1. Patchew
  2. linux
  3. View series

[PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common

Ivan Orlov posted 1 patch 1 month, 1 week ago 
drivers/usb/typec/ucsi/ucsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common
Posted by Ivan Orlov 1 month, 1 week ago 
Before 'ucsi_acknowledge' calls 'ucsi_sync_control_common', it sets
'message_in_size' to 0. However, if 'ucsi_register_device_pdos' was
called after 'message_in_size' was set to 0, but before

  if (!ret && ucsi->message_in_size > 0 && *cci & ...)

condition is evaluated, 'ucsi_sync_control_common' ends up dereferencing
'cci' which points to NULL. This is precisely what I'm observing on my
Framework 16 laptop on the latest mainline kernel build.

I don't see any synchronization primitives used to protect 'ucsi', so
I presume just checking that 'cci' is not null here should fix the
problem. It seems like prior to commit 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields"),
'data' argument was checked in this condition, and it was always set to
NULL from 'ucsi_acknowledge'. Thus, this problem did not exist.

Fixes: 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields")
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
---
 drivers/usb/typec/ucsi/ucsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 9b3df776137a..7d1f2a702d90 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -98,7 +98,7 @@ int ucsi_sync_control_common(struct ucsi *ucsi, u64 command, u32 *cci)
 		ret = ucsi->ops->read_cci(ucsi, cci);
 
 	if (!ret && ucsi->message_in_size > 0 &&
-	    (*cci & UCSI_CCI_COMMAND_COMPLETE))
+	    cci && (*cci & UCSI_CCI_COMMAND_COMPLETE))
 		ret = ucsi->ops->read_message_in(ucsi, ucsi->message_in,
 						 ucsi->message_in_size);
 
-- 
2.43.0
Re: [PATCH] usb: ucsi: Fix null pointer dereference in ucsi_sync_control_common
Posted by Johan Hovold 1 month, 1 week ago 
On Fri, Dec 26, 2025 at 10:30:53PM +0000, Ivan Orlov wrote:
> Before 'ucsi_acknowledge' calls 'ucsi_sync_control_common', it sets
> 'message_in_size' to 0. However, if 'ucsi_register_device_pdos' was
> called after 'message_in_size' was set to 0, but before
> 
>   if (!ret && ucsi->message_in_size > 0 && *cci & ...)
> 
> condition is evaluated, 'ucsi_sync_control_common' ends up dereferencing
> 'cci' which points to NULL. This is precisely what I'm observing on my
> Framework 16 laptop on the latest mainline kernel build.
> 
> I don't see any synchronization primitives used to protect 'ucsi', so
> I presume just checking that 'cci' is not null here should fix the
> problem. It seems like prior to commit 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields"),
> 'data' argument was checked in this condition, and it was always set to
> NULL from 'ucsi_acknowledge'. Thus, this problem did not exist.
> 
> Fixes: 3e082978c331 ("usb: typec: ucsi: Update UCSI structure to have message in and message out fields")
> Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>

This has been fixed in rc3 by reverting the offending commit:

	https://lore.kernel.org/lkml/20251222152204.2846-1-johan@kernel.org/

Johan

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.