From: Dongwoo Lee <dwoo08.lee@samsung.com>
Date: Fri, 6 Mar 2020 05:04:13 +0000 (+0900)
Subject: usb: dwc2: gadget: Expand buffer size of control endpoint
X-Git-Tag: accepted/tizen/unified/20210330.111217~116
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1b6b91e49c9382c1f7ebf639ae9e226f92c321a3;p=platform%2Fkernel%2Flinux-rpi.git

usb: dwc2: gadget: Expand buffer size of control endpoint

We found the case that buffer of control endpoint, which was allocated
with 8 bytes previously, is corrupted when the host races for setting
up interfaces. Even worse, it overwrites memory for other structure
such as usb_request for control endpoint and it causes kernel panic.
Especially in Tizen, it often happens when the target is configured as
multi-functional device: sdb + mtp.

In our emprical examination the buffer can be corrupted upto size of
456 bytes. With this result, the size of buffer will be enlarged to
512 bytes to prevent kernel panic even if it happens.

Change-Id: I20eb1283f3c82e09453960b72787175f734e7ec4
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>
---

diff --git a/drivers/usb/dwc2/core.h b/drivers/usb/dwc2/core.h
index a8c6ba2..bd1181e 100644
--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -676,7 +676,7 @@ struct dwc2_hw_params {
 };
 
 /* Size of control and EP0 buffers */
-#define DWC2_CTRL_BUFF_SIZE 8
+#define DWC2_CTRL_BUFF_SIZE 512
 
 /**
  * struct dwc2_gregs_backup - Holds global registers state before