FAILED: patch "[PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" failed to apply to 4.14-stable tree

All of lore.kernel.org
 help / color / mirror / Atom feed

From: <gregkh@linuxfoundation.org>
To: mrana@codeaurora.org, felipe.balbi@linux.intel.com, jackp@codeaurora.org
Cc: <stable@vger.kernel.org>
Subject: FAILED: patch "[PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" failed to apply to 4.14-stable tree
Date: Thu, 14 Jun 2018 11:39:15 +0200	[thread overview]
Message-ID: <152896915596125@kroah.com> (raw)

The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 05645366f3893c160bd39ca49f3fe2f2f026f58b Mon Sep 17 00:00:00 2001
From: Mayank Rana <mrana@codeaurora.org>
Date: Fri, 23 Mar 2018 10:05:33 -0700
Subject: [PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue

dwc3_ep_dequeue() waits for completion of End Transfer command using
wait_event_lock_irq(), which will release the dwc3->lock while waiting
and reacquire after completion. This allows a potential race condition
with ep_disable() which also removes all requests from started_list
and pending_list.

The check for NULL r->trb should catch this but currently it exits to
the wrong 'out1' label which calls dwc3_gadget_giveback(). Since its
list entry was already removed, if CONFIG_DEBUG_LIST is enabled a
'list_del corruption' bug is thrown since its next/prev pointers are
already LIST_POISON1/2. If r->trb is NULL it should simply exit to
'out0'.

Fixes: cf3113d893d4 ("usb: dwc3: gadget: properly increment dequeue pointer on ep_dequeue")
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index eeb30133878e..69bf137aab37 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1395,7 +1395,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
 					dwc->lock);

 			if (!r->trb)
-				goto out1;
+				goto out0;

 			if (r->num_pending_sgs) {
 				struct dwc3_trb *trb;

                 reply	other threads:[~2018-06-14  9:39 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:eeb30133878 dfblob:69bf137aab3 )
 OR (
bs:"usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=152896915596125@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=felipe.balbi@linux.intel.com \
    --cc=jackp@codeaurora.org \
    --cc=mrana@codeaurora.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.