xhci: Fix crash if scatter gather is used with Immediate Data Transfer (IDT).

A second regression was found in the immediate data transfer (IDT)
support which was added to 5.2 kernel

IDT is used to transfer small amounts of data (up to 8 bytes) in the
field normally used for data dma address, thus avoiding dma mapping.

If the data was not already dma mapped, then IDT support assumed data was
in urb->transfer_buffer, and did not take into accound that even
small amounts of data (8 bytes) can be in a scatterlist instead.

This caused a NULL pointer dereference when sg_dma_len() was used
with non-dma mapped data.

Solve this by not using IDT if scatter gather buffer list is used.

Fixes: 33e3935 ("usb: xhci: add Immediate Data Transfer support")
Cc: <[email protected]> # v5.2
Reported-by: Maik Stohn <[email protected]>
Tested-by: Maik Stohn <[email protected]>
CC: Nicolas Saenz Julienne <[email protected]>
Signed-off-by: Mathias Nyman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: matnyman

drivers/usb/host/xhci.h

@@ -2175,7 +2175,8 @@ static inline bool xhci_urb_suitable_for_idt(struct urb *urb)
 	if (!usb_endpoint_xfer_isoc(&urb->ep->desc) && usb_urb_dir_out(urb) &&
 	    usb_endpoint_maxp(&urb->ep->desc) >= TRB_IDT_MAX_SIZE &&
 	    urb->transfer_buffer_length <= TRB_IDT_MAX_SIZE &&
-	    !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP))
+	    !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP) &&
+	    !urb->num_sgs)
 		return true;
 
 	return false;