From 1837de74bbbabcaad873fab6a33940ad77178084 Mon Sep 17 00:00:00 2001 From: Li Jun Date: Thu, 28 Aug 2014 21:44:11 +0800 Subject: [PATCH] usb: gadget: composite: dequeue cdev->req before free its buffer commit c6876fd(usb: gadget: composite: dequeue cdev->req before free it in composite_dev_cleanup) fixed a bug: free the usb request(i.e. cdev->req) but does not dequeue it beforehand. This fix is not proper enough because it dequeues the request after free its data buffer, considering the hardware can access the buffer's memory anytime before the request's complettion rountine runs, and usb_ep_dequeue always call the complettion rountine before it returns, so the best way is to dequeue the request before free its buffer. Suggested-by: Felipe Balbi Signed-off-by: Li Jun Signed-off-by: Felipe Balbi --- drivers/usb/gadget/composite.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 6935a822ce2b8..4514e73d9e709 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1955,8 +1955,8 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); } if (cdev->req) { - kfree(cdev->req->buf); usb_ep_dequeue(cdev->gadget->ep0, cdev->req); + kfree(cdev->req->buf); usb_ep_free_request(cdev->gadget->ep0, cdev->req); } cdev->next_string_id = 0; -- 2.39.5