usb: dwc3: gadget: Protect against ep disabling during completion

In dwc3_cleanup_done_reqs(), a potential race condition could arise when dwc3_gadget_giveback() temporarily releases the main spinlock. If during this window the very endpoint being handled becomes disabled, it would lead to a NULL pointer dereference in the code that follows. Guard against this by making sure the endpoint is still enabled after returning from the giveback call. CRs-fixed: 628972 Change-Id: Ifdb823fff12747f699217d871a5959c85b5340f7 Signed-off-by: Jack Pham <jackp@codeaurora.org>
author: Jack Pham <jackp@codeaurora.org> 2014-03-10 23:40:58 -0700
committer: David Keitel <dkeitel@codeaurora.org> 2016-03-22 11:06:24 -0700
commit: c694893be5d6e142aad8ff41fdfbad8ab7df4280 (patch)
tree: 3224d66b1c3be3c4ddedb50ca7da54a97689de34 /drivers/usb
parent: 06b8c381255db5ece7a34818a86991a97f18c867 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 6ee0e0029dc8..c645345881b7 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1978,6 +1978,13 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
 
 		dwc3_gadget_giveback(dep, req, status);
 
+		/* EP possibly disabled during giveback? */
+		if (!(dep->flags & DWC3_EP_ENABLED)) {
+			dev_dbg(dwc->dev, "%s disabled while handling ep event\n",
+					dep->name);
+			return 0;
+		}
+
 		if (ret)
 			break;
 	} while (1);
author	Jack Pham <jackp@codeaurora.org>	2014-03-10 23:40:58 -0700
committer	David Keitel <dkeitel@codeaurora.org>	2016-03-22 11:06:24 -0700
commit	c694893be5d6e142aad8ff41fdfbad8ab7df4280 (patch)
tree	3224d66b1c3be3c4ddedb50ca7da54a97689de34 /drivers/usb
parent	06b8c381255db5ece7a34818a86991a97f18c867 (diff)