Hi! > commit 3c5880745b4439ac64eccdb040e37fc1cc4c5406 upstream. > > When dwc3_gadget_ep_cleanup_completed_requests() called to > dwc3_gadget_giveback() where the dwc3 lock is released, other thread is > able to execute. In this situation, usb_ep_disable() gets the chance to > clear endpoint descriptor pointer which leads to the null pointer > dereference problem. So needs to move the null pointer check to a proper > place. Ok, but could someone check the error handling there? There's some cleanup at the out label, but moved code does not jump there. Best regards, Pavel > +++ b/drivers/usb/dwc3/gadget.c > @@ -2960,14 +2960,14 @@ static bool dwc3_gadget_endpoint_trbs_co > struct dwc3 *dwc = dep->dwc; > bool no_started_trb = true; > > - if (!dep->endpoint.desc) > - return no_started_trb; > - > dwc3_gadget_ep_cleanup_completed_requests(dep, event, status); > > if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) > goto out; > > + if (!dep->endpoint.desc) > + return no_started_trb; > + > if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && > list_empty(&dep->started_list) && > (list_empty(&dep->pending_list) || status == -EXDEV)) > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
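Review bot: the relocated `if (!dep->endpoint.desc) return no_started_trb;` now sits after dwc3_gadget_ep_cleanup_completed_requests() and after the DWC3_EP_END_TRANSFER_PENDING branch, but it still returns directly while that neighbouring branch uses `goto out;`, so whatever the `out` label does is skipped when the descriptor was cleared during giveback. The body of `out` is not visible in this hunk, so either switch the early return to `goto out` if that path is safe with a NULL descriptor, or state in the commit message why bypassing it is intended once completed requests have already been given back. A one-line comment above the moved check noting that usb_ep_disable() can clear `dep->endpoint.desc` while the lock is dropped in dwc3_gadget_giveback() would also keep the check from being hoisted back above the cleanup call later.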