From be0a8887bb931af0e21531da20c41533effbb0d6 Mon Sep 17 00:00:00 2001
From: Li Jun <B47624@freescale.com>
Date: Thu, 28 Aug 2014 21:44:11 +0800
Subject: [PATCH] usb: gadget: composite: dequeue cdev->req before free its
 buffer

commit f226708(usb: gadget: composite: dequeue cdev->req before free it in
composite_dev_cleanup) fixed a bug: free the usb request(i.e. cdev->req) but
does not dequeue it beforehand. This fix is not proper enough because it
dequeues the request after free its data buffer, considering the hardware can
access the buffer's memory anytime before the request's complettion rountine
runs, and usb_ep_dequeue always call the complettion rountine before it returns,
so the best way is to dequeue the request before free its buffer.

Suggested-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Li Jun <b47624@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
---
 drivers/usb/gadget/composite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 6935a822ce2b..4514e73d9e70 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1955,8 +1955,8 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
 		usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
 	}
 	if (cdev->req) {
-		kfree(cdev->req->buf);
 		usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
+		kfree(cdev->req->buf);
 		usb_ep_free_request(cdev->gadget->ep0, cdev->req);
 	}
 	cdev->next_string_id = 0;