Hi Felipe, Just wondering if you had a chance to look at this. This fixes a potential double-delete error which was caught when CONFIG_DEBUG_LIST=y && CONFIG_BUG_ON_DATA_CORRUPTION==y. On Fri, Mar 23, 2018 at 10:05:33AM -0700, Jack Pham wrote: > From: Mayank Rana <mrana@xxxxxxxxxxxxxx> > > dwc3_ep_dequeue() waits for completion of End Transfer command > using wait_event_lock_irq(), which will release the dwc3->lock > while waiting and reacquire after completion. This allows a > potential race condition with ep_disable() which also removes > all requests from started_list and pending_list. The check for > NULL r->trb should catch this but currently it exits to the > wrong 'out1' label which calls dwc3_gadget_giveback(). Since > its list entry was already removed, if CONFIG_DEBUG_LIST is > enabled a 'list_del corruption' bug is thrown since its > next/prev pointers are already LIST_POISON1/2. If r->trb is > NULL it should simply exit to 'out0'. > > Fixes: cf3113d893d4 ("usb: dwc3: gadget: properly increment dequeue pointer on ep_dequeue") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Mayank Rana <mrana@xxxxxxxxxxxxxx> > Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx> > --- > drivers/usb/dwc3/gadget.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index 2bda4eb..1238a97 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -1417,7 +1417,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, > dwc->lock); > > if (!r->trb) > - goto out1; > + goto out0; > > if (r->num_pending_sgs) { > struct dwc3_trb *trb; Thanks, Jack
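
Review bot: The `if (!r->trb)` check right after the wait on dwc->lock carries no comment, and with the jump now going to out0 the reason is not obvious from the code alone. Per the commit message, a NULL r->trb at this point means ep_disable() ran while wait_event_lock_irq() had released the lock and already removed the request from started_list/pending_list, so dwc3_gadget_giveback() must not run again. A short comment above the check saying so would keep a later cleanup from pointing the branch back at out1. The commit message could also state what the function returns on this path, since the hunk does not show the return value at out0.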