From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Daehwan Jung <dh10.jung@samsung.com>
Cc: Felipe Balbi <balbi@kernel.org>,
Muchun Song <songmuchun@bytedance.com>,
Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Stephen Rothwell <sfr@canb.auug.org.au>,
linux-usb@vger.kernel.org,
open list <linux-kernel@vger.kernel.org>
Subject: Re: usb: gadget: function: add spinlock for rndis response list
Date: Fri, 18 Feb 2022 08:57:45 +0100 [thread overview]
Message-ID: <Yg9ReVfKxHUPOTvZ@kroah.com> (raw)
In-Reply-To: <1645162195-54476-1-git-send-email-dh10.jung@samsung.com>
On Fri, Feb 18, 2022 at 02:29:55PM +0900, Daehwan Jung wrote:
> There's no lock for rndis response list. It could cause list corruption
> if two different list_add at the same time like below.
> It's better to add in rndis_add_response / rndis_free_response
> / rndis_get_next_response to prevent any race condition on response list.
>
> [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.
> next->prev should be prev (ffffff80651764d0),
> but was ffffff883dc36f80. (next=ffffff80651764d0).
>
> [ 361.904380] [1: irq/191-dwc3:16979] Call trace:
> [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90
> [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0
> [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84
> [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4
> [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60
> [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0
> [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc
> [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc
> [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec
> [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c
>
> Fixes: f6281af9d62e ("usb: gadget: rndis: use list_for_each_entry_safe")
> Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
> ---
> drivers/usb/gadget/function/rndis.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
> index b7ccf1803656..b4d58324e2d2 100644
> --- a/drivers/usb/gadget/function/rndis.c
> +++ b/drivers/usb/gadget/function/rndis.c
> @@ -1011,16 +1011,21 @@ void rndis_add_hdr(struct sk_buff *skb)
> }
> EXPORT_SYMBOL_GPL(rndis_add_hdr);
>
> +/* add spinlock to prevent race condition for rndis response list */
> +static DEFINE_SPINLOCK(resp_lock);
Shouldn't this be one lock per rndis_params structure, and not a global
one for the whole driver?
thanks,
greg k-h
next prev parent reply other threads:[~2022-02-18 7:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20220218053230epcas2p1c63c8b28e7448988727221e0265c64fc@epcas2p1.samsung.com>
2022-02-18 5:29 ` usb: gadget: function: add spinlock for rndis response list Daehwan Jung
2022-02-18 7:57 ` Greg Kroah-Hartman [this message]
2022-02-21 8:28 ` Jung Daehwan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yg9ReVfKxHUPOTvZ@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=balbi@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=dh10.jung@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=songmuchun@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.