mirror of
https://github.com/torvalds/linux.git
synced 2024-12-28 13:51:44 +00:00
2e84da6e34
On a disconnect, dwc2 will kill all remaining urbs from qh list. urbs are given back to hcd with -ETIMEDOUT status. Some usb device driver, like mass storage, will unlink all urbs using usb_hcd_unlink_urb when receiving a negative status different from -ECONNRESET. The following flow will then happen: dwc2_hcd_disconnect() -> dwc2_kill_all_urbs() try to kill first pending urb. -> dwc2_host_complete(-ETIMEDOUT) -> usb_hcd_giveback_urb(-ETIMEDOUT) -> sg_complete() -> usb_unlink_urb() -> usb_put_dev(urb->dev) -> dwc2_kill_all_urbs() try to kill next pending urb. -> dwc2_host_complete(-ETIMEDOUT) -> usb_hcd_giveback_urb(-ETIMEDOUT) -> NULL pointer dereferencing because urb->dev has been freed for all urbs of this device. The root cause of this NULL pointer is to call call usb_unlink_urb() while we are killing all urbs. To avoid this return urb with -ECONNRESET status This issue usually happens while removing mass storage device during transfer. Signed-off-by: Gregory Herrero <gregory.herrero@intel.com> Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com> Tested-by: Robert Baldyga <r.baldyga@samsung.com> Tested-by: Dinh Nguyen <dinguyen@opensource.altera.com> Tested-by: John Youn <johnyoun@synopsys.com> Acked-by: John Youn <johnyoun@synopsys.com> Signed-off-by: Felipe Balbi <balbi@ti.com> |
||
|---|---|---|
| .. | ||
| core_intr.c | ||
| core.c | ||
| core.h | ||
| debug.h | ||
| debugfs.c | ||
| gadget.c | ||
| hcd_ddma.c | ||
| hcd_intr.c | ||
| hcd_queue.c | ||
| hcd.c | ||
| hcd.h | ||
| hw.h | ||
| Kconfig | ||
| Makefile | ||
| pci.c | ||
| platform.c | ||