Hi,

On 3/8/23 14:28, Heikki Krogerus wrote:
> On Tue, Mar 07, 2023 at 11:34:20AM +0100, Hans de Goede wrote:
>> ucsi_init(), which runs from a workqueue, sets ucsi->connector and
>> on an error will clear it again.
>>
>> ucsi->connector gets dereferenced by ucsi_resume(), which checks for
>> ucsi->connector being NULL in case ucsi_init() has not finished yet,
>> or in case ucsi_init() has failed.
>>
>> ucsi_init() setting ucsi->connector and then clearing it again on
>> an error creates a race where the check in ucsi_resume() may pass,
>> only to have ucsi->connector freed underneath it when ucsi_init()
>> hits an error.
>>
>> Fix this race by making ucsi_init() store the connector array in
>> a local variable and only assign it to ucsi->connector on success.
>>
>> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
>> ---
>> Changes in v3:
>> - Assign connector[i].index before calling ucsi_register_port() instead of
>>   passing i to ucsi_register_port()
>
> You forgot to rebase this. It does not apply.

Ugh, my bad, sorry about that. I'll send out a v4 fixing this.

Regards,

Hans
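The race described in the quoted commit message, modelled as an added user-space example (constructed for this thread, not the kernel's ucsi code): a stand-in for ucsi_resume() is invoked in the middle of init to show what its NULL check sees under the "publish first, clear on error" shape versus the "local variable, publish on success" shape. The `fail` flag and the observer callback are assumptions of the model, standing in for ucsi_register_port() failing and for the concurrent resume path.

```c
/* Constructed model of the ucsi_init()/ucsi_resume() race; not kernel code. */
#include <stdlib.h>
#include <stddef.h>

struct ucsi_connector { int index; };

struct ucsi {
    struct ucsi_connector *connector;   /* NULL until init has succeeded */
};

/* Stand-in for ucsi_resume() running concurrently with the init work. */
struct observer { int saw_connector; };

static void resume_observer(struct ucsi *ucsi, struct observer *o)
{
    /* The NULL check ucsi_resume() performs before dereferencing. */
    o->saw_connector = (ucsi->connector != NULL);
}

/* Buggy shape: publish the array first, clear it again on error.
 * fail == 1 simulates a port registration failing after publication. */
static int ucsi_init_buggy(struct ucsi *ucsi, int fail, struct observer *o)
{
    struct ucsi_connector *connector = calloc(2, sizeof(*connector));
    if (!connector)
        return -1;
    ucsi->connector = connector;      /* visible to ucsi_resume() from here */
    resume_observer(ucsi, o);         /* race window: the NULL check passes... */
    if (fail) {
        free(connector);              /* ...and the array is freed under it */
        ucsi->connector = NULL;
        return -1;
    }
    return 0;
}

/* Fixed shape (v3 of the patch): keep a local, publish only on success. */
static int ucsi_init_fixed(struct ucsi *ucsi, int fail, struct observer *o)
{
    struct ucsi_connector *connector = calloc(2, sizeof(*connector));
    if (!connector)
        return -1;
    resume_observer(ucsi, o);         /* still NULL: resume bails out safely */
    if (fail) {
        free(connector);              /* no other path could have seen it */
        return -1;
    }
    ucsi->connector = connector;      /* published exactly once, on success */
    return 0;
}
```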