From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 14:04:32 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.19.321~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=60262a9e21e6fb736a53a6af7392b73aff69b5bf;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
---
diff --git a/queue-6.1/series b/queue-6.1/series
index d542cfe6dce..5c35c9cddc8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -18,3 +18,4 @@ mptcp-pm-add_addr-0-is-not-a-new-address.patch
 drm-amdgpu-align-pp_power_profile_mode-with-kernel-docs.patch
 drm-amdgpu-swsmu-always-force-a-state-reprogram-on-init.patch
 ata-libata-core-fix-null-pointer-dereference-on-error.patch
+usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
diff --git a/queue-6.1/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch b/queue-6.1/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
new file mode 100644
index 00000000000..66042220508
--- /dev/null
+++ b/queue-6.1/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
@@ -0,0 +1,73 @@
+From d18d5143d6b474d84a5a7823194e9f413619352d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Fri, 30 Aug 2024 15:47:42 +0200
+Subject: usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
+
+From: Greg Kroah-Hartman
+
+In commit cfcd544a9974 ("usb: typec: tcpm: unregister existing source
+caps before re-registration"), quilt, and git, applied the diff to the
+incorrect function, which would cause bad problems if exercised in a
+device with these capabilities.
+
+Fix this all up (including the follow-up fix in commit 4053696594d7
+("usb: typec: tcpm: fix use-after-free case in
+tcpm_register_source_caps") to be in the correct function.
+
+Fixes: 4053696594d7 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
+Fixes: cfcd544a9974 ("usb: typec: tcpm: unregister existing source caps before re-registration")
+Reported-by: Charles Yo
+Cc: Kyle Tso
+Cc: Amit Sunil Dhamne
+Cc: Ondrej Jirman
+Cc: Heikki Krogerus
+Cc: Dmitry Baryshkov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2397,7 +2397,7 @@ static int tcpm_register_source_caps(str
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap;
++ struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2407,6 +2407,11 @@ static int tcpm_register_source_caps(str
+ memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
+ caps.role = TYPEC_SOURCE;
+
++ if (cap) {
++ usb_power_delivery_unregister_capabilities(cap);
++ port->partner_source_caps = NULL;
++ }
++
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
+@@ -2420,7 +2425,7 @@ static int tcpm_register_sink_caps(struc
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
++ struct usb_power_delivery_capabilities *cap;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2430,11 +2435,6 @@ static int tcpm_register_sink_caps(struc
+ memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps);
+ caps.role = TYPEC_SINK;
+
+- if (cap) {
+- usb_power_delivery_unregister_capabilities(cap);
+- port->partner_source_caps = NULL;
+- }
+-
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
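Review bot: The `port->partner_source_caps = NULL;` line that now lands in tcpm_register_source_caps carries the use-after-free fix from 4053696594d7, yet nothing in the code says why the field is cleared before the new registration. If `usb_power_delivery_register_capabilities()` fails right after, the function returns `PTR_ERR(cap)`, and without the clear the port would keep a pointer to capabilities that were just unregistered. I would put a comment above the `if (cap)` block, for example `/* drop the old caps and clear the field first, so an error return below cannot leave a pointer to unregistered caps */`. The context lines of the two functions differ only in `source`/`sink` names, which is presumably how the earlier backport matched the wrong one, so the function name in each inner `@@` header is worth checking whenever this patch is rebased. The function body continues past the hunk, so the store of the new `cap` into the port is not visible here.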