Date: Fri, 13 May 2022 14:57:09 +0800
Message-Id: <20220513065709.1606634-1-albertccwang@google.com>
Subject: [PATCH v3] usb: dwc3: gadget: Move null pointer check after window closed
From: Albert Wang
To: balbi@kernel.org, gregkh@linuxfoundation.org, quic_jackp@quicinc.com
Cc: badhri@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Albert Wang
X-Mailing-List: linux-kernel@vger.kernel.org

After inspecting further, we do see the locking is implicit, with the main gotcha being the unlock/re-lock. That creates a window for a race to happen.

This change moves the NULL check to be adjacent to where it's used and after the window is "closed".

Fixes: 26288448120b ("usb: dwc3: gadget: Fix null pointer exception")
Signed-off-by: Albert Wang
---
v3: Add change log to be compliant with the canonical patch format
v2: Remove redundant 'else' and add additional comments and more descriptive commit text

 drivers/usb/dwc3/gadget.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 19477f4bbf54..fda58951cf27 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3366,14 +3366,19 @@ static bool dwc3_gadget_endpoint_trbs_complete(struct dwc3_ep *dep, struct dwc3 *dwc = dep->dwc; bool no_started_trb = true; - if (!dep->endpoint.desc) - return no_started_trb; - + /* + * This function eventually leads to dwc3_giveback() which unlocks + * the dwc->lock and relocks afterwards. This actually creates a + * a window for a race to happen. + */ dwc3_gadget_ep_cleanup_completed_requests(dep, event, status); if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) goto out; + if (!dep->endpoint.desc) + return no_started_trb; + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && list_empty(&dep->started_list) && (list_empty(&dep->pending_list) || status == -EXDEV)) -- 2.36.0.550.gb090851708-goog
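Review bot: the relocated `if (!dep->endpoint.desc)` check now sits after the `if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) goto out;` line, so the `out:` path (not visible in this hunk) runs without the desc guard that used to precede it; either confirm that `out:` never touches `dep->endpoint.desc`, or place the NULL check immediately after `dwc3_gadget_ep_cleanup_completed_requests()` and before the `goto`. Two smaller points on the new comment block: "creates a a window" has a doubled "a", and "This function" above the call is ambiguous (it reads as referring to dwc3_gadget_endpoint_trbs_complete itself); naming the callee, e.g. "dwc3_gadget_ep_cleanup_completed_requests() eventually leads to dwc3_giveback(), which unlocks dwc->lock and relocks afterwards", would make the intent clear to the next reader.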
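The commit message above describes the general hazard behind the patch: a check made under a lock is worthless once a callee drops and re-takes that lock, because the protected state can change in between. The following is an added userspace model of that hazard, not code from the patch or from the dwc3 driver; every name in it (`ep`, `ep_desc`, `giveback`, `cb_disable`, the result codes) is hypothetical. It models the pre-patch ordering (check, then open the unlock/re-lock window, then use) beside the post-patch ordering (open the window, then re-check once it is closed), with a completion callback that disables the endpoint inside the window, the way an `ep_disable` racing with completion would. Where the real driver would dereference NULL, the model returns `EP_STALE_DESC` so the outcome can be observed rather than crashed on.

```c
/*
 * Added example (hypothetical names, not dwc3 code): a check-then-use race
 * across a lock that is dropped and re-taken inside a callee.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ep_desc { bool isoc; };

struct ep {
    pthread_mutex_t lock;          /* stands in for dwc->lock */
    const struct ep_desc *desc;    /* NULL once the endpoint is disabled */
    void (*complete)(struct ep *); /* completion callback, run with lock dropped */
};

/* Result codes so the model reports instead of dereferencing NULL. */
enum { EP_DONE = 0, EP_DONE_ISOC = 2, EP_NOT_READY = 1, EP_STALE_DESC = -1 };

/* Callback that disables the endpoint from inside the completion path. */
static void cb_disable(struct ep *ep)
{
    pthread_mutex_lock(&ep->lock);
    ep->desc = NULL;
    pthread_mutex_unlock(&ep->lock);
}

/* Callback that leaves the endpoint alone. */
static void cb_noop(struct ep *ep) { (void)ep; }

/* Called with ep->lock held: drops it around the callback, then re-takes it.
 * This is the unlock/re-lock window the commit message refers to. */
static void giveback(struct ep *ep)
{
    pthread_mutex_unlock(&ep->lock);
    ep->complete(ep);
    pthread_mutex_lock(&ep->lock);
}

/* The "use" of desc; the real driver would dereference it here. */
static int use_desc(const struct ep_desc *desc)
{
    if (!desc)
        return EP_STALE_DESC;
    return desc->isoc ? EP_DONE_ISOC : EP_DONE;
}

/* Pre-patch ordering: check, open the window, use. The check is stale. */
static int complete_check_before(struct ep *ep)
{
    int rc;
    pthread_mutex_lock(&ep->lock);
    if (!ep->desc) {
        pthread_mutex_unlock(&ep->lock);
        return EP_NOT_READY;
    }
    giveback(ep);             /* desc may be cleared while the lock is dropped */
    rc = use_desc(ep->desc);  /* guarded only by the check made before the window */
    pthread_mutex_unlock(&ep->lock);
    return rc;
}

/* Post-patch ordering: open the window first, re-check once it is closed. */
static int complete_check_after(struct ep *ep)
{
    int rc;
    pthread_mutex_lock(&ep->lock);
    giveback(ep);
    if (!ep->desc)            /* state re-validated under the re-taken lock */
        rc = EP_NOT_READY;
    else
        rc = use_desc(ep->desc);
    pthread_mutex_unlock(&ep->lock);
    return rc;
}

/* Run one ordering against a fresh endpoint whose completion callback is cb. */
static int run(int (*fn)(struct ep *), void (*cb)(struct ep *), bool isoc)
{
    struct ep_desc desc = { .isoc = isoc };
    struct ep ep;
    int rc;
    pthread_mutex_init(&ep.lock, NULL);
    ep.desc = &desc;
    ep.complete = cb;
    rc = fn(&ep);
    pthread_mutex_destroy(&ep.lock);
    return rc;
}

int main(void)
{
    printf("check before window, callback disables ep: %d (EP_STALE_DESC=-1)\n",
           run(complete_check_before, cb_disable, true));
    printf("check after window,  callback disables ep: %d (EP_NOT_READY=1)\n",
           run(complete_check_after, cb_disable, true));
    printf("check after window,  callback is a no-op:  %d (EP_DONE_ISOC=2)\n",
           run(complete_check_after, cb_noop, true));
    return 0;
}
```

The model is single-threaded on purpose: the callback disables the endpoint synchronously inside the window, which makes the interleaving deterministic and reproducible without a scheduler. The lesson for reviewing lock-dropping code is the same as in the patch: any invariant a caller checks before calling into a function that unlocks and relocks must be re-checked after that call returns, and the check belongs as close to the use as possible.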