iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3c5880745b
linux/drivers/usb
History
Albert Wang 3c5880745b usb: dwc3: gadget: Move null pinter check to proper place 
When dwc3_gadget_ep_cleanup_completed_requests() called to
dwc3_gadget_giveback() where the dwc3 lock is released, other thread is
able to execute. In this situation, usb_ep_disable() gets the chance to
clear endpoint descriptor pointer which leds to the null pointer
dereference problem. So needs to move the null pointer check to a proper
place.

Example call stack:

Thread#1:
dwc3_thread_interrupt()
  spin_lock
  -> dwc3_process_event_buf()
   -> dwc3_process_event_entry()
    -> dwc3_endpoint_interrupt()
     -> dwc3_gadget_endpoint_trbs_complete()
      -> dwc3_gadget_ep_cleanup_completed_requests()
       ...
       -> dwc3_giveback()
          spin_unlock
          Thread#2 executes

Thread#2:
configfs_composite_disconnect()
  -> __composite_disconnect()
   -> ffs_func_disable()
    -> ffs_func_set_alt()
     -> ffs_func_eps_disable()
      -> usb_ep_disable()
         wait for dwc3 spin_lock
         Thread#1 released lock
         clear endpoint.desc

Fixes: 2628844812 ("usb: dwc3: gadget: Fix null pointer exception")
Cc: stable <stable@kernel.org>
Signed-off-by: Albert Wang <albertccwang@google.com>
Link: https://lore.kernel.org/r/20220518061315.3359198-1-albertccwang@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-05-19 18:15:03 +02:00
..
atm usb: remove third argument of usb_maxpacket() 2022-04-23 10:33:53 +02:00
c67x00 USB: c67x00: remove unnecessary check of res 2022-05-12 11:36:46 +02:00
cdns3 usb: cdns3: allocate TX FIFO size according to composite EP number 2022-05-19 18:14:29 +02:00
chipidea usb: udc: Fix typo in comment 2022-01-31 14:24:39 +01:00
class usb: usbtmc: Fix bug in pipe direction for control transfers 2022-03-15 18:45:31 +01:00
common usb: common: usb-conn-gpio: Make VBUS supply completely optional 2022-03-15 18:22:15 +01:00
core usb: hub: Simplify error and success path in port_over_current_notify 2022-05-19 18:14:49 +02:00
dwc2 usb: dwc2: gadget: don't reset gadget's driver->bus 2022-05-05 21:52:16 +02:00
dwc3 usb: dwc3: gadget: Move null pinter check to proper place 2022-05-19 18:15:03 +02:00
early usb: early: xhci-dbc: Fix xdbc number parsing 2022-03-15 18:20:34 +01:00
gadget usb: gadget: udc: Remove useless variable assignment in xudc_read_fifo() 2022-05-12 13:58:27 +02:00
host usb: Probe EHCI, OHCI controllers asynchronously 2022-05-19 18:11:25 +02:00
image scsi: Remove drivers/scsi/scsi.h 2022-02-22 21:11:02 -05:00
isp1760 usb: isp1760: Fix out-of-bounds array access 2022-05-19 18:10:59 +02:00
misc Revert "usb: misc: Add onboard_usb_hub driver" 2022-05-03 16:48:13 +02:00
mon
mtu3 usb: mtu3: fix USB 3.0 dual-role-switch from device to host 2022-04-21 19:06:41 +02:00
musb usb: musb: mediatek: Use clk_bulk API to simplify clock operations 2022-04-21 19:23:46 +02:00
phy usb: phy: generic: Get the vbus supply 2022-04-26 14:10:54 +02:00
renesas_usbhs usb: renesas_usbhs: Use platform_get_irq() to get the interrupt 2021-12-21 08:51:57 +01:00
roles
serial USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS 2022-04-21 10:08:06 +02:00
storage usb: remove third argument of usb_maxpacket() 2022-04-23 10:33:53 +02:00
typec Linux 5.18-rc5 2022-05-03 16:35:26 +02:00
usbip usb: usbip: add missing device lock on tweak configuration cmd 2022-04-21 19:01:25 +02:00
Kconfig usb: remove reference to deleted config STB03xxx 2021-08-18 15:32:19 +02:00
Makefile usb: host: remove line for obsolete config USB_HWA_HCD 2021-08-18 15:32:19 +02:00
usb-skeleton.c usb: usb-skeleton: Update min() to min_t() 2021-10-05 12:56:48 +02:00