On Thu, Mar 30, 2023 at 04:28:56PM +0000, Joakim Tjernlund wrote:
On Wed, 2023-03-29 at 10:03 +0200, Joakim Tjernlund wrote:
From: Hans de Goede <hdegoede@redhat.com>
ucsi_init() which runs from a workqueue sets ucsi->connector and on an error will clear it again.
ucsi->connector gets dereferenced by ucsi_resume(), this checks for ucsi->connector being NULL in case ucsi_init() has not finished yet; or in case ucsi_init() has failed.
ucsi_init() setting ucsi->connector and then clearing it again on an error creates a race where the check in ucsi_resume() may pass, only to have ucsi->connector freed underneath it when ucsi_init() hits an error.
Fix this race by making ucsi_init() store the connector array in a local variable and only assign it to ucsi->connector on success.
Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
Cc: stable@vger.kernel.org
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20230308154244.722337-3-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0482c34ec6f8557e06cd0f8e2d0e20e8ede6a22c)
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
- This is a dry port to 6.1.x, will be some time before it will be tested.
Tested OK now on 6.1.22
Thanks, now queued up for 6.2.y and 6.1.y. Still need backports for older kernels if you want to do that...
thanks,
greg k-h
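The publish-then-clear race and the local-variable fix described in the quoted commit message, as an added userspace C model that is not part of the thread or of the kernel patch. The struct names, register_one(), and the exposed flag are hypothetical stand-ins; exposed records whether a NULL check on the shared pointer could have passed while init was still able to fail.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; all names are hypothetical, not the kernel's structures. */
struct conn { int registered; };
struct ctx { struct conn *connector; int exposed; };

/* Registration step stand-in: records whether the shared pointer is already
 * visible (a concurrent NULL check would pass); fails when i == fail_at. */
static int register_one(struct ctx *c, struct conn *con, int i, int fail_at)
{
    if (c->connector)
        c->exposed = 1;
    con->registered = (i != fail_at);
    return con->registered ? 0 : -1;
}

/* Before: publish first, then free and clear on error. */
static int init_racy(struct ctx *c, int n, int fail_at)
{
    c->connector = calloc((size_t)n, sizeof(*c->connector));
    for (int i = 0; c->connector && i < n; i++)
        if (register_one(c, &c->connector[i], i, fail_at)) {
            free(c->connector);
            c->connector = NULL;
        }
    return c->connector ? 0 : -1;
}

/* After: build in a local variable, publish only on success. */
static int init_fixed(struct ctx *c, int n, int fail_at)
{
    struct conn *connector = calloc((size_t)n, sizeof(*connector));
    for (int i = 0; connector && i < n; i++)
        if (register_one(c, &connector[i], i, fail_at)) {
            free(connector);
            connector = NULL;
        }
    if (!connector)
        return -1;
    c->connector = connector;
    return 0;
}

int main(void)
{
    struct ctx a = {0}, b = {0};
    int ra = init_racy(&a, 2, 1), rb = init_fixed(&b, 2, 1);
    printf("racy: rc=%d exposed=%d; fixed: rc=%d exposed=%d\n", ra, a.exposed, rb, b.exposed);
}
```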