On Thu, Mar 30, 2023 at 04:28:56PM +0000, Joakim Tjernlund wrote:
> On Wed, 2023-03-29 at 10:03 +0200, Joakim Tjernlund wrote:
> > From: Hans de Goede <hdegoede@xxxxxxxxxx>
> >
> > ucsi_init() which runs from a workqueue sets ucsi->connector and
> > on an error will clear it again.
> >
> > ucsi->connector gets dereferenced by ucsi_resume(), this checks for
> > ucsi->connector being NULL in case ucsi_init() has not finished yet;
> > or in case ucsi_init() has failed.
> >
> > ucsi_init() setting ucsi->connector and then clearing it again on
> > an error creates a race where the check in ucsi_resume() may pass,
> > only to have ucsi->connector free-ed underneath it when ucsi_init()
> > hits an error.
> >
> > Fix this race by making ucsi_init() store the connector array in
> > a local variable and only assign it to ucsi->connector on success.
> >
> > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> > Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
> > Link: https://lore.kernel.org/r/20230308154244.722337-3-hdegoede@xxxxxxxxxx
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > (cherry picked from commit 0482c34ec6f8557e06cd0f8e2d0e20e8ede6a22c)
> > Signed-off-by: Joakim Tjernlund <joakim.tjernlund@xxxxxxxxxxxx>
> > ---
> >
> > - This is a dry port to 6.1.x, will be some time before it will be tested.
>
> Tested OK now on 6.1.22
Thanks, now queued up for 6.2.y and 6.1.y. Still need backports for
older kernels if you want to do that...
thanks,
greg k-h
