[PATCH 5.12 103/296] usb: dwc3: gadget: Properly track pending and queued SG

From: Greg Kroah-Hartman
Date: Mon May 31 2021 - 12:23:24 EST


From: Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx>

commit 25dda9fc56bd90d45f9a4516bcfa5211e61b4290 upstream.

The driver incorrectly uses req->num_pending_sgs to track both the
number of pending and queued SG entries. It only prepares the next
request if the previous one is done, and it doesn't update num_pending_sgs
until there is a TRB completion interrupt. This may starve the controller
of more TRBs until num_pending_sgs is decremented.

Fix this by decrementing the num_pending_sgs after they are queued and
properly track both num_mapped_sgs and num_queued_sgs.

Fixes: c96e6725db9d ("usb: dwc3: gadget: Correct the logic for queuing sgs")
Cc: <stable@xxxxxxxxxxxxxxx>
Reported-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Tested-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Acked-by: Felipe Balbi <balbi@xxxxxxxxxx>
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@xxxxxxxxxxxx>
Link: https://lore.kernel.org/r/ba24591dbcaad8f244a3e88bd449bb7205a5aec3.1620874069.git.Thinh.Nguyen@xxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/dwc3/gadget.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1236,6 +1236,7 @@ static int dwc3_prepare_trbs_sg(struct d
req->start_sg = sg_next(s);

req->num_queued_sgs++;
+ req->num_pending_sgs--;

/*
* The number of pending SG entries may not correspond to the
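Review bot: The added `req->num_pending_sgs--;` is an unguarded decrement, and whatever bounds the surrounding loop is not visible here, since dwc3_prepare_trbs_sg starts before and ends after this hunk. If the field is unsigned, as the `unsigned int pending = req->num_pending_sgs;` line removed later in this patch suggests, one iteration entered with the counter already at 0 would wrap it; that could happen on re-entry after the `length == 0` branch in the next hunk sets it to 0. dwc3_gadget_ep_request_completed() would then never see 0, and the request would stay on the endpoint indefinitely. Consider making the invariant explicit with `if (!WARN_ON_ONCE(!req->num_pending_sgs)) req->num_pending_sgs--;`, or add a comment naming the caller-side check that guarantees a non-zero count on entry.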
@@ -1243,7 +1244,7 @@ static int dwc3_prepare_trbs_sg(struct d
* don't include unused SG entries.
*/
if (length == 0) {
- req->num_pending_sgs -= req->request.num_mapped_sgs - req->num_queued_sgs;
+ req->num_pending_sgs = 0;
break;
}

@@ -2839,15 +2840,15 @@ static int dwc3_gadget_ep_reclaim_trb_sg
struct dwc3_trb *trb = &dep->trb_pool[dep->trb_dequeue];
struct scatterlist *sg = req->sg;
struct scatterlist *s;
- unsigned int pending = req->num_pending_sgs;
+ unsigned int num_queued = req->num_queued_sgs;
unsigned int i;
int ret = 0;

- for_each_sg(sg, s, pending, i) {
+ for_each_sg(sg, s, num_queued, i) {
trb = &dep->trb_pool[dep->trb_dequeue];

req->sg = sg_next(s);
- req->num_pending_sgs--;
+ req->num_queued_sgs--;

ret = dwc3_gadget_ep_reclaim_completed_trb(dep, req,
trb, event, status, true);
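Review bot: Decrementing `req->num_queued_sgs` in this loop changes what the field means: dwc3_prepare_trbs_sg increments it as entries are queued (alongside advancing `req->start_sg`), so after this change it counts entries in flight rather than entries queued so far. Any code outside these hunks that still treats num_queued_sgs as a position in the SG list, for instance to work out how many entries or bytes remain when preparation resumes, would compute too large a remainder after a partial reclaim and could walk past the mapped entries; no such user is visible here, so this needs checking. Where a position is needed, derive it from `req->request.num_mapped_sgs - req->num_pending_sgs`, and document the field as `/* SG entries queued to TRBs and not yet reclaimed */`. dwc3_gadget_ep_reclaim_trb_sg starts before and ends after this hunk.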
@@ -2870,7 +2871,7 @@ static int dwc3_gadget_ep_reclaim_trb_li

static bool dwc3_gadget_ep_request_completed(struct dwc3_request *req)
{
- return req->num_pending_sgs == 0;
+ return req->num_pending_sgs == 0 && req->num_queued_sgs == 0;
}

static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep,
@@ -2879,7 +2880,7 @@ static int dwc3_gadget_ep_cleanup_comple
{
int ret;

- if (req->num_pending_sgs)
+ if (req->request.num_mapped_sgs)
ret = dwc3_gadget_ep_reclaim_trb_sg(dep, req, event,
status);
else