Hi,
Manu Gautam <mgau...@codeaurora.org> writes:
> If a function driver tries to re-submit an already queued request,
> it can results in corruption of pending/started request lists.
> Catch such conditions and fail the request submission to DCD.
>
> Signed-off-by: Manu Gautam <mgau...@codeaurora.org>
> ---
> drivers/usb/dwc3/gadget.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
> index 679c12e14522..51716c6b286a 100644
> --- a/drivers/usb/dwc3/gadget.c
> +++ b/drivers/usb/dwc3/gadget.c
> @@ -1290,6 +1290,12 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep,
> struct dwc3_request *req)
> &req->request, req->dep->name))
> return -EINVAL;
>
> + if (req->request.status == -EINPROGRESS) {this test is really not enough. What if gadget driver set status to EINPROGRESS before submission? A better check would involve making sure req isn't part of dep->pending_list or dep->started_list or dep->cancelled_list. It's clear that this won't work very well as the amount of requests grow. Anyway, which gadget driver did this? Why is it only affecting dwc3? -- balbi
signature.asc
Description: PGP signature
