From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wesley Cheng
Subject: [PATCH 5.10 122/157] usb: dwc3: gadget: Prevent EP queuing while stopping transfers
Date: Mon, 22 Mar 2021 13:27:59 +0100
Message-Id: <20210322121937.632529901@linuxfoundation.org>
In-Reply-To: <20210322121933.746237845@linuxfoundation.org>

From: Wesley Cheng

commit f09ddcfcb8c569675066337adac2ac205113471f upstream.

In the situations where the DWC3 gadget stops active transfers, once
calling the dwc3_gadget_giveback(), there is a chance where a function
driver can queue a new USB request in between the time where the dwc3
lock has been released and re-acquired. This occurs after we've already
issued an ENDXFER command. When the stop active transfers continues
to remove USB requests from all dep lists, the newly added request will
also be removed, while controller still has an active TRB for it.
This can lead to the controller accessing an unmapped memory address.

Fix this by ensuring parameters to prevent EP queuing are set before
calling the stop active transfers API.

Fixes: ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller")
Signed-off-by: Wesley Cheng
Link: https://lore.kernel.org/r/1615507142-23097-1-git-send-email-wcheng@codeaurora.org
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/dwc3/gadget.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c 
@@ -783,8 +783,6 @@ static int __dwc3_gadget_ep_disable(stru trace_dwc3_gadget_ep_disable(dep); - dwc3_remove_requests(dwc, dep); - /* make sure HW endpoint isn't stalled */ if (dep->flags & DWC3_EP_STALL) __dwc3_gadget_ep_set_halt(dep, 0, false); @@ -803,6 +801,8 @@ static int __dwc3_gadget_ep_disable(stru dep->endpoint.desc = NULL; } + dwc3_remove_requests(dwc, dep); + return 0; } @@ -1617,7 +1617,7 @@ static int __dwc3_gadget_ep_queue(struct { struct dwc3 *dwc = dep->dwc; - if (!dep->endpoint.desc || !dwc->pullups_connected) { + if (!dep->endpoint.desc || !dwc->pullups_connected || !dwc->connected) { dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n", dep->name); return -ESHUTDOWN; @@ -2150,6 +2150,7 @@ static int dwc3_gadget_pullup(struct usb if (!is_on) { u32 count; + dwc->connected = false; /* * In the Synopsis DesignWare Cores USB3 Databook Rev. 3.30a * Section 4.1.8 Table 4-7, it states that for a device-initiated @@ -2174,7 +2175,6 @@ static int dwc3_gadget_pullup(struct usb dwc->ev_buf->lpos = (dwc->ev_buf->lpos + count) % dwc->ev_buf->length; } - dwc->connected = false; } else { __dwc3_gadget_start(dwc); } @@ -3267,8 +3267,6 @@ static void dwc3_gadget_reset_interrupt( { u32 reg; - dwc->connected = true; - /* * WORKAROUND: DWC3 revisions <1.88a have an issue which * would cause a missing Disconnect Event if there's a @@ -3308,6 +3306,7 @@ static void dwc3_gadget_reset_interrupt( * transfers." */ dwc3_stop_active_transfers(dwc); + dwc->connected = true; reg = dwc3_readl(dwc->regs, DWC3_DCTL); reg &= ~DWC3_DCTL_TSTCTRL_MASK;
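Review bot: In the second __dwc3_gadget_ep_disable hunk (@@ -803,6 +801,8), the relocated dwc3_remove_requests(dwc, dep) relies on dep->endpoint.desc already being NULL so that __dwc3_gadget_ep_queue returns -ESHUTDOWN for anything queued during giveback, but the context shows that assignment inside a block that closes just above the call. Any endpoint that skips that block still reaches dwc3_remove_requests with a valid desc, and nothing documents the ordering. Please add a comment above the call stating the requirement and confirm how the skipped case is covered.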
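Review bot: In the __dwc3_gadget_ep_queue hunk (@@ -1617,7), the condition now covers three different states, yet the dev_err text still reads "can't queue to disabled endpoint". With !dwc->connected added, this path is taken while the flag is cleared in dwc3_gadget_pullup or not yet set in dwc3_gadget_reset_interrupt, where the endpoint itself is not disabled. Consider a message that names the failing condition, and whether dev_err is the right level for a rejection that this patch makes an expected outcome.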
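Review bot: In the first dwc3_gadget_pullup hunk (@@ -2150,6), dwc->connected = false now sits directly on top of the Databook comment block, which describes a different step, so its position looks incidental. Separate it with a blank line and add a short comment that the flag has to be cleared before the active transfers are stopped, so that __dwc3_gadget_ep_queue rejects new requests in that window.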
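Review bot: In the dwc3_gadget_reset_interrupt hunks (@@ -3267,8 and @@ -3308,6), moving dwc->connected = true below dwc3_stop_active_transfers(dwc) blocks queuing only if the flag was already false on entry. Nothing in these hunks clears it, so on a reset that arrives while connected is still true the new !dwc->connected test in __dwc3_gadget_ep_queue does not reject requests during the stop. Either clear the flag before the call or state in the commit message where it is guaranteed to be false at this point.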