Skip to content

Commit ac00bc2

Browse files
gregkhgregkh
committed
Merge tag 'thunderbolt-for-v6.14-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-linus
Mika writes: thunderbolt: Fix for v6.14-rc7 This includes single USB4/Thunderbolt fix for v6.14-rc7: - Fix use-after-free in resume from hibernate. This has been in linux-next with no reported issues. * tag 'thunderbolt-for-v6.14-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: Prevent use-after-free in resume from hibernate
2 parents 80e54e8 + 5028433 commit ac00bc2

File tree

2 files changed

+10
-3
lines changed

2 files changed

+10
-3
lines changed

drivers/thunderbolt/tunnel.c

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1009,6 +1009,8 @@ static int tb_dp_dprx_start(struct tb_tunnel *tunnel)
10091009
*/
10101010
tb_tunnel_get(tunnel);
10111011

1012+
tunnel->dprx_started = true;
1013+
10121014
if (tunnel->callback) {
10131015
tunnel->dprx_timeout = dprx_timeout_to_ktime(dprx_timeout);
10141016
queue_delayed_work(tunnel->tb->wq, &tunnel->dprx_work, 0);
@@ -1021,9 +1023,12 @@ static int tb_dp_dprx_start(struct tb_tunnel *tunnel)
10211023

10221024
static void tb_dp_dprx_stop(struct tb_tunnel *tunnel)
10231025
{
1024-
tunnel->dprx_canceled = true;
1025-
cancel_delayed_work(&tunnel->dprx_work);
1026-
tb_tunnel_put(tunnel);
1026+
if (tunnel->dprx_started) {
1027+
tunnel->dprx_started = false;
1028+
tunnel->dprx_canceled = true;
1029+
cancel_delayed_work(&tunnel->dprx_work);
1030+
tb_tunnel_put(tunnel);
1031+
}
10271032
}
10281033

10291034
static int tb_dp_activate(struct tb_tunnel *tunnel, bool active)

drivers/thunderbolt/tunnel.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,7 @@ enum tb_tunnel_state {
6363
* @allocated_down: Allocated downstream bandwidth (only for USB3)
6464
* @bw_mode: DP bandwidth allocation mode registers can be used to
6565
* determine consumed and allocated bandwidth
66+
* @dprx_started: DPRX negotiation was started (tb_dp_dprx_start() was called for it)
6667
* @dprx_canceled: Was DPRX capabilities read poll canceled
6768
* @dprx_timeout: If set DPRX capabilities read poll work will timeout after this passes
6869
* @dprx_work: Worker that is scheduled to poll completion of DPRX capabilities read
@@ -100,6 +101,7 @@ struct tb_tunnel {
100101
int allocated_up;
101102
int allocated_down;
102103
bool bw_mode;
104+
bool dprx_started;
103105
bool dprx_canceled;
104106
ktime_t dprx_timeout;
105107
struct delayed_work dprx_work;

0 commit comments

Comments
 (0)