Patch "usb: typec: qcom-pmic: fix use-after-free on late probe errors" has been added to the 6.8-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 30 May 2024 15:01:55 -0400

This is a note to let you know that I've just added the patch titled

    usb: typec: qcom-pmic: fix use-after-free on late probe errors

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-typec-qcom-pmic-fix-use-after-free-on-late-probe.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9e23c733a7be02e7959b01bc4540baa3e7e340fa
Author: Johan Hovold <johan+linaro@xxxxxxxxxx>
Date:   Thu Apr 18 16:57:29 2024 +0200

    usb: typec: qcom-pmic: fix use-after-free on late probe errors
    
    [ Upstream commit d80eee97cb4e90768a81c856ac71d721996d86b7 ]
    
    Make sure to stop and deregister the port in case of late probe errors
    to avoid use-after-free issues when the underlying memory is released by
    devres.
    
    Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
    Cc: stable@xxxxxxxxxxxxxxx      # 6.5
    Cc: Bryan O'Donoghue <bryan.odonoghue@xxxxxxxxxx>
    Signed-off-by: Johan Hovold <johan+linaro@xxxxxxxxxx>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
    Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@xxxxxxxxxx>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240418145730.4605-2-johan+linaro@xxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
index 82e3f59ea471b..ee3557e0becab 100644
--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
+++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
@@ -94,14 +94,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
 
 	ret = tcpm->port_start(tcpm, tcpm->tcpm_port);
 	if (ret)
-		goto fwnode_remove;
+		goto port_unregister;
 
 	ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port);
 	if (ret)
-		goto fwnode_remove;
+		goto port_stop;
 
 	return 0;
 
+port_stop:
+	tcpm->port_stop(tcpm);
+port_unregister:
+	tcpm_unregister_port(tcpm->tcpm_port);
 fwnode_remove:
 	fwnode_remove_software_node(tcpm->tcpc.fwnode);
 







