Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d32d784e authored by Mayank Rana's avatar Mayank Rana Committed by Hemant Kumar
Browse files

dwc3: gadget: Don't queue USB request if pull up is getting disabled 



There is possible race between pull up disable vs ep_queue() API.
Pull up disable sends END transfer command to per endpoint, and give
back started request and pending request back to function driver.
dwc3_gadget_giveback() API does release spinlock which may allow
ep_queue() or completion handling to queue next request. This results
into TRB pending without invoking end transfer command, whereas request
is being given back to function driver and being freed. Hence on setting
next pull up enable, USB controller accesses previous stale TRB causing
unmapped page fault. Fix this issue by checking pull up disable or not
while handling ep_queue().

Change-Id: I391aed05cbfe183cd3e2fe2f1aa335e4fd9ec37c
Signed-off-by: default avatarMayank Rana <mrana@codeaurora.org>
Signed-off-by: default avatarHemant Kumar <hemantk@codeaurora.org>
parent 8bd2a06b

drivers/usb/dwc3/ep0.c

+1 −1
Original line number Diff line number Diff line
@@ -204,7 +204,7 @@ int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request, 
	u32				reg;



	spin_lock_irqsave(&dwc->lock, flags);

	if (!dep->endpoint.desc) {

	if (!dep->endpoint.desc || !dwc->pullups_connected) {

		dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n",

				dep->name);

		ret = -ESHUTDOWN;

drivers/usb/dwc3/gadget.c

+2 −3
Original line number Diff line number Diff line
@@ -1426,7 +1426,7 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req) 
{

	struct dwc3		*dwc = dep->dwc;



	if (!dep->endpoint.desc) {

	if (!dep->endpoint.desc || !dwc->pullups_connected) {

		dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n",

				dep->name);

		return -ESHUTDOWN;
@@ -2068,6 +2068,7 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) 
		dwc->pullups_connected = true;

	} else {

		dwc3_gadget_disable_irq(dwc);

		dwc->pullups_connected = false;

		__dwc3_gadget_ep_disable(dwc->eps[0]);

		__dwc3_gadget_ep_disable(dwc->eps[1]);
@@ -2083,8 +2084,6 @@ static int dwc3_gadget_run_stop(struct dwc3 *dwc, int is_on, int suspend) 


		if (dwc->has_hibernation && !suspend)

			reg &= ~DWC3_DCTL_KEEP_CONNECT;



		dwc->pullups_connected = false;

	}



	dwc3_writel(dwc->regs, DWC3_DCTL, reg);