Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 06ae205d authored Apr 15, 2019 by Chandana Kishori Chiluveru Committed by Jack Pham Oct 26, 2019

usb: dwc3: Fix use after free crash from dwc3 interrupt handler



If CONFIG_DEBUG_SHIRQ config option is enabled in kernel, shared
irq interrupt handler can be called from free_irq context and
accessing the freed dwc->ev_buf pointer in irq handler.

Hence fix this issue by explicitly checking for dwc->ev_buf pointer
in dwc3_check_event_buf() function.

Change-Id: I3311aa36408f17fb2560ad02c0929c52e96cc7e8
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>

parent b6b4a7e5

drivers/usb/dwc3/core.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -398,8 +398,10 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
		struct dwc3_event_buffer *evt;

		evt = dwc->ev_buf;
		if (evt)
		if (evt) {
		dwc3_free_one_event_buffer(dwc, evt);
		dwc->ev_buf = NULL;
		}

		/* free GSI related event buffers */
		dwc3_notify_event(dwc, DWC3_GSI_EVT_BUF_FREE, 0);

drivers/usb/dwc3/gadget.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -3661,12 +3661,16 @@ static irqreturn_t dwc3_thread_interrupt(int irq, void *_evt)

		static irqreturn_t dwc3_check_event_buf(struct dwc3_event_buffer *evt)
		{
		struct dwc3 *dwc = evt->dwc;
		struct dwc3 *dwc;
		u32 amount;
		u32 count;
		u32 reg;
		ktime_t start_time;

		if (!evt)
		return IRQ_NONE;

		dwc = evt->dwc;
		start_time = ktime_get();
		dwc->irq_cnt++;