On Tue, Feb 28, 2023 at 11:15:46AM +0100, Hans de Goede wrote:
Hi,
On 2/28/23 11:05, Heikki Krogerus wrote:
On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
When ucsi_init() fails, ucsi->connector is NULL, yet in case of ucsi_acpi we may still get events which cause the ucs_acpi code to call ucsi_connector_change(), which then derefs the NULL ucsi->connector pointer.
Fix this by adding a check for ucsi->connector being NULL, as is already done in ucsi_resume() for similar reasons.
Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede hdegoede@redhat.com
drivers/usb/typec/ucsi/ucsi.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 1cf8947c6d66..e762897cb25a 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) */ void ucsi_connector_change(struct ucsi *ucsi, u8 num) {
- struct ucsi_connector *con = &ucsi->connector[num - 1];
- struct ucsi_connector *con;
- /* Check for ucsi_init() failure */
- if (!ucsi->connector)
return;- con = &ucsi->connector[num - 1];
if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { dev_dbg(ucsi->dev, "Bogus connector change event\n");
I think we should try to rely on that ucsi->ntfy. Would this work:
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index fe1963e328378..0da1e9c66971a 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work) */ void ucsi_connector_change(struct ucsi *ucsi, u8 num) {
struct ucsi_connector *con = &ucsi->connector[num - 1];if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { dev_dbg(ucsi->dev, "Bogus connector change event\n"); return; }if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
schedule_work(&con->work);
schedule_work(&ucsi->connector[num - 1].work);} EXPORT_SYMBOL_GPL(ucsi_connector_change);
This hunk is not necessary, the con pointer pointing to lala land is not an issue as long as we don't deref it. The &ucsi->connector[num - 1]; does not deref ucsi->connector it it simply adds an offset to it and stores that in con (the backtrace I got pointed to the schedule_work call).
But I guess your way does make it more obvious that we don't deref ucsi->connector.
@@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi) ucsi->connector = NULL; err_reset:
ucsi->ntfy = 0; memset(&ucsi->cap, 0, sizeof(ucsi->cap)); ucsi_reset_ppm(ucsi);err:
In would expect this to fix things, but I only have access to the monitor triggering this on Mondays, so I can only 100% confirm next Monday.
Note this does open the race I try to fix in patch 2/3 again.
So what should be done here is to make ntfy a local variable and only store it in ucsi->ntfy on success.
OK.
thanks,