Hello!
On 9/14/23 4:56 AM, Xingxing Luo wrote:
> When multiple threads are performing USB transmission, musb->lock will be
> unlocked when musb_giveback is executed. At this time, qh may be released
> in the dequeue process in other threads, resulting in a wild pointer, so
> it needs to be here get qh again, and judge whether qh is NULL, and when
> dequeue, you need to set qh to NULL.
>
> Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
> Signed-off-by: Xingxing Luo <xingxing.luo@xxxxxxxxxx>
> ---
> drivers/usb/musb/musb_host.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
> index a02c29216955..9df27db5847a 100644
> --- a/drivers/usb/musb/musb_host.c
> +++ b/drivers/usb/musb/musb_host.c
> @@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb,
> musb_giveback(musb, urb, status);
> qh->is_ready = ready;
>
> + /*
> + * musb->lock had been unlocked in musb_giveback, so somtimes qh
Sometimes?
> + * may freed, need get it again
> + */
> + qh = musb_ep_get_qh(hw_ep, is_in);
> +
> /* reclaim resources (and bandwidth) ASAP; deschedule it, and
> * invalidate qh as soon as list_empty(&hep->urb_list)
> */
> - if (list_empty(&qh->hep->urb_list)) {
> + if (qh != NULL && list_empty(&qh->hep->urb_list)) {
Just qh, perhaps?
[...]
MBR, Sergey
