From: Mayank Rana <mrana@xxxxxxxxxxxxxx>
dwc3_ep_dequeue() waits for completion of End Transfer command
using wait_event_lock_irq(), which will release the dwc3->lock
while waiting and reacquire after completion. This allows a
potential race condition with ep_disable() which also removes
all requests from started_list and pending_list. The check for
NULL r->trb should catch this but currently it exits to the
wrong 'out1' label which calls dwc3_gadget_giveback(). Since
its list entry was already removed, if CONFIG_DEBUG_LIST is
enabled a 'list_del corruption' bug is thrown since its
next/prev pointers are already LIST_POISON1/2. If r->trb is
NULL it should simply exit to 'out0'.
Fixes: cf3113d893d4 ("usb: dwc3: gadget: properly increment dequeue pointer on ep_dequeue")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Mayank Rana <mrana@xxxxxxxxxxxxxx>
Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx>
---
drivers/usb/dwc3/gadget.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 2bda4eb..1238a97 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1417,7 +1417,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
dwc->lock);
if (!r->trb)
- goto out1;
+ goto out0;
if (r->num_pending_sgs) {
struct dwc3_trb *trb;
--
2.9.1.200.gb1ec08f