| From 21b5fcdccb32ff09b6b63d4a83c037150665a83f Mon Sep 17 00:00:00 2001 |
| From: Viraj Shah <viraj.shah@linutronix.de> |
| Date: Thu, 21 Oct 2021 11:36:44 +0200 |
| Subject: usb: musb: Balance list entry in musb_gadget_queue |
| |
| From: Viraj Shah <viraj.shah@linutronix.de> |
| |
| commit 21b5fcdccb32ff09b6b63d4a83c037150665a83f upstream. |
| |
| musb_gadget_queue() adds the passed request to musb_ep::req_list. If the |
| endpoint is idle and it is the first request then it invokes |
| musb_queue_resume_work(). If the function returns an error then the |
| error is passed to the caller without any clean-up and the request |
| remains enqueued on the list. If the caller enqueues the request again |
| then the list corrupts. |
| |
| Remove the request from the list on error. |
| |
| Fixes: ea2f35c01d5ea ("usb: musb: Fix sleeping function called from invalid context for hdrc glue") |
| Cc: stable <stable@vger.kernel.org> |
| Signed-off-by: Viraj Shah <viraj.shah@linutronix.de> |
| Link: https://lore.kernel.org/r/20211021093644.4734-1-viraj.shah@linutronix.de |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/usb/musb/musb_gadget.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/usb/musb/musb_gadget.c |
| +++ b/drivers/usb/musb/musb_gadget.c |
| @@ -1248,9 +1248,11 @@ static int musb_gadget_queue(struct usb_ |
| status = musb_queue_resume_work(musb, |
| musb_ep_restart_resume_work, |
| request); |
| - if (status < 0) |
| + if (status < 0) { |
| dev_err(musb->controller, "%s resume work: %i\n", |
| __func__, status); |
| + list_del(&request->list); |
| + } |
| } |
| |
| unlock: |
