Hi!
commit 3c5880745b4439ac64eccdb040e37fc1cc4c5406 upstream.
When dwc3_gadget_ep_cleanup_completed_requests() calls dwc3_gadget_giveback(), where the dwc3 lock is released, another thread is able to execute. In this situation, usb_ep_disable() gets the chance to clear the endpoint descriptor pointer, which leads to the null pointer dereference problem. So the null pointer check needs to be moved to a proper place.
Ok, but could someone check the error handling there? There's some cleanup at the out label, but the moved code does not jump there.
Best regards, Pavel
+++ b/drivers/usb/dwc3/gadget.c @@ -2960,14 +2960,14 @@ static bool dwc3_gadget_endpoint_trbs_co struct dwc3 *dwc = dep->dwc; bool no_started_trb = true;
- if (!dep->endpoint.desc)
return no_started_trb;
- dwc3_gadget_ep_cleanup_completed_requests(dep, event, status);
if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) goto out;
- if (!dep->endpoint.desc)
return no_started_trb;
- if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && list_empty(&dep->started_list) && (list_empty(&dep->pending_list) || status == -EXDEV))
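Review bot: the relocated `if (!dep->endpoint.desc) return no_started_trb;` now follows `if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) goto out;`, so at this point the function has two different exits: the END_TRANSFER_PENDING case goes through `out`, while a cleared descriptor returns directly and skips whatever `out:` does. Because the descriptor can only have been cleared while dwc3_gadget_ep_cleanup_completed_requests() had dropped the lock (as the description states), that direct return is a new path through the function; either confirm that `out:` carries no cleanup this path also needs, or turn the check into `goto out` with `no_started_trb` kept as the return value, and say in the commit message why the chosen exit is safe.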