usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source
caps before re-registration"), quilt, and git, applied the diff to the
incorrect function, which would cause bad problems if exercised in a
device with these capabilities.

Fix this all up (including the follow-up fix in commit 04c05d50fa79
("usb: typec: tcpm: fix use-after-free case in
tcpm_register_source_caps") to be in the correct function.

Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
Reported-by: Charles Yo <charlesyo@xxxxxxxxxx>
Cc: Kyle Tso <kyletso@xxxxxxxxxx>
Cc: Amit Sunil Dhamne <amitsd@xxxxxxxxxx>
Cc: Ondrej Jirman <megi@xxxxxx>
Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
Cc: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/typec/tcpm/tcpm.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(str
 {
 	struct usb_power_delivery_desc desc = { port->negotiated_rev };
 	struct usb_power_delivery_capabilities_desc caps = { };
-	struct usb_power_delivery_capabilities *cap;
+	struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
 
 	if (!port->partner_pd)
 		port->partner_pd = usb_power_delivery_register(NULL, &desc);
@@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(str
 	memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
 	caps.role = TYPEC_SOURCE;
 
+	if (cap) {
+		usb_power_delivery_unregister_capabilities(cap);
+		port->partner_source_caps = NULL;
+	}
+
 	cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
 	if (IS_ERR(cap))
 		return PTR_ERR(cap);
@@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struc
 {
 	struct usb_power_delivery_desc desc = { port->negotiated_rev };
 	struct usb_power_delivery_capabilities_desc caps = { };
-	struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
+	struct usb_power_delivery_capabilities *cap;
 
 	if (!port->partner_pd)
 		port->partner_pd = usb_power_delivery_register(NULL, &desc);
@@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struc
 	memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps);
 	caps.role = TYPEC_SINK;
 
-	if (cap) {
-		usb_power_delivery_unregister_capabilities(cap);
-		port->partner_source_caps = NULL;
-	}
-
 	cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
 	if (IS_ERR(cap))
 		return PTR_ERR(cap);


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-6.6/alsa-seq-skip-event-type-filtering-for-ump-events.patch
queue-6.6/wifi-wfx-repair-open-network-ap-mode.patch
queue-6.6/of-add-cleanup.h-based-auto-release-via-__free-device_node-markings.patch
queue-6.6/mptcp-pm-fix-id-0-endp-usage-after-multiple-re-creations.patch
queue-6.6/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
queue-6.6/mptcp-pm-skip-connecting-to-already-established-sf.patch
queue-6.6/mptcp-pm-reuse-id-0-after-delete-and-re-add.patch
queue-6.6/tracing-have-format-file-honor-event_file_fl_freed.patch
queue-6.6/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
queue-6.6/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
queue-6.6/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
queue-6.6/mptcp-pm-add_addr-0-is-not-a-new-address.patch
queue-6.6/mptcp-pm-do-not-remove-already-closed-subflows.patch
queue-6.6/mptcp-pm-send-ack-on-an-active-subflow.patch
queue-6.6/mptcp-pm-reset-mpc-endp-id-when-re-added.patch
queue-6.6/drm-amdgpu-align-pp_power_profile_mode-with-kernel-docs.patch
queue-6.6/drm-amdgpu-swsmu-always-force-a-state-reprogram-on-init.patch
queue-6.6/net-mana-fix-race-of-mana_hwc_post_rx_wqe-and-new-hwc-response.patch
queue-6.6/mptcp-close-subflow-when-receiving-tcp-fin.patch
queue-6.6/btrfs-run-delayed-iputs-when-flushing-delalloc.patch
queue-6.6/selftests-mptcp-join-check-re-re-adding-id-0-endp.patch
queue-6.6/drm-vmwgfx-fix-prime-with-external-buffers.patch
queue-6.6/selftests-mptcp-join-no-extra-msg-if-no-counter.patch
queue-6.6/wifi-mwifiex-duplicate-static-structs-used-in-driver-instances.patch
queue-6.6/selftests-mptcp-join-check-removing-id-0-endpoint.patch
queue-6.6/mptcp-sched-check-both-backup-in-retrans.patch
queue-6.6/loongarch-remove-the-unused-dma-direct.h.patch
queue-6.6/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux