From 9d8c6e4254f9c567f768b84dbfaa2efe5932af42 Mon Sep 17 00:00:00 2001 From: William Wu Date: Mon, 25 Apr 2022 10:16:38 +0800 Subject: [PATCH] usb: dwc2: hcd: only allow to write packet into TxFIFO in slave mode The dwc2_queue_transaction() do data transfer for DMA mode if both the params.host_dma and chan->qh are true. In a test-case with an otg cable hot plug stress test in DMA mode, if the chan->qh is NULL, it is possible to do dwc2_hc_write_packet() which should only be called in Slave mode and cause a crash: [ 633.852937] usb 1-1: reset high-speed USB device number 71 using dwc2 [ 633.853115] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000 ... [ 633.974040] Call trace: [ 633.974289] dwc2_hc_write_packet.isra.6+0xfc/0x128 [ 633.974734] dwc2_queue_transaction+0xc4/0x1f0 [ 633.975142] dwc2_hcd_queue_transactions+0x10c/0x4b8 [ 633.975595] dwc2_release_channel+0x12c/0x2a8 [ 633.975992] dwc2_complete_non_periodic_xfer.isra.5+0x2c/0x48 [ 633.976514] dwc2_hc_xfercomp_intr+0x370/0x488 [ 633.976921] dwc2_hc_n_intr+0x2c8/0x840 [ 633.977282] dwc2_handle_hcd_intr+0x424/0x7e0 [ 633.977677] _dwc2_hcd_irq+0x10/0x18 [ 633.978018] usb_hcd_irq+0x2c/0x48 Change-Id: I33f7976710d6cdceb1b4758655dba7890488585d Signed-off-by: William Wu --- drivers/usb/dwc2/hcd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c index e6fadfd689d4..4a40ad45aabf 100644 --- a/drivers/usb/dwc2/hcd.c +++ b/drivers/usb/dwc2/hcd.c @@ -2868,7 +2868,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg, if (!chan->xfer_started) { dwc2_hc_start_transfer(hsotg, chan); retval = 1; - } else { + } else if (!hsotg->params.host_dma) { retval = dwc2_hc_continue_transfer(hsotg, chan); } } else { @@ -2878,7 +2878,7 @@ static int dwc2_queue_transaction(struct dwc2_hsotg *hsotg, if (!chan->xfer_started) { dwc2_hc_start_transfer(hsotg, chan); retval = 1; - } else { + } else if (!hsotg->params.host_dma) { retval = dwc2_hc_continue_transfer(hsotg, chan); } }