Message ID | 2024083008-granddad-unmoving-828c@gregkh (mailing list archive) |
---|---|
State | New |
Series | [6.6] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration" |
On Fri, Aug 30, 2024 at 04:00:09PM +0200, Greg Kroah-Hartman wrote: > In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source > caps before re-registration"), quilt, and git, applied the diff to the > incorrect function, which would cause bad problems if exercised in a > device with these capabilities. > > Fix this all up (including the follow-up fix in commit 04c05d50fa79 > ("usb: typec: tcpm: fix use-after-free case in > tcpm_register_source_caps") to be in the correct function. > > Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") > Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration") > Reported-by: Charles Yo <charlesyo@google.com> > Cc: Kyle Tso <kyletso@google.com> > Cc: Amit Sunil Dhamne <amitsd@google.com> > Cc: Ondrej Jirman <megi@xff.cz> > Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > > Note, this is also needed for 6.1, I'll fix up the git ids when > committing it to the stable tree there as well. > > drivers/usb/typec/tcpm/tcpm.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c > index 7db9c382c354..e053b6e99b9e 100644 > --- a/drivers/usb/typec/tcpm/tcpm.c > +++ b/drivers/usb/typec/tcpm/tcpm.c > @@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) > { > struct usb_power_delivery_desc desc = { port->negotiated_rev }; > struct usb_power_delivery_capabilities_desc caps = { }; > - struct usb_power_delivery_capabilities *cap; > + struct usb_power_delivery_capabilities *cap = port->partner_source_caps; > > if (!port->partner_pd) > port->partner_pd = usb_power_delivery_register(NULL, &desc); 
> @@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(struct tcpm_port *port) > memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); > caps.role = TYPEC_SOURCE; > > + if (cap) { > + usb_power_delivery_unregister_capabilities(cap); > + port->partner_source_caps = NULL; > + } > + > cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); > if (IS_ERR(cap)) > return PTR_ERR(cap); > @@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) > { > struct usb_power_delivery_desc desc = { port->negotiated_rev }; > struct usb_power_delivery_capabilities_desc caps = { }; > - struct usb_power_delivery_capabilities *cap = port->partner_source_caps; > + struct usb_power_delivery_capabilities *cap; > > if (!port->partner_pd) > port->partner_pd = usb_power_delivery_register(NULL, &desc); > @@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) > memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps); > caps.role = TYPEC_SINK; > > - if (cap) { > - usb_power_delivery_unregister_capabilities(cap); > - port->partner_source_caps = NULL; > - } > - > cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); > if (IS_ERR(cap)) > return PTR_ERR(cap); > -- > 2.46.0
On Mon, Sep 02, 2024 at 09:25:44AM +0300, Heikki Krogerus wrote:
> On Fri, Aug 30, 2024 at 04:00:09PM +0200, Greg Kroah-Hartman wrote:
> > In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source
> > caps before re-registration"), quilt, and git, applied the diff to the
> > incorrect function, which would cause bad problems if exercised in a
> > device with these capabilities.
> >
> > Fix this all up (including the follow-up fix in commit 04c05d50fa79
> > ("usb: typec: tcpm: fix use-after-free case in
> > tcpm_register_source_caps") to be in the correct function.
> >
> > Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
> > Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
> > Reported-by: Charles Yo <charlesyo@google.com>
> > Cc: Kyle Tso <kyletso@google.com>
> > Cc: Amit Sunil Dhamne <amitsd@google.com>
> > Cc: Ondrej Jirman <megi@xff.cz>
> > Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> > Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

Thanks for the review!
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 7db9c382c354..e053b6e99b9e 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { }; - struct usb_power_delivery_capabilities *cap; + struct usb_power_delivery_capabilities *cap = port->partner_source_caps; if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(struct tcpm_port *port) memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); caps.role = TYPEC_SOURCE; + if (cap) { + usb_power_delivery_unregister_capabilities(cap); + port->partner_source_caps = NULL; + } + cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap); @@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { }; - struct usb_power_delivery_capabilities *cap = port->partner_source_caps; + struct usb_power_delivery_capabilities *cap; if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps); caps.role = TYPEC_SINK; - if (cap) { - usb_power_delivery_unregister_capabilities(cap); - port->partner_source_caps = NULL; - } - cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap);
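Review bot: In the tcpm_register_source_caps hunk at -2413, the local cap carries two lifetimes: it starts as the old object read from port->partner_source_caps and is then overwritten by the return value of usb_power_delivery_register_capabilities(). Clearing port->partner_source_caps immediately after usb_power_delivery_unregister_capabilities(cap) is what keeps the port from holding a released pointer when the following registration fails and the function returns PTR_ERR(cap). A short comment stating that ordering, or a separate local for the old object, would make it harder to lose in a later backport.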
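Review bot: In the tcpm_register_sink_caps hunk at -2436, once the misplaced block is removed nothing in the visible lines releases a previously registered sink object before usb_power_delivery_register_capabilities() is called, and cap is now declared without an initializer in the preceding hunk. Removing the block is correct, since it was unregistering port->partner_source_caps from the sink path, but it is worth confirming against the upstream function that the sink path cannot be re-entered with an object still registered; if it can, it needs the same unregister-then-clear guard keyed on the sink-side pointer.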
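Review bot: A clean apply does not confirm the target function for this change: the context lines of the -2403 and -2426 hunks are identical (the desc and caps declarations and the port->partner_pd check), and only the function name in the @@ header distinguishes tcpm_register_source_caps from tcpm_register_sink_caps. For the 6.1 version mentioned in the note, check after applying that the unregister block and the cap initializer sit in tcpm_register_source_caps in the resulting tree, not just that the patch applied.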
In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source
caps before re-registration"), quilt, and git, applied the diff to the
incorrect function, which would cause bad problems if exercised in a
device with these capabilities.

Fix this all up (including the follow-up fix in commit 04c05d50fa79
("usb: typec: tcpm: fix use-after-free case in
tcpm_register_source_caps") to be in the correct function.

Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
Reported-by: Charles Yo <charlesyo@google.com>
Cc: Kyle Tso <kyletso@google.com>
Cc: Amit Sunil Dhamne <amitsd@google.com>
Cc: Ondrej Jirman <megi@xff.cz>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

Note, this is also needed for 6.1, I'll fix up the git ids when
committing it to the stable tree there as well.

 drivers/usb/typec/tcpm/tcpm.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)