Patch "usb: typec: ucsi: Fix command cancellation" has been added to the 6.1-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 18 Jun 2023 14:57:23 +0200

This is a note to let you know that I've just added the patch titled

    usb: typec: ucsi: Fix command cancellation

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-typec-ucsi-fix-command-cancellation.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From c4a8bfabefed706bb9150867db528ceefd5cb5fe Mon Sep 17 00:00:00 2001
From: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
Date: Tue, 6 Jun 2023 14:58:02 +0300
Subject: usb: typec: ucsi: Fix command cancellation

From: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>

commit c4a8bfabefed706bb9150867db528ceefd5cb5fe upstream.

The Cancel command was passed to the write callback as the
offset instead of as the actual command which caused NULL
pointer dereference.

Reported-by: Stephan Bolten <stephan.bolten@xxxxxxx>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217517
Fixes: 094902bc6a3c ("usb: typec: ucsi: Always cancel the command if PPM reports BUSY condition")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
Message-ID: <20230606115802.79339-1-heikki.krogerus@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/typec/ucsi/ucsi.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -132,10 +132,8 @@ static int ucsi_exec_command(struct ucsi
 	if (ret)
 		return ret;
 
-	if (cci & UCSI_CCI_BUSY) {
-		ucsi->ops->async_write(ucsi, UCSI_CANCEL, NULL, 0);
-		return -EBUSY;
-	}
+	if (cmd != UCSI_CANCEL && cci & UCSI_CCI_BUSY)
+		return ucsi_exec_command(ucsi, UCSI_CANCEL);
 
 	if (!(cci & UCSI_CCI_COMMAND_COMPLETE))
 		return -EIO;
@@ -149,6 +147,11 @@ static int ucsi_exec_command(struct ucsi
 		return ucsi_read_error(ucsi);
 	}
 
+	if (cmd == UCSI_CANCEL && cci & UCSI_CCI_CANCEL_COMPLETE) {
+		ret = ucsi_acknowledge_command(ucsi);
+		return ret ? ret : -EBUSY;
+	}
+
 	return UCSI_CCI_LENGTH(cci);
 }
 


Patches currently in stable-queue which might be from heikki.krogerus@xxxxxxxxxxxxxxx are

queue-6.1/usb-typec-ucsi-fix-command-cancellation.patch
queue-6.1/usb-typec-fix-fast_role_swap_current-show-function.patch






