projects / linux-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e37b383) | patch
usb: typec: ucsi: Fix connector status writing past buffer size
authorLucas De Marchi <lucas.demarchi@intel.com>
Tue, 3 Dec 2024 20:00:10 +0000 (12:00 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Dec 2024 15:30:28 +0000 (16:30 +0100)
commit33ead7e538183b1348ba60af90027240a10de751
tree71d5c818d99e85dbc749cc1bcb26cc18281a47edtree
parente37b383df91ba9bde9c6a31bf3ea9072561c5126commit | diff
usb: typec: ucsi: Fix connector status writing past buffer size

Similar to commit 65c4c9447bfc ("usb: typec: ucsi: Fix a missing bits to
bytes conversion in ucsi_init()"), there was a missing conversion from
bits to bytes. Here the outcome is worse though: since the value is
lower than UCSI_MAX_DATA_LENGTH, instead of bailing out with an error,
it writes past the buffer size.

The error is then seen in other places like below:

Oops: general protection fault, probably for non-canonical address 0x891e812cd0ed968: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 UID: 110 PID: 906 Comm: prometheus-node Not tainted 6.13.0-rc1-xe #1
Hardware name: Intel Corporation Lunar Lake Client Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3222.D84.2410171025 10/17/2024
RIP: 0010:power_supply_get_property+0x3e/0xe0
Code: 85 c0 7e 4f 4c 8b 07 89 f3 49 89 d4 49 8b 48 20 48 85 c9 74 72 49 8b 70 18 31 d2 31 c0 eb 0b 83 c2 01 48 63 c2 48 39 c8 73 5d <3b> 1c 86 75 f0 49 8b 40 28 4c 89 e2 89 de ff d0 0f 1f 00 5b 41 5c
RSP: 0018:ffffc900017dfa50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000011 RCX: c963b02c06092008
RDX: 0000000000000000 RSI: 0891e812cd0ed968 RDI: ffff888121dd6800
RBP: ffffc900017dfa68 R08: ffff88810a4024b8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc900017dfa78
R13: ffff888121dd6800 R14: ffff888138ad2c00 R15: ffff88810c57c528
FS:  00007713a2ffd6c0(0000) GS:ffff88846f380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0004b1000 CR3: 0000000121ce8003 CR4: 0000000000f72ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_regs+0x6c/0x80
 ? die_addr+0x37/0xa0
 ? exc_general_protection+0x1c1/0x440
 ? asm_exc_general_protection+0x27/0x30
 ? power_supply_get_property+0x3e/0xe0
 power_supply_hwmon_read+0x50/0xe0
 hwmon_attr_show+0x46/0x170
 dev_attr_show+0x1a/0x70
 sysfs_kf_seq_show+0xaa/0x120
 kernfs_seq_show+0x41/0x60

Just use the buffer size as argument to fix it.

Fixes: 226ff2e681d0 ("usb: typec: ucsi: Convert connector specific commands to bitmaps")
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reported-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Closes: https://lore.kernel.org/all/SJ1PR11MB6129CCD82CD78D8EE6E27EF4B9362@SJ1PR11MB6129.namprd11.prod.outlook.com/
Suggested-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Tested-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Link: https://lore.kernel.org/r/20241203200010.2821132-1-lucas.demarchi@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/typec/ucsi/ucsi.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)