Commit c603b06d authored May 08, 2019 by Chandana Kishori Chiluveru

usb: dwc3: Disable the irq before clearing run_stop bit

During composition switch dwc3_gadget_pullup() is called to perform a
disconnect, the driver must ensure that no transfers are in progress
before clearing the run/stop bit.
Their is a case where host sending a Setup packet just before clear
run/stop bit in pullup disable before the dwc->lock is acquired, this
allows for a race in which a ep0 queue is failed with -ESHUTDOWN
and marking the freed request status(req->status) pointer to null.
After that when the request is allocated from next bind kernel panic
is seen with object poison overwritten with req->status pointer.

To fix this issue by disabling the irq before clearing the run-stop bit
so that interrupt handling for setup packet is prevented.

Change-Id: I979da8536bd6766153e25cf6120f00f348427a72
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

parent 3541909b

drivers/usb/dwc3/gadget.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -2107,7 +2107,12 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
		pm_runtime_get_sync(dwc->dev);
		dbg_event(0xFF, "Pullup gsync",
		atomic_read(&dwc->dev->power.usage_count));

		disable_irq(dwc->irq);
		spin_lock_irqsave(&dwc->lock, flags);
		if (dwc->ep0state != EP0_SETUP_PHASE)
		dbg_event(0xFF, "EP0 is not in SETUP phase\n", 0);

		/*
		* If we are here after bus suspend notify otg state machine to
		* increment pm usage count of dwc to prevent pm_runtime_suspend
		@@ -2118,6 +2123,7 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)

		ret = dwc3_gadget_run_stop(dwc, is_on, false);
		spin_unlock_irqrestore(&dwc->lock, flags);
		enable_irq(dwc->irq);

		pm_runtime_mark_last_busy(dwc->dev);
		pm_runtime_put_autosuspend(dwc->dev);