Re: [PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common

Next message: Ilpo J&#xE4;rvinen: "Re: [PATCH] platform/x86/amd: Fix memory leak in wbrf_record()"
Previous message: Michael S. Tsirkin: "Re: [PATCH net] virtio_net: fix device mismatch in devm_kzalloc/devm_kfree"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johan Hovold

Date: Fri Jan 02 2026 - 06:29:33 EST

On Fri, Dec 26, 2025 at 10:30:53PM +0000, Ivan Orlov wrote:
> Before 'ucsi_acknowledge' calls 'ucsi_sync_control_common', it sets
> 'message_in_size' to 0. However, if 'ucsi_register_device_pdos' was
> called after 'message_in_size' was set to 0, but before
>
> if (!ret && ucsi->message_in_size > 0 && *cci & ...)
>
> condition is evaluated, 'ucsi_sync_control_common' ends up dereferencing
> 'cci' which points to NULL. This is precisely what I'm observing on my
> Framework 16 laptop on the latest mainline kernel build.
>
> I don't see any synchronization primitives used to protect 'ucsi', so
> I presume just checking that 'cci' is not null here should fix the
> problem. It seems like prior to commit 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields"),
> 'data' argument was checked in this condition, and it was always set to
> NULL from 'ucsi_acknowledge'. Thus, this problem did not exist.
>
> Fixes: 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields")
> Signed-off-by: Ivan Orlov <ivan.orlov0322@xxxxxxxxx>

This has been fixed in rc3 by reverting the offending commit:

https://lore.kernel.org/lkml/20251222152204.2846-1-johan@xxxxxxxxxx/

Johan