| Message ID | 20230915233113.2903645-1-m.grzeschik@pengutronix.de |
|---|---|
| State | New |
| Headers | show |
| Series | usb: dwc3: gadget: remove requests from any list before dealloc | expand |
On Sat, Sep 16, 2023, Michael Grzeschik wrote: > On the call of dwc3_gadget_ep_free_request the request is possibly > still queued in some list. To avoid use after free issues in the driver, > we ensure that the request is unlinked before it gets freed. > The caller of usb_ep_free_request must guarantee the request is not queued. This looks like a workaround to some other issue in the gadget driver. Thanks, Thinh > Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> > --- > drivers/usb/dwc3/gadget.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c > index 858fe4c299b7af..f4bc33590f570f 100644 > --- a/drivers/usb/dwc3/gadget.c > +++ b/drivers/usb/dwc3/gadget.c > @@ -1165,8 +1165,19 @@ static void dwc3_gadget_ep_free_request(struct usb_ep *ep, > struct usb_request *request) > { > struct dwc3_request *req = to_dwc3_request(request); > + struct dwc3_ep *dep = to_dwc3_ep(ep); > + struct dwc3 *dwc = dep->dwc; > + unsigned long flags; > > trace_dwc3_free_request(req); > + > + spin_lock_irqsave(&dwc->lock, flags); > + > + if (!list_is_singular(&req->list)) > + list_del(&req->list); > + > + spin_unlock_irqrestore(&dwc->lock, flags); > + > kfree(req); > } > > -- > 2.39.2 >
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 858fe4c299b7af..f4bc33590f570f 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1165,8 +1165,19 @@ static void dwc3_gadget_ep_free_request(struct usb_ep *ep, struct usb_request *request) { struct dwc3_request *req = to_dwc3_request(request); + struct dwc3_ep *dep = to_dwc3_ep(ep); + struct dwc3 *dwc = dep->dwc; + unsigned long flags; trace_dwc3_free_request(req); + + spin_lock_irqsave(&dwc->lock, flags); + + if (!list_is_singular(&req->list)) + list_del(&req->list); + + spin_unlock_irqrestore(&dwc->lock, flags); + kfree(req); }
On the call of dwc3_gadget_ep_free_request the request is possibly still queued in some list. To avoid use after free issues in the driver, we ensure that the request is unlinked before it gets freed. Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> --- drivers/usb/dwc3/gadget.c | 11 +++++++++++ 1 file changed, 11 insertions(+)