On Wed, Jun 09, 2021 at 12:35:35AM -0700, Jack Pham wrote:
> From: Mayank Rana <mrana@xxxxxxxxxxxxxx>
>
> If ucsi_init() fails for some reason (e.g. ucsi_register_port()
> fails or general communication failure to the PPM), particularly at
> any point after the GET_CAPABILITY command had been issued, this
> results in unwinding the initialization and returning an error.
> However, the ucsi structure's ucsi_capability member retains its
> current value, including likely a non-zero num_connectors.
> And because ucsi_init() itself is done in a workqueue, a UCSI
> interface driver will be unaware that it failed and may think the
> ucsi_register() call was completely successful. Later, if
> ucsi_unregister() is called, due to this stale ucsi->cap value it
> would try to access the items in the ucsi->connector array, which
> might not be in a proper state or not even allocated at all, and
> results in a NULL or invalid pointer dereference.
>
> Fix this by clearing the ucsi->cap value to 0 during the error
> path of ucsi_init() in order to prevent a later ucsi_unregister()
> from entering the connector cleanup loop.
>
> Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Mayank Rana <mrana@xxxxxxxxxxxxxx>
> Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx>

Acked-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>

> ---
> drivers/usb/typec/ucsi/ucsi.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index b433169ef6fa..b7d104c80d85 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1253,6 +1253,7 @@ static int ucsi_init(struct ucsi *ucsi) > } > > err_reset: > + memset(&ucsi->cap, 0, sizeof(ucsi->cap)); > ucsi_reset_ppm(ucsi); > err: > return ret;
> --
> 2.24.0

--
heikki
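Review bot: The memset at err_reset only clears ucsi->cap on paths that jump to that label; a failure that lands in the `err:` label directly after the GET_CAPABILITY reply has already been copied into ucsi->cap would still leave the stale num_connectors for ucsi_unregister() to iterate over. Worth confirming against the full function that every post-GET_CAPABILITY failure goes through err_reset rather than err. A one-line comment above `memset(&ucsi->cap, 0, sizeof(ucsi->cap));` saying that it exists to keep ucsi_unregister() out of the connector cleanup loop after a failed init would also help, since the coupling between this line and ucsi_unregister() is otherwise invisible at the memset site.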
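The failure mode the commit message describes, and the effect of the one-line fix, as an added user-space model written for this page; it is not the UCSI driver's code. `struct model_ucsi`, `model_init()`, `model_unregister()` and `ucsi_lifecycle()` are stand-ins for `struct ucsi`, `ucsi_init()`, the connector loop in `ucsi_unregister()` and the register/unregister sequence an interface driver goes through; `ucsi_reset_ppm()` is modelled as a counter, the GET_CAPABILITY reply is a constructed value, and a NULL connector array is reported as a return value of -1 instead of the oops the real driver would take. The `clear_cap_on_error` flag selects the pre-patch and post-patch behaviour so the two can be run side by side:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct ucsi_capability: only the field the bug depends on. */
struct model_cap {
	unsigned int num_connectors;
};

/* Stand-in for struct ucsi_connector. */
struct model_connector {
	int port_registered;
};

/* Stand-in for struct ucsi (hypothetical layout, not the driver's). */
struct model_ucsi {
	struct model_cap cap;
	struct model_connector *connector;	/* NULL until init allocates it */
	int ppm_resets;				/* counts the modelled ucsi_reset_ppm() */
	int clear_cap_on_error;			/* 0: pre-patch, 1: with the memset */
};

/* Constructed GET_CAPABILITY reply: the PPM reports 'reported' connectors. */
static void model_get_capability(struct model_ucsi *ucsi, unsigned int reported)
{
	ucsi->cap.num_connectors = reported;
}

/*
 * Model of ucsi_init(): capability is fetched first, connectors are set up
 * afterwards.  'fail_after_cap' simulates a failure in the part that follows
 * GET_CAPABILITY (e.g. port registration), i.e. after cap is populated.
 */
static int model_init(struct model_ucsi *ucsi, unsigned int reported, int fail_after_cap)
{
	unsigned int i;
	int ret;

	model_get_capability(ucsi, reported);

	if (fail_after_cap) {
		ret = -EIO;
		goto err_reset;
	}

	ucsi->connector = calloc(ucsi->cap.num_connectors, sizeof(*ucsi->connector));
	if (!ucsi->connector) {
		ret = -ENOMEM;
		goto err_reset;
	}
	for (i = 0; i < ucsi->cap.num_connectors; i++)
		ucsi->connector[i].port_registered = 1;
	return 0;

err_reset:
	if (ucsi->clear_cap_on_error)
		memset(&ucsi->cap, 0, sizeof(ucsi->cap));	/* the patch's fix */
	ucsi->ppm_resets++;					/* models ucsi_reset_ppm() */
	return ret;
}

/*
 * Model of the connector cleanup loop in ucsi_unregister().  Returns the
 * number of connectors torn down, or -1 where the real driver would
 * dereference a connector array that was never allocated.
 */
static int model_unregister(struct model_ucsi *ucsi)
{
	unsigned int i;
	int torn_down = 0;

	for (i = 0; i < ucsi->cap.num_connectors; i++) {
		if (!ucsi->connector)
			return -1;
		ucsi->connector[i].port_registered = 0;
		torn_down++;
	}
	free(ucsi->connector);
	ucsi->connector = NULL;
	return torn_down;
}

/*
 * The sequence from the commit message: the interface driver treats
 * registration as successful, the deferred init fails (or not), and the
 * init result is never seen by the caller; unregister follows later.
 * Returns model_unregister()'s result so the two behaviours can be compared.
 */
int ucsi_lifecycle(int with_fix, int init_fails_after_cap)
{
	struct model_ucsi ucsi;

	memset(&ucsi, 0, sizeof(ucsi));
	ucsi.clear_cap_on_error = with_fix;
	(void)model_init(&ucsi, 2, init_fails_after_cap);	/* PPM reports two connectors */
	return model_unregister(&ucsi);
}

int main(void)
{
	printf("no fix, init failed after GET_CAPABILITY: %d (-1 = NULL dereference)\n", ucsi_lifecycle(0, 1));
	printf("fix,    init failed after GET_CAPABILITY: %d connectors torn down\n", ucsi_lifecycle(1, 1));
	printf("fix,    init succeeded:                   %d connectors torn down\n", ucsi_lifecycle(1, 0));
	return 0;
}
```

Without the fix, the stale `num_connectors` of 2 drives the cleanup loop into an array that was never allocated; with the fix, the loop body is never entered after a failed init, while a successful init still tears down both connectors.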