On Sat, Sep 16, 2023, Michael Grzeschik wrote: > On the call of dwc3_gadget_ep_free_request the request is possibly > still queued in some list. To avoid use after free issues in the driver, > we ensure that the request is unlinked before it gets freed. > The caller of usb_ep_free_request must guarantee the request is not queued. This looks like a workaround to some other issue in the gadget driver. Thanks, Thinh > Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx> > --- > drivers/usb/dwc3/gadget.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index 858fe4c299b7af..f4bc33590f570f 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -1165,8 +1165,19 @@ static void dwc3_gadget_ep_free_request(struct usb_ep *ep, > struct usb_request *request) > { > struct dwc3_request *req = to_dwc3_request(request); > + struct dwc3_ep *dep = to_dwc3_ep(ep); > + struct dwc3 *dwc = dep->dwc; > + unsigned long flags; > > trace_dwc3_free_request(req); > + > + spin_lock_irqsave(&dwc->lock, flags); > + > + if (!list_is_singular(&req->list)) > + list_del(&req->list); > + > + spin_unlock_irqrestore(&dwc->lock, flags); > + > kfree(req); > } > > -- > 2.39.2 >
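Review bot: the `if (!list_is_singular(&req->list))` test in front of `list_del(&req->list)` does not answer whether the request is queued. `list_is_singular()` is written for a list head and is true when the list is non-empty and `next == prev`, so for a request that is the only entry on a list it returns true and the unlink is skipped, which leaves the dangling entry the commit message sets out to avoid once `kfree(req)` runs. For a self-linked, unqueued node it returns false, so `list_del()` runs on a request that is on no list. If the node is kept initialised while idle (an assumption, since the allocation path is not in this hunk), `list_empty(&req->list)` is the test that matches the stated intent. Given the reply's point that the caller of usb_ep_free_request must guarantee the request is not queued, a `WARN_ON(!list_empty(&req->list))` taken under `dwc->lock` would expose the offending caller rather than silently unlinking a request that is still queued.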