--- /dev/null
+From d18d5143d6b474d84a5a7823194e9f413619352d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 30 Aug 2024 15:47:42 +0200
+Subject: usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+In commit cfcd544a9974 ("usb: typec: tcpm: unregister existing source
+caps before re-registration"), quilt, and git, applied the diff to the
+incorrect function, which would cause bad problems if exercised in a
+device with these capabilities.
+
+Fix this all up (including the follow-up fix in commit 4053696594d7
+("usb: typec: tcpm: fix use-after-free case in
+tcpm_register_source_caps") to be in the correct function.
+
+Fixes: 4053696594d7 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
+Fixes: cfcd544a9974 ("usb: typec: tcpm: unregister existing source caps before re-registration")
+Reported-by: Charles Yo <charlesyo@google.com>
+Cc: Kyle Tso <kyletso@google.com>
+Cc: Amit Sunil Dhamne <amitsd@google.com>
+Cc: Ondrej Jirman <megi@xff.cz>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2397,7 +2397,7 @@ static int tcpm_register_source_caps(str
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap;
++ struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2407,6 +2407,11 @@ static int tcpm_register_source_caps(str
+ memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
+ caps.role = TYPEC_SOURCE;
+
++ if (cap) {
++ usb_power_delivery_unregister_capabilities(cap);
++ port->partner_source_caps = NULL;
++ }
++
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
+@@ -2420,7 +2425,7 @@ static int tcpm_register_sink_caps(struc
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
++ struct usb_power_delivery_capabilities *cap;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2430,11 +2435,6 @@ static int tcpm_register_sink_caps(struc
+ memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps);
+ caps.role = TYPEC_SINK;
+
+- if (cap) {
+- usb_power_delivery_unregister_capabilities(cap);
+- port->partner_source_caps = NULL;
+- }
+-
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
projects / thirdparty / kernel / stable-queue.git / commitdiff
