On Fri, Aug 30, 2024 at 04:00:09PM +0200, Greg Kroah-Hartman wrote: > In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source > caps before re-registration"), quilt, and git, applied the diff to the > incorrect function, which would cause bad problems if exercised in a > device with these capabilities. > > Fix this all up (including the follow-up fix in commit 04c05d50fa79 > ("usb: typec: tcpm: fix use-after-free case in > tcpm_register_source_caps") to be in the correct function. > > Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") > Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration") > Reported-by: Charles Yo <charlesyo@xxxxxxxxxx> > Cc: Kyle Tso <kyletso@xxxxxxxxxx> > Cc: Amit Sunil Dhamne <amitsd@xxxxxxxxxx> > Cc: Ondrej Jirman <megi@xxxxxx> > Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx> > Cc: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Acked-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx> > --- > > Note, this is also needed for 6.1, I'll fix up the git ids when > committing it to the stable tree there as well. > > drivers/usb/typec/tcpm/tcpm.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c > index 7db9c382c354..e053b6e99b9e 100644 > --- a/drivers/usb/typec/tcpm/tcpm.c > +++ b/drivers/usb/typec/tcpm/tcpm.c > @@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) > { > struct usb_power_delivery_desc desc = { port->negotiated_rev }; > struct usb_power_delivery_capabilities_desc caps = { }; > - struct usb_power_delivery_capabilities *cap; > + struct usb_power_delivery_capabilities *cap = port->partner_source_caps; > > if (!port->partner_pd) > port->partner_pd = usb_power_delivery_register(NULL, &desc); 
> @@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(struct tcpm_port *port) > memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); > caps.role = TYPEC_SOURCE; > > + if (cap) { > + usb_power_delivery_unregister_capabilities(cap); > + port->partner_source_caps = NULL; > + } > + > cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); > if (IS_ERR(cap)) > return PTR_ERR(cap); > @@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) > { > struct usb_power_delivery_desc desc = { port->negotiated_rev }; > struct usb_power_delivery_capabilities_desc caps = { }; > - struct usb_power_delivery_capabilities *cap = port->partner_source_caps; > + struct usb_power_delivery_capabilities *cap; > > if (!port->partner_pd) > port->partner_pd = usb_power_delivery_register(NULL, &desc); > @@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) > memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps); > caps.role = TYPEC_SINK; > > - if (cap) { > - usb_power_delivery_unregister_capabilities(cap); > - port->partner_source_caps = NULL; > - } > - > cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); > if (IS_ERR(cap)) > return PTR_ERR(cap); > -- > 2.46.0 -- heikki
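Review bot: In tcpm_register_source_caps(), `cap` is initialised from `port->partner_source_caps` at its declaration, is not tested until after the `partner_pd` registration and the `memcpy()` of the PDOs, and is then overwritten by the return value of `usb_power_delivery_register_capabilities()`. One local therefore carries both the old handle and the new one. Testing the field directly in the added block (`if (port->partner_source_caps)` followed by the unregister call on that field) would keep the teardown self-contained and leave `cap` holding only the new registration. Clearing `port->partner_source_caps` before re-registering is the right order: if the `IS_ERR(cap)` path returns, the port holds NULL rather than a pointer to an object that has already been unregistered.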
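Review bot: After the teardown block is removed from tcpm_register_sink_caps(), the visible lines go from `caps.role = TYPEC_SINK;` straight to `usb_power_delivery_register_capabilities()` with no unregister of a previously registered sink capabilities object. If this function can run more than once for the same partner, the changelog should say whether the sink path needs the same unregister-before-re-register handling that the source path gets here, or whether that is left for a follow-up.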