ENGR00321224 usb: gadget: composite: try to dequeue cdev->req before …

…free it

If cdev->req was queued when remove composite driver, usb_ep_free_request
cannot free it, this request may get to run its completion function next time
this gadget driver load again, but the memory of completion function symbol is
invalid after the driver removal, which will result in kernel panic like below:

... ...
ci_hdrc ci_hdrc.0: enabling a non-empty endpoint!
root@imx6sxsabresd:~# Unable to handle kernel paging request at virtual address 7f02eb2c
pgd = 80004000
[7f02eb2c] *pgd=a8b41811, *pte=00000000, *ppte=00000000
Internal error: Oops: 80000007 [wandboard-org#1] PREEMPT SMP ARM
Modules linked in: g_ncm libcomposite configfs ov5642_camera ov5640_camera evbug [last unloaded: configfs]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.31-daily-02005-g914c72a torvalds#20
task: 80c7b5c8 ti: 80c70000 task.ti: 80c70000
PC is at 0x7f02eb2c
LR is at _ep_nuke+0xdc/0x118
pc : [<7f02eb2c>]    lr : [<803e6a90>]    psr: 200f0193
sp : 80c71d30  ip : 00000000  fp : a8c1513c
r10: a803f608  r9 : 00000000  r8 : a803f5d0
r7 : a8c15134  r6 : a8c1513c  r5 : a8c1513c  r4 : a8c15100
r3 : 7f02eb2c  r2 : 00010101  r1 : a8c15100  r0 : a803f5d0
Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 10c53c7d  Table: a92a804a  DAC: 00000015
Process swapper/0 (pid: 0, stack limit = 0x80c70238)
Stack: (0x80c71d30 to 0x80c72000)
1d20:                                     a803f010 ffffffea 00000001 c08661ac
1d40: 00000000 0000004b a8008900 a803f2f0 a803f010 803e7934 80c71d94 80047614
1d60: 00000000 00000001 80c784e4 a803f010 a803f014 80c83290 81545c00 00000000
1d80: 803e6be0 a803f150 80c6ec00 81545c00 00000000 a803f010 a8008950 00000000
1da0: 00000000 0000004b a8008900 80cc47ce 00000001 803e4810 803e47c0 a83a3140
1dc0: a8008950 80076be0 12d4bd61 00000000 00989680 a8008900 a8008950 a83a3140
1de0: c0802100 80c70000 00000000 80c70000 80c70000 80076d44 a8008900 a8008950
1e00: 80c71f20 80079a10 8007998c 0000004b 0000004b 800763a8 80c6def0 8000e948
1e20: c080210c 80c78904 80c71e48 80008558 800306d8 800306e8 200f0113 ffffffff
1e40: 80c71e7c 8000dc80 00000000 00000000 00000101 80c70000 00000202 00000057
1e60: 00000000 80c72080 80c70000 00000000 80c70000 80c70000 80d072c0 80c71e90
1e80: 800306d8 800306e8 200f0113 ffffffff 00000057 a8009240 80cc47ce 80c6d7a0
1ea0: 00000000 0000000a 80d072c0 80c720c0 ffffac69 80c70010 80c80564 00200000
1ec0: 80c70000 600f0193 00000057 00000000 c0802100 00000000 00000000 80c70000
1ee0: 80c70000 800308b4 80c70030 80030b50 80c6def0 8000e94c c080210c 80c78904
1f00: 80c71f20 80008558 8005cfc0 8044a8bc 600f0013 ffffffff 80c71f54 8000dc80
1f20: 80c71f68 00000055 05ffdea3 00000014 05fc1b18 00000014 81545130 80c7dd68
1f40: 00000000 00000000 80c70000 80c70000 00000017 80c71f68 8005cfc0 8044a8bc
1f60: 600f0013 ffffffff 05ffdea3 00000014 80d1c98c 80c70000 81545130 80d1c98c
1f80: 00000000 80c7dd68 00000000 8044a9fc 00000000 80c78564 806493ac 80c70000
1fa0: 80cc47ba 80c70000 80cc47ba 8000ec68 0000cf94 8005c894 80c70000 80c78480
1fc0: 00000000 80c26a9c ffffffff ffffffff 80c26548 00000000 00000000 80c61770
1fe0: 10c53c7d 80c784e0 80c6176c 80c7c3c4 8000406a 80008074 00000000 00000000
[<803e6a90>] (_ep_nuke+0xdc/0x118) from [<803e7934>] (udc_irq+0x5c8/0xcf4)
[<803e7934>] (udc_irq+0x5c8/0xcf4) from [<803e4810>] (ci_irq+0x50/0x118)
[<803e4810>] (ci_irq+0x50/0x118) from [<80076be0>] (handle_irq_event_percpu+0x54/0x17c)
[<80076be0>] (handle_irq_event_percpu+0x54/0x17c) from [<80076d44>] (handle_irq_event+0x3c/0x5c)
[<80076d44>] (handle_irq_event+0x3c/0x5c) from [<80079a10>] (handle_fasteoi_irq+0x84/0x14c)
[<80079a10>] (handle_fasteoi_irq+0x84/0x14c) from [<800763a8>] (generic_handle_irq+0x2c/0x3c)
[<800763a8>] (generic_handle_irq+0x2c/0x3c) from [<8000e948>] (handle_IRQ+0x40/0x90)
[<8000e948>] (handle_IRQ+0x40/0x90) from [<80008558>] (gic_handle_irq+0x2c/0x5c)
[<80008558>] (gic_handle_irq+0x2c/0x5c) from [<8000dc80>] (__irq_svc+0x40/0x70)
Exception stack(0x80c71e48 to 0x80c71e90)
1e40:                   00000000 00000000 00000101 80c70000 00000202 00000057
1e60: 00000000 80c72080 80c70000 00000000 80c70000 80c70000 80d072c0 80c71e90
1e80: 800306d8 800306e8 200f0113 ffffffff
[<8000dc80>] (__irq_svc+0x40/0x70) from [<800306e8>] (__do_softirq+0xc8/0x200)
[<800306e8>] (__do_softirq+0xc8/0x200) from [<800308b4>] (do_softirq+0x50/0x58)
[<800308b4>] (do_softirq+0x50/0x58) from [<80030b50>] (irq_exit+0x9c/0xd0)
[<80030b50>] (irq_exit+0x9c/0xd0) from [<8000e94c>] (handle_IRQ+0x44/0x90)
[<8000e94c>] (handle_IRQ+0x44/0x90) from [<80008558>] (gic_handle_irq+0x2c/0x5c)
[<80008558>] (gic_handle_irq+0x2c/0x5c) from [<8000dc80>] (__irq_svc+0x40/0x70)
Exception stack(0x80c71f20 to 0x80c71f68)
1f20: 80c71f68 00000055 05ffdea3 00000014 05fc1b18 00000014 81545130 80c7dd68
1f40: 00000000 00000000 80c70000 80c70000 00000017 80c71f68 8005cfc0 8044a8bc
1f60: 600f0013 ffffffff
[<8000dc80>] (__irq_svc+0x40/0x70) from [<8044a8bc>] (cpuidle_enter_state+0x50/0xe0)
[<8044a8bc>] (cpuidle_enter_state+0x50/0xe0) from [<8044a9fc>] (cpuidle_idle_call+0xb0/0x148)
[<8044a9fc>] (cpuidle_idle_call+0xb0/0x148) from [<8000ec68>] (arch_cpu_idle+0x10/0x54)
[<8000ec68>] (arch_cpu_idle+0x10/0x54) from [<8005c894>] (cpu_startup_entry+0x104/0x150)
[<8005c894>] (cpu_startup_entry+0x104/0x150) from [<80c26a9c>] (start_kernel+0x324/0x330)
Code: bad PC value
---[ end trace 71c853bf79d571a9 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Rebooting in 60 seconds..

Signed-off-by: Li Jun <[email protected]>

drivers/usb/gadget/composite.c

@@ -1637,6 +1637,7 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
 	}
 	if (cdev->req) {
 		kfree(cdev->req->buf);
+		usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
 		usb_ep_free_request(cdev->gadget->ep0, cdev->req);
 	}
 	cdev->next_string_id = 0;