2024-04-18 14:59:51

by Johan Hovold

Subject: [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors

When reviewing a patch updating the qcom-pmic typec driver, I noticed
that the error handling is broken and can lead to use-after-free.

This series addresses the use-after-free and also fixes the error
handling in the pdphy_start() callback which failed to disable its
supply in all error paths.

The latter fix is not marked for stable on purpose as it's not a critical
fix (I'm sure autosel will disagree).

Johan


Johan Hovold (2):
usb: typec: qcom-pmic: fix use-after-free on late probe errors
usb: typec: qcom-pmic: fix pdphy start() error handling

drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
2 files changed, 13 insertions(+), 6 deletions(-)

--
2.43.2



2024-04-18 15:27:52

by Johan Hovold

Subject: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling

Move disabling of the vdd-pdphy supply to the start() function which
enabled it for symmetry and to make sure that it is disabled as intended
in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
qcom_pmic_typec_pdphy_enable() fails).

Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
index 6560f4fc98d5..5b7f52b74a40 100644
--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
+++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
@@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph

qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
done:
- if (ret) {
- regulator_disable(pmic_typec_pdphy->vdd_pdphy);
+ if (ret)
dev_err(dev, "pdphy_enable fail %d\n", ret);
- }

return ret;
}
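Review bot: at the `done:` label in qcom_pmic_typec_pdphy_enable(), a failure now returns with vdd_pdphy still enabled, so the function has gone from cleaning up after itself to relying on its caller, and nothing in the code records that. A short comment above the function or at `done:` stating that the caller owns the supply and must call regulator_disable() on error would keep a later caller from reintroducing the leak this patch removes.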
@@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,

ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
if (ret)
- return ret;
+ goto err_disable_vdd_pdhy;

for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
enable_irq(pmic_typec_pdphy->irq_data[i].irq);

return 0;
+
+err_disable_vdd_pdhy:
+ regulator_disable(pmic_typec_pdphy->vdd_pdphy);
+
+ return ret;
}

static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)
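Review bot: the new label in qcom_pmic_typec_pdphy_start() is spelled `err_disable_vdd_pdhy`, dropping the second 'p' of the `vdd_pdphy` supply it disables. Rename it to `err_disable_vdd_pdphy` in both the `goto` and the label so that a grep for the supply name also finds this error path.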
--
2.43.2


2024-04-18 18:01:00

by Dmitry Baryshkov

Subject: Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling

On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <[email protected]>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

Reviewed-by: Dmitry Baryshkov <[email protected]>


--
With best wishes
Dmitry

2024-04-18 23:42:07

by Bryan O'Donoghue

Subject: Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling

On 18/04/2024 15:57, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <[email protected]>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> index 6560f4fc98d5..5b7f52b74a40 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
>
> qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
> done:
> - if (ret) {
> - regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> + if (ret)
> dev_err(dev, "pdphy_enable fail %d\n", ret);
> - }
>
> return ret;
> }
> @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
>
> ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
> if (ret)
> - return ret;
> + goto err_disable_vdd_pdhy;
>
> for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
> enable_irq(pmic_typec_pdphy->irq_data[i].irq);
>
> return 0;
> +
> +err_disable_vdd_pdhy:
> + regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +
> + return ret;
> }
>
> static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)

Reviewed-by: Bryan O'Donoghue <[email protected]>

2024-04-22 11:20:27

by Heikki Krogerus

Subject: Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling

On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <[email protected]>

Reviewed-by: Heikki Krogerus <[email protected]>

> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> index 6560f4fc98d5..5b7f52b74a40 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
>
> qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
> done:
> - if (ret) {
> - regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> + if (ret)
> dev_err(dev, "pdphy_enable fail %d\n", ret);
> - }
>
> return ret;
> }
> @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
>
> ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
> if (ret)
> - return ret;
> + goto err_disable_vdd_pdhy;
>
> for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
> enable_irq(pmic_typec_pdphy->irq_data[i].irq);
>
> return 0;
> +
> +err_disable_vdd_pdhy:
> + regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +
> + return ret;
> }
>
> static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)
> --
> 2.43.2

--
heikki