FAILED: patch "[PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" failed to apply to 4.14-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: <gregkh@linuxfoundation.org>
To: mrana@codeaurora.org, felipe.balbi@linux.intel.com, jackp@codeaurora.org
Cc: <stable@vger.kernel.org>
Subject: FAILED: patch "[PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" failed to apply to 4.14-stable tree
Date: Thu, 14 Jun 2018 11:39:15 +0200	[thread overview]
Message-ID: <152896915596125@kroah.com> (raw)

The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 05645366f3893c160bd39ca49f3fe2f2f026f58b Mon Sep 17 00:00:00 2001
From: Mayank Rana <mrana@codeaurora.org>
Date: Fri, 23 Mar 2018 10:05:33 -0700
Subject: [PATCH] usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue

dwc3_ep_dequeue() waits for completion of End Transfer command using
wait_event_lock_irq(), which will release the dwc3->lock while waiting
and reacquire after completion. This allows a potential race condition
with ep_disable() which also removes all requests from started_list
and pending_list.

The check for NULL r->trb should catch this but currently it exits to
the wrong 'out1' label which calls dwc3_gadget_giveback(). Since its
list entry was already removed, if CONFIG_DEBUG_LIST is enabled a
'list_del corruption' bug is thrown since its next/prev pointers are
already LIST_POISON1/2. If r->trb is NULL it should simply exit to
'out0'.

Fixes: cf3113d893d4 ("usb: dwc3: gadget: properly increment dequeue pointer on ep_dequeue")
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index eeb30133878e..69bf137aab37 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1395,7 +1395,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
 					dwc->lock);

 			if (!r->trb)
-				goto out1;
+				goto out0;

 			if (r->num_pending_sgs) {
 				struct dwc3_trb *trb;

                 reply	other threads:[~2018-06-14  9:39 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:eeb30133878 dfblob:69bf137aab3 )
 OR (
bs:"usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=152896915596125@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=felipe.balbi@linux.intel.com \
    --cc=jackp@codeaurora.org \
    --cc=mrana@codeaurora.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).