Commit e99b1eb7 authored Jun 07, 2019 by Pratham Pratap

usb: dwc3: Flush bh work before disabling dwc3_irq



Consider a case of quick pull-up disable after pull-up is enabled.
If a SETUP packet comes after bus reset event followed by connection
done event, there is a possibility of race between
composite_dev_cleanup() freeing cdev->req called from
configfs_composite_unbind() and composite_setup() storing req pointer
to stack. This causes use after free of cdev->req. To fix this flush
the bottom half work if there was any work pending before disabling
dwc3_irq.

Change-Id:I309f2117325c500f31e93925ac0a7b0d61ccc078
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>

parent 4c16f4bd

drivers/usb/dwc3/gadget.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2195,6 +2195,10 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
	}		}

	disable_irq(dwc->irq);		disable_irq(dwc->irq);

			/* prevent pending bh to run later */
			flush_work(&dwc->bh_work);

	spin_lock_irqsave(&dwc->lock, flags);		spin_lock_irqsave(&dwc->lock, flags);
	if (dwc->ep0state != EP0_SETUP_PHASE)		if (dwc->ep0state != EP0_SETUP_PHASE)
	dbg_event(0xFF, "EP0 is not in SETUP phase\n", 0);		dbg_event(0xFF, "EP0 is not in SETUP phase\n", 0);