[PATCH] usb: dwc3: gadget: fix crash in dwc3_gadget_giveback()

If the ep0 stalls or requests are dequeued when gadget is stopped, the request dma may not be mapped yet and dwc3_flush_cache() may be called with a NULL pointer.
Check req->request.dma before calling dwc3_flush_cache() and later the usb_gadget_unmap_request() functions since it means that usb_gadget_map_request() hasn't been called yet.
Fixes: fd15b58c1a9 ("dwc3: flush cache only if there is a buffer attached to a request")
Signed-off-by: Neil Armstrong neil.armstrong@linaro.org
---
drivers/usb/dwc3/gadget.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index fab32575647..92c7c6d08b7 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -248,7 +248,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
list_del(&req->list); req->trb = NULL; - if (req->request.length) + if (req->request.dma && req->request.length) dwc3_flush_cache((uintptr_t)req->request.dma, req->request.length);
if (req->request.status == -EINPROGRESS) @@ -256,7 +256,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
if (dwc->ep0_bounced && dep->number == 0) dwc->ep0_bounced = false; - else + else if (req->request.dma) usb_gadget_unmap_request(&dwc->gadget, &req->request, req->direction);
--- base-commit: 7e52d6ccfb76e2afc2d183b357abe2a2e2f948cf change-id: 20240528-topic-sm8x50-dwc3-gadget-crash-fix-fa0404ffce33
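Review bot: In the first hunk (@@ -248), the new `req->request.dma &&` test treats a zero DMA address as "not mapped", which only holds if the field is zero when the request is allocated and if address 0 is never a valid mapping on the platforms that use this driver. Neither assumption is visible in the patch; please state it in the commit message or in a comment next to the check, since the value goes straight into `dwc3_flush_cache((uintptr_t)req->request.dma, req->request.length)`.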
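Review bot: In the second hunk (@@ -256), `else if (req->request.dma)` skips `usb_gadget_unmap_request()` only while dma is still zero, so a request that was mapped, given back and then reused would pass the guard with its old address unless the unmap path clears the field. Please confirm that it does, or reset `req->request.dma` after the unmap in this branch.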
Best regards,

Hi Neil,
Thank you for the patch.
On Tue, May 28, 2024 at 10:35, Neil Armstrong neil.armstrong@linaro.org wrote:
If the ep0 stalls or requests are dequeued when gadget is stopped, the request dma may not be mapped yet and dwc3_flush_cache() may be called with a NULL pointer.
Check req->request.dma before calling dwc3_flush_cache() and later the usb_gadget_unmap_request() functions since it means that usb_gadget_map_request() hasn't been called yet.
Fixes: fd15b58c1a9 ("dwc3: flush cache only if there is a buffer attached to a request")
Signed-off-by: Neil Armstrong neil.armstrong@linaro.org
Reviewed-by: Mattijs Korpershoek mkorpershoek@baylibre.com
drivers/usb/dwc3/gadget.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index fab32575647..92c7c6d08b7 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -248,7 +248,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
list_del(&req->list); req->trb = NULL;
- if (req->request.length)
if (req->request.dma && req->request.length) dwc3_flush_cache((uintptr_t)req->request.dma, req->request.length);
if (req->request.status == -EINPROGRESS)
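Review bot: The dma check on the flush condition carries no comment, and nothing in the code says when a request can reach dwc3_gadget_giveback() without a mapping. The commit message names the cases (ep0 stall, dequeue while the gadget is stopped); a one-line comment above the `if` noting that dma stays unset until usb_gadget_map_request() has run would keep a later cleanup from dropping the test.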
@@ -256,7 +256,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
if (dwc->ep0_bounced && dep->number == 0) dwc->ep0_bounced = false;
- else
- else if (req->request.dma) usb_gadget_unmap_request(&dwc->gadget, &req->request, req->direction);
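Review bot: The `req->request.dma` test on the unmap branch repeats the one added to the flush condition earlier in the same function, so the two guards can drift apart in later edits. Consider evaluating it once into a local (for example `bool mapped = req->request.dma;`, a name used here only for illustration) and using that for both the flush and the unmap.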
base-commit: 7e52d6ccfb76e2afc2d183b357abe2a2e2f948cf change-id: 20240528-topic-sm8x50-dwc3-gadget-crash-fix-fa0404ffce33
Best regards,
Neil Armstrong neil.armstrong@linaro.org

Hi,
On Tue, 28 May 2024 10:35:03 +0200, Neil Armstrong wrote:
If the ep0 stalls or requests are dequeued when gadget is stopped, the request dma may not be mapped yet and dwc3_flush_cache() may be called with a NULL pointer.
Check req->request.dma before calling dwc3_flush_cache() and later the usb_gadget_unmap_request() functions since it means that usb_gadget_map_request() hasn't been called yet.
[...]
Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-dfu (u-boot-dfu)
[1/1] usb: dwc3: gadget: fix crash in dwc3_gadget_giveback() https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/85ced6f4745f529...
-- Mattijs