Message ID | 1644836933-141376-1-git-send-email-dh10.jung@samsung.com |
---|---|
Headers | show |
Series | Fix ep command fail issue in dequeue | expand |
On Mon, Feb 14, 2022 at 08:08:53PM +0900, Daehwan Jung wrote: > We added cleanup cancelled requests when ep cmd timeout on ep dequeue > because there's no complete interrupt then. But, we find out new case > that complete interrupt comes up later. list_for_each_entry_safe is > used when cleanup cancelled requests and it has vulnerabilty on multi-core > environment. dwc3_gadget_giveback unlocks dwc->lock temporarily and other > core(ISR) can get lock and try to cleanup them again. It could cause > list_del corruption and we use DWC3_EP_END_TRANSFER_PENDING to prevent it. > > 1. MTP server cancels -> ep dequeue -> ep cmd timeout(END_TRANSFER) > -> cleanup cancelled requests -> dwc3_gadget_giveback -> > list_del -> release lock temporarily > 2. Complete with END_TRANSFER -> ISR(dwc3_gadget_endpoint_command_complete) > gets lock -> cleanup cancelled requests -> dwc3_gadget_giveback > -> list_del > 3. MTP server process gets lock again > -> tries to access POISON list(list_del corruption) > > [2: MtpServer: 5032] dwc3 10b00000.dwc3: request cancelled > with wrong reason:5 > [2: MtpServer: 5032] list_del corruption, > ffffff88b6963968->next is LIST_POISON1 (dead000000000100) > > Signed-off-by: Daehwan Jung <dh10.jung@samsung.com> > --- > drivers/usb/dwc3/gadget.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) What commit id does this fix? thanks, greg k-h