* [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors
@ 2024-04-18 14:57 Johan Hovold
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
0 siblings, 2 replies; 9+ messages in thread
From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw
To: Bryan O'Donoghue, Heikki Krogerus
Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman,
Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel,
Johan Hovold
When reviewing a patch updating the qcom-pmic typec driver, I noticed
that the error handling is broken and can lead to use-after-free.
This series addresses the use-after-free and also fixes the error
handling in the pdphy_start() callback which failed to disable its
supply in all error paths.
The latter fix is not marked for stable on purpose as its not a critical
fix (I'm sure autosel will disagree).
Johan
Johan Hovold (2):
usb: typec: qcom-pmic: fix use-after-free on late probe errors
usb: typec: qcom-pmic: fix pdphy start() error handling
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
2 files changed, 13 insertions(+), 6 deletions(-)
--
2.43.2
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors
2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold
@ 2024-04-18 14:57 ` Johan Hovold
2024-04-18 17:45 ` Dmitry Baryshkov
` (2 more replies)
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
1 sibling, 3 replies; 9+ messages in thread
From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw
To: Bryan O'Donoghue, Heikki Krogerus
Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman,
Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel,
Johan Hovold, stable
Make sure to stop and deregister the port in case of late probe errors
to avoid use-after-free issues when the underlying memory is released by
devres.
Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
Cc: stable@vger.kernel.org # 6.5
Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
---
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
index e48412cdcb0f..d3958c061a97 100644
--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
+++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
@@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
ret = tcpm->port_start(tcpm, tcpm->tcpm_port);
if (ret)
- goto fwnode_remove;
+ goto port_unregister;
ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port);
if (ret)
- goto fwnode_remove;
+ goto port_stop;
return 0;
+port_stop:
+ tcpm->port_stop(tcpm);
+port_unregister:
+ tcpm_unregister_port(tcpm->tcpm_port);
fwnode_remove:
fwnode_remove_software_node(tcpm->tcpc.fwnode);
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling
2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
@ 2024-04-18 14:57 ` Johan Hovold
2024-04-18 18:00 ` Dmitry Baryshkov
` (2 more replies)
1 sibling, 3 replies; 9+ messages in thread
From: Johan Hovold @ 2024-04-18 14:57 UTC (permalink / raw
To: Bryan O'Donoghue, Heikki Krogerus
Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman,
Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel,
Johan Hovold
Move disabling of the vdd-pdphy supply to the start() function which
enabled it for symmetry and to make sure that it is disabled as intended
in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
qcom_pmic_typec_pdphy_enable() fails).
Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
---
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
index 6560f4fc98d5..5b7f52b74a40 100644
--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
+++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
@@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
done:
- if (ret) {
- regulator_disable(pmic_typec_pdphy->vdd_pdphy);
+ if (ret)
dev_err(dev, "pdphy_enable fail %d\n", ret);
- }
return ret;
}
@@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
if (ret)
- return ret;
+ goto err_disable_vdd_pdhy;
for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
enable_irq(pmic_typec_pdphy->irq_data[i].irq);
return 0;
+
+err_disable_vdd_pdhy:
+ regulator_disable(pmic_typec_pdphy->vdd_pdphy);
+
+ return ret;
}
static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
@ 2024-04-18 17:45 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:13 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Dmitry Baryshkov @ 2024-04-18 17:45 UTC (permalink / raw
To: Johan Hovold
Cc: Bryan O'Donoghue, Heikki Krogerus, Bjorn Andersson,
Konrad Dybcio, Greg Kroah-Hartman, linux-arm-msm, linux-usb,
linux-kernel, stable
On Thu, Apr 18, 2024 at 04:57:29PM +0200, Johan Hovold wrote:
> Make sure to stop and deregister the port in case of late probe errors
> to avoid use-after-free issues when the underlying memory is released by
> devres.
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Cc: stable@vger.kernel.org # 6.5
> Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
--
With best wishes
Dmitry
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
@ 2024-04-18 18:00 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:20 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Dmitry Baryshkov @ 2024-04-18 18:00 UTC (permalink / raw
To: Johan Hovold
Cc: Bryan O'Donoghue, Heikki Krogerus, Bjorn Andersson,
Konrad Dybcio, Greg Kroah-Hartman, linux-arm-msm, linux-usb,
linux-kernel
On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
--
With best wishes
Dmitry
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
2024-04-18 17:45 ` Dmitry Baryshkov
@ 2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:13 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Bryan O'Donoghue @ 2024-04-18 23:41 UTC (permalink / raw
To: Johan Hovold, Heikki Krogerus
Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman,
Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel, stable
On 18/04/2024 15:57, Johan Hovold wrote:
> Make sure to stop and deregister the port in case of late probe errors
> to avoid use-after-free issues when the underlying memory is released by
> devres.
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Cc: stable@vger.kernel.org # 6.5
> Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> index e48412cdcb0f..d3958c061a97 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
>
> ret = tcpm->port_start(tcpm, tcpm->tcpm_port);
> if (ret)
> - goto fwnode_remove;
> + goto port_unregister;
>
> ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port);
> if (ret)
> - goto fwnode_remove;
> + goto port_stop;
>
> return 0;
>
> +port_stop:
> + tcpm->port_stop(tcpm);
> +port_unregister:
> + tcpm_unregister_port(tcpm->tcpm_port);
> fwnode_remove:
> fwnode_remove_software_node(tcpm->tcpc.fwnode);
>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
2024-04-18 18:00 ` Dmitry Baryshkov
@ 2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:20 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Bryan O'Donoghue @ 2024-04-18 23:41 UTC (permalink / raw
To: Johan Hovold, Heikki Krogerus
Cc: Bjorn Andersson, Konrad Dybcio, Greg Kroah-Hartman,
Dmitry Baryshkov, linux-arm-msm, linux-usb, linux-kernel
On 18/04/2024 15:57, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> index 6560f4fc98d5..5b7f52b74a40 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
>
> qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
> done:
> - if (ret) {
> - regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> + if (ret)
> dev_err(dev, "pdphy_enable fail %d\n", ret);
> - }
>
> return ret;
> }
> @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
>
> ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
> if (ret)
> - return ret;
> + goto err_disable_vdd_pdhy;
>
> for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
> enable_irq(pmic_typec_pdphy->irq_data[i].irq);
>
> return 0;
> +
> +err_disable_vdd_pdhy:
> + regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +
> + return ret;
> }
>
> static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
2024-04-18 17:45 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
@ 2024-04-22 11:13 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Heikki Krogerus @ 2024-04-22 11:13 UTC (permalink / raw
To: Johan Hovold
Cc: Bryan O'Donoghue, Bjorn Andersson, Konrad Dybcio,
Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb,
linux-kernel, stable
On Thu, Apr 18, 2024 at 04:57:29PM +0200, Johan Hovold wrote:
> Make sure to stop and deregister the port in case of late probe errors
> to avoid use-after-free issues when the underlying memory is released by
> devres.
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Cc: stable@vger.kernel.org # 6.5
> Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> index e48412cdcb0f..d3958c061a97 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
> @@ -104,14 +104,18 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
>
> ret = tcpm->port_start(tcpm, tcpm->tcpm_port);
> if (ret)
> - goto fwnode_remove;
> + goto port_unregister;
>
> ret = tcpm->pdphy_start(tcpm, tcpm->tcpm_port);
> if (ret)
> - goto fwnode_remove;
> + goto port_stop;
>
> return 0;
>
> +port_stop:
> + tcpm->port_stop(tcpm);
> +port_unregister:
> + tcpm_unregister_port(tcpm->tcpm_port);
> fwnode_remove:
> fwnode_remove_software_node(tcpm->tcpc.fwnode);
>
> --
> 2.43.2
--
heikki
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
2024-04-18 18:00 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
@ 2024-04-22 11:20 ` Heikki Krogerus
2 siblings, 0 replies; 9+ messages in thread
From: Heikki Krogerus @ 2024-04-22 11:20 UTC (permalink / raw
To: Johan Hovold
Cc: Bryan O'Donoghue, Bjorn Andersson, Konrad Dybcio,
Greg Kroah-Hartman, Dmitry Baryshkov, linux-arm-msm, linux-usb,
linux-kernel
On Thu, Apr 18, 2024 at 04:57:30PM +0200, Johan Hovold wrote:
> Move disabling of the vdd-pdphy supply to the start() function which
> enabled it for symmetry and to make sure that it is disabled as intended
> in all error paths of pmic_typec_pdphy_reset() (i.e. not just when
> qcom_pmic_typec_pdphy_enable() fails).
>
> Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> index 6560f4fc98d5..5b7f52b74a40 100644
> --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
> @@ -475,10 +475,8 @@ static int qcom_pmic_typec_pdphy_enable(struct pmic_typec_pdphy *pmic_typec_pdph
>
> qcom_pmic_typec_pdphy_reset_off(pmic_typec_pdphy);
> done:
> - if (ret) {
> - regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> + if (ret)
> dev_err(dev, "pdphy_enable fail %d\n", ret);
> - }
>
> return ret;
> }
> @@ -524,12 +522,17 @@ static int qcom_pmic_typec_pdphy_start(struct pmic_typec *tcpm,
>
> ret = pmic_typec_pdphy_reset(pmic_typec_pdphy);
> if (ret)
> - return ret;
> + goto err_disable_vdd_pdhy;
>
> for (i = 0; i < pmic_typec_pdphy->nr_irqs; i++)
> enable_irq(pmic_typec_pdphy->irq_data[i].irq);
>
> return 0;
> +
> +err_disable_vdd_pdhy:
> + regulator_disable(pmic_typec_pdphy->vdd_pdphy);
> +
> + return ret;
> }
>
> static void qcom_pmic_typec_pdphy_stop(struct pmic_typec *tcpm)
> --
> 2.43.2
--
heikki
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-04-22 11:20 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-18 14:57 [PATCH 0/2] usb: typec: qcom-pmic: fix use-after-free on late probe errors Johan Hovold
2024-04-18 14:57 ` [PATCH 1/2] " Johan Hovold
2024-04-18 17:45 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:13 ` Heikki Krogerus
2024-04-18 14:57 ` [PATCH 2/2] usb: typec: qcom-pmic: fix pdphy start() error handling Johan Hovold
2024-04-18 18:00 ` Dmitry Baryshkov
2024-04-18 23:41 ` Bryan O'Donoghue
2024-04-22 11:20 ` Heikki Krogerus
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.