Commit 8d477b4a authored by Bjorn Andersson's avatar Bjorn Andersson Committed by Yongqiang Liu

usb: typec: ucsi: Move unregister out of atomic section

mainline inclusion
from mainline-v6.11-rc6
commit 11bb2ffb679399f99041540cf662409905179e3a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR60S
CVE: CVE-2024-46691

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=11bb2ffb679399f99041540cf662409905179e3a



--------------------------------

Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock
non-sleeping")' moved the pmic_glink client list under a spinlock, as it
is accessed by the rpmsg/glink callback, which in turn is invoked from
IRQ context.

This means that ucsi_unregister() is now called from atomic context,
which isn't feasible as it's expecting a sleepable context. An effort is
under way to get GLINK to invoke its callbacks in a sleepable context,
but until then lets schedule the unregistration.

A side effect of this is that ucsi_unregister() can now happen
after the remote processor, and thereby the communication link with it, is
gone. pmic_glink_send() is amended with a check to avoid the resulting NULL
pointer dereference.
This does however result in the user being informed about this error by
the following entry in the kernel log:

  ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5

Fixes: 9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")
Cc: stable@vger.kernel.org
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Amit Pundir <amit.pundir@linaro.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
Link: https://lore.kernel.org/r/20240820-pmic-glink-v6-11-races-v3-2-eec53c750a04@quicinc.com


Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Conflicts:
	drivers/usb/typec/ucsi/ucsi_glink.c
[Yongqiang: GPIO reading was before ucsi_register, Only context adaption]
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
parent 83581b56
+9 −1
@@ -115,8 +115,16 @@ EXPORT_SYMBOL_GPL(pmic_glink_client_register);
int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len)
{
	struct pmic_glink *pg = client->pg;
	int ret;

	mutex_lock(&pg->state_lock);
	if (!pg->ept)
		ret = -ECONNRESET;
	else
		ret = rpmsg_send(pg->ept, data, len);
	mutex_unlock(&pg->state_lock);

	return rpmsg_send(pg->ept, data, len);
	return ret;
}
EXPORT_SYMBOL_GPL(pmic_glink_send);
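Review bot: The new `if (!pg->ept)` check in pmic_glink_send() only closes the NULL dereference if every path that sets or clears `pg->ept` also holds `pg->state_lock`; those writers are outside this hunk, so that should be confirmed and recorded next to the check, e.g. `/* pg->ept is only changed with state_lock held */`. The function now takes a mutex and keeps it across rpmsg_send(), so it may only be called from sleepable context, and a send that blocks will also stall whoever waits on `state_lock`. A kernel-doc comment above the function stating the sleeping requirement and the -ECONNRESET return for a vanished endpoint would make that contract visible to callers. The commit message quotes the resulting log entry with `-5`, which does not obviously match -ECONNRESET, so it is worth checking which value callers actually log.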

+22 −5
@@ -72,6 +72,9 @@ struct pmic_glink_ucsi {

	struct work_struct notify_work;
	struct work_struct register_work;
	spinlock_t state_lock;
	bool ucsi_registered;
	bool pd_running;

	u8 read_buf[UCSI_BUF_SIZE];
};
@@ -254,6 +257,8 @@ static void pmic_glink_ucsi_register(struct work_struct *work)
	struct pmic_glink_ucsi *ucsi = container_of(work, struct pmic_glink_ucsi, register_work);
	int orientation;
	int i;
	unsigned long flags;
	bool pd_running;

	for (i = 0; i < PMIC_GLINK_MAX_PORTS; i++) {
		if (!ucsi->port_orientation[i])
@@ -267,7 +272,17 @@ static void pmic_glink_ucsi_register(struct work_struct *work)
		}
	}

	spin_lock_irqsave(&ucsi->state_lock, flags);
	pd_running = ucsi->pd_running;
	spin_unlock_irqrestore(&ucsi->state_lock, flags);

	if (!ucsi->ucsi_registered && pd_running) {
		ucsi_register(ucsi->ucsi);
		ucsi->ucsi_registered = true;
	} else if (ucsi->ucsi_registered && !pd_running) {
		ucsi_unregister(ucsi->ucsi);
		ucsi->ucsi_registered = false;
	}
}

static void pmic_glink_ucsi_callback(const void *data, size_t len, void *priv)
@@ -291,11 +306,12 @@ static void pmic_glink_ucsi_callback(const void *data, size_t len, void *priv)
static void pmic_glink_ucsi_pdr_notify(void *priv, int state)
{
	struct pmic_glink_ucsi *ucsi = priv;
	unsigned long flags;

	if (state == SERVREG_SERVICE_STATE_UP)
	spin_lock_irqsave(&ucsi->state_lock, flags);
	ucsi->pd_running = (state == SERVREG_SERVICE_STATE_UP);
	spin_unlock_irqrestore(&ucsi->state_lock, flags);
	schedule_work(&ucsi->register_work);
	else if (state == SERVREG_SERVICE_STATE_DOWN)
		ucsi_unregister(ucsi->ucsi);
}

static void pmic_glink_ucsi_destroy(void *data)
@@ -328,6 +344,7 @@ static int pmic_glink_ucsi_probe(struct auxiliary_device *adev,
	init_completion(&ucsi->read_ack);
	init_completion(&ucsi->write_ack);
	init_completion(&ucsi->sync_ack);
	spin_lock_init(&ucsi->state_lock);
	mutex_init(&ucsi->lock);

	ucsi->ucsi = ucsi_create(dev, &pmic_glink_ucsi_ops);
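Review bot: In pmic_glink_ucsi_register(), `ucsi->ucsi_registered = true;` is set even if ucsi_register() reports failure, because its return value is ignored; a later PD-down notification would then run ucsi_unregister() on an instance that never registered. Setting the flag only on success keeps the tracked state accurate: `if (!ucsi_register(ucsi->ucsi))` followed by `ucsi->ucsi_registered = true;`. `ucsi_registered` is read and written without `state_lock`, which looks safe only as long as this work item is its sole user, so a field comment such as `/* only touched from register_work */` would record that assumption. Note also that pmic_glink_ucsi_pdr_notify() now treats every state other than SERVREG_SERVICE_STATE_UP as "down", where the old code reacted only to SERVREG_SERVICE_STATE_DOWN. The function begins above the shown hunks, so earlier uses of these fields are not visible here.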