From: Greg Kroah-Hartman
Date: Fri, 30 Aug 2024 14:02:22 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v4.19.321~54
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=67634fdcd74885d461586eb9b61a13d7092f2791;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches added patches: usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
---
diff --git a/queue-6.6/series b/queue-6.6/series
index 00799486ed2..5377c044d8a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -25,3 +25,4 @@ drm-amdgpu-align-pp_power_profile_mode-with-kernel-docs.patch
 drm-amdgpu-swsmu-always-force-a-state-reprogram-on-init.patch
 drm-vmwgfx-fix-prime-with-external-buffers.patch
 tracing-have-format-file-honor-event_file_fl_freed.patch
+usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
diff --git a/queue-6.6/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch b/queue-6.6/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
new file mode 100644
index 00000000000..c7fee3d552b
--- /dev/null
+++ b/queue-6.6/usb-typec-fix-up-incorrectly-backported-usb-typec-tcpm-unregister-existing-source-caps-before-re-registration.patch
@@ -0,0 +1,74 @@
+From d18d5143d6b474d84a5a7823194e9f413619352d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Fri, 30 Aug 2024 15:47:42 +0200
+Subject: usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
+
+From: Greg Kroah-Hartman
+
+In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source
+caps before re-registration"), quilt, and git, applied the diff to the
+incorrect function, which would cause bad problems if exercised in a
+device with these capabilities.
+
+Fix this all up (including the follow-up fix in commit 04c05d50fa79
+("usb: typec: tcpm: fix use-after-free case in
+tcpm_register_source_caps") to be in the correct function.
+
+Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
+Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
+Reported-by: Charles Yo
+Cc: Kyle Tso
+Cc: Amit Sunil Dhamne
+Cc: Ondrej Jirman
+Cc: Heikki Krogerus
+Cc: Dmitry Baryshkov
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(str
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap;
++ struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(str
+ memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
+ caps.role = TYPEC_SOURCE;
+
++ if (cap) {
++ usb_power_delivery_unregister_capabilities(cap);
++ port->partner_source_caps = NULL;
++ }
++
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
+@@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struc
+ {
+ struct usb_power_delivery_desc desc = { port->negotiated_rev };
+ struct usb_power_delivery_capabilities_desc caps = { };
+- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
++ struct usb_power_delivery_capabilities *cap;
+
+ if (!port->partner_pd)
+ port->partner_pd = usb_power_delivery_register(NULL, &desc);
+@@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struc
+ memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps);
+ caps.role = TYPEC_SINK;
+
+- if (cap) {
+- usb_power_delivery_unregister_capabilities(cap);
+- port->partner_source_caps = NULL;
+- }
+-
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
+ return PTR_ERR(cap);
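Review bot: The block moved into tcpm_register_source_caps (`if (cap) { usb_power_delivery_unregister_capabilities(cap); port->partner_source_caps = NULL; }`) has no comment saying why the pointer is cleared before the new registration, although the commit message ties it to a use-after-free fix. A short comment above it would make the ordering harder to lose in a later backport or refactor: `/* Unregister the old caps and clear the pointer first, so the IS_ERR() return below cannot leave port->partner_source_caps referring to an unregistered object. */`. After this change tcpm_register_sink_caps registers new capabilities without releasing any earlier sink registration; whether that function can run more than once for the same partner is not visible in these hunks and is worth confirming. Both function bodies continue outside the hunks shown, so where the new `cap` is stored cannot be checked here.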