From: Hans de Goede <hdegoede@xxxxxxxxxx> commit 7e90057f125c8c852940b848e06e7a72f050fc6f upstream. Fix 2 unlocked ucsi_run_command calls: 1. ucsi_handle_connector_change() contains one ucsi_send_command() call, which takes the ppm_lock for it; and one ucsi_run_command() call which relies on the caller have taking the ppm_lock. ucsi_handle_connector_change() does not take the lock, so the second (ucsi_run_command) calls should also be ucsi_send_command(). 2. ucsi_get_pdos() gets called from ucsi_handle_connector_change() which does not hold the ppm_lock, so it also must use ucsi_send_command(). This commit also adds a WARN_ON(!mutex_is_locked(&ucsi->ppm_lock)); to ucsi_run_command() to avoid similar problems getting re-introduced in the future. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx> Acked-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx> Reviewed-by: Guenter Roeck <linux@xxxxxxxxxxxx> Link: https://lore.kernel.org/r/20200809141904.4317-3-hdegoede@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/typec/ucsi/ucsi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -152,6 +152,8 @@ static int ucsi_run_command(struct ucsi u8 length; int ret; + WARN_ON(!mutex_is_locked(&ucsi->ppm_lock)); + ret = ucsi_exec_command(ucsi, command); if (ret < 0) return ret; @@ -502,7 +504,7 @@ static void ucsi_get_pdos(struct ucsi_co command |= UCSI_GET_PDOS_PARTNER_PDO(is_partner); command |= UCSI_GET_PDOS_NUM_PDOS(UCSI_MAX_PDOS - 1); command |= UCSI_GET_PDOS_SRC_PDOS; - ret = ucsi_run_command(ucsi, command, con->src_pdos, + ret = ucsi_send_command(ucsi, command, con->src_pdos, sizeof(con->src_pdos)); if (ret < 0) { dev_err(ucsi->dev, "UCSI_GET_PDOS failed (%d)\n", ret); @@ -681,7 +683,7 @@ static void ucsi_handle_connector_change */ command = UCSI_GET_CAM_SUPPORTED; command |= UCSI_CONNECTOR_NUMBER(con->num); - ucsi_run_command(con->ucsi, command, NULL, 0); + ucsi_send_command(con->ucsi, command, NULL, 0); } if (con->status.change & UCSI_CONSTAT_PARTNER_CHANGE)