linux/drivers/usb
Wesley Cheng d25d85061b usb: dwc3: gadget: Use list_replace_init() before traversing lists
The list_for_each_entry_safe() macro saves the current item (n) and
the item after (n+1), so that n can be safely removed without
corrupting the list.  However, when traversing the list and removing
items using gadget giveback, the DWC3 lock is briefly released,
allowing other routines to execute.  There is a situation where, while
items are being removed from the cancelled_list using
dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable
routine is running in parallel (due to UDC unbind).  As the cleanup
routine removes n, and the pullup disable removes n+1, once the
cleanup retakes the DWC3 lock, it references a request that was already
removed/handled.  With list debug enabled, this leads to a panic.
Ensure all instances of the macro are replaced where gadget giveback
is used.

Example call stack:

Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
  -> dwc3_gadget_ep_cleanup_cancelled_requests()
    ->list_for_each_entry_safe()
    ->dwc3_gadget_giveback(n)
      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
      ->spin_unlock
      ->Thread#2 executes
      ...
    ->dwc3_gadget_giveback(n+1)
      ->Already removed!

Thread#2:
dwc3_gadget_pullup()
  ->waiting for dwc3 spin_lock
  ...
  ->Thread#1 released lock
  ->dwc3_stop_active_transfers()
    ->dwc3_remove_requests()
      ->fetches n+1 item from cancelled_list (n removed by Thread#1)
      ->dwc3_gadget_giveback()
        ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
        ->spin_unlock

Fix this condition by utilizing list_replace_init(), and traversing
through a local copy of the current elements in the endpoint lists.
This will also set the parent list as empty, so if another thread is
also looping through the list, it will be empty on the next iteration.

Fixes: d4f1afe5e8 ("usb: dwc3: gadget: move requests to cancelled_list")
Cc: stable <stable@vger.kernel.org>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Link: https://lore.kernel.org/r/1627543994-20327-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-08-05 11:01:34 +02:00
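
The race and the fix described in the commit message above, modelled in userspace C as an added example (not the kernel's or the patch author's code). The list helpers are stand-ins with the kernel's semantics; struct req, struct ep, giveback(), cleanup() and run() are hypothetical names, and Thread#2 is simulated by a flag that fires at the point where the lock would be dropped.

```c
#include <stdio.h>
/* Userspace stand-ins for the kernel list helpers (same semantics). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}
static void list_replace_init(struct list_head *old, struct list_head *fresh) {
    fresh->next = old->next; fresh->next->prev = fresh;
    fresh->prev = old->prev; fresh->prev->next = fresh; INIT_LIST_HEAD(old);
}
/* Constructed model: done counts givebacks, pullup_pending stands for Thread#2. */
struct req { struct list_head list; int done; };  /* list must stay first */
struct ep { struct list_head cancelled; int pullup_pending; };
static void giveback(struct ep *ep, struct req *r) {
    list_del_init(&r->list); r->done++;
    if (ep->pullup_pending) {   /* "lock released": Thread#2 drains the list */
        ep->pullup_pending = 0;
        while (ep->cancelled.next != &ep->cancelled)
            giveback(ep, (struct req *)ep->cancelled.next);
    }
}
/* Returns how many already-completed requests the traversal reached. */
static int cleanup(struct ep *ep, int use_local_copy) {
    struct list_head local, *head = &ep->cancelled, *pos, *nxt;
    int stale = 0;
    if (use_local_copy) { list_replace_init(head, &local); head = &local; } /* the fix */
    for (pos = head->next, nxt = pos->next; pos != head; pos = nxt, nxt = pos->next) {
        struct req *r = (struct req *)pos;
        if (r->done) { stale++; break; }  /* kernel list debug would panic here */
        giveback(ep, r);
    }
    return stale;
}
/* Queue three requests, arm the simulated pullup, run one cleanup variant. */
static int run(int use_local_copy, struct req reqs[3]) {
    struct ep ep = { .pullup_pending = 1 };
    INIT_LIST_HEAD(&ep.cancelled);
    for (int i = 0; i < 3; i++) { reqs[i].done = 0; list_add_tail(&reqs[i].list, &ep.cancelled); }
    return cleanup(&ep, use_local_copy);
}
int main(void) {
    struct req a[3], b[3];
    printf("shared list: %d stale, local copy: %d stale\n", run(0, a), run(1, b));
    return 0;
}
```

Walking the shared list reaches a request that the simulated Thread#2 already completed; walking the detached local copy completes each request exactly once because Thread#2 finds the parent list empty.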
..
atm usb: atm: cxacru: Fix typo in comment 2021-05-21 20:05:40 +02:00
c67x00 usb/c67x00: Replace tasklet with work 2021-01-26 18:36:37 +01:00
cdns3 usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro 2021-07-29 14:28:15 +08:00
chipidea Linux 5.13-rc7 2021-06-21 10:56:05 +02:00
class USB: usbtmc: Fix RCU stall warning 2021-07-27 15:52:37 +02:00
common usb: otg-fsm: Fix hrtimer list corruption 2021-07-27 16:31:31 +02:00
core Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" 2021-07-21 11:36:34 +02:00
dwc2 usb: dwc2: gadget: Fix sending zero length packet in DDMA mode. 2021-07-21 09:50:55 +02:00
dwc3 usb: dwc3: gadget: Use list_replace_init() before traversing lists 2021-08-05 11:01:34 +02:00
early usb: early: ehci-dbgp: convert to readl_poll_timeout_atomic() 2020-09-25 16:29:09 +02:00
gadget usb: gadget: f_hid: idle uses the highest byte for duration 2021-07-28 08:24:39 +02:00
host usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses 2021-07-27 16:31:17 +02:00
image
isp1760 usb: isp1760: Fix meaningless check in isp1763_run() 2021-06-15 15:40:58 +02:00
misc usb: ftdi-elan: remove redundant continue statement in a while-loop 2021-06-24 14:12:09 +02:00
mon
mtu3 usb: mtu3: use clock bulk to get clocks 2021-06-15 15:46:45 +02:00
musb usb: musb: Fix suspend and resume issues for PHYs on I2C and SPI 2021-07-27 16:31:02 +02:00
phy usb: phy: Fix page fault from usb_phy_uevent 2021-07-21 09:48:36 +02:00
renesas_usbhs usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() 2021-07-21 09:50:00 +02:00
roles usb: roles: add helper usb_role_string() 2021-05-27 09:17:18 +02:00
serial USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 2021-08-05 09:47:25 +02:00
storage USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS 2021-07-21 09:15:45 +02:00
typec usb: typec: stusb160x: Don't block probing of consumer of "connector" nodes 2021-07-21 09:16:40 +02:00
usbip Scheduler updates for this cycle are: 2021-04-28 13:33:57 -07:00
Kconfig
Makefile usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver 2020-12-29 12:36:13 +08:00
usb-skeleton.c