usb: gadget: f_fs: edit epfile->ep under lock

commit 454915dde06a51133750c6745f0ba57361ba209d upstream.

epfile->ep is protected by ffs->eps_lock (not epfile->mutex) so clear it
while holding the spin lock.

Tested-by: John Stultz <john.stultz@linaro.org>
Tested-by: Chen Yu <chenyu56@huawei.com>
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 5c8429f23a892782febdb3c650efa8c168705227..c34abba7875fcdeacbc8f101496f8aab32634de5 100644 (file)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1722,17 +1722,17 @@ static void ffs_func_eps_disable(struct ffs_function *func)
        unsigned long flags;
 
        do {
-               if (epfile)
-                       mutex_lock(&epfile->mutex);
                spin_lock_irqsave(&func->ffs->eps_lock, flags);
                /* pending requests get nuked */
                if (likely(ep->ep))
                        usb_ep_disable(ep->ep);
                ++ep;
+               if (epfile)
+                       epfile->ep = NULL;
                spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
 
                if (epfile) {
-                       epfile->ep = NULL;
+                       mutex_lock(&epfile->mutex);
                        kfree(epfile->read_buffer);
                        epfile->read_buffer = NULL;
                        mutex_unlock(&epfile->mutex);