From fa28b0304be8d09171a2e9907e615631efb0a161 Mon Sep 17 00:00:00 2001
From: Hemant Kumar <hemantk@codeaurora.org>
Date: Wed, 13 Jul 2016 12:05:40 -0700
Subject: [PATCH] usb: dwc3: Fix bug in ep disable operation

__dwc3_gadget_ep_disable API doing memset 0 with size
set to DWC3_TRB_NUM. Number of TRBs allocated for gsi
endpoints are less than DWC3_TRB_NUM. This results in
to memory corruption. Fix this bug by introducing
num_trbs member in dwc3_ep structure to save number of
trbs allocated in a dma pool upon dma pool creation.
Ep disable operation will use num_trbs of a dwc3_ep to
perform memset 0.

Change-Id: I94b5865ca22b4e1fde0d2cd8dcb218906327a916
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
---
 drivers/usb/dwc3/core.h     | 2 ++
 drivers/usb/dwc3/dwc3-msm.c | 2 ++
 drivers/usb/dwc3/gadget.c   | 6 ++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index fa2a9d9a293a..4df5f3cd5b15 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -513,6 +513,7 @@ struct dwc3_ep_events {
  * @trb_dma_pool: dma pool used to get aligned trb memory pool
  * @trb_pool: array of transaction buffers
  * @trb_pool_dma: dma address of @trb_pool
+ * @num_trbs: num of trbs in the trb dma pool
  * @free_slot: next slot which is going to be used
  * @busy_slot: first slot which is owned by HW
  * @desc: usb_endpoint_descriptor pointer
@@ -539,6 +540,7 @@ struct dwc3_ep {
 	struct dma_pool		*trb_dma_pool;
 	struct dwc3_trb		*trb_pool;
 	dma_addr_t		trb_pool_dma;
+	u32			num_trbs;
 	u32			free_slot;
 	u32			busy_slot;
 	const struct usb_ss_ep_comp_descriptor *comp_desc;
diff --git a/drivers/usb/dwc3/dwc3-msm.c b/drivers/usb/dwc3/dwc3-msm.c
index f9c0b6a04224..49bed21b1284 100644
--- a/drivers/usb/dwc3/dwc3-msm.c
+++ b/drivers/usb/dwc3/dwc3-msm.c
@@ -969,6 +969,8 @@ static int gsi_prepare_trbs(struct usb_ep *ep, struct usb_gsi_request *req)
 		return -ENOMEM;
 	}
 
+	dep->num_trbs = num_trbs;
+
 	dep->trb_pool = dma_pool_alloc(dep->trb_dma_pool,
 					   GFP_KERNEL, &dep->trb_pool_dma);
 	if (!dep->trb_pool) {
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 76d39a6fb68c..3e123b3da82d 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -390,18 +390,20 @@ int dwc3_send_gadget_ep_cmd(struct dwc3 *dwc, unsigned ep,
 static int dwc3_alloc_trb_pool(struct dwc3_ep *dep)
 {
 	struct dwc3		*dwc = dep->dwc;
+	u32			num_trbs = DWC3_TRB_NUM;
 
 	if (dep->trb_pool)
 		return 0;
 
 	dep->trb_pool = dma_zalloc_coherent(dwc->dev,
-			sizeof(struct dwc3_trb) * DWC3_TRB_NUM,
+			sizeof(struct dwc3_trb) * num_trbs,
 			&dep->trb_pool_dma, GFP_KERNEL);
 	if (!dep->trb_pool) {
 		dev_err(dep->dwc->dev, "failed to allocate trb pool for %s\n",
 				dep->name);
 		return -ENOMEM;
 	}
+	dep->num_trbs = num_trbs;
 
 	return 0;
 }
@@ -688,7 +690,7 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep)
 	 */
 	if (dep->number > 1) {
 		memset(&dep->trb_pool[0], 0,
-			sizeof(struct dwc3_trb) * DWC3_TRB_NUM);
+			sizeof(struct dwc3_trb) * dep->num_trbs);
 		dbg_event(dep->number, "Clr_TRB", 0);
 	}