Hi Hans,
On Mon, Mar 06, 2023 at 11:33:58AM +0100, Hans de Goede wrote:
> ucsi_init() which runs from a workqueue sets ucsi->connector and
> on an error will clear it again.
>
> ucsi->connector gets dereferenced by ucsi_resume(), this checks for
> ucsi->connector being NULL in case ucsi_init() has not finished yet;
> or in case ucsi_init() has failed.
>
> ucsi_init() setting ucsi->connector and then clearing it again on
> an error creates a race where the check in ucsi_resume() may pass,
> only to have ucsi->connector free-ed underneath it when ucsi_init()
> hits an error.
>
> Fix this race by making ucsi_init() store the connector array in
> a local variable and only assign it to ucsi->connector on success.
>
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
This does not apply anymore on top of Greg's usb-next. I think you
need to rebase. While at it, I have one nit below...
> ---
> drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++------------
> 1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 8cbbb002fefe..15a2c91581a8 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1039,9 +1039,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con)
> return NULL;
> }
>
> -static int ucsi_register_port(struct ucsi *ucsi, int index)
> +static int ucsi_register_port(struct ucsi *ucsi, int index, struct ucsi_connector *con)
If con->num was set before this function is called, you don't need
"index" at all:
static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con)
> {
> - struct ucsi_connector *con = &ucsi->connector[index];
> struct typec_capability *cap = &con->typec_cap;
> enum typec_accessory *accessory = cap->accessory;
> enum usb_role u_role = USB_ROLE_NONE;
> @@ -1204,7 +1203,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
> */
> static int ucsi_init(struct ucsi *ucsi)
> {
> - struct ucsi_connector *con;
> + struct ucsi_connector *con, *connector;
> u64 command, ntfy;
> int ret;
> int i;
> @@ -1235,16 +1234,15 @@ static int ucsi_init(struct ucsi *ucsi)
> }
>
> /* Allocate the connectors. Released in ucsi_unregister() */
> - ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1,
> - sizeof(*ucsi->connector), GFP_KERNEL);
> - if (!ucsi->connector) {
> + connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL);
> + if (!connector) {
> ret = -ENOMEM;
> goto err_reset;
> }
>
> /* Register all connectors */
> for (i = 0; i < ucsi->cap.num_connectors; i++) {
> - ret = ucsi_register_port(ucsi, i);
Assign it here:
connector[i].num = i + 1;
> + ret = ucsi_register_port(ucsi, i, &connector[i]);
> if (ret)
> goto err_unregister;
> }
> @@ -1256,11 +1254,12 @@ static int ucsi_init(struct ucsi *ucsi)
> if (ret < 0)
> goto err_unregister;
>
> + ucsi->connector = connector;
> ucsi->ntfy = ntfy;
> return 0;
>
> err_unregister:
> - for (con = ucsi->connector; con->port; con++) {
> + for (con = connector; con->port; con++) {
> ucsi_unregister_partner(con);
> ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON);
> ucsi_unregister_port_psy(con);
> @@ -1269,10 +1268,7 @@ static int ucsi_init(struct ucsi *ucsi)
> typec_unregister_port(con->port);
> con->port = NULL;
> }
> -
> - kfree(ucsi->connector);
> - ucsi->connector = NULL;
> -
> + kfree(connector);
> err_reset:
> memset(&ucsi->cap, 0, sizeof(ucsi->cap));
> ucsi_reset_ppm(ucsi);
thanks,
--
heikki
