From: Manish Nagar
To: Greg Kroah-Hartman, Thinh Nguyen
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
Date: Wed, 19 Nov 2025 22:49:26 +0530
Message-Id: <20251119171926.1622603-1-manish.nagar@oss.qualcomm.com>
X-Mailer: git-send-email 2.25.1

Addresses a race condition caused by unsynchronized execution of multiple
call paths invoking `dwc3_remove_requests()`, leading to premature freeing
of USB requests and subsequent crashes.

Three distinct execution paths interact with `dwc3_remove_requests()`:

Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 3: Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status

Path 3 operates asynchronously and lacks synchronization with Paths 1
and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests, accessing
freed memory leads to a crash due to use-after-free conditions.

Add a check for request completion for eps, skip processing giveback for
eps if already completed, and add the request status for ep0 while
queueing via `__dwc3_gadget_ep0_queue`.

Suggested-by: Thinh Nguyen
Signed-off-by: Manish Nagar
Acked-by: Thinh Nguyen
---
v2:
- Add a check for request completion; in v1 I avoided this by waiting for
  completion for ep0 and then processing the other eps.

 drivers/usb/dwc3/ep0.c    | 1 +
 drivers/usb/dwc3/gadget.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index b4229aa13f37..e0bad5708664 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -94,6 +94,7 @@ static int __dwc3_gadget_ep0_queue(struct dwc3_ep *dep, req->request.actual =3D 0; req->request.status =3D -EINPROGRESS; req->epnum =3D dep->number; + req->status =3D DWC3_REQUEST_STATUS_QUEUED; =20 list_add_tail(&req->list, &dep->pending_list); =20 diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 6f18b4840a25..5e4997f974dd 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -228,6 +228,13 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct = dwc3_request *req, { struct dwc3 *dwc =3D dep->dwc; =20 + /* + * The request might have been processed and completed while the + * spinlock was released. Skip processing if already completed. + */ + if (req->status =3D=3D DWC3_REQUEST_STATUS_COMPLETED) + return; + dwc3_gadget_del_and_unmap_request(dep, req, status); req->status =3D DWC3_REQUEST_STATUS_COMPLETED; =20 --=20 2.25.1
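Review bot: the new `req->status = DWC3_REQUEST_STATUS_QUEUED;` line in __dwc3_gadget_ep0_queue() (first hunk, ep0.c) carries no comment, and the reason for it lives only in the commit message: the gadget.c hunk makes dwc3_gadget_giveback() return early when req->status is DWC3_REQUEST_STATUS_COMPLETED, and this function already resets request.actual and request.status for reuse, so a re-queued ep0 request that is not reset here would still read COMPLETED from its previous giveback and be dropped silently on the next one. Suggest a one-line comment above the assignment saying that giveback now keys on req->status, and a check that no other ep0 path adds a request to dep->pending_list without passing through here.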
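Review bot: the early return at the top of dwc3_gadget_giveback() (second hunk, gadget.c) discards the `status` argument of the second caller, so whichever path completes a request first fixes the status the gadget driver sees (an -ESHUTDOWN completion from the ep-disable path is not overridden by the reset path's status, and vice versa); that looks intended, but the comment should say it. More importantly, the comment says the request "might have been processed and completed while the spinlock was released", yet the check only helps while the request is still allocated: if the other path has already freed it, which is what the commit message says Path 3 does for 'out' requests, then `if (req->status == DWC3_REQUEST_STATUS_COMPLETED)` is itself a read of freed memory. Either state the lifetime assumption in the comment (the request stays allocated until every path that can still call giveback on it has returned) or explain in the commit message why the free cannot happen first. A trace point or dev_dbg() on the skipped path would also help confirm in the field that this race is the one being hit.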