usb: dwc2: use temporary URB buffer for small control transfers

As a result of a hardware bug, small IN packets with length < 4 cause a
4-byte write to memory. Generally, buffers allocated with kmalloc
reserve at least one cacheline of memory, but the UVC driver passes
offsets into a struct as the buffer. This causes trampling of video
control min/max/default/range data.

e.g. on a generic UVC camera, these default values are nonsense:

$ v4l2-ctl -d0 --all
[...]
brightness 0x00980900 (int) : min=0 max=255 step=1 default=-8193 value=128
contrast 0x00980901 (int)   : min=0 max=100 step=1 default=57343 value=67
saturation 0x00980902 (int) : min=0 max=100 step=1 default=57343 value=62
hue 0x00980903 (int)        : min=-90 max=90 step=2 default=12287 value=0
gamma 0x00980910 (int)      : min=1 max=30 step=1 default=57343 value=29
[...]

Update the pre-existing DMA alignment code to catch this case.

Link: #3148
Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>

Author: P33M

drivers/usb/dwc2/hcd.c

@@ -2469,10 +2469,23 @@ static int dwc2_alloc_dma_aligned_buffer(struct urb *urb, gfp_t mem_flags)
 {
 	void *kmalloc_ptr;
 	size_t kmalloc_size;
+	bool small_ctrl;
 
-	if (urb->num_sgs || urb->sg ||
-	    urb->transfer_buffer_length == 0 ||
-	    !((uintptr_t)urb->transfer_buffer & (DWC2_USB_DMA_ALIGN - 1)))
+	if (urb->num_sgs || urb->sg || urb->transfer_buffer_length == 0)
+		return 0;
+
+	/*
+	 * Hardware bug: small IN packets with length < 4 cause a
+	 * 4-byte write to memory. This is only an issue for drivers that
+	 * insist on packing a device's various properties into a struct
+	 * and filling them one at a time with Control transfers (uvcvideo).
+	 * Force the use of align_buf so that the subsequent memcpy puts
+	 * the right number of bytes in the URB's buffer.
+	 */
+	small_ctrl = (urb->setup_packet &&
+		     le16_to_cpu(((struct usb_ctrlrequest *)(urb->setup_packet))->wLength) < 4);
+
+	if (!small_ctrl && !((uintptr_t)urb->transfer_buffer & (DWC2_USB_DMA_ALIGN - 1)))
 		return 0;
 
 	/*