96bd39df29
dwc3_ep_dequeue() waits for completion of End Transfer command using
wait_event_lock_irq(), which will release the dwc3->lock while waiting
and reacquire after completion. This allows a potential race condition
with ep_disable() which also removes all requests from started_list
and pending_list.

The check for NULL r->trb should catch this but currently it exits to
the wrong 'out1' label which calls dwc3_gadget_giveback(). Since its
list entry was already removed, if CONFIG_DEBUG_LIST is enabled a
'list_del corruption' bug is thrown since its next/prev pointers are
already LIST_POISON1/2. If r->trb is NULL it should simply exit to
'out0'.

Fixes:

core.c
core.h
debug.h
debugfs.c
drd.c
dwc3-exynos.c
dwc3-keystone.c
dwc3-of-simple.c
dwc3-omap.c
dwc3-pci.c
dwc3-st.c
ep0.c
gadget.c
gadget.h
host.c
io.h
Kconfig
Makefile
trace.c
trace.h
ulpi.c