Re: [PATCH 1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()

Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx> · Tue, 28 Feb 2023 12:05:31 +0200

On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> pointer.
> 
> Fix this by adding a check for ucsi->connector being NULL, as is
> already done in ucsi_resume() for similar reasons.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
> ---
>  drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 1cf8947c6d66..e762897cb25a 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
>   */
>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>  {
> -	struct ucsi_connector *con = &ucsi->connector[num - 1];
> +	struct ucsi_connector *con;
> +
> +	/* Check for ucsi_init() failure */
> +	if (!ucsi->connector)
> +		return;
> +
> +	con = &ucsi->connector[num - 1];
>  
>  	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
>  		dev_dbg(ucsi->dev, "Bogus connector change event\n");

I think we should try to rely on that ucsi->ntfy. Would this work:

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index fe1963e328378..0da1e9c66971a 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-       struct ucsi_connector *con = &ucsi->connector[num - 1];
-
        if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
                dev_dbg(ucsi->dev, "Bogus connector change event\n");
                return;
        }
 
        if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
-               schedule_work(&con->work);
+               schedule_work(&ucsi->connector[num - 1].work);
 }
 EXPORT_SYMBOL_GPL(ucsi_connector_change);
 
@@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi)
        ucsi->connector = NULL;
 
 err_reset:
+       ucsi->ntfy = 0;
        memset(&ucsi->cap, 0, sizeof(ucsi->cap));
        ucsi_reset_ppm(ucsi);
 err:


-- 
heikki






