2e84da6e34
On a disconnect, dwc2 will kill all remaining urbs from qh list. urbs are given back to hcd with -ETIMEDOUT status. Some usb device driver, like mass storage, will unlink all urbs using usb_hcd_unlink_urb when receiving a negative status different from -ECONNRESET. The following flow will then happen: dwc2_hcd_disconnect() -> dwc2_kill_all_urbs() try to kill first pending urb. -> dwc2_host_complete(-ETIMEDOUT) -> usb_hcd_giveback_urb(-ETIMEDOUT) -> sg_complete() -> usb_unlink_urb() -> usb_put_dev(urb->dev) -> dwc2_kill_all_urbs() try to kill next pending urb. -> dwc2_host_complete(-ETIMEDOUT) -> usb_hcd_giveback_urb(-ETIMEDOUT) -> NULL pointer dereferencing because urb->dev has been freed for all urbs of this device. The root cause of this NULL pointer is to call call usb_unlink_urb() while we are killing all urbs. To avoid this return urb with -ECONNRESET status This issue usually happens while removing mass storage device during transfer. Signed-off-by: Gregory Herrero <gregory.herrero@intel.com> Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com> Tested-by: Robert Baldyga <r.baldyga@samsung.com> Tested-by: Dinh Nguyen <dinguyen@opensource.altera.com> Tested-by: John Youn <johnyoun@synopsys.com> Acked-by: John Youn <johnyoun@synopsys.com> Signed-off-by: Felipe Balbi <balbi@ti.com> |
||
---|---|---|
.. | ||
core_intr.c | ||
core.c | ||
core.h | ||
debug.h | ||
debugfs.c | ||
gadget.c | ||
hcd_ddma.c | ||
hcd_intr.c | ||
hcd_queue.c | ||
hcd.c | ||
hcd.h | ||
hw.h | ||
Kconfig | ||
Makefile | ||
pci.c | ||
platform.c |