Commit 386e15a6 authored by Heikki Krogerus's avatar Heikki Krogerus Committed by Greg Kroah-Hartman

usb: typec: ucsi: Prevent mode overrun

Sometimes the embedded controller firmware does not
terminate the list of alternate modes that the partner
supports in its response to the GET_ALTERNATE_MODES command.
Instead the firmware returns the supported alternate modes
over and over again until the driver stops requesting them.

If that happens, the number of modes for each alternate mode
will exceed the maximum 6 that is defined in the USB Power
Delivery specification. Making sure that can't happen by
adding a check for it.

This fixes NULL pointer dereference that is caused by the
overrun.

Fixes: ad74b864 ("usb: typec: ucsi: Preliminary support for alternate modes")
Cc: stable@vger.kernel.org
Reported-by: default avatarZwane Mwaikambo <zwanem@gmail.com>
Signed-off-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20200916090034.25119-3-heikki.krogerus@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 130a96d6
...@@ -216,14 +216,18 @@ void ucsi_altmode_update_active(struct ucsi_connector *con) ...@@ -216,14 +216,18 @@ void ucsi_altmode_update_active(struct ucsi_connector *con)
con->partner_altmode[i] == altmode); con->partner_altmode[i] == altmode);
} }
static u8 ucsi_altmode_next_mode(struct typec_altmode **alt, u16 svid) static int ucsi_altmode_next_mode(struct typec_altmode **alt, u16 svid)
{ {
u8 mode = 1; u8 mode = 1;
int i; int i;
for (i = 0; alt[i]; i++) for (i = 0; alt[i]; i++) {
if (i > MODE_DISCOVERY_MAX)
return -ERANGE;
if (alt[i]->svid == svid) if (alt[i]->svid == svid)
mode++; mode++;
}
return mode; return mode;
} }
...@@ -258,8 +262,11 @@ static int ucsi_register_altmode(struct ucsi_connector *con, ...@@ -258,8 +262,11 @@ static int ucsi_register_altmode(struct ucsi_connector *con,
goto err; goto err;
} }
desc->mode = ucsi_altmode_next_mode(con->port_altmode, ret = ucsi_altmode_next_mode(con->port_altmode, desc->svid);
desc->svid); if (ret < 0)
return ret;
desc->mode = ret;
switch (desc->svid) { switch (desc->svid) {
case USB_TYPEC_DP_SID: case USB_TYPEC_DP_SID:
...@@ -292,8 +299,11 @@ static int ucsi_register_altmode(struct ucsi_connector *con, ...@@ -292,8 +299,11 @@ static int ucsi_register_altmode(struct ucsi_connector *con,
goto err; goto err;
} }
desc->mode = ucsi_altmode_next_mode(con->partner_altmode, ret = ucsi_altmode_next_mode(con->partner_altmode, desc->svid);
desc->svid); if (ret < 0)
return ret;
desc->mode = ret;
alt = typec_partner_register_altmode(con->partner, desc); alt = typec_partner_register_altmode(con->partner, desc);
if (IS_ERR(alt)) { if (IS_ERR(alt)) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment