From f0ddf8d10f7d58592d2ebb60025b227c8047114d Mon Sep 17 00:00:00 2001 From: Jerzy Kasenberg Date: Thu, 9 Mar 2023 14:00:37 +0100 Subject: [PATCH] dcd_nrf5x: ISO OUT handling For incoming ISO OUT packets it was possible to start DMA from endpoint to RAM before transfer was started resulting in unrelated memory corruption. This is scenario that causes memory corruption: - ISO OUT packet is received - Packet is transferred by DMA to transfer buffer - xfer->started is cleared and xfer->buffer is updated as it is in every case - Application takes to long to handle it (it happens when debugger is connected breakpoint is hit slowing down software). - Next ISO OUT packet arrives At this point there was no check if transfer was started and packet was copied by DMA to location beyond previous data, possibly overwriting unrelated memory. This solves the issue by checking that transfer was started and there is buffer ready for incoming packet. --- src/portable/nordic/nrf5x/dcd_nrf5x.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/portable/nordic/nrf5x/dcd_nrf5x.c b/src/portable/nordic/nrf5x/dcd_nrf5x.c index afc14b010..4aeb85fc0 100644 --- a/src/portable/nordic/nrf5x/dcd_nrf5x.c +++ b/src/portable/nordic/nrf5x/dcd_nrf5x.c @@ -187,11 +187,16 @@ static void xact_out_dma(uint8_t epnum) } else { - // Trigger DMA move data from Endpoint -> SRAM - NRF_USBD->ISOOUT.PTR = (uint32_t) xfer->buffer; - NRF_USBD->ISOOUT.MAXCNT = xact_len; + if (xfer->started) + { + // Trigger DMA move data from Endpoint -> SRAM + NRF_USBD->ISOOUT.PTR = (uint32_t) xfer->buffer; + NRF_USBD->ISOOUT.MAXCNT = xact_len; - start_dma(&NRF_USBD->TASKS_STARTISOOUT); + start_dma(&NRF_USBD->TASKS_STARTISOOUT); + } else { + atomic_flag_clear(&_dcd.dma_running); + } } } else