mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2025-08-10 01:06:59 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

usb: dwc3: gadget: fix crash in dwc3_gadget_giveback()

Browse Source 
If the ep0 stalls or request are dequeued when gagdet is stopped,
the request dma may not be mapped yet and dwc3_flush_cache() may be
called with a NULL pointer.

Check req->request.dma before calling dwc3_flush_cache() and later
the usb_gadget_unmap_request() functions since it means that
usb_gadget_map_request() hasn't been called yet.

Fixes: fd15b58c1a ("dwc3: flush cache only if there is a buffer attached to a request")
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Link: https://lore.kernel.org/r/20240528-topic-sm8x50-dwc3-gadget-crash-fix-v1-1-58434ab4b3d3@linaro.org
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
This commit is contained in:
Neil Armstrong 2024-05-28 10:35:03 +02:00 committed by Mattijs Korpershoek
parent c0ea27bccf
commit 85ced6f474
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/usb/dwc3/gadget.c
View File

@ -249,7 +249,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
list_del(&req->list);
req->trb = NULL;
if (req->request.length)
if (req->request.dma && req->request.length)
dwc3_flush_cache((uintptr_t)req->request.dma, req->request.length);
if (req->request.status == -EINPROGRESS)
@ -257,7 +257,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
if (dwc->ep0_bounced && dep->number == 0)
dwc->ep0_bounced = false;
else
else if (req->request.dma)
usb_gadget_unmap_request(&dwc->gadget, &req->request,
req->direction);