BACKPORT: UPSTREAM: usb: dwc3: EP clear halt leading to clearing of delayed_status

The usb_ep_clear_halt() API can be called from the function driver, and translates to dwc3_gadget_ep_set_halt(). This routine is shared with when the host issues a clear feature ENDPOINT_HALT, and is differentiated by the protocol argument. If the following sequence occurs, there can be a situation where the delayed_status flag is improperly cleared for the wrong SETUP transaction: 1. Vendor specific control transfer returns USB_GADGET_DELAYED_STATUS. 2. DWC3 gadget sets dwc->delayed_status to '1'. 3. Another function driver issues a usb_ep_clear_halt() call. 4. DWC3 gadget issues dwc3_stop_active_transfer() and sets DWC3_EP_PENDING_CLEAR_STALL. 5. EP command complete interrupt triggers for the end transfer, and dwc3_ep0_send_delayed_status() is allowed to run, as delayed_status is '1' due to step#1. 6. STATUS phase is sent, and delayed_status is cleared. 7. Vendor specific control transfer is finished being handled, and issues usb_composite_setup_continue(). This results in queuing of a data phase. Cache the protocol flag so that DWC3 gadget is aware of when the clear halt is due to a SETUP request from the host versus when it is sourced from a function driver. This allows for the EP command complete interrupt to know if it needs to issue a delayed status phase. type 'struct dwc3' changed member 'union { struct { u8 clear_stall_protocol; u8 padding1; u8 padding2; u8 padding3; u8 padding4; u8 padding5; u8 padding6; u8 padding7; }; struct { u64 android_kabi_reserved1; }; union { }; }' was added. member 'u64 android_kabi_reserved1' was removed. Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com> Link: https://lore.kernel.org/r/20220414073902.21960-1-quic_wcheng@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2840d6dfcf4306878f7d17ac16d4a0a6422728cc) BUG: 263499807 [eserrao: Fixed KMI breakage by moving clear_stall_protocol to a new parent structure] Change-Id: I46bc6b0246218c60e36f2b6ce45dc9c156cee4f0 Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com>
2022-04-14 00:39:02 -07:00
parent 016d61094b
commit 82beac34d8
4 changed files with 825 additions and 776 deletions
--- a/android/abi_gki_aarch64.xml
+++ b/android/abi_gki_aarch64.xml
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -1103,6 +1103,7 @@ struct dwc3_scratchpad_array {
 *		     address.
 * @num_ep_resized: carries the current number endpoints which have had its tx
 *		    fifo resized.
+ * @clear_stall_protocol: endpoint number that requires a delayed status phase.
 */
 struct dwc3 {
 	struct work_struct	drd_work;
@@ -1314,7 +1315,9 @@ struct dwc3 {
 	int			last_fifo_depth;
 	int			num_ep_resized;

-	ANDROID_KABI_RESERVE(1);
+	ANDROID_KABI_USE(1, struct{ u8 clear_stall_protocol; u8 padding1;
+				u8 padding2; u8 padding3; u8 padding4; u8 padding5;
+				u8 padding6; u8 padding7; });
 	ANDROID_KABI_RESERVE(2);
 	ANDROID_KABI_RESERVE(3);
 	ANDROID_KABI_RESERVE(4);
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -1085,6 +1085,7 @@ void dwc3_ep0_send_delayed_status(struct dwc3 *dwc)
 	unsigned int direction = !dwc->ep0_expect_in;

 	dwc->delayed_status = false;
+	dwc->clear_stall_protocol = 0;

 	if (dwc->ep0state != EP0_STATUS_PHASE)
 		return;
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2155,6 +2155,9 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
 		if (dep->flags & DWC3_EP_END_TRANSFER_PENDING ||
 		    (dep->flags & DWC3_EP_DELAY_STOP)) {
 			dep->flags |= DWC3_EP_PENDING_CLEAR_STALL;
+			if (protocol)
+				dwc->clear_stall_protocol = dep->number;
+
 			return 0;
 		}

@@ -3529,7 +3532,7 @@ static void dwc3_gadget_endpoint_command_complete(struct dwc3_ep *dep,
 		}

 		dep->flags &= ~(DWC3_EP_STALL | DWC3_EP_WEDGE);
-		if (dwc->delayed_status)
+		if (dwc->clear_stall_protocol == dep->number)
 			dwc3_ep0_send_delayed_status(dwc);
 	}