From: Li Jun Date: Thu, 28 Aug 2014 13:44:11 +0000 (+0800) Subject: usb: gadget: composite: dequeue cdev->req before free its buffer X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=be0a8887bb931af0e21531da20c41533effbb0d6;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git usb: gadget: composite: dequeue cdev->req before free its buffer commit f226708(usb: gadget: composite: dequeue cdev->req before free it in composite_dev_cleanup) fixed a bug: free the usb request(i.e. cdev->req) but does not dequeue it beforehand. This fix is not proper enough because it dequeues the request after free its data buffer, considering the hardware can access the buffer's memory anytime before the request's complettion rountine runs, and usb_ep_dequeue always call the complettion rountine before it returns, so the best way is to dequeue the request before free its buffer. Suggested-by: Felipe Balbi Signed-off-by: Li Jun Signed-off-by: Felipe Balbi --- diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 6935a822ce2b..4514e73d9e70 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1955,8 +1955,8 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); } if (cdev->req) { - kfree(cdev->req->buf); usb_ep_dequeue(cdev->gadget->ep0, cdev->req); + kfree(cdev->req->buf); usb_ep_free_request(cdev->gadget->ep0, cdev->req); } cdev->next_string_id = 0;