1 From b7944a79716c115d881898e6a95705b262e7c1c9 Mon Sep 17 00:00:00 2001
2 From: Jonathan Bell <jonathan@raspberrypi.org>
3 Date: Tue, 7 Jan 2020 10:08:19 +0000
4 Subject: [PATCH] dwc_otg: constrain endpoint max packet and transfer
7 The hcd would unconditionally set the transfer length to the endpoint
8 packet size for non-isoc IN transfers. If the remaining buffer length
9 was less than the length of returned data, random memory would get
10 scribbled over, with bad effects if it crossed a page boundary.
12 Force a babble error if this happens by limiting the max transfer size
13 to the available buffer space. DMA will stop writing to memory on a
16 The hardware expects xfersize to be an integer multiple of maxpacket
17 size, so override hcchar.b.mps as well.
19 Signed-off-by: Jonathan Bell <jonathan@raspberrypi.org>
21 drivers/usb/host/dwc_otg/dwc_otg_hcd.c | 4 ++--
22 1 file changed, 2 insertions(+), 2 deletions(-)
24 --- a/drivers/usb/host/dwc_otg/dwc_otg_hcd.c
25 +++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd.c
26 @@ -1813,7 +1813,7 @@ int fiq_fsm_queue_split_transaction(dwc_
29 st->hcchar_copy.d32 = 0;
30 - st->hcchar_copy.b.mps = hc->max_packet;
31 + st->hcchar_copy.b.mps = min_t(uint32_t, hc->xfer_len, hc->max_packet);
32 st->hcchar_copy.b.epdir = hc->ep_is_in;
33 st->hcchar_copy.b.devaddr = hc->dev_addr;
34 st->hcchar_copy.b.epnum = hc->ep_num;
35 @@ -1858,7 +1858,7 @@ int fiq_fsm_queue_split_transaction(dwc_
36 st->hctsiz_copy.b.pid = hc->data_pid_start;
38 if (hc->ep_is_in || (hc->xfer_len > hc->max_packet)) {
39 - hc->xfer_len = hc->max_packet;
40 + hc->xfer_len = min_t(uint32_t, hc->xfer_len, hc->max_packet);
41 } else if (!hc->ep_is_in && (hc->xfer_len > 188)) {