[PATCH] usb: dwc3: gadget: remove requests from any list before dealloc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On the call of dwc3_gadget_ep_free_request the request is possibly
still queued in some list. To avoid use after free issues in the driver,
we ensure that the request is unlinked before it gets freed.

Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
---
 drivers/usb/dwc3/gadget.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 858fe4c299b7af..f4bc33590f570f 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1165,8 +1165,19 @@ static void dwc3_gadget_ep_free_request(struct usb_ep *ep,
 		struct usb_request *request)
 {
 	struct dwc3_request		*req = to_dwc3_request(request);
+	struct dwc3_ep			*dep = to_dwc3_ep(ep);
+	struct dwc3			*dwc = dep->dwc;
+	unsigned long			flags;
 
 	trace_dwc3_free_request(req);
+
+	spin_lock_irqsave(&dwc->lock, flags);
+
+	if (!list_is_singular(&req->list))
+		list_del(&req->list);
+
+	spin_unlock_irqrestore(&dwc->lock, flags);
+
 	kfree(req);
 }
 
-- 
2.39.2
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux