Date: Mon, 29 Apr 2024 11:28:28 +0300
From: Heikki Krogerus
To: Badhri Jagan Sridharan
Cc: gregkh@linuxfoundation.org, linux@roeck-us.net, kyletso@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, rdbabiera@google.com, amitsd@google.com, stable@vger.kernel.org, frank.wang@rock-chips.com, broonie@kernel.org, dmitry.baryshkov@linaro.org
Subject: Re: [PATCH v3] usb: typec: tcpm: Check for port partner validity before consuming it
In-Reply-To: <20240427202812.3435268-1-badhri@google.com>

On Sat, Apr 27, 2024 at 08:28:12PM +0000, Badhri Jagan Sridharan wrote:
> typec_register_partner() does not guarantee partner registration
> to always succeed. In the event of failure, port->partner is set
> to the error value or NULL. Given that port->partner validity is
> not checked, this results in the following crash:
>
> Unable to handle kernel NULL pointer dereference at virtual address xx
> pc : run_state_machine+0x1bc8/0x1c08
> lr : run_state_machine+0x1b90/0x1c08
> ..
> Call trace:
> run_state_machine+0x1bc8/0x1c08
> tcpm_state_machine_work+0x94/0xe4
> kthread_worker_fn+0x118/0x328
> kthread+0x1d0/0x23c
> ret_from_fork+0x10/0x20
>
> To prevent the crash, check for port->partner validity before
> dereferencing it in all the call sites.
>
> Cc: stable@vger.kernel.org
> Fixes: c97cd0b4b54e ("usb: typec: tcpm: set initial svdm version based on pd revision")
> Signed-off-by: Badhri Jagan Sridharan

Reviewed-by: Heikki Krogerus

> --- > drivers/usb/typec/tcpm/tcpm.c | 30 +++++++++++++++++++++++------- > 1 file changed, 23 insertions(+), 7 deletions(-) > > diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c > index ab6ed6111ed0..e1c6dffe5f8b 100644 > --- a/drivers/usb/typec/tcpm/tcpm.c > +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -1580,7 +1580,8 @@ static void svdm_consume_identity(struct tcpm_port *port, const u32 *p, int cnt) > port->partner_ident.cert_stat = p[VDO_INDEX_CSTAT]; > port->partner_ident.product = product; > > - typec_partner_set_identity(port->partner); > + if (port->partner) > + typec_partner_set_identity(port->partner); > > tcpm_log(port, "Identity: %04x:%04x.%04x", > PD_IDH_VID(vdo), > @@ -1742,6 +1743,9 @@ static void tcpm_register_partner_altmodes(struct tcpm_port *port) > struct typec_altmode *altmode; > int i; > > + if (!port->partner) > + return; > + > for (i = 0; i < modep->altmodes; i++) { > altmode = typec_partner_register_altmode(port->partner, > &modep->altmode_desc[i]); > @@ -4231,7 +4235,10 @@ static int tcpm_init_vconn(struct tcpm_port *port) > > static void tcpm_typec_connect(struct tcpm_port *port) > { > + struct typec_partner *partner; > + > if (!port->connected) { > + port->connected = true; > /* Make sure we don't report stale identity information */ > memset(&port->partner_ident, 0, sizeof(port->partner_ident)); > port->partner_desc.usb_pd = port->pd_capable; > @@ -4241,9 +4248,13 @@ static void tcpm_typec_connect(struct tcpm_port *port) > port->partner_desc.accessory = TYPEC_ACCESSORY_AUDIO; > else > port->partner_desc.accessory = TYPEC_ACCESSORY_NONE; > - port->partner = typec_register_partner(port->typec_port, > - &port->partner_desc); > - port->connected = true; > + partner = typec_register_partner(port->typec_port, &port->partner_desc); > + if (IS_ERR(partner)) { > + dev_err(port->dev, "Failed to register partner (%ld)\n", PTR_ERR(partner)); > + return; > + } > + > + port->partner = partner; > typec_partner_set_usb_power_delivery(port->partner, port->partner_pd); > } > } 
> @@ -4323,9 +4334,11 @@ static void tcpm_typec_disconnect(struct tcpm_port *port) > port->plug_prime = NULL; > port->cable = NULL; > if (port->connected) { > - typec_partner_set_usb_power_delivery(port->partner, NULL); > - typec_unregister_partner(port->partner); > - port->partner = NULL; > + if (port->partner) { > + typec_partner_set_usb_power_delivery(port->partner, NULL); > + typec_unregister_partner(port->partner); > + port->partner = NULL; > + } > port->connected = false; > } > } > @@ -4549,6 +4562,9 @@ static enum typec_cc_status tcpm_pwr_opmode_to_rp(enum typec_pwr_opmode opmode) > > static void tcpm_set_initial_svdm_version(struct tcpm_port *port) > { > + if (!port->partner) > + return; > + > switch (port->negotiated_rev) { > case PD_REV30: > break; > > base-commit: 3f12222a4bebeb13ce06ddecc1610ad32fa835dd > -- > 2.44.0.769.g3c40516874-goog -- heikki
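
Review bot: In the tcpm_typec_connect() hunk, the IS_ERR(partner) branch returns with port->connected already set to true and port->partner left untouched, so every later `if (!port->partner)` guard depends on port->partner being NULL on entry to this function. The tcpm_typec_disconnect() hunk does reset it to NULL, but nothing in the connect path states the invariant. A short comment above `port->connected = true;` saying that the flag is set even when registration fails, and that port->partner then stays NULL, would make this explicit. The error path could also assign `port->partner = NULL;` before `return;` so the guarantee does not rest on the previous disconnect.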
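
Review bot: The guards added in svdm_consume_identity(), tcpm_register_partner_altmodes() and tcpm_set_initial_svdm_version() test only for NULL, while the commit message says a failed registration leaves port->partner as "the error value or NULL". With this patch an error pointer can no longer be stored, because tcpm_typec_connect() assigns port->partner only after the IS_ERR() test, so the NULL-only checks are sufficient, but the changelog should say that this is why. If typec_register_partner() can return NULL as the message implies, the connect hunk needs IS_ERR_OR_NULL() instead, since the unguarded `typec_partner_set_usb_power_delivery(port->partner, port->partner_pd);` call follows directly. Otherwise the "or NULL" wording should be dropped from the commit message.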