From d7da214bbbc2b3baa7bb4b18aa0337ace27b2b68 Mon Sep 17 00:00:00 2001
From: Devin Kim <dojip.kim@lge.com>
Date: Mon, 10 Mar 2014 23:40:58 -0700
Subject: [PATCH] usb: dwc3: gadget: Protect against ep disabling during
 completion

In dwc3_cleanup_done_reqs(), a potential race condition
could arise when dwc3_gadget_giveback() temporarily
releases the main spinlock.  If during this window the
very endpoint being handled becomes disabled, it would
lead to a NULL pointer dereference in the code that
follows.  Guard against this by making sure the endpoint
is still enabled after returning from the giveback call.

cherry-picked from:
https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/drivers/usb/dwc3/gadget.c?h=msm-3.10&id=b7ed96c4fc37351d77af87c792cd5d11ceb1e6e4

Change-Id: Idb7651c57db3273623cf664153e7cbaf0bf9dd9d
CRs-fixed: 628972
Bug: 18541764
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Devin Kim <dojip.kim@lge.com>
---
 drivers/usb/dwc3/gadget.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index a3f6e58faf22..751013f63aeb 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1600,6 +1600,13 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
 		 */
 		req->request.actual += req->request.length - count;
 		dwc3_gadget_giveback(dep, req, status);
+
+		/* EP possibly disabled during giveback? */
+		if (!(dep->flags & DWC3_EP_ENABLED)) {
+			dev_dbg(dwc->dev, "%s disabled while handling ep event\n",
+					dep->name);
+			return 0;
+		}
 		if (s_pkt)
 			break;
 		if ((event->status & DEPEVT_STATUS_LST) &&
-- 
GitLab