Commit 290cc1d5 authored Jun 07, 2019 by Pratham Pratap Committed by Ajay Agarwal Jun 24, 2019

usb: dwc3: Flush bh work before disabling dwc3_irq



Consider a case of quick pull-up disable after pull-up is enabled.
If a SETUP packet comes after bus reset event followed by connection
done event, there is a possibility of race between
composite_dev_cleanup() freeing cdev->req called from
configfs_composite_unbind() and composite_setup() storing req pointer
to stack. This causes use after free of cdev->req. To fix this
flush the bottom half work if there was any work pending before
disabling dwc3_irq.

Change-Id: I309f2117325c500f31e93925ac0a7b0d61ccc078
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>

parent c603b06d

drivers/usb/dwc3/gadget.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -2109,6 +2109,10 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
		atomic_read(&dwc->dev->power.usage_count));

		disable_irq(dwc->irq);

		/* prevent pending bh to run later */
		flush_work(&dwc->bh_work);

		spin_lock_irqsave(&dwc->lock, flags);
		if (dwc->ep0state != EP0_SETUP_PHASE)
		dbg_event(0xFF, "EP0 is not in SETUP phase\n", 0);