usb: dwc2: hcd: only allow to write packet into TxFIFO in slave mode

The dwc2_queue_transaction() do data transfer for DMA
mode if both the params.host_dma and chan->qh are true.
In a test-case with an otg cable hot plug stress test
in DMA mode, if the chan->qh is NULL, it is possible to
do dwc2_hc_write_packet() which should only be called
in Slave mode and cause a crash:

[  633.852937] usb 1-1: reset high-speed USB device number 71 using dwc2
[  633.853115] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000
...
[  633.974040] Call trace:
[  633.974289]  dwc2_hc_write_packet.isra.6+0xfc/0x128
[  633.974734]  dwc2_queue_transaction+0xc4/0x1f0
[  633.975142]  dwc2_hcd_queue_transactions+0x10c/0x4b8
[  633.975595]  dwc2_release_channel+0x12c/0x2a8
[  633.975992]  dwc2_complete_non_periodic_xfer.isra.5+0x2c/0x48
[  633.976514]  dwc2_hc_xfercomp_intr+0x370/0x488
[  633.976921]  dwc2_hc_n_intr+0x2c8/0x840
[  633.977282]  dwc2_handle_hcd_intr+0x424/0x7e0
[  633.977677]  _dwc2_hcd_irq+0x10/0x18
[  633.978018]  usb_hcd_irq+0x2c/0x48

Change-Id: I33f7976710d6cdceb1b4758655dba7890488585d
Signed-off-by: William Wu <william.wu@rock-chips.com>

drivers/usb/dwc2/hcd.c

@@ -2868,7 +2868,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg,
 			if (!chan->xfer_started) {
 				dwc2_hc_start_transfer(hsotg, chan);
 				retval = 1;
-			} else {
+			} else if (!hsotg->params.host_dma) {
 				retval = dwc2_hc_continue_transfer(hsotg, chan);
 			}
 		} else {
@@ -2878,7 +2878,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg,
 		if (!chan->xfer_started) {
 			dwc2_hc_start_transfer(hsotg, chan);
 			retval = 1;
-		} else {
+		} else if (!hsotg->params.host_dma) {
 			retval = dwc2_hc_continue_transfer(hsotg, chan);
 		}
 	}