Re: [PATCH] usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

On Mon, Apr 26, 2021 at 12:26:05PM -0700, Jack Pham wrote:
> Forgot to Cc: Abhilash who introduced the PDO code
> 
> On Mon, Apr 26, 2021 at 12:18:25PM -0700, Jack Pham wrote:
> > commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects
> > in PD mode") introduced retrieval of the PDOs when connected to a
> > PD-capable source. But only the first 4 PDOs are received since
> > that is the maximum number that can be fetched at a time given the
> > MESSAGE_IN length limitation (16 bytes). However, as per the PD spec
> > a connected source may advertise up to a maximum of 7 PDOs.
> > 
> > If such a source is connected it's possible the UCSI FW could have
> > negotiated a power contract with one of the PDOs at index greater
> > than 4, and would be reflected in the request data object's (RDO)
> > object position field. This would result in an out-of-bounds access
> > when the rdo_index() is used to index into the src_pdos array in
> > ucsi_psy_get_voltage_now().
> > 
> > We can resolve this by instead retrieving and storing up to the
> > maximum of 7 PDOs in the con->src_pdos array. This would involve
> > two calls to the GET_PDOS command.

This makes sense to me. A few nitpicks below. Besides those:

Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>

> > Fixes: 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class")
> > Fixes: 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx>
> > ---
> >  drivers/usb/typec/ucsi/ucsi.c | 41 +++++++++++++++++++++++++++--------
> >  drivers/usb/typec/ucsi/ucsi.h |  6 +++--
> >  2 files changed, 36 insertions(+), 11 deletions(-)
> > 
> > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> > index 244270755ae6..ac214b855986 100644
> > --- a/drivers/usb/typec/ucsi/ucsi.c
> > +++ b/drivers/usb/typec/ucsi/ucsi.c
> > @@ -495,7 +495,8 @@ static void ucsi_unregister_altmodes(struct ucsi_connector *con, u8 recipient)
> >  	}
> >  }
> >  
> > -static void ucsi_get_pdos(struct ucsi_connector *con, int is_partner)
> > +static int ucsi_get_pdos(struct ucsi_connector *con, int is_partner,
> > +		u32 *pdos, int offset, int num_pdos)

That should be aligned properly.

> >  {
> >  	struct ucsi *ucsi = con->ucsi;
> >  	u64 command;
> > @@ -503,17 +504,39 @@ static void ucsi_get_pdos(struct ucsi_connector *con, int is_partner)
> >  
> >  	command = UCSI_COMMAND(UCSI_GET_PDOS) | UCSI_CONNECTOR_NUMBER(con->num);
> >  	command |= UCSI_GET_PDOS_PARTNER_PDO(is_partner);
> > -	command |= UCSI_GET_PDOS_NUM_PDOS(UCSI_MAX_PDOS - 1);
> > +	command |= UCSI_GET_PDOS_PDO_OFFSET(offset);
> > +	command |= UCSI_GET_PDOS_NUM_PDOS(num_pdos - 1);
> >  	command |= UCSI_GET_PDOS_SRC_PDOS;
> > -	ret = ucsi_send_command(ucsi, command, con->src_pdos,
> > -			       sizeof(con->src_pdos));
> > -	if (ret < 0) {
> > +	ret = ucsi_send_command(ucsi, command, pdos + offset,
> > +			num_pdos * sizeof(u32));

That too. I think if you run scripts/checkpatch.pl it will complain
about those.

> > +	if (ret < 0)
> >  		dev_err(ucsi->dev, "UCSI_GET_PDOS failed (%d)\n", ret);
> > +	if (ret == 0 && offset == 0)
> > +		dev_warn(ucsi->dev, "UCSI_GET_PDOS returned 0 bytes\n");
> > +
> > +	return ret;
> > +}
> > +
> > +static void ucsi_get_src_pdos(struct ucsi_connector *con, int is_partner)
> > +{
> > +	int ret;
> > +
> > +	/* UCSI max payload means only getting at most 4 PDOs at a time */
> > +	ret = ucsi_get_pdos(con, 1, con->src_pdos, 0, UCSI_MAX_PDOS);
> > +	if (ret < 0)
> >  		return;
> > -	}
> > +
> >  	con->num_pdos = ret / sizeof(u32); /* number of bytes to 32-bit PDOs */
> > -	if (ret == 0)
> > -		dev_warn(ucsi->dev, "UCSI_GET_PDOS returned 0 bytes\n");
> > +	if (con->num_pdos < UCSI_MAX_PDOS)
> > +		return;
> > +
> > +	/* get the remaining PDOs, if any */
> > +	ret = ucsi_get_pdos(con, 1, con->src_pdos, UCSI_MAX_PDOS,
> > +			PDO_MAX_OBJECTS - UCSI_MAX_PDOS);
> > +	if (ret < 0)
> > +		return;
> > +
> > +	con->num_pdos += ret / sizeof(u32);
> >  }
> >  
> >  static void ucsi_pwr_opmode_change(struct ucsi_connector *con)
> > @@ -522,7 +545,7 @@ static void ucsi_pwr_opmode_change(struct ucsi_connector *con)
> >  	case UCSI_CONSTAT_PWR_OPMODE_PD:
> >  		con->rdo = con->status.request_data_obj;
> >  		typec_set_pwr_opmode(con->port, TYPEC_PWR_MODE_PD);
> > -		ucsi_get_pdos(con, 1);
> > +		ucsi_get_src_pdos(con, 1);
> >  		break;
> >  	case UCSI_CONSTAT_PWR_OPMODE_TYPEC1_5:
> >  		con->rdo = 0;
> > diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
> > index 3920e20a9e9e..cee666790907 100644
> > --- a/drivers/usb/typec/ucsi/ucsi.h
> > +++ b/drivers/usb/typec/ucsi/ucsi.h
> > @@ -8,6 +8,7 @@
> >  #include <linux/power_supply.h>
> >  #include <linux/types.h>
> >  #include <linux/usb/typec.h>
> > +#include <linux/usb/pd.h>
> >  #include <linux/usb/role.h>
> >  
> >  /* -------------------------------------------------------------------------- */
> > @@ -134,7 +135,9 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num);
> >  
> >  /* GET_PDOS command bits */
> >  #define UCSI_GET_PDOS_PARTNER_PDO(_r_)		((u64)(_r_) << 23)
> > +#define UCSI_GET_PDOS_PDO_OFFSET(_r_)		((u64)(_r_) << 24)
> >  #define UCSI_GET_PDOS_NUM_PDOS(_r_)		((u64)(_r_) << 32)
> > +#define UCSI_MAX_PDOS				(4)
> >  #define UCSI_GET_PDOS_SRC_PDOS			((u64)1 << 34)
> >  
> >  /* -------------------------------------------------------------------------- */
> > @@ -302,7 +305,6 @@ struct ucsi {
> >  
> >  #define UCSI_MAX_SVID		5
> >  #define UCSI_MAX_ALTMODES	(UCSI_MAX_SVID * 6)
> > -#define UCSI_MAX_PDOS		(4)
> >  
> >  #define UCSI_TYPEC_VSAFE5V	5000
> >  #define UCSI_TYPEC_1_5_CURRENT	1500
> > @@ -330,7 +332,7 @@ struct ucsi_connector {
> >  	struct power_supply *psy;
> >  	struct power_supply_desc psy_desc;
> >  	u32 rdo;
> > -	u32 src_pdos[UCSI_MAX_PDOS];
> > +	u32 src_pdos[PDO_MAX_OBJECTS];
> >  	int num_pdos;
> >  
> >  	struct usb_role_switch *usb_role_sw;

thanks,

-- 
heikki



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux