ehci: fix removed qhd get reused

Signed-off-by: HiFiPhile <[email protected]>

Author: HiFiPhile

src/host/usbh.c

@@ -844,7 +844,7 @@ static bool usbh_control_xfer_cb (uint8_t daddr, uint8_t ep_addr, xfer_result_t
             const uint8_t ep_status = tu_edpt_addr(0, 1 - request->bmRequestType_bit.direction);
             TU_ASSERT(hcd_edpt_xfer(rhport, daddr, ep_status, NULL, 0));
             break;
-          }   
+          }
 
         case CONTROL_STAGE_ACK: {
           // Abort all pending transfers if SET_CONFIGURATION request

src/portable/ehci/ehci.c

@@ -35,6 +35,7 @@
 
 #include "host/hcd.h"
 #include "host/usbh.h"
+#include "host/usbh_pvt.h"
 #include "ehci_api.h"
 #include "ehci.h"
 
@@ -866,14 +867,21 @@ static ehci_qhd_t *qhd_get_from_addr(uint8_t dev_addr, uint8_t ep_addr) {
   }
 
   ehci_qhd_t *qhd_pool = ehci_data.qhd_pool;
+
+  // protect qhd_pool since 'used' and 'removing' can be changed in isr
+  ehci_qhd_t *result = NULL;
+  usbh_spin_lock(false);
   for (uint32_t i = 0; i < QHD_MAX; i++) {
     if ((qhd_pool[i].dev_addr == dev_addr) &&
-        ep_addr == qhd_ep_addr(&qhd_pool[i])) {
-      return &qhd_pool[i];
+        ep_addr == qhd_ep_addr(&qhd_pool[i]) &&
+        qhd_pool[i].used && !qhd_pool[i].removing) {
+      result = &qhd_pool[i];
+      break;
     }
   }
+  usbh_spin_unlock(false);
 
-  return NULL;
+  return result;
 }
 
 // Init queue head with endpoint descriptor