[0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors

When reviewing a patch updating the qcom-pmic typec driver, I noticed
that the error handling is broken and can lead to use-after-free.

This series addresses the use-after-free and also fixes the error
handling in the pdphy_start() callback which failed to disable its
supply in all error paths.

The latter fix is not marked for stable on purpose as its not a critical
fix (I'm sure autosel will disagree).

Johan


Johan Hovold (2):
  usb: typec: qcom-pmic: fix use-after-free on late probe errors
  usb: typec: qcom-pmic: fix pdphy start() error handling

 drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c       |  8 ++++++--
 drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)

On 18/04/2024 15:57, Johan Hovold wrote:
> Make sure to stop and deregister the port in case of late probe errors
> to avoid use-after-free issues when the underlying memory is released by
> devres.
> 
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Cc: stable@vger.kernel.org	# 6.5
> Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
>   drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> index e48412cdcb0f..d3958c061a97 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
>   
>   	ret = tcpm->port_start(tcpm, tcpm->tcpm_port);
>   	if (ret)
> -		goto fwnode_remove;
> +		goto port_unregister;
>   
>   	ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port);
>   	if (ret)
> -		goto fwnode_remove;
> +		goto port_stop;
>   
>   	return 0;
>   
> +port_stop:
> +	tcpm->port_stop(tcpm);
> +port_unregister:
> +	tcpm_unregister_port(tcpm->tcpm_port);
>   fwnode_remove:
>   	fwnode_remove_software_node(tcpm->tcpc.fwnode);
>   

Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

On 18/04/2024 15:57, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
> 
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
>   drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
>   1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> index 6560f4fc98d5..5b7f52b74a40 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
>   
>   	qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
>   done:
> -	if (ret) {
> -		regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +	if (ret)
>   		dev_err(dev, "pdphy_enable fail %d\n", ret);
> -	}
>   
>   	return ret;
>   }
> @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
>   
>   	ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
>   	if (ret)
> -		return ret;
> +		goto err_disable_vdd_pdhy;
>   
>   	for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
>   		enable_irq(pmic_typec_pdphy->irq_data[i].irq);
>   
>   	return 0;
> +
> +err_disable_vdd_pdhy:
> +	regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +
> +	return ret;
>   }
>   
>   static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)

Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>