From 26a19ea699060fded98257e65b0ae5272a5ea1da Mon Sep 17 00:00:00 2001 From: Gregory Herrero Date: Thu, 5 Nov 2015 09:41:40 +0100 Subject: [PATCH] usb: dwc2: host: fix use of qtd after free in desc dma mode When completing non isoc xfer, dwc2_complete_non_isoc_xfer_ddma() is relying on qtd->n_desc to process the corresponding number of descriptors. During the processing of these descriptors, qtd could be unlinked and freed if xfer is done and urb is no more in progress. In this case, dwc2_complete_non_isoc_xfer_ddma() will read again qtd->n_desc whereas qtd has been freed. This will lead to unpredictable results since qtd->n_desc is no more valid value. To avoid this error, return a result != 0 in dwc2_process_non_isoc_desc(), so that dwc2_complete_non_isoc_xfer_ddma() stops desc processing. This has been seen with Slub debug enabled. Acked-by: John Youn Signed-off-by: Gregory Herrero Signed-off-by: Felipe Balbi --- drivers/usb/dwc2/hcd_ddma.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc2/hcd_ddma.c b/drivers/usb/dwc2/hcd_ddma.c index 5f7265637334..4801e693353a 100644 --- a/drivers/usb/dwc2/hcd_ddma.c +++ b/drivers/usb/dwc2/hcd_ddma.c @@ -1033,7 +1033,10 @@ static int dwc2_process_non_isoc_desc(struct dwc2_hsotg *hsotg, failed = dwc2_update_non_isoc_urb_state_ddma(hsotg, chan, qtd, dma_desc, halt_status, n_bytes, xfer_done); - if (failed || (*xfer_done && urb->status != -EINPROGRESS)) { + if (*xfer_done && urb->status != -EINPROGRESS) + failed = 1; + + if (failed) { dwc2_host_complete(hsotg, qtd, urb->status); dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh); dev_vdbg(hsotg->dev, "failed=%1x xfer_done=%1x status=%08x\n", -- 2.39.2