AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-28 11:18:45 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
c0e73c1d6d
linux_dsm_epyc7002/drivers/usb/gadget/function
History
Jack Pham c9ccb0efaa usb: gadget: u_audio: Free requests only after callback 
[ Upstream commit 7de8681be2cde9f6953d3be1fa6ce05f9fe6e637 ]

As per the kernel doc for usb_ep_dequeue(), it states that "this
routine is asynchronous, that is, it may return before the completion
routine runs". And indeed since v5.0 the dwc3 gadget driver updated
its behavior to place dequeued requests on to a cancelled list to be
given back later after the endpoint is stopped.

The free_ep() was incorrectly assuming that a request was ready to
be freed after calling dequeue which results in a use-after-free
in dwc3 when it traverses its cancelled list. Fix this by moving
the usb_ep_free_request() call to the callback itself in case the
ep is disabled.

Fixes: eb9fecb9e6 ("usb: gadget: f_uac2: split out audio core")
Reported-and-tested-by: Ferry Toth <fntoth@gmail.com>
Reviewed-and-tested-by: Peter Chen <peter.chen@nxp.com>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Link: https://lore.kernel.org/r/20210118084642.322510-2-jbrunet@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-03-04 11:37:24 +01:00
..
f_acm.c USB: gadget: f_acm: add support for SuperSpeed Plus 2020-12-26 16:02:39 +01:00
f_ecm.c
f_eem.c
f_fs.c usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus 2020-12-26 16:02:39 +01:00
f_hid.c usb: gadget: Use fallthrough pseudo-keyword 2020-07-10 08:55:18 +02:00
f_loopback.c
f_mass_storage.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
f_mass_storage.h
f_midi.c USB: gadget: f_midi: setup SuperSpeed Plus descriptors 2020-12-26 16:02:39 +01:00
f_ncm.c usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets. 2020-10-02 09:57:41 +03:00
f_obex.c
f_phonet.c usb: gadget: Use fallthrough pseudo-keyword 2020-07-10 08:55:18 +02:00
f_printer.c usb: gadget: function: printer: Fix a memory leak for interface descriptor 2021-01-12 20:18:21 +01:00
f_rndis.c USB: gadget: f_rndis: fix bitrate for SuperSpeed and above 2020-12-26 16:02:39 +01:00
f_serial.c
f_sourcesink.c
f_subset.c
f_tcm.c usb: gadget: config_ep_by_speed_and_alt instead of config_ep_by_speed 2020-10-02 09:57:40 +03:00
f_uac1_legacy.c usb: gadget: function: fix missing spinlock in f_uac1_legacy 2020-07-09 10:13:07 +03:00
f_uac1.c
f_uac2.c usb: gadget: f_uac2: reset wMaxPacketSize 2021-01-12 20:18:21 +01:00
f_uvc.c usb: gadget: uvc: Fix the wrong v4l2_device_unregister call 2020-10-02 09:57:45 +03:00
f_uvc.h
g_zero.h
Makefile
ndis.h
rndis.c
rndis.h
storage_common.c
storage_common.h
tcm.h
u_audio.c usb: gadget: u_audio: Free requests only after callback 2021-03-04 11:37:24 +01:00
u_audio.h
u_ecm.h
u_eem.h
u_ether_configfs.h
u_ether.c usb: gadget: u_ether: Fix MTU size mismatch with RX packet size 2021-01-12 20:18:21 +01:00
u_ether.h
u_fs.h
u_gether.h
u_hid.h
u_midi.h
u_ncm.h
u_phonet.h
u_printer.h
u_rndis.h
u_serial.c usb: gadget: u_serial: clear suspended flag when disconnecting 2020-10-02 09:57:41 +03:00
u_serial.h usb: gadget: u_serial.h: increase MAX_U_SERIAL_PORTS to 8 2020-06-18 10:23:22 +02:00
u_tcm.h
u_uac1_legacy.c usb: gadget: function: u_uac1_legacy: Demote obvious misuse of kerneldoc to standard comment blocks 2020-07-09 17:19:58 +02:00
u_uac1_legacy.h
u_uac1.h
u_uac2.h
u_uvc.h
uvc_configfs.c
uvc_configfs.h
uvc_queue.c
uvc_queue.h
uvc_v4l2.c
uvc_v4l2.h
uvc_video.c
uvc_video.h
uvc.h