 
The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
Possible dependencies:
f78961f8380b ("usb: dwc3: gadget: Stop processing more requests on IMI")
5ee858975b13 ("usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields")
e0c42ce590fe ("usb: dwc3: gadget: simplify IOC handling")
d36929538f8b ("usb: dwc3: gadget: split scatterlist and linear handlers")
12a3a4ada816 ("usb: dwc3: gadget: make cleanup_completed_requests() return nothing")
8f608e8ab628 ("usb: dwc3: gadget: remove unnecessary 'dwc' parameter")
320338651d33 ("usb: dwc3: gadget: move handler closer to calling site")
ed27442e5093 ("usb: dwc3: gadget: rename dwc3_gadget_start_isoc()")
a24a6ab1493a ("usb: dwc3: gadget: remove some pointless checks")
0bd0f6d201eb ("usb: dwc3: gadget: remove allocated/queued request tracking")
66f5dd5a0379 ("usb: dwc3: gadget: rename done_trbs and done_reqs")
fbea935accf4 ("usb: dwc3: gadget: rename dwc3_endpoint_transfer_complete()")
742a4fff5f29 ("usb: dwc3: gadget: XferComplete only for EP0")
38408464aa76 ("usb: dwc3: gadget: XferNotReady is Isoc-only")
c96e6725db9d ("usb: dwc3: gadget: Correct the logic for queuing sgs")
a31e63b608ff ("usb: dwc3: gadget: Correct handling of scattergather lists")
c91815b59624 ("usb: dwc3: gadget: never call ->complete() from ->ep_queue()")
7fdca766499b ("usb: dwc3: gadget: simplify __dwc3_gadget_kick_transfer() prototype")
502a37b98a7b ("usb: dwc3: gadget: cache frame number in struct dwc3_ep")
64e010802997 ("usb: dwc3: gadget: simplify __dwc3_gadget_ep_queue()")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From f78961f8380b940e0cfc7e549336c21a2ad44f4d Mon Sep 17 00:00:00 2001
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Date: Tue, 25 Oct 2022 15:10:14 -0700
Subject: [PATCH] usb: dwc3: gadget: Stop processing more requests on IMI
When servicing a transfer completion event, the dwc3 driver will reclaim TRBs of started requests up to the request associated with the interrupt event. Currently we don't check for interrupt due to missed isoc, and the driver may attempt to reclaim TRBs beyond the associated event. This causes invalid memory access when the hardware still owns the TRB. If there's a missed isoc TRB with IMI (interrupt on missed isoc), make sure to stop servicing further.
Note that only the last TRB of chained TRBs has its status updated with missed isoc.
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable@vger.kernel.org
Reported-by: Jeff Vanhoof <jdv1029@gmail.com>
Reported-by: Dan Vacura <w36195@motorola.com>
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Jeff Vanhoof <jdv1029@gmail.com>
Tested-by: Jeff Vanhoof <jdv1029@gmail.com>
Link: https://lore.kernel.org/r/b29acbeab531b666095dfdafd8cb5c7654fbb3e1.166673545...
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index dd8ecbe61bec..230b3c660054 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -3248,6 +3248,10 @@ static int dwc3_gadget_ep_reclaim_completed_trb(struct dwc3_ep *dep, if (event->status & DEPEVT_STATUS_SHORT && !chain) return 1;
+ if ((trb->ctrl & DWC3_TRB_CTRL_ISP_IMI) && + DWC3_TRB_SIZE_TRBSTS(trb->size) == DWC3_TRBSTS_MISSED_ISOC) + return 1; + if ((trb->ctrl & DWC3_TRB_CTRL_IOC) || (trb->ctrl & DWC3_TRB_CTRL_LST)) return 1;
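Review bot: the new IMI check in dwc3_gadget_ep_reclaim_completed_trb() has no comment, so the reason it returns 1 lives only in the commit message. Suggest a short comment above the `if` saying that reclaim must stop at a missed-isoc TRB because later TRBs may still be owned by the hardware, and that only the last TRB of a chain has its status updated with missed isoc. It is also worth stating there that this test reads the status from the TRB itself via DWC3_TRB_SIZE_TRBSTS(trb->size), whereas the DEPEVT_STATUS_SHORT check just above it reads event->status, so a later cleanup does not "unify" the two. Since this function is one of several return-1 stop conditions evaluated in order, anyone backporting onto a tree where the surrounding checks differ should confirm the new test still runs before the IOC/LST check and is not skipped by an earlier return.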