author: Douglas Anderson <dianders@chromium.org> 2016-01-29 03:19:55 +0100
committer: Felipe Balbi <balbi@kernel.org> 2016-03-04 14:14:40 +0100
commit: 16e80218816488f016418717d23c660abe073a67
tree: 74dd155a1274bbc7eace92a76e7907c19d7ffddd /drivers/usb/dwc2/hcd_intr.c
parent: usb: dwc2: host: Set host_rx_fifo_size to 525 for rk3066
usb: dwc2: host: Avoid use of chan->qh after qh freed
When poking around with USB devices with slub_debug enabled, I found another obvious use after free. Turns out that in dwc2_hc_n_intr() I was in a state when the contents of chan->qh was filled with 0x6b, indicating that chan->qh was freed but chan still had a reference to it.

Let's make sure that whenever we free qh we also make sure we remove a reference from its channel.

The bug fixed here doesn't appear to be new--I believe I just got lucky and happened to see it while stress testing.

Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Diffstat (limited to 'drivers/usb/dwc2/hcd_intr.c')

-rw-r--r--  drivers/usb/dwc2/hcd_intr.c | 10
1 file changed, 10 insertions, 0 deletions
diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
index 4270f6c719c6..0d0fd2a7f1f9 100644
--- a/drivers/usb/dwc2/hcd_intr.c
+++ b/drivers/usb/dwc2/hcd_intr.c
@@ -1943,6 +1943,16 @@ static void dwc2_hc_n_intr(struct dwc2_hsotg *hsotg, int chnum)
}
dwc2_writel(hcint, hsotg->regs + HCINT(chnum));
+
+ /*
+ * If we got an interrupt after someone called
+ * dwc2_hcd_endpoint_disable() we don't want to crash below
+ */
+ if (!chan->qh) {
+ dev_warn(hsotg->dev, "Interrupt on disabled channel\n");
+ return;
+ }
+
chan->hcint = hcint;
hcint &= hcintmsk;
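Review bot: the new `if (!chan->qh)` guard calls dev_warn() unconditionally from the per-channel interrupt path, so a disabled channel that keeps raising interrupts would flood the log from IRQ context; dev_warn_ratelimited() (or dev_dbg() once the condition is understood) would be safer here. Note also that this check only protects against the use-after-free when the companion change the commit message describes, clearing chan->qh wherever the qh is freed, is applied as well; that part lives outside this file (the diffstat is limited to hcd_intr.c), and without it a dangling chan->qh still passes the NULL test. The ordering itself looks right: the early return comes after the dwc2_writel() to HCINT(chnum), so the pending interrupt bits are acknowledged before bailing out and the same interrupt does not immediately re-fire.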