[PATCH 6.6] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration"), quilt, and git, applied the diff to the incorrect function, which would cause bad problems if exercised in a device with these capabilities.
Fix this all up (including the follow-up fix in commit 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") to be in the correct function.
Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration") Reported-by: Charles Yo charlesyo@google.com Cc: Kyle Tso kyletso@google.com Cc: Amit Sunil Dhamne amitsd@google.com Cc: Ondrej Jirman megi@xff.cz Cc: Heikki Krogerus heikki.krogerus@linux.intel.com Cc: Dmitry Baryshkov dmitry.baryshkov@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org ---
Note, this is also needed for 6.1, I'll fix up the git ids when committing it to the stable tree there as well.
drivers/usb/typec/tcpm/tcpm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 7db9c382c354..e053b6e99b9e 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { }; - struct usb_power_delivery_capabilities *cap; + struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(struct tcpm_port *port) memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); caps.role = TYPEC_SOURCE;
+ if (cap) { + usb_power_delivery_unregister_capabilities(cap); + port->partner_source_caps = NULL; + } + cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap); @@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { }; - struct usb_power_delivery_capabilities *cap = port->partner_source_caps; + struct usb_power_delivery_capabilities *cap;
if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps); caps.role = TYPEC_SINK;
- if (cap) { - usb_power_delivery_unregister_capabilities(cap); - port->partner_source_caps = NULL; - } - cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap);
On Fri, Aug 30, 2024 at 04:00:09PM +0200, Greg Kroah-Hartman wrote:
In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration"), quilt, and git, applied the diff to the incorrect function, which would cause bad problems if exercised in a device with these capabilities.
Fix this all up (including the follow-up fix in commit 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") to be in the correct function.
Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration") Reported-by: Charles Yo charlesyo@google.com Cc: Kyle Tso kyletso@google.com Cc: Amit Sunil Dhamne amitsd@google.com Cc: Ondrej Jirman megi@xff.cz Cc: Heikki Krogerus heikki.krogerus@linux.intel.com Cc: Dmitry Baryshkov dmitry.baryshkov@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Acked-by: Heikki Krogerus heikki.krogerus@linux.intel.com
Note, this is also needed for 6.1, I'll fix up the git ids when committing it to the stable tree there as well.
drivers/usb/typec/tcpm/tcpm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 7db9c382c354..e053b6e99b9e 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { };
- struct usb_power_delivery_capabilities *cap;
- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(struct tcpm_port *port) memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps); caps.role = TYPEC_SOURCE;
- if (cap) {
usb_power_delivery_unregister_capabilities(cap);port->partner_source_caps = NULL;- }
- cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap);
@@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) { struct usb_power_delivery_desc desc = { port->negotiated_rev }; struct usb_power_delivery_capabilities_desc caps = { };
- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
- struct usb_power_delivery_capabilities *cap;
if (!port->partner_pd) port->partner_pd = usb_power_delivery_register(NULL, &desc); @@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struct tcpm_port *port) memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps); caps.role = TYPEC_SINK;
- if (cap) {
usb_power_delivery_unregister_capabilities(cap);port->partner_source_caps = NULL;- }
- cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps); if (IS_ERR(cap)) return PTR_ERR(cap);
-- 2.46.0
On Mon, Sep 02, 2024 at 09:25:44AM +0300, Heikki Krogerus wrote:
On Fri, Aug 30, 2024 at 04:00:09PM +0200, Greg Kroah-Hartman wrote:
In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration"), quilt, and git, applied the diff to the incorrect function, which would cause bad problems if exercised in a device with these capabilities.
Fix this all up (including the follow-up fix in commit 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") to be in the correct function.
Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps") Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration") Reported-by: Charles Yo charlesyo@google.com Cc: Kyle Tso kyletso@google.com Cc: Amit Sunil Dhamne amitsd@google.com Cc: Ondrej Jirman megi@xff.cz Cc: Heikki Krogerus heikki.krogerus@linux.intel.com Cc: Dmitry Baryshkov dmitry.baryshkov@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Acked-by: Heikki Krogerus heikki.krogerus@linux.intel.com
Thanks for the review!
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Heikki Krogerus