From: Manish Nagar
To: Greg Kroah-Hartman, Thinh Nguyen
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v3] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
Date: Thu, 20 Nov 2025 13:14:35 +0530
Message-Id: <20251120074435.1983091-1-manish.nagar@oss.qualcomm.com>

This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.

Three distinct execution paths interact with `dwc3_remove_requests()`:

Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status

Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.

To fix this, add a check for request completion and skip processing
if already completed, and add the request status for ep0 while queuing.

Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable@vger.kernel.org
Suggested-by: Thinh Nguyen
Acked-by: Thinh Nguyen
Signed-off-by: Manish Nagar
---
Changes in v3:
- Add the fixes tag, cc stable and acked-by tag.

Changes in v2:
- Add a check for request completion, in v1 I am avoiding this by
  waiting for completion for ep0, then processing the other eps.

Link to v2:
Link: https://lore.kernel.org/all/20251119171926.1622603-1-manish.nagar@oss.qualcomm.com/

Link to v1:
Link: https://lore.kernel.org/all/20251028080553.618304-1-manish.nagar@oss.qualcomm.com/

 drivers/usb/dwc3/ep0.c    | 1 +
 drivers/usb/dwc3/gadget.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c index b4229aa13f37..e0bad5708664 100644 --- a/drivers/usb/dwc3/ep0.c +++ b/drivers/usb/dwc3/ep0.c @@ -94,6 +94,7 @@ static int __dwc3_gadget_ep0_queue(struct dwc3_ep *dep, req->request.actual =3D 0; req->request.status =3D -EINPROGRESS; req->epnum =3D dep->number; + req->status =3D DWC3_REQUEST_STATUS_QUEUED; =20 list_add_tail(&req->list, &dep->pending_list); =20 diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 6f18b4840a25..5e4997f974dd 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -228,6 +228,13 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct = dwc3_request *req, { struct dwc3 *dwc =3D dep->dwc; =20 + /* + * The request might have been processed and completed while the + * spinlock was released. Skip processing if already completed. + */ + if (req->status =3D=3D DWC3_REQUEST_STATUS_COMPLETED) + return; + dwc3_gadget_del_and_unmap_request(dep, req, status); req->status =3D DWC3_REQUEST_STATUS_COMPLETED; =20
-- 
2.25.1
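
Review bot: In the ep0.c hunk, the new `req->status = DWC3_REQUEST_STATUS_QUEUED;` in `__dwc3_gadget_ep0_queue()` carries an undocumented dependency on the early return added to `dwc3_gadget_giveback()`. A request that is queued again after an earlier giveback would otherwise still carry `DWC3_REQUEST_STATUS_COMPLETED` and be skipped by that early return without its completion being delivered. Suggest a one-line comment above the assignment stating this, plus a sentence in the commit message, so that a stable backport does not pick up the gadget.c hunk without this one.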
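
Review bot: In the gadget.c hunk, the guard at the top of `dwc3_gadget_giveback()` reads `req->status`, so it only protects against double processing while the memory behind `req` is still valid. The commit message describes Path 3 freeing the 'out' requests, and in that case the check itself would dereference freed memory. Please state in the comment or the commit message what guarantees that `req` is still allocated when this function is reached a second time, and name the place where the spinlock is released, since the comment refers to it but the hunk does not show it.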