Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: cdns3: remove fetched trb from cache before dequeuing

After doorbell, DMA fetches the TRB. If, during dequeuing a request,
the driver changes a NORMAL TRB to a LINK TRB but doesn't delete it from
the controller cache, then the controller will handle the cached TRB and
a packet can be lost.

The example scenario for this issue looks like:
1. queue request - set doorbell
2. dequeue request
3. send OUT data packet from host
4. Device will accept this packet which is unexpected
5. queue new request - set doorbell
6. Device lost the expected packet.

By setting DFLUSH, the controller clears the DRDY bit and stops the DMA transfer.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
cc: <stable@vger.kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20221115100039.441295-1-pawell@cadence.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Pawel Laszczak and committed by Greg Kroah-Hartman
1301c7b9 b1f02c6a

+12
+12
drivers/usb/cdns3/cdns3-gadget.c
··· 2614 2614 u8 req_on_hw_ring = 0; 2615 2615 unsigned long flags; 2616 2616 int ret = 0; 2617 + int val; 2617 2618 2618 2619 if (!ep || !request || !ep->desc) 2619 2620 return -EINVAL; ··· 2650 2649 2651 2650 /* Update ring only if removed request is on pending_req_list list */ 2652 2651 if (req_on_hw_ring && link_trb) { 2652 + /* Stop DMA */ 2653 + writel(EP_CMD_DFLUSH, &priv_dev->regs->ep_cmd); 2654 + 2655 + /* wait for DFLUSH cleared */ 2656 + readl_poll_timeout_atomic(&priv_dev->regs->ep_cmd, val, 2657 + !(val & EP_CMD_DFLUSH), 1, 1000); 2658 + 2653 2659 link_trb->buffer = cpu_to_le32(TRB_BUFFER(priv_ep->trb_pool_dma + 2654 2660 ((priv_req->end_trb + 1) * TRB_SIZE))); 2655 2661 link_trb->control = cpu_to_le32((le32_to_cpu(link_trb->control) & TRB_CYCLE) | ··· 2667 2659 } 2668 2660 2669 2661 cdns3_gadget_giveback(priv_ep, priv_req, -ECONNRESET); 2662 + 2663 + req = cdns3_next_request(&priv_ep->pending_req_list); 2664 + if (req) 2665 + cdns3_rearm_transfer(priv_ep, 1); 2670 2666 2671 2667 not_found: 2672 2668 spin_unlock_irqrestore(&priv_dev->lock, flags);
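
Review bot: the result of readl_poll_timeout_atomic() in the "Stop DMA" hunk is discarded, so if EP_CMD_DFLUSH is still set when the 1000 us timeout expires, the code goes straight on to rewrite link_trb->buffer and link_trb->control as though DMA had stopped. Check the return value and at least log the timeout, so a controller that fails to flush shows up in the log instead of silently falling back to the lost-packet case the commit message describes. The spin_unlock_irqrestore() at not_found also shows this busy-wait runs with priv_dev->lock held and interrupts off, which is worth a line in the comment next to the timeout value.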
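
Review bot: the cdns3_rearm_transfer(priv_ep, 1) call added after cdns3_gadget_giveback() in the last hunk has no comment, and the commit message, which only covers the DFLUSH step, does not explain it. As shown it follows the closing brace of the ring-update block, so it appears to run for every dequeue that reaches giveback with another request pending, not only when DFLUSH was issued. Add a short comment saying why the next request in pending_req_list has to be re-armed here and what the literal 1 selects, or move the call under the same req_on_hw_ring && link_trb condition if it is only needed after a flush.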