usb: gadget: composite: dequeue cdev->req before free its buffer
authorLi Jun <B47624@freescale.com>
Thu, 28 Aug 2014 13:44:11 +0000 (21:44 +0800)
committerFelipe Balbi <balbi@ti.com>
Tue, 2 Sep 2014 14:16:45 +0000 (09:16 -0500)
commit f226708(usb: gadget: composite: dequeue cdev->req before free it in
composite_dev_cleanup) fixed a bug: free the usb request(i.e. cdev->req) but
does not dequeue it beforehand. This fix is not proper enough because it
dequeues the request after free its data buffer, considering the hardware can
access the buffer's memory anytime before the request's complettion rountine
runs, and usb_ep_dequeue always call the complettion rountine before it returns,
so the best way is to dequeue the request before free its buffer.

Suggested-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Li Jun <b47624@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
drivers/usb/gadget/composite.c

index 6935a822ce2b871553ff7074b7a0f781f057b4b3..4514e73d9e7090c33bcbb82da4093598f408a185 100644 (file)
@@ -1955,8 +1955,8 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
                usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
        }
        if (cdev->req) {
-               kfree(cdev->req->buf);
                usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
+               kfree(cdev->req->buf);
                usb_ep_free_request(cdev->gadget->ep0, cdev->req);
        }
        cdev->next_string_id = 0;