it. The &ucsi->connector[num - 1]; does not deref ucsi->connector it it simply adds an offset to it and stores that in con (the backtrace I got pointed to the schedule_work call). But I guess your way does make it more obvious that we don't deref ucsi->connector. > @@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi) > ucsi->connector = NULL; > > err_reset: > + ucsi->ntfy = 0; > memset(&ucsi->cap, 0, sizeof(ucsi->cap)); > ucsi_reset_ppm(ucsi); > err: In would expect this to fix things, but I only have access to the monitor triggering this on Mondays, so I can only 100% confirm next Monday. Note this does open the race I try to fix in patch 2/3 again. So what should be done here is to make ntfy a local variable and only store it in ucsi->ntfy on success. Regards, Hans
On Tue, Feb 28, 2023 at 11:15:46AM +0100, Hans de Goede wrote: > Hi, > > On 2/28/23 11:05, Heikki Krogerus wrote: > > On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote: > >> When ucsi_init() fails, ucsi->connector is NULL, yet in case of > >> ucsi_acpi we may still get events which cause the ucs_acpi code to call > >> ucsi_connector_change(), which then derefs the NULL ucsi->connector > >> pointer. > >> > >> Fix this by adding a check for ucsi->connector being NULL, as is > >> already done in ucsi_resume() for similar reasons. > >> > >> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") > >> Cc: stable@vger.kernel.org > >> Signed-off-by: Hans de Goede <hdegoede@redhat.com> > >> --- > >> drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- > >> 1 file changed, 7 insertions(+), 1 deletion(-) > >> > >> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > >> index 1cf8947c6d66..e762897cb25a 100644 > >> --- a/drivers/usb/typec/ucsi/ucsi.c > >> +++ b/drivers/usb/typec/ucsi/ucsi.c > >> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) > >> */ > >> void ucsi_connector_change(struct ucsi *ucsi, u8 num) > >> { > >> - struct ucsi_connector *con = &ucsi->connector[num - 1]; > >> + struct ucsi_connector *con; > >> + > >> + /* Check for ucsi_init() failure */ > >> + if (!ucsi->connector) > >> + return; > >> + > >> + con = &ucsi->connector[num - 1]; > >> > >> if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > >> dev_dbg(ucsi->dev, "Bogus connector change event\n"); > > > > I think we should try to rely on that ucsi->ntfy. Would this work: > > > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > > index fe1963e328378..0da1e9c66971a 100644 > > --- a/drivers/usb/typec/ucsi/ucsi.c > > +++ b/drivers/usb/typec/ucsi/ucsi.c > > @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) > > */ > > void ucsi_connector_change(struct ucsi *ucsi, u8 num) > > { > > - struct ucsi_connector *con = &ucsi->connector[num - 1]; > > - > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > > dev_dbg(ucsi->dev, "Bogus connector change event\n"); > > return; > > } > > > > if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags)) > > - schedule_work(&con->work); > > + schedule_work(&ucsi->connector[num - 1].work); > > } > > EXPORT_SYMBOL_GPL(ucsi_connector_change); > > > > This hunk is not necessary, the con pointer pointing to lala land is > not an issue as long as we don't deref it. The &ucsi->connector[num - 1]; > does not deref ucsi->connector it it simply adds an offset to it and > stores that in con (the backtrace I got pointed to the schedule_work call). > > But I guess your way does make it more obvious that we don't > deref ucsi->connector. > > > @@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi) > > ucsi->connector = NULL; > > > > err_reset: > > + ucsi->ntfy = 0; > > memset(&ucsi->cap, 0, sizeof(ucsi->cap)); > > ucsi_reset_ppm(ucsi); > > err: > > In would expect this to fix things, but I only have access to the monitor > triggering this on Mondays, so I can only 100% confirm next Monday. > > Note this does open the race I try to fix in patch 2/3 again. > > So what should be done here is to make ntfy a local variable and only > store it in ucsi->ntfy on success. OK. thanks,
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 1cf8947c6d66..e762897cb25a 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) */ void ucsi_connector_change(struct ucsi *ucsi, u8 num) { - struct ucsi_connector *con = &ucsi->connector[num - 1]; + struct ucsi_connector *con; + + /* Check for ucsi_init() failure */ + if (!ucsi->connector) + return; + + con = &ucsi->connector[num - 1]; if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { dev_dbg(ucsi->dev, "Bogus connector change event\n");
When ucsi_init() fails, ucsi->connector is NULL, yet in case of ucsi_acpi we may still get events which cause the ucs_acpi code to call ucsi_connector_change(), which then derefs the NULL ucsi->connector pointer. Fix this by adding a check for ucsi->connector being NULL, as is already done in ucsi_resume() for similar reasons. Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)