On Tue, Oct 25, 2022 at 03:10:14PM -0700, Thinh Nguyen wrote: > When servicing a transfer completion event, the dwc3 driver will reclaim > TRBs of started requests up to the request associated with the interrupt > event. Currently we don't check for interrupt due to missed isoc, and > the driver may attempt to reclaim TRBs beyond the associated event. This > causes invalid memory access when the hardware still owns the TRB. If > there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure > to stop servicing further. > > Note that only the last TRB of chained TRBs has its status updated with > missed isoc. > > Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") > Cc: stable@xxxxxxxxxxxxxxx > Reported-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> > Reported-by: Dan Vacura <w36195@xxxxxxxxxxxx> > Signed-off-by: Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx> > --- > Changes in v3: > - None > Changes in v2: > - No need to check for CHN=0 since only the last TRB has its status > updated to missed isoc > > > drivers/usb/dwc3/gadget.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index dd8ecbe61bec..230b3c660054 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, > if (event->status & DEPEVT_STATUS_SHORT && !chain) > return 1; > > + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && > + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) > + return 1; > + > if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || > (trb->ctrl & DWC3_TRB_CTRL_LST)) > return 1; > -- > 2.28.0 > No new issues seen with these changes. Changes look good to me. Reviewed-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> Tested-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> Regards, Jeff