android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

usb: typec: ucsi: Fix command cancellation

Browse Source 
commit c4a8bfabefed706bb9150867db528ceefd5cb5fe upstream.

The Cancel command was passed to the write callback as the
offset instead of as the actual command which caused NULL
pointer dereference.

Reported-by: Stephan Bolten <stephan.bolten@gmx.net>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217517
Fixes: 094902bc6a ("usb: typec: ucsi: Always cancel the command if PPM reports BUSY condition")
Cc: stable@vger.kernel.org
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Message-ID: <20230606115802.79339-1-heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Heikki Krogerus 2023-06-06 14:58:02 +03:00 committed by Greg Kroah-Hartman
parent b352f7b6a6
commit 2bf8ea2e9e
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
drivers/usb/typec/ucsi/ucsi.c
View File

@ -132,10 +132,8 @@ static int ucsi_exec_command(struct ucsi *ucsi, u64 cmd)
if (ret) if (ret)
return ret; return ret;
if (cci & UCSI_CCI_BUSY) { if (cmd != UCSI_CANCEL && cci & UCSI_CCI_BUSY)
ucsi->ops->async_write(ucsi, UCSI_CANCEL, NULL, 0); return ucsi_exec_command(ucsi, UCSI_CANCEL);
return -EBUSY;
}
if (!(cci & UCSI_CCI_COMMAND_COMPLETE)) if (!(cci & UCSI_CCI_COMMAND_COMPLETE))
return -EIO; return -EIO;
@ -149,6 +147,11 @@ static int ucsi_exec_command(struct ucsi *ucsi, u64 cmd)
return ucsi_read_error(ucsi); return ucsi_read_error(ucsi);
} }
if (cmd == UCSI_CANCEL && cci & UCSI_CCI_CANCEL_COMPLETE) {
ret = ucsi_acknowledge_command(ucsi);
return ret ? ret : -EBUSY;
}
return UCSI_CCI_LENGTH(cci); return UCSI_CCI_LENGTH(cci);
} }