[PATCH v3] usb: dwc3: gadget: Prevent EP resource conflicts during StartTransfer

[Selvarasu Ganesan]

The below “No resource for ep” warning appears when a StartTransfer
command is issued for bulk or interrupt endpoints in
`dwc3_gadget_ep_enable` while a previous StartTransfer on the same
endpoint is still in progress. The gadget functions drivers can invoke
`usb_ep_enable` (which triggers a new StartTransfer command) before the
earlier transfer has completed. Because the previous StartTransfer is
still active, `dwc3_gadget_ep_disable` can skip the required
`EndTransfer` due to `DWC3_EP_DELAY_STOP`, leading to the endpoint
resources are busy for previous StartTransfer and warning ("No resource
for ep") from dwc3 driver.

Additionally, a race condition exists between dwc3_gadget_ep_disable()
and dwc3_gadget_ep_queue() when manipulating dep->flags. When
dwc3_gadget_ep_disable() calls dwc3_gadget_giveback(), the dwc->lock is
temporarily released. If dwc3_gadget_ep_queue() runs in that window, it
may set the DWC3_EP_TRANSFER_STARTED flag as part of
dwc3_send_gadget_ep_cmd(). When ep_disable resumes, it unconditionally
clears all flags except those explicitly masked, potentially clearing
DWC3_EP_TRANSFER_STARTED even though a new transfer has started. This
leads to "No resource for ep" warnings on subsequent StartTransfer
attempts.

The underlying framework issue is that usb_ep_disable() is expected to
complete pending requests before returning, but is allowed to be called
from interrupt context where sleeping to wait for completion is not
possible.

As temporary workarounds for this framework limitation:

1. In __dwc3_gadget_ep_enable(), add a check for the
   DWC3_EP_TRANSFER_STARTED flag before issuing a new StartTransfer.
   This prevents a second StartTransfer on an already busy endpoint,
   eliminating the resource conflict.

2. In __dwc3_gadget_ep_disable(), preserve the DWC3_EP_TRANSFER_STARTED
   flag when masking dep->flags if it is actually set, preventing the
   race with dwc3_gadget_ep_queue() from corrupting the flag state.

These changes eliminate the "No resource for ep" warnings and potential
kernel panics caused by panic_on_warn.

dwc3 13200000.dwc3: No resource for ep1out
WARNING: CPU: 0 PID: 700 at drivers/usb/dwc3/gadget.c:398 dwc3_send_gadget_ep_cmd+0x2f8/0x76c
Call trace:
dwc3_send_gadget_ep_cmd+0x2f8/0x76c
__dwc3_gadget_ep_enable+0x490/0x7c0
dwc3_gadget_ep_enable+0x6c/0xe4
usb_ep_enable+0x5c/0x15c
mp_eth_stop+0xd4/0x11c
__dev_close_many+0x160/0x1c8
__dev_change_flags+0xfc/0x220
dev_change_flags+0x24/0x70
devinet_ioctl+0x434/0x524
inet_ioctl+0xa8/0x224
sock_do_ioctl+0x74/0x128
sock_ioctl+0x3bc/0x468
__arm64_sys_ioctl+0xa8/0xe4
invoke_syscall+0x58/0x10c
el0_svc_common+0xa8/0xdc
do_el0_svc+0x1c/0x28
el0_svc+0x38/0x88
el0t_64_sync_handler+0x70/0xbc
el0t_64_sync+0x1a8/0x1ac

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Selvarasu Ganesan <selvarasu.g@xxxxxxxxxxx>
---

Note: No Fixes tag is added because this is a workaround for the
gadget framework issue where the gadget framework calls usb_ep_disable()
in interrupt context without ensuring endpoint flushing completes.
A proper fix requires refactoring the framework to make sure
usb_ep_disable is invoked in process context.

Changes in v3:
 - Revised the commit message to detail the real gadget framework issue
   pointed out by the reviewer.
 - Merged the two fixes for the same ep wringing into one patch.
Link to v2: https://lore.kernel.org/linux-usb/20251117155920.643-1-selvarasu.g@xxxxxxxxxxx/

Changes in v2:
- Removed change-id.
- Updated commit message.
Link to v1: https://lore.kernel.org/linux-usb/20251117152812.622-1-selvarasu.g@xxxxxxxxxxx/
---
 drivers/usb/dwc3/gadget.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 0a688904ce8c5..3af1bbfe3d92b 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -971,8 +971,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
 	 * Issue StartTransfer here with no-op TRB so we can always rely on No
 	 * Response Update Transfer command.
 	 */
-	if (usb_endpoint_xfer_bulk(desc) ||
-			usb_endpoint_xfer_int(desc)) {
+	if ((usb_endpoint_xfer_bulk(desc) ||
+			usb_endpoint_xfer_int(desc)) &&
+			!(dep->flags & DWC3_EP_TRANSFER_STARTED)) {
 		struct dwc3_gadget_ep_cmd_params params;
 		struct dwc3_trb	*trb;
 		dma_addr_t trb_dma;
@@ -1096,6 +1097,23 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep)
 	 */
 	if (dep->flags & DWC3_EP_DELAY_STOP)
 		mask |= (DWC3_EP_DELAY_STOP | DWC3_EP_TRANSFER_STARTED);
+
+	/*
+	 * When dwc3_gadget_ep_disable() calls dwc3_gadget_giveback(),
+	 * the dwc->lock is temporarily released. If dwc3_gadget_ep_queue()
+	 * runs in that window it may set the DWC3_EP_TRANSFER_STARTED flag as
+	 * part of dwc3_send_gadget_ep_cmd. The original code cleared the flag
+	 * unconditionally in the mask operation, which could overwrite the
+	 * concurrent modification.
+	 *
+	 * As a workaround for the interrupt context constraint where we cannot
+	 * wait for endpoint flushing, preserve the DWC3_EP_TRANSFER_STARTED
+	 * flag if it is set, avoiding resource conflicts until the framework
+	 * is fixed to properly synchronize endpoint lifecycle management.
+	 */
+	if (dep->flags & DWC3_EP_TRANSFER_STARTED)
+		mask |= DWC3_EP_TRANSFER_STARTED;
+
 	dep->flags &= mask;
 
 	/* Clear out the ep descriptors for non-ep0 */
-- 
2.34.1