usb: dwc3: Fix out of bound memory access for event buffer
The commit 323f5aa0f325 ("usb: dwc3: gadget: Clear
pending events when stopping controller") added a
race of writing to the GEVNTCOUNT between the run_stop
and the dwc3_check_event_buf. This causes the
GEVNTCOUNT to be decremented below zero by the controller
and is resulting in a huge values(0xFFFC) which is much
larger than the event buffer size(0x1000).
When this happens the next dwc3_interrupt will be accessing
the next page after the event buffer resulting in a
memory abort.
Fix this by discarding any interrupts that are fired
after the run_stop bit is cleared.
The earlier commit still leaves a window of an event being
generated by the controller between clearing the pending
events and clearing the run_stop bit preventing the controller
from being halted. Fix this by clearing the pending events
after the run_stop bit is cleared.
Change-Id: Ic5244485dc1af728848f40c45f920a6a6f880ac2
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
1 file changed