| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240912074132.722855-1-lk@c--e.de>
Date: Thu, 12 Sep 2024 09:41:32 +0200
From: "Christian A. Ehrhardt" <lk@...e.de>
To: linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: "Christian A. Ehrhardt" <lk@...e.de>,
Anurag Bijea <icaliberdev@...il.com>,
Christian Heusel <christian@...sel.eu>,
Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
Jameson Thies <jthies@...gle.com>,
Abhishek Pandit-Subedi <abhishekpandit@...omium.org>
Subject: [PATCH v5] usb: typec: ucsi: Fix busy loop on ASUS VivoBooks
If the busy indicator is set, all other fields in CCI should be
clear according to the spec. However, some UCSI implementations do
not follow this rule and report bogus data in CCI along with the
busy indicator. Ignore the contents of CCI if the busy indicator is
set.
If a command timeout is hit it is possible that the EVENT_PENDING
bit is cleared while connector work is still scheduled which can
cause the EVENT_PENDING bit to go out of sync with scheduled connector
work. Check and set the EVENT_PENDING bit on entry to
ucsi_handle_connector_change() to fix this.
Finally, check UCSI_CCI_BUSY before the return code of ->sync_control.
This ensures that the command is cancelled even if ->sync_control
returns an error (most likely -ETIMEDOUT).
Reported-by: Anurag Bijea <icaliberdev@...il.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219108
Bisected-by: Christian Heusel <christian@...sel.eu>
Tested-by: Anurag Bijea <icaliberdev@...il.com>
Fixes: de52aca4d9d5 ("usb: typec: ucsi: Never send a lone connector change ack")
Cc: stable@...r.kernel.org
Signed-off-by: Christian A. Ehrhardt <lk@...e.de>
---
V1 -> V2: Split out the ucsi_acpi.c part
V2 -> V3: Dropped the ucsi_acpi.c part due to conflicts
V3 -> V4: Additional fix for command cancelling
V4 -> V5: Rebased onto usb-next
drivers/usb/typec/ucsi/ucsi.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 35dce4057c25..e0f3925e401b 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -38,6 +38,10 @@
void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
{
+ /* Ignore bogus data in CCI if busy indicator is set. */
+ if (cci & UCSI_CCI_BUSY)
+ return;
+
if (UCSI_CCI_CONNECTOR(cci))
ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
@@ -103,15 +107,13 @@ static int ucsi_run_command(struct ucsi *ucsi, u64 command, u32 *cci,
return -EINVAL;
ret = ucsi->ops->sync_control(ucsi, command);
- if (ret)
- return ret;
-
- ret = ucsi->ops->read_cci(ucsi, cci);
- if (ret)
- return ret;
+ if (ucsi->ops->read_cci(ucsi, cci))
+ return -EIO;
if (*cci & UCSI_CCI_BUSY)
return ucsi_run_command(ucsi, UCSI_CANCEL, cci, NULL, 0, false) ?: -EBUSY;
+ if (ret)
+ return ret;
if (!(*cci & UCSI_CCI_COMMAND_COMPLETE))
return -EIO;
@@ -1197,6 +1199,10 @@ static void ucsi_handle_connector_change(struct work_struct *work)
mutex_lock(&con->lock);
+ if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
+ dev_err_once(ucsi->dev, "%s entered without EVENT_PENDING\n",
+ __func__);
+
command = UCSI_GET_CONNECTOR_STATUS | UCSI_CONNECTOR_NUMBER(con->num);
ret = ucsi_send_command_common(ucsi, command, &con->status,
--
2.43.0
Powered by blists - more mailing lists