From 399fa239e44b21cac2b709f3059d4c620294ccbd Mon Sep 17 00:00:00 2001 From: Vijayavardhan Vennapusa Date: Thu, 2 Mar 2017 16:07:13 +0530 Subject: [PATCH] USB: composite: Check return value before composite_setup_complete() Currently driver is calling composite_setup_complete() when request queuing to control endpoint fails. During disconnect or composition switch, ep_queue() fails with -ESHUTDOWN return value. In this case also, driver is calling composite_setup_complete(), which leads to invalid pointer dereference. Fix it by not calling composite_setup_complete() in case of return value of -ESHUTDOWN as anyhow composite_unbind() will take care of clearing pending flags before freeing request buffers. Change-Id: I87ea6ecb1e925c6b36dede59486e49ba3a4e90c7 Signed-off-by: Vijayavardhan Vennapusa
---
 drivers/usb/gadget/composite.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index a53b23789d7a..f537201c73fb 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1942,7 +1942,9 @@ unknown:
 if (value < 0) {
 DBG(cdev, "ep_queue --> %d\n", value);
 req->status = 0;
- composite_setup_complete(gadget->ep0, req);
+ if (value != -ESHUTDOWN)
+ composite_setup_complete(gadget->ep0,
+ req);
 }
 return value;
 }
@@ -2031,7 +2033,8 @@ try_fun_setup:
 if (value < 0) {
 DBG(cdev, "ep_queue --> %d\n", value);
 req->status = 0;
- composite_setup_complete(gadget->ep0, req);
+ if (value != -ESHUTDOWN)
+ composite_setup_complete(gadget->ep0, req);
 }
 } else if (value == USB_GADGET_DELAYED_STATUS && w_length != 0) {
 WARN(cdev,
-- 2.11.0
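Review bot: Keying the skip on a single errno, `if (value != -ESHUTDOWN)`, means every other failure code still calls composite_setup_complete() on the path the commit message says ends in an invalid pointer dereference; this applies at `unknown:` and identically at `try_fun_setup:`. Whether the controller driver can fail the queue with a different code while the gadget is being torn down is not visible in these hunks, so the more robust place for the check is probably inside composite_setup_complete() itself, validating the pointer it dereferences before use. The skipped path also does no cleanup of its own and relies on composite_unbind() running afterwards, which should be confirmed for a plain disconnect as well as a composition switch. At minimum each guard needs a comment carrying the rationale that currently lives only in the commit message, e.g. `/* -ESHUTDOWN: disconnect or composition switch; composite_unbind() clears the pending flags */`. The enclosing code starts before and continues after both hunks.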