tcpm: Change the get_chip_info() to prevent race conditions

The original get_chip_info() returns a point of point to the chip_info.
This way helps to cache the chip_info to a static variable and the
function just returns the pointer to the static variable.

This static variable has a race condition on the PS8805 chip. The PS8805
chip returns a different PID when the firmware is corrupted, i.e. 0x8803
instead of 0x8805. The !live case fixes the PID, by modifying the static
variable directly. When another task calls the same function for the
live case, the static variable is modified and has a race condition.

This change fixes the issue by changing the get_chip_info() parameter to
a point of the chip_info. The caller has to allocate a buffer in the
stack and pass the address to the function. For the !live case, the
function copies the cache value from the static variable to the buffer.
So the static variable doesn't have a race condition.

BRANCH=None
BUG=b:159588335
TEST=Used ectool to check the PD chip PID 0x8805 (was 0x8803).
localhost ~ # ectool pdchipinfo 1
vendor_id: 0x1da0
product_id: 0x8805
device_id: 0x1
fw_version: 0x0
min_req_fw_version: 0x0

Change-Id: Ic24615af77ea58016d286480572d2a282c4fa09a
Signed-off-by: Wai-Hong Tam <waihong@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2264477
Reviewed-by: Julius Werner <jwerner@chromium.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/fuzz/usb_pd_fuzz.c b/fuzz/usb_pd_fuzz.c
index 1c0a40f225..ab0ab2439e 100644
--- a/fuzz/usb_pd_fuzz.c
+++ b/fuzz/usb_pd_fuzz.c
@@ -44,7 +44,7 @@ static int mock_tcpm_transmit(int port, enum tcpm_transmit_type type,
 		uint16_t header, const uint32_t *data) { return EC_SUCCESS; }
 static void mock_tcpc_alert(int port) {}
 static int mock_tcpci_get_chip_info(int port, int live,
-		struct ec_response_pd_chip_info_v1 **info)
+		struct ec_response_pd_chip_info_v1 *info)
 {
 	return EC_ERROR_UNIMPLEMENTED;
 }