From: Felipe Balbi <balbi@ti.com>
Date: Mon, 13 Oct 2014 20:36:16 +0000 (-0500)
Subject: usb: dwc3: gadget: WARN() on bogus usb_ep_queue()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=73359cef4fcc322c96019b2a5c1e99b08f3bbb57;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

usb: dwc3: gadget: WARN() on bogus usb_ep_queue()

Some gadget/function drivers might want to do
improper request recycling by allocating a single
request from one particular endpoint and queueing
it to another completely unrelated endpoint.

One such case was found with f_loopback.c.

To prevent such cases from happening again, let's
WARN() so we get a loud enough failure and persuade
users to report errors.

Signed-off-by: Felipe Balbi <balbi@ti.com>
---

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 12f42842da10..20e4ee922c47 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1140,8 +1140,14 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,
 	if (!dep->endpoint.desc) {
 		dev_dbg(dwc->dev, "trying to queue request %p to disabled %s\n",
 				request, ep->name);
-		spin_unlock_irqrestore(&dwc->lock, flags);
-		return -ESHUTDOWN;
+		ret = -ESHUTDOWN;
+		goto out;
+	}
+
+	if (WARN(req->dep != dep, "request %p belongs to '%s'\n",
+				request, req->dep->name)) {
+		ret = -EINVAL;
+		goto out;
 	}
 
 	dev_vdbg(dwc->dev, "queing request %p to %s length %d\n",
@@ -1149,6 +1155,8 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,
 	trace_dwc3_ep_queue(req);
 
 	ret = __dwc3_gadget_ep_queue(dep, req);
+
+out:
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
 	return ret;