git.baikalelectronics.ru Git - kernel.git/commit

author	Hans de Goede <hdegoede@redhat.com>
	Wed, 8 Mar 2023 15:42:43 +0000 (16:42 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 6 Apr 2023 10:10:58 +0000 (12:10 +0200)
commit	2b4f26165ff37fefc9c798460bdd6408564c7dab
tree	ca60df6a77a6b7c7db718c0d8e29215c8dd657b9	tree \| snapshot
parent	dd77ee5069f813306aab3a8910b9cca2cc404bb0	commit \| diff

usb: ucsi: Fix ucsi->connector race

commit 0482c34ec6f8557e06cd0f8e2d0e20e8ede6a22c upstream.

ucsi_init() which runs from a workqueue sets ucsi->connector and
on an error will clear it again.

ucsi->connector gets dereferenced by ucsi_resume(), this checks for
ucsi->connector being NULL in case ucsi_init() has not finished yet;
or in case ucsi_init() has failed.

ucsi_init() setting ucsi->connector and then clearing it again on
an error creates a race where the check in ucsi_resume() may pass,
only to have ucsi->connector free-ed underneath it when ucsi_init()
hits an error.

Fix this race by making ucsi_init() store the connector array in
a local variable and only assign it to ucsi->connector on success.

Fixes: 614e824d831e ("usb: typec: ucsi: Simplified registration and I/O API")
Cc: stable@vger.kernel.org
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20230308154244.722337-3-hdegoede@redhat.com
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>