Re: Patch "usb: typec: ucsi: Check for notifications after init" has been added to the 6.8-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Sasha,

On Sun, Apr 07, 2024 at 08:53:40AM -0400, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
> 
>     usb: typec: ucsi: Check for notifications after init
> 
> to the 6.8-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary


This patch contains an out of bounds memory access and should not
be included in the stable backports until a fix is available.

A fix is already queued in Greg's usb-linus branch.

Please drop the above patch from all stable trees for now.

Sorry for the inconvenience.

> The filename of the patch is:
>      usb-typec-ucsi-check-for-notifications-after-init.patch
> and it can be found in the queue-6.8 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.
> 
> 
> 
> commit 903bfed719f3e87b607956bbe4d855c71831a43a
> Author: Christian A. Ehrhardt <lk@xxxxxxx>
> Date:   Wed Mar 20 08:39:23 2024 +0100
> 
>     usb: typec: ucsi: Check for notifications after init
>     
>     [ Upstream commit 808a8b9e0b87bbc72bcc1f7ddfe5d04746e7ce56 ]
>     
>     The completion notification for the final SET_NOTIFICATION_ENABLE
>     command during initialization can include a connector change
>     notification.  However, at the time this completion notification is
>     processed, the ucsi struct is not ready to handle this notification.
>     As a result the notification is ignored and the controller
>     never sends an interrupt again.
>     
>     Re-check CCI for a pending connector state change after
>     initialization is complete. Adjust the corresponding debug
>     message accordingly.
>     
>     Fixes: 71a1fa0df2a3 ("usb: typec: ucsi: Store the notification mask")
>     Cc: stable@xxxxxxxxxxxxxxx
>     Signed-off-by: Christian A. Ehrhardt <lk@xxxxxxx>
>     Reviewed-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
>     Tested-by: Neil Armstrong <neil.armstrong@xxxxxxxxxx> # on SM8550-QRD
>     Link: https://lore.kernel.org/r/20240320073927.1641788-3-lk@xxxxxxx
>     Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>     Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 0bfe5e906e543..96da828f556a9 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -962,7 +962,7 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>  	struct ucsi_connector *con = &ucsi->connector[num - 1];
>  
>  	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
> -		dev_dbg(ucsi->dev, "Bogus connector change event\n");
> +		dev_dbg(ucsi->dev, "Early connector change event\n");
>  		return;
>  	}
>  
> @@ -1393,6 +1393,7 @@ static int ucsi_init(struct ucsi *ucsi)
>  {
>  	struct ucsi_connector *con, *connector;
>  	u64 command, ntfy;
> +	u32 cci;
>  	int ret;
>  	int i;
>  
> @@ -1445,6 +1446,13 @@ static int ucsi_init(struct ucsi *ucsi)
>  
>  	ucsi->connector = connector;
>  	ucsi->ntfy = ntfy;
> +
> +	ret = ucsi->ops->read(ucsi, UCSI_CCI, &cci, sizeof(cci));
> +	if (ret)
> +		return ret;
> +	if (UCSI_CCI_CONNECTOR(READ_ONCE(cci)))
> +		ucsi_connector_change(ucsi, cci);
> +
>  	return 0;
>  
>  err_unregister:
> 


Best regards
Christian





[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux