diff options
| author | Mario Limonciello (AMD) <superm1@kernel.org> | 2025-12-16 06:22:02 -0600 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-12-17 14:54:23 +0100 |
| commit | 14ad4c10d5bdd413ff9a914260e89b5f54b7a2c7 (patch) | |
| tree | 8afa3ce6fbf9d3def9b499cb73d3a6c9b70346ed /tools/perf/scripts/python/git@git.tavy.me:linux.git | |
| parent | c84117912bddd9e5d87e68daf182410c98181407 (diff) | |
usb: typec: ucsi: Fix null pointer dereference in ucsi_sync_control_common
Add missing null check for cci parameter before dereferencing it in
ucsi_sync_control_common(). The function can be called with cci=NULL
from ucsi_acknowledge(), which leads to a null pointer dereference
when accessing *cci in the condition check.
The crash occurs because the code checks if cci is not null before
calling ucsi->ops->read_cci(ucsi, cci), but then immediately
dereferences cci without a null check in the following condition:
(*cci & UCSI_CCI_COMMAND_COMPLETE).
KASAN trace:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:ucsi_sync_control_common+0x2ae/0x4e0 [typec_ucsi]
Cc: stable <stable@kernel.org>
Fixes: 667ecac55861 ("usb: typec: ucsi: return CCI and message from sync_control callback")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Link: https://patch.msgid.link/20251216122210.5457-1-superm1@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'tools/perf/scripts/python/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions