Commit 25612f23 authored by Stefan Brüns's avatar Stefan Brüns Committed by Marek Vasut
Browse files

usb: dwc2: Do not mix data toggle for IN and OUT endpoints, check bounds

USB protocol allows for 16 IN and 16 OUT endpoints (USB 2.0 Spec, Endpoint Field). A function may have an EP 1 for both IN and OUT,
so these two should be kept separate. As EPs are either BULK or INTERRUPT
(or ISO), it is fine to have one array per direction for all transfer
types (also see e236519b


USB device address is 7 bits, so a bus may have more than 16 devices.
Check the device number, as the DWC2 driver only supports BULK/ISO for
the first 16 devices.
Signed-off-by: default avatarStefan Brüns <>
parent d2ff51b3
......@@ -34,7 +34,8 @@ struct dwc2_priv {
uint8_t *aligned_buffer;
uint8_t *status_buffer;
int bulk_data_toggle[MAX_DEVICE][MAX_ENDPOINT];
u8 in_data_toggle[MAX_DEVICE][MAX_ENDPOINT];
u8 out_data_toggle[MAX_DEVICE][MAX_ENDPOINT];
struct dwc2_core_regs *regs;
int root_hub_devnum;
......@@ -739,7 +740,7 @@ static int dwc_otg_submit_rh_msg(struct dwc2_priv *priv, struct usb_device *dev,
return stat;
int wait_for_chhltd(struct dwc2_hc_regs *hc_regs, uint32_t *sub, int *toggle)
int wait_for_chhltd(struct dwc2_hc_regs *hc_regs, uint32_t *sub, u8 *toggle)
int ret;
uint32_t hcint, hctsiz;
......@@ -775,7 +776,7 @@ static int dwc2_eptype[] = {
static int transfer_chunk(struct dwc2_hc_regs *hc_regs, void *aligned_buffer,
int *pid, int in, void *buffer, int num_packets,
u8 *pid, int in, void *buffer, int num_packets,
int xfer_len, int *actual_len, int odd_frame)
int ret = 0;
......@@ -829,7 +830,7 @@ static int transfer_chunk(struct dwc2_hc_regs *hc_regs, void *aligned_buffer,
int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev,
unsigned long pipe, int *pid, int in, void *buffer, int len)
unsigned long pipe, u8 *pid, int in, void *buffer, int len)
struct dwc2_core_regs *regs = priv->regs;
struct dwc2_hc_regs *hc_regs = &regs->hc_regs[DWC2_HC_CHANNEL];
......@@ -960,14 +961,19 @@ int _submit_bulk_msg(struct dwc2_priv *priv, struct usb_device *dev,
int devnum = usb_pipedevice(pipe);
int ep = usb_pipeendpoint(pipe);
u8* pid;
if (devnum == priv->root_hub_devnum) {
if ((devnum >= MAX_DEVICE) || (devnum == priv->root_hub_devnum)) {
dev->status = 0;
return -EINVAL;
return chunk_msg(priv, dev, pipe, &priv->bulk_data_toggle[devnum][ep],
usb_pipein(pipe), buffer, len);
if (usb_pipein(pipe))
pid = &priv->in_data_toggle[devnum][ep];
pid = &priv->out_data_toggle[devnum][ep];
return chunk_msg(priv, dev, pipe, pid, usb_pipein(pipe), buffer, len);
static int _submit_control_msg(struct dwc2_priv *priv, struct usb_device *dev,
......@@ -975,7 +981,8 @@ static int _submit_control_msg(struct dwc2_priv *priv, struct usb_device *dev,
struct devrequest *setup)
int devnum = usb_pipedevice(pipe);
int pid, ret, act_len;
int ret, act_len;
u8 pid;
/* For CONTROL endpoint pid should start with DATA1 */
int status_direction;
......@@ -1075,8 +1082,10 @@ static int dwc2_init_common(struct dwc2_priv *priv)
for (i = 0; i < MAX_DEVICE; i++) {
for (j = 0; j < MAX_ENDPOINT; j++)
priv->bulk_data_toggle[i][j] = DWC2_HC_PID_DATA0;
for (j = 0; j < MAX_ENDPOINT; j++) {
priv->in_data_toggle[i][j] = DWC2_HC_PID_DATA0;
priv->out_data_toggle[i][j] = DWC2_HC_PID_DATA0;
return 0;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment