diff mbox series

[1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()

Message ID 20230228090305.9335-1-hdegoede@redhat.com (mailing list archive)
State New, archived
Headers show
Series [1/3] usb: ucsi: Fix NULL pointer deref in ucsi_connector_change() | expand

Commit Message

Hans de Goede Feb. 28, 2023, 9:03 a.m. UTC
When ucsi_init() fails, ucsi->connector is NULL, yet in case of
ucsi_acpi we may still get events which cause the ucs_acpi code to call
ucsi_connector_change(), which then derefs the NULL ucsi->connector
pointer.

Fix this by adding a check for ucsi->connector being NULL, as is
already done in ucsi_resume() for similar reasons.

Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Greg Kroah-Hartman Feb. 28, 2023, 9:28 a.m. UTC | #1
On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> pointer.
> 
> Fix this by adding a check for ucsi->connector being NULL, as is
> already done in ucsi_resume() for similar reasons.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 1cf8947c6d66..e762897cb25a 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
>   */
>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>  {
> -	struct ucsi_connector *con = &ucsi->connector[num - 1];
> +	struct ucsi_connector *con;
> +
> +	/* Check for ucsi_init() failure */
> +	if (!ucsi->connector)
> +		return;
> +
> +	con = &ucsi->connector[num - 1];

What prevents ->connector from changing to NULL right after you check
this and before you dereference it again?

thanks,

greg k-h
Heikki Krogerus Feb. 28, 2023, 10:05 a.m. UTC | #2
On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> pointer.
> 
> Fix this by adding a check for ucsi->connector being NULL, as is
> already done in ucsi_resume() for similar reasons.
> 
> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index 1cf8947c6d66..e762897cb25a 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
>   */
>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>  {
> -	struct ucsi_connector *con = &ucsi->connector[num - 1];
> +	struct ucsi_connector *con;
> +
> +	/* Check for ucsi_init() failure */
> +	if (!ucsi->connector)
> +		return;
> +
> +	con = &ucsi->connector[num - 1];
>  
>  	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
>  		dev_dbg(ucsi->dev, "Bogus connector change event\n");

I think we should try to rely on that ucsi->ntfy. Would this work:

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index fe1963e328378..0da1e9c66971a 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-       struct ucsi_connector *con = &ucsi->connector[num - 1];
-
        if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
                dev_dbg(ucsi->dev, "Bogus connector change event\n");
                return;
        }
 
        if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
-               schedule_work(&con->work);
+               schedule_work(&ucsi->connector[num - 1].work);
 }
 EXPORT_SYMBOL_GPL(ucsi_connector_change);
 
@@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi)
        ucsi->connector = NULL;
 
 err_reset:
+       ucsi->ntfy = 0;
        memset(&ucsi->cap, 0, sizeof(ucsi->cap));
        ucsi_reset_ppm(ucsi);
 err:
Hans de Goede Feb. 28, 2023, 10:15 a.m. UTC | #3
Hi,

On 2/28/23 11:05, Heikki Krogerus wrote:
> On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
>> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
>> ucsi_acpi we may still get events which cause the ucs_acpi code to call
>> ucsi_connector_change(), which then derefs the NULL ucsi->connector
>> pointer.
>>
>> Fix this by adding a check for ucsi->connector being NULL, as is
>> already done in ucsi_resume() for similar reasons.
>>
>> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> ---
>>  drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
>> index 1cf8947c6d66..e762897cb25a 100644
>> --- a/drivers/usb/typec/ucsi/ucsi.c
>> +++ b/drivers/usb/typec/ucsi/ucsi.c
>> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
>>   */
>>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>>  {
>> -	struct ucsi_connector *con = &ucsi->connector[num - 1];
>> +	struct ucsi_connector *con;
>> +
>> +	/* Check for ucsi_init() failure */
>> +	if (!ucsi->connector)
>> +		return;
>> +
>> +	con = &ucsi->connector[num - 1];
>>  
>>  	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
>>  		dev_dbg(ucsi->dev, "Bogus connector change event\n");
> 
> I think we should try to rely on that ucsi->ntfy. Would this work:
> 
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> index fe1963e328378..0da1e9c66971a 100644
> --- a/drivers/usb/typec/ucsi/ucsi.c
> +++ b/drivers/usb/typec/ucsi/ucsi.c
> @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
>   */
>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
>  {
> -       struct ucsi_connector *con = &ucsi->connector[num - 1];
> -
>         if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
>                 dev_dbg(ucsi->dev, "Bogus connector change event\n");
>                 return;
>         }
>  
>         if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
> -               schedule_work(&con->work);
> +               schedule_work(&ucsi->connector[num - 1].work);
>  }
>  EXPORT_SYMBOL_GPL(ucsi_connector_change);
>  

This hunk is not necessary, the con pointer pointing to lala land is
not an issue as long as we don't deref it. The &ucsi->connector[num - 1];
does not deref ucsi->connector it it simply adds an offset to it and
stores that in con (the backtrace I got pointed to the schedule_work call).

But I guess your way does make it more obvious that we don't
deref ucsi->connector.

> @@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi)
>         ucsi->connector = NULL;
>  
>  err_reset:
> +       ucsi->ntfy = 0;
>         memset(&ucsi->cap, 0, sizeof(ucsi->cap));
>         ucsi_reset_ppm(ucsi);
>  err:

In would expect this to fix things, but I only have access to the monitor
triggering this on Mondays, so I can only 100% confirm next Monday.

Note this does open the race I try to fix in patch 2/3 again.

So what should be done here is to make ntfy a local variable and only
store it in ucsi->ntfy on success.

Regards,

Hans
Heikki Krogerus Feb. 28, 2023, 11:41 a.m. UTC | #4
On Tue, Feb 28, 2023 at 11:15:46AM +0100, Hans de Goede wrote:
> Hi,
> 
> On 2/28/23 11:05, Heikki Krogerus wrote:
> > On Tue, Feb 28, 2023 at 10:03:03AM +0100, Hans de Goede wrote:
> >> When ucsi_init() fails, ucsi->connector is NULL, yet in case of
> >> ucsi_acpi we may still get events which cause the ucs_acpi code to call
> >> ucsi_connector_change(), which then derefs the NULL ucsi->connector
> >> pointer.
> >>
> >> Fix this by adding a check for ucsi->connector being NULL, as is
> >> already done in ucsi_resume() for similar reasons.
> >>
> >> Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> >> ---
> >>  drivers/usb/typec/ucsi/ucsi.c | 8 +++++++-
> >>  1 file changed, 7 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> >> index 1cf8947c6d66..e762897cb25a 100644
> >> --- a/drivers/usb/typec/ucsi/ucsi.c
> >> +++ b/drivers/usb/typec/ucsi/ucsi.c
> >> @@ -842,7 +842,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
> >>   */
> >>  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
> >>  {
> >> -	struct ucsi_connector *con = &ucsi->connector[num - 1];
> >> +	struct ucsi_connector *con;
> >> +
> >> +	/* Check for ucsi_init() failure */
> >> +	if (!ucsi->connector)
> >> +		return;
> >> +
> >> +	con = &ucsi->connector[num - 1];
> >>  
> >>  	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
> >>  		dev_dbg(ucsi->dev, "Bogus connector change event\n");
> > 
> > I think we should try to rely on that ucsi->ntfy. Would this work:
> > 
> > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
> > index fe1963e328378..0da1e9c66971a 100644
> > --- a/drivers/usb/typec/ucsi/ucsi.c
> > +++ b/drivers/usb/typec/ucsi/ucsi.c
> > @@ -928,15 +928,13 @@ static void ucsi_handle_connector_change(struct work_struct *work)
> >   */
> >  void ucsi_connector_change(struct ucsi *ucsi, u8 num)
> >  {
> > -       struct ucsi_connector *con = &ucsi->connector[num - 1];
> > -
> >         if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
> >                 dev_dbg(ucsi->dev, "Bogus connector change event\n");
> >                 return;
> >         }
> >  
> >         if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
> > -               schedule_work(&con->work);
> > +               schedule_work(&ucsi->connector[num - 1].work);
> >  }
> >  EXPORT_SYMBOL_GPL(ucsi_connector_change);
> >  
> 
> This hunk is not necessary, the con pointer pointing to lala land is
> not an issue as long as we don't deref it. The &ucsi->connector[num - 1];
> does not deref ucsi->connector it it simply adds an offset to it and
> stores that in con (the backtrace I got pointed to the schedule_work call).
> 
> But I guess your way does make it more obvious that we don't
> deref ucsi->connector.
> 
> > @@ -1404,6 +1402,7 @@ static int ucsi_init(struct ucsi *ucsi)
> >         ucsi->connector = NULL;
> >  
> >  err_reset:
> > +       ucsi->ntfy = 0;
> >         memset(&ucsi->cap, 0, sizeof(ucsi->cap));
> >         ucsi_reset_ppm(ucsi);
> >  err:
> 
> In would expect this to fix things, but I only have access to the monitor
> triggering this on Mondays, so I can only 100% confirm next Monday.
> 
> Note this does open the race I try to fix in patch 2/3 again.
> 
> So what should be done here is to make ntfy a local variable and only
> store it in ucsi->ntfy on success.

OK.

thanks,
diff mbox series

Patch

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 1cf8947c6d66..e762897cb25a 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -842,7 +842,13 @@  static void ucsi_handle_connector_change(struct work_struct *work)
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-	struct ucsi_connector *con = &ucsi->connector[num - 1];
+	struct ucsi_connector *con;
+
+	/* Check for ucsi_init() failure */
+	if (!ucsi->connector)
+		return;
+
+	con = &ucsi->connector[num - 1];
 
 	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
 		dev_dbg(ucsi->dev, "Bogus connector change event\n");