diff options
| author | Gregory Herrero <[email protected]> | 2015-09-22 15:16:53 +0200 |
|---|---|---|
| committer | Felipe Balbi <[email protected]> | 2015-10-01 12:40:18 -0500 |
| commit | 2e84da6e340a652e942c3513703020976b28190b (patch) | |
| tree | ce9eed27d1d501e5e40abab15c63039f72dfa4fd /include/linux/timerqueue.h | |
| parent | dd81dd7c8178c430040dc98c8144d4998ba2f7fb (diff) | |
usb: dwc2: host: kill remaining urbs using -ECONNRESET status
On a disconnect, dwc2 will kill all remaining urbs from qh list.
urbs are given back to hcd with -ETIMEDOUT status.
Some usb device driver, like mass storage, will unlink all urbs
using usb_hcd_unlink_urb when receiving a negative status different
from -ECONNRESET.
The following flow will then happen:
dwc2_hcd_disconnect()
-> dwc2_kill_all_urbs() try to kill first pending urb.
-> dwc2_host_complete(-ETIMEDOUT)
-> usb_hcd_giveback_urb(-ETIMEDOUT)
-> sg_complete()
-> usb_unlink_urb()
-> usb_put_dev(urb->dev)
-> dwc2_kill_all_urbs() try to kill next pending urb.
-> dwc2_host_complete(-ETIMEDOUT)
-> usb_hcd_giveback_urb(-ETIMEDOUT)
-> NULL pointer dereferencing because urb->dev has been freed for all
urbs of this device.
The root cause of this NULL pointer is to call call usb_unlink_urb()
while we are killing all urbs. To avoid this return urb with
-ECONNRESET status
This issue usually happens while removing mass storage device during
transfer.
Signed-off-by: Gregory Herrero <[email protected]>
Signed-off-by: Mian Yousaf Kaukab <[email protected]>
Tested-by: Robert Baldyga <[email protected]>
Tested-by: Dinh Nguyen <[email protected]>
Tested-by: John Youn <[email protected]>
Acked-by: John Youn <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions