usb: typec: ucsi: Fix command cancellation

The Cancel command was passed to the write callback as the
offset instead of as the actual command, which caused a NULL
pointer dereference.

Reported-by: Stephan Bolten <stephan.bolten@gmx.net>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217517
Fixes: 094902bc6a3c ("usb: typec: ucsi: Always cancel the command if PPM reports BUSY condition")
Cc: stable@vger.kernel.org
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Message-ID: <20230606115802.79339-1-heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Heikki Krogerus and committed by Greg Kroah-Hartman c4a8bfab e3dbb657

+7 -4
drivers/usb/typec/ucsi/ucsi.c
··· 132 132 if (ret) 133 133 return ret; 134 134 135 - if (cci & UCSI_CCI_BUSY) { 136 - ucsi->ops->async_write(ucsi, UCSI_CANCEL, NULL, 0); 137 - return -EBUSY; 138 - } 135 + if (cmd != UCSI_CANCEL && cci & UCSI_CCI_BUSY) 136 + return ucsi_exec_command(ucsi, UCSI_CANCEL); 139 137 140 138 if (!(cci & UCSI_CCI_COMMAND_COMPLETE)) 141 139 return -EIO; ··· 145 147 if (cmd == UCSI_GET_ERROR_STATUS) 146 148 return -EIO; 147 149 return ucsi_read_error(ucsi); 150 + } 151 + 152 + if (cmd == UCSI_CANCEL && cci & UCSI_CCI_CANCEL_COMPLETE) { 153 + ret = ucsi_acknowledge_command(ucsi); 154 + return ret ? ret : -EBUSY; 148 155 } 149 156 150 157 return UCSI_CCI_LENGTH(cci);
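Review bot: in the BUSY check of the first hunk, `cmd != UCSI_CANCEL && cci & UCSI_CCI_BUSY` is correct only because `&` binds tighter than `&&`; writing the second operand as `(cci & UCSI_CCI_BUSY)` makes that explicit. The `cmd != UCSI_CANCEL` guard is the only thing limiting the nested ucsi_exec_command() call to one level, so it deserves a one-line comment. The busy path also no longer returns -EBUSY unconditionally: the caller now receives whatever the nested cancel returns, including -EIO from the `!(cci & UCSI_CCI_COMMAND_COMPLETE)` test just below, so any caller that tests specifically for -EBUSY should be checked.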
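Review bot: the new `cmd == UCSI_CANCEL && cci & UCSI_CCI_CANCEL_COMPLETE` block in the second hunk sits after the `!(cci & UCSI_CCI_COMMAND_COMPLETE)` test, so it is reached only when both bits are set for a cancel; if CANCEL_COMPLETE can be reported alone, the function returns -EIO first and the cancel is never acknowledged. Please confirm that ordering is intended, or move the block above the COMMAND_COMPLETE test. `return ret ? ret : -EBUSY;` turns a successfully acknowledged cancel into -EBUSY, which reads as intentional but is not obvious and should carry a comment. A UCSI_CANCEL that completes without CANCEL_COMPLETE falls through to `return UCSI_CCI_LENGTH(cci);`, which a caller could take for success of the original command.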