From patchwork Tue Feb 28 09:03:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 13154549 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63293C7EE31 for ; Tue, 28 Feb 2023 09:04:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230193AbjB1JD7 (ORCPT ); Tue, 28 Feb 2023 04:03:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229689AbjB1JD6 (ORCPT ); Tue, 28 Feb 2023 04:03:58 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF86D93D0 for ; Tue, 28 Feb 2023 01:03:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677574991; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=3lDVx5EyW8EHBxlsNXvmLaT5gVCmKjh9/OEv2HDjKPY=; b=aQ8IpkXi03j0nS7Qn5KpNqlxn4aLl5bmRSTfd9t21RxU2RryBxEkcAHIk/WjphBRUL1BM1 Zk6VC+smhF6R1foVjfBVSpFgnkrJ+GxPpusuyQB0HAjt6OgiO3s/7/U30uQPpmSwek9oZ6 xIG2NEdJKtptvuCjWPnZg1JpDbstGj4= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-628-rIhp-ksvMx6URfrbFAg2xw-1; Tue, 28 Feb 2023 04:03:07 -0500 X-MC-Unique: rIhp-ksvMx6URfrbFAg2xw-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 674A385D063; Tue, 28 Feb 2023 09:03:07 +0000 (UTC) Received: from shalem.redhat.com (unknown [10.39.194.124]) by smtp.corp.redhat.com (Postfix) with ESMTP id 79D90492B0E; Tue, 28 Feb 2023 09:03:06 +0000 (UTC) From: Hans de Goede To: Greg Kroah-Hartman , Heikki Krogerus Cc: Hans de Goede , linux-usb@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change() Date: Tue, 28 Feb 2023 10:03:03 +0100 Message-Id: <20230228090305.9335-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org When ucsi_init() fails, ucsi->connector is NULL, yet in case of ucsi_acpi we may still get events which cause the ucs_acpi code to call ucsi_connector_change(), which then derefs the NULL ucsi->connector pointer. Fix this by adding a check for ucsi->connector being NULL, as is already done in ucsi_resume() for similar reasons. Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede --- drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 1cf8947c6d66..e762897cb25a 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) */ void ucsi_connector_change(struct ucsi *ucsi, u8 num) { - struct ucsi_connector *con = &ucsi->connector[num - 1]; + struct ucsi_connector *con; + + /* Check for ucsi_init() failure */ + if (!ucsi->connector) + return; + + con = &ucsi->connector[num - 1]; if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { dev_dbg(ucsi->dev, "Bogus connector change event\n"); From patchwork Tue Feb 28 09:03:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 13154548 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 515FDC64ED6 for ; Tue, 28 Feb 2023 09:03:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229756AbjB1JDz (ORCPT ); Tue, 28 Feb 2023 04:03:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45340 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229644AbjB1JDy (ORCPT ); Tue, 28 Feb 2023 04:03:54 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD4D4A26D for ; Tue, 28 Feb 2023 01:03:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677574993; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sirfqygwoRQ697x8s2eJZOuvpqe/7SKCi+yX/4Aaiqw=; b=fwAoKuhRk33Z2WpWolKJhgzQRi687X4N0mBmBBohyqJvs0tI835uNE0Na4Y2Y5bfpSzKMQ A0C6CmSGLexi9QV3CCKyifEi4PZCK3Y3L343agHnUDEwjDEZ1oLkAzLeGkWv/dVu6AH8O+ Xwhaq0lVftpYoEje2k4/z+gqCaF0ZlA= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-618-csfzjiK4M_KF7a-7dT3fgg-1; Tue, 28 Feb 2023 04:03:08 -0500 X-MC-Unique: csfzjiK4M_KF7a-7dT3fgg-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 70ECF857A94; Tue, 28 Feb 2023 09:03:08 +0000 (UTC) Received: from shalem.redhat.com (unknown [10.39.194.124]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9B901492B0F; Tue, 28 Feb 2023 09:03:07 +0000 (UTC) From: Hans de Goede To: Greg Kroah-Hartman , Heikki Krogerus Cc: Hans de Goede , linux-usb@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 2/3] usb: ucsi: Fix ucsi->connector race Date: Tue, 28 Feb 2023 10:03:04 +0100 Message-Id: <20230228090305.9335-2-hdegoede@redhat.com> In-Reply-To: <20230228090305.9335-1-hdegoede@redhat.com> References: <20230228090305.9335-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org ucsi_init() which runs from a workqueue sets ucsi->connector and on an error will clear it again. ucsi->connector gets dereferenced by both ucsi_connector_change() and ucsi_resume(), both check for ucsi->connector being NULL in case ucsi_init() has not finished yet; or in case ucsi_init() has failed. ucsi_init() setting ucsi->connector and then clearing it again on an error creates a race where the check in the consumers may pass, only to have ucsi->connector free-ed underneath them when ucsi_init() hits an error. Fix this race by making ucsi_init() store the connector array in a local variable and only assign it to ucsi->connector on success. Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede --- drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index e762897cb25a..796ae230c60b 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -1045,9 +1045,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con) return NULL; } -static int ucsi_register_port(struct ucsi *ucsi, int index) +static int ucsi_register_port(struct ucsi *ucsi, int index, struct ucsi_connector *con) { - struct ucsi_connector *con = &ucsi->connector[index]; struct typec_capability *cap = &con->typec_cap; enum typec_accessory *accessory = cap->accessory; enum usb_role u_role = USB_ROLE_NONE; @@ -1210,7 +1209,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) */ static int ucsi_init(struct ucsi *ucsi) { - struct ucsi_connector *con; + struct ucsi_connector *con, *connector; u64 command; int ret; int i; @@ -1241,16 +1240,15 @@ static int ucsi_init(struct ucsi *ucsi) } /* Allocate the connectors. Released in ucsi_unregister() */ - ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1, - sizeof(*ucsi->connector), GFP_KERNEL); - if (!ucsi->connector) { + connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL); + if (!connector) { ret = -ENOMEM; goto err_reset; } /* Register all connectors */ for (i = 0; i < ucsi->cap.num_connectors; i++) { - ret = ucsi_register_port(ucsi, i); + ret = ucsi_register_port(ucsi, i, &connector[i]); if (ret) goto err_unregister; } @@ -1262,10 +1260,11 @@ static int ucsi_init(struct ucsi *ucsi) if (ret < 0) goto err_unregister; + ucsi->connector = connector; return 0; err_unregister: - for (con = ucsi->connector; con->port; con++) { + for (con = connector; con->port; con++) { ucsi_unregister_partner(con); ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON); ucsi_unregister_port_psy(con); @@ -1274,10 +1273,7 @@ static int ucsi_init(struct ucsi *ucsi) typec_unregister_port(con->port); con->port = NULL; } - - kfree(ucsi->connector); - ucsi->connector = NULL; - + kfree(connector); err_reset: memset(&ucsi->cap, 0, sizeof(ucsi->cap)); ucsi_reset_ppm(ucsi); From patchwork Tue Feb 28 09:03:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 13154550 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 513E8C64ED6 for ; Tue, 28 Feb 2023 09:04:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230172AbjB1JEA (ORCPT ); Tue, 28 Feb 2023 04:04:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45344 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230164AbjB1JD6 (ORCPT ); Tue, 28 Feb 2023 04:03:58 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87C1FA27E for ; Tue, 28 Feb 2023 01:03:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677574993; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dugI5ah/rpmEloFzsd7SNav7KkzrRZ4JKHEJqiV00wk=; b=WS07IS7leAMcN/9eE7s5aBf7qW4ICjZnN6kQNWyrOVkQSlSsMM3XwQ5SYDOH6/d7tAPHJn r8fqcxnXVgpinmXlGJvlfS+lT9HO84qn48ZZlJA9uBUeKJC8Oh+CCOuj6f40x+4vuDAraw GR8byTqV1G17TssuZvbKC7SmIPCUZ8s= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-492-GWoRfH_vOgaRt3xM7_AtJA-1; Tue, 28 Feb 2023 04:03:09 -0500 X-MC-Unique: GWoRfH_vOgaRt3xM7_AtJA-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6780E382888E; Tue, 28 Feb 2023 09:03:09 +0000 (UTC) Received: from shalem.redhat.com (unknown [10.39.194.124]) by smtp.corp.redhat.com (Postfix) with ESMTP id A4726492B0E; Tue, 28 Feb 2023 09:03:08 +0000 (UTC) From: Hans de Goede To: Greg Kroah-Hartman , Heikki Krogerus Cc: Hans de Goede , linux-usb@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 3/3] usb: ucsi_acpi: Increase the command completion timeout Date: Tue, 28 Feb 2023 10:03:05 +0100 Message-Id: <20230228090305.9335-3-hdegoede@redhat.com> In-Reply-To: <20230228090305.9335-1-hdegoede@redhat.com> References: <20230228090305.9335-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Commit 130a96d698d7 ("usb: typec: ucsi: acpi: Increase command completion timeout value") increased the timeout from 5 seconds to 60 seconds due to issues related to alternate mode discovery. After the alternate mode discovery switch to polled mode the timeout was reduced, but instead of being set back to 5 seconds it was reduced to 1 second. This is causing problems when using a Lenovo ThinkPad X1 yoga gen7 connected over Type-C to a LG 27UL850-W (charging DP over Type-C). When the monitor is already connected at boot the following error is logged: "PPM init failed (-110)", /sys/class/typec is empty and on unplugging the NULL pointer deref fixed earlier in this series happens. When the monitor is connected after boot the following error is logged instead: "GET_CONNECTOR_STATUS failed (-110)". Setting the timeout back to 5 seconds fixes both cases. Fixes: e08065069fc7 ("usb: typec: ucsi: acpi: Reduce the command completion timeout") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede --- drivers/usb/typec/ucsi/ucsi_acpi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/ucsi/ucsi_acpi.c b/drivers/usb/typec/ucsi/ucsi_acpi.c index ce0c8ef80c04..62206a6b8ea7 100644 --- a/drivers/usb/typec/ucsi/ucsi_acpi.c +++ b/drivers/usb/typec/ucsi/ucsi_acpi.c @@ -78,7 +78,7 @@ static int ucsi_acpi_sync_write(struct ucsi *ucsi, unsigned int offset, if (ret) goto out_clear_bit; - if (!wait_for_completion_timeout(&ua->complete, HZ)) + if (!wait_for_completion_timeout(&ua->complete, 5 * HZ)) ret = -ETIMEDOUT; out_clear_bit: