mbox series

[v2,0/3] usb: ucsi: 3 bug fixes

Message ID 20230306103359.6591-1-hdegoede@redhat.com
Headers show
Series usb: ucsi: 3 bug fixes | expand

Message

Hans de Goede March 6, 2023, 10:33 a.m. UTC
Hi Heikki,

Here is v2 of my ucsi bugfix series.

Changes in v2:
-Delay setting ucsi->ntfy in ucsi_init() instead of adding a NULL pointer
 check to ucsi_connector_change()

Regards,

Hans


Hans de Goede (3):
  usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()
  usb: ucsi: Fix ucsi->connector race
  usb: ucsi_acpi: Increase the command completion timeout

 drivers/usb/typec/ucsi/ucsi.c      | 31 ++++++++++++++----------------
 drivers/usb/typec/ucsi/ucsi_acpi.c |  2 +-
 2 files changed, 15 insertions(+), 18 deletions(-)

Comments

Heikki Krogerus March 7, 2023, 7:32 a.m. UTC | #1
On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote:
> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> pointer.
> 
> Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
> has succeeded, so that ucsi_connector_change() ignores the events
> because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

> ---
> Changes in v2:
> -Delay setting ucsi->ntfy in ucsi_init() instead of adding a NULL pointer
>  check to ucsi_connector_change()
> ---
>  drivers/usb/typec/ucsi/ucsi.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 1cf8947c6d66..8cbbb002fefe 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1205,7 +1205,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
>  static int ucsi_init(struct ucsi *ucsi)
>  {
>  	struct ucsi_connector *con;
> -	u64 command;
> +	u64 command, ntfy;
>  	int ret;
>  	int i;
>  
> @@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi)
>  	}
>  
>  	/* Enable basic notifications */
> -	ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
> -	command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
> +	ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
> +	command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
>  	ret = ucsi_send_command(ucsi, command, NULL, 0);
>  	if (ret < 0)
>  		goto err_reset;
> @@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi)
>  	}
>  
>  	/* Enable all notifications */
> -	ucsi->ntfy = UCSI_ENABLE_NTFY_ALL;
> -	command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
> +	ntfy = UCSI_ENABLE_NTFY_ALL;
> +	command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
>  	ret = ucsi_send_command(ucsi, command, NULL, 0);
>  	if (ret < 0)
>  		goto err_unregister;
>  
> +	ucsi->ntfy = ntfy;
>  	return 0;
>  
>  err_unregister:
> -- 
> 2.39.1
Heikki Krogerus March 7, 2023, 7:46 a.m. UTC | #2
Hi Hans,

On Mon, Mar 06, 2023 at 11:33:58AM +0100, Hans de Goede wrote:
> ucsi_init() which runs from a workqueue sets ucsi->connector and
> on an error will clear it again.
> 
> ucsi->connector gets dereferenced by ucsi_resume(), this checks for
> ucsi->connector being NULL in case ucsi_init() has not finished yet;
> or in case ucsi_init() has failed.
> 
> ucsi_init() setting ucsi->connector and then clearing it again on
> an error creates a race where the check in ucsi_resume() may pass,
> only to have ucsi->connector free-ed underneath it when ucsi_init()
> hits an error.
> 
> Fix this race by making ucsi_init() store the connector array in
> a local variable and only assign it to ucsi->connector on success.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

This does not apply anymore on top of Greg's usb-next. I think you
need to rebase. While at it, I have one nit below...

> ---
>  drivers/usb/typec/ucsi/ucsi.c | 20 ++++++++------------
>  1 file changed, 8 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 8cbbb002fefe..15a2c91581a8 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1039,9 +1039,8 @@ static struct fwnode_handle *ucsi_find_fwnode(struct ucsi_connector *con)
>  	return NULL;
>  }
>  
> -static int ucsi_register_port(struct ucsi *ucsi, int index)
> +static int ucsi_register_port(struct ucsi *ucsi, int index, struct ucsi_connector *con)

If con->num was set before this function is called, you don't need
"index" at all:

static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con)

>  {
> -	struct ucsi_connector *con = &ucsi->connector[index];
>  	struct typec_capability *cap = &con->typec_cap;
>  	enum typec_accessory *accessory = cap->accessory;
>  	enum usb_role u_role = USB_ROLE_NONE;
> @@ -1204,7 +1203,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
>   */
>  static int ucsi_init(struct ucsi *ucsi)
>  {
> -	struct ucsi_connector *con;
> +	struct ucsi_connector *con, *connector;
>  	u64 command, ntfy;
>  	int ret;
>  	int i;
> @@ -1235,16 +1234,15 @@ static int ucsi_init(struct ucsi *ucsi)
>  	}
>  
>  	/* Allocate the connectors. Released in ucsi_unregister() */
> -	ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1,
> -				  sizeof(*ucsi->connector), GFP_KERNEL);
> -	if (!ucsi->connector) {
> +	connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL);
> +	if (!connector) {
>  		ret = -ENOMEM;
>  		goto err_reset;
>  	}
>  
>  	/* Register all connectors */
>  	for (i = 0; i < ucsi->cap.num_connectors; i++) {
> -		ret = ucsi_register_port(ucsi, i);

Assign it here:

                connector[i].num = i + 1;

> +		ret = ucsi_register_port(ucsi, i, &connector[i]);
>  		if (ret)
>  			goto err_unregister;
>  	}
> @@ -1256,11 +1254,12 @@ static int ucsi_init(struct ucsi *ucsi)
>  	if (ret < 0)
>  		goto err_unregister;
>  
> +	ucsi->connector = connector;
>  	ucsi->ntfy = ntfy;
>  	return 0;
>  
>  err_unregister:
> -	for (con = ucsi->connector; con->port; con++) {
> +	for (con = connector; con->port; con++) {
>  		ucsi_unregister_partner(con);
>  		ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON);
>  		ucsi_unregister_port_psy(con);
> @@ -1269,10 +1268,7 @@ static int ucsi_init(struct ucsi *ucsi)
>  		typec_unregister_port(con->port);
>  		con->port = NULL;
>  	}
> -
> -	kfree(ucsi->connector);
> -	ucsi->connector = NULL;
> -
> +	kfree(connector);
>  err_reset:
>  	memset(&ucsi->cap, 0, sizeof(ucsi->cap));
>  	ucsi_reset_ppm(ucsi);

thanks,
Heikki Krogerus March 7, 2023, 9:17 a.m. UTC | #3
Hi Hans,

On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote:
> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> pointer.
> 
> Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
> has succeeded, so that ucsi_connector_change() ignores the events
> because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

There is now a bug report for this in the kernel.org bugzilla. Can you
add a Link tag pointing to it so the it gets updated automagically:

Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106

Thanks,

> ---
> Changes in v2:
> -Delay setting ucsi->ntfy in ucsi_init() instead of adding a NULL pointer
>  check to ucsi_connector_change()
> ---
>  drivers/usb/typec/ucsi/ucsi.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 1cf8947c6d66..8cbbb002fefe 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -1205,7 +1205,7 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
>  static int ucsi_init(struct ucsi *ucsi)
>  {
>  	struct ucsi_connector *con;
> -	u64 command;
> +	u64 command, ntfy;
>  	int ret;
>  	int i;
>  
> @@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi)
>  	}
>  
>  	/* Enable basic notifications */
> -	ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
> -	command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
> +	ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
> +	command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
>  	ret = ucsi_send_command(ucsi, command, NULL, 0);
>  	if (ret < 0)
>  		goto err_reset;
> @@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi)
>  	}
>  
>  	/* Enable all notifications */
> -	ucsi->ntfy = UCSI_ENABLE_NTFY_ALL;
> -	command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
> +	ntfy = UCSI_ENABLE_NTFY_ALL;
> +	command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
>  	ret = ucsi_send_command(ucsi, command, NULL, 0);
>  	if (ret < 0)
>  		goto err_unregister;
>  
> +	ucsi->ntfy = ntfy;
>  	return 0;
>  
>  err_unregister:
> -- 
> 2.39.1
Greg Kroah-Hartman March 7, 2023, 9:28 a.m. UTC | #4
On Tue, Mar 07, 2023 at 11:17:05AM +0200, Heikki Krogerus wrote:
> Hi Hans,
> 
> On Mon, Mar 06, 2023 at 11:33:57AM +0100, Hans de Goede wrote:
> > When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> > ucsi_acpi we may still get events which cause the ucs_acpi code to call
> > ucsi_connector_change(), which then derefs the NULL ucsi->connector
> > pointer.
> > 
> > Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
> > has succeeded, so that ucsi_connector_change() ignores the events
> > because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
> > 
> > Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> 
> There is now a bug report for this in the kernel.org bugzilla. Can you
> add a Link tag pointing to it so the it gets updated automagically:
> 
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106

My tools should pick this up, thanks.

greg k-h