From: Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx> commit f78961f8380b940e0cfc7e549336c21a2ad44f4d upstream. When servicing a transfer completion event, the dwc3 driver will reclaim TRBs of started requests up to the request associated with the interrupt event. Currently we don't check for interrupt due to missed isoc, and the driver may attempt to reclaim TRBs beyond the associated event. This causes invalid memory access when the hardware still owns the TRB. If there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure to stop servicing further. Note that only the last TRB of chained TRBs has its status updated with missed isoc. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: stable@xxxxxxxxxxxxxxx Reported-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> Reported-by: Dan Vacura <w36195@xxxxxxxxxxxx> Signed-off-by: Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx> Reviewed-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> Tested-by: Jeff Vanhoof <jdv1029@xxxxxxxxx> Link: https://lore.kernel.org/r/b29acbeab531b666095dfdafd8cb5c7654fbb3e1.1666735451.git.Thinh.Nguyen@xxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/dwc3/gadget.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -2800,6 +2800,10 @@ static int dwc3_gadget_ep_reclaim_comple if (event->status & DEPEVT_STATUS_SHORT && !chain) return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) + return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || (trb->ctrl & DWC3_TRB_CTRL_LST)) return 1;