USB: ci13xxx_udc: Fix kernel panic during composition switch
The control endpoint requests are not nuked properly during composition switch. The stale request is getting completed during enumeration of the new composition. Kernel panics if completion handler accesses already freed data. This is happening with RNDIS interface.

The Android composite driver dequeues the control request before removing the composition. The current code returns immediately if the queue is empty. The control endpoint queues are handled differently. The EP0 IN endpoint is only exposed to the composite driver. The controller driver takes care of queuing the request on EP0 IN or EP0 OUT based on control transfer direction. When the composite driver dequeues request on control endpoint, check both direction endpoints queues.

When USB bus is reset, nuke the control endpoints. Flushing the endpoint will not call completion handler.

Test endpoint queue list, request list, endpoint descriptor and soft pull up status under spinlock to prevent any races between dequeue and queue paths.

CRs-Fixed: 474578
Change-Id: I3d7ca4be4d6cee65707879c6c9b501f442e53018
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>