leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7de8681be2
linux/drivers/usb
History
Jack Pham 7de8681be2 usb: gadget: u_audio: Free requests only after callback 
As per the kernel doc for usb_ep_dequeue(), it states that "this
routine is asynchronous, that is, it may return before the completion
routine runs". And indeed since v5.0 the dwc3 gadget driver updated
its behavior to place dequeued requests on to a cancelled list to be
given back later after the endpoint is stopped.

The free_ep() was incorrectly assuming that a request was ready to
be freed after calling dequeue which results in a use-after-free
in dwc3 when it traverses its cancelled list. Fix this by moving
the usb_ep_free_request() call to the callback itself in case the
ep is disabled.

Fixes: eb9fecb9e6 ("usb: gadget: f_uac2: split out audio core")
Reported-and-tested-by: Ferry Toth <fntoth@gmail.com>
Reviewed-and-tested-by: Peter Chen <peter.chen@nxp.com>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Link: https://lore.kernel.org/r/20210118084642.322510-2-jbrunet@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-18 18:43:09 +01:00
..
atm drivers: usb: atm: use pr_err() and pr_warn() instead of raw printk() 2020-12-09 15:22:51 +01:00
c67x00 Linux 5.9-rc3 2020-08-31 07:11:45 +02:00
cdns3 Below are main changes for v5.11-rc1: 2020-12-10 11:30:31 +01:00
chipidea usb: chipidea: tegra: Specify TX FIFO threshold in UDC SoC info 2021-01-13 11:26:34 +01:00
class Merge 5.11-rc3 into usb-next 2021-01-11 08:11:26 +01:00
common usb: common: ulpi: Constify static attribute_group struct 2020-11-26 13:40:43 +01:00
core kcov, usb: hide in_serving_softirq checks in __usb_hcd_giveback_urb 2021-01-07 14:17:29 +01:00
dwc2 usb: dwc2: disable Link Power Management on STM32MP15 HS OTG 2021-01-12 12:54:42 +01:00
dwc3 usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot 2021-01-15 16:51:31 +01:00
early usb: early: ehci-dbgp: convert to readl_poll_timeout_atomic() 2020-09-25 16:29:09 +02:00
gadget usb: gadget: u_audio: Free requests only after callback 2021-01-18 18:43:09 +01:00
host usb: host: ehci-tegra: Remove the driver 2021-01-13 11:26:34 +01:00
image USB: microtek: use set_host_byte() 2020-09-16 12:42:10 +02:00
isp1760 usb: isp1760-hcd: convert to readl_poll_timeout_atomic() 2020-09-25 16:30:05 +02:00
misc USB: yurex: fix control-URB timeout handling 2020-12-28 15:47:06 +01:00
mon
mtu3 usb: mtu3: fix memory corruption in mtu3_debugfs_regset() 2020-12-07 15:26:18 +01:00
musb usb: Fix fall-through warnings for Clang 2020-11-23 17:46:01 +01:00
phy usb: phy: phy-mxs-usb: Use of_device_get_match_data() 2021-01-18 18:35:46 +01:00
renesas_usbhs
roles device connection: Remove struct device_connection 2020-09-07 11:14:09 +02:00
serial USB: serial: iuu_phoenix: fix DMA from stack 2021-01-04 16:30:09 +01:00
storage usb: uas: Add PNY USB Portable SSD to unusual_uas 2021-01-05 14:05:10 +01:00
typec usb: typec: ucsi: Add support for USB role switch 2021-01-12 12:56:27 +01:00
usbip Merge 5.11-rc3 into usb-next 2021-01-11 08:11:26 +01:00
Kconfig
Makefile usb: host: imx21-hcd: Remove the driver 2020-11-13 15:22:46 +01:00
usb-skeleton.c