| Message ID | 20220512093146.1301669-1-albertccwang@google.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v2] usb: dwc3: gadget: Move null pinter check after window closed | expand |
On Thu, May 12, 2022 at 05:31:46PM +0800, Albert Wang wrote: > After inspecting further, we do see the locking is implicit, with the > main gotcha being the unlock/re-lock. That creates a window for a race > to happen. This change moves the NULL check to be adjacent to where > to it's used and after the window is "closed". > > Fixes: 26288448120b ("usb: dwc3: gadget: Fix null pointer exception") > > Signed-off-by: Albert Wang <albertccwang@google.com> No blank line between Fixes: and signed-off-by please. > --- > v2: Remove redundant 'else' and add additional comments and more > descriptive commit text I see two v2 copies on the lists for this commit. Please send a v3, never duplicate the versions, that just causes confusion, right? thanks, greg k-h
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 19477f4bbf54..fda58951cf27 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -3366,14 +3366,19 @@ static bool dwc3_gadget_endpoint_trbs_complete(struct dwc3_ep *dep, struct dwc3 *dwc = dep->dwc; bool no_started_trb = true; - if (!dep->endpoint.desc) - return no_started_trb; - + /* + * This function eventually leads to dwc3_giveback() which unlocks + * the dwc->lock and relocks afterwards. This actually creates a + * a window for a race to happen. + */ dwc3_gadget_ep_cleanup_completed_requests(dep, event, status); if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) goto out; + if (!dep->endpoint.desc) + return no_started_trb; + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && list_empty(&dep->started_list) && (list_empty(&dep->pending_list) || status == -EXDEV))
After inspecting further, we do see the locking is implicit, with the main gotcha being the unlock/re-lock. That creates a window for a race to happen. This change moves the NULL check to be adjacent to where to it's used and after the window is "closed". Fixes: 26288448120b ("usb: dwc3: gadget: Fix null pointer exception") Signed-off-by: Albert Wang <albertccwang@google.com> --- v2: Remove redundant 'else' and add additional comments and more descriptive commit text drivers/usb/dwc3/gadget.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)