| Message ID | b29acbeab531b666095dfdafd8cb5c7654fbb3e1.1666735451.git.Thinh.Nguyen@synopsys.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | f78961f8380b940e0cfc7e549336c21a2ad44f4d |
| Headers | show |
| Series | usb: dwc3: gadget: Fix isoc interrupt check | expand |
On Tue, Oct 25, 2022 at 03:10:14PM -0700, Thinh Nguyen wrote: > When servicing a transfer completion event, the dwc3 driver will reclaim > TRBs of started requests up to the request associated with the interrupt > event. Currently we don't check for interrupt due to missed isoc, and > the driver may attempt to reclaim TRBs beyond the associated event. This > causes invalid memory access when the hardware still owns the TRB. If > there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure > to stop servicing further. > > Note that only the last TRB of chained TRBs has its status updated with > missed isoc. > > Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") > Cc: stable@vger.kernel.org > Reported-by: Jeff Vanhoof <jdv1029@gmail.com> > Reported-by: Dan Vacura <w36195@motorola.com> > Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> > --- > Changes in v3: > - None > Changes in v2: > - No need to check for CHN=0 since only the last TRB has its status > updated to missed isoc > > > drivers/usb/dwc3/gadget.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index dd8ecbe61bec..230b3c660054 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, > if (event->status & DEPEVT_STATUS_SHORT && !chain) > return 1; > > + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && > + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) > + return 1; > + > if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || > (trb->ctrl & DWC3_TRB_CTRL_LST)) > return 1; > -- > 2.28.0 > No new issues seen with these changes. Changes look good to me. Reviewed-by: Jeff Vanhoof <jdv1029@gmail.com> Tested-by: Jeff Vanhoof <jdv1029@gmail.com> Regards, Jeff
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index dd8ecbe61bec..230b3c660054 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, if (event->status & DEPEVT_STATUS_SHORT && !chain) return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) + return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || (trb->ctrl & DWC3_TRB_CTRL_LST)) return 1;
When servicing a transfer completion event, the dwc3 driver will reclaim TRBs of started requests up to the request associated with the interrupt event. Currently we don't check for interrupt due to missed isoc, and the driver may attempt to reclaim TRBs beyond the associated event. This causes invalid memory access when the hardware still owns the TRB. If there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure to stop servicing further. Note that only the last TRB of chained TRBs has its status updated with missed isoc. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: stable@vger.kernel.org Reported-by: Jeff Vanhoof <jdv1029@gmail.com> Reported-by: Dan Vacura <w36195@motorola.com> Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> --- Changes in v3: - None Changes in v2: - No need to check for CHN=0 since only the last TRB has its status updated to missed isoc drivers/usb/dwc3/gadget.c | 4 ++++ 1 file changed, 4 insertions(+)