From 7fb9d732feb64946f280ee4843527cb5095c97ef Mon Sep 17 00:00:00 2001
From: "he.he"
Date: Tue, 16 Oct 2018 19:20:23 +0800
Subject: [PATCH] usb: adb reboot and then adb disconnect[1/1]
PD#174155: complete_ep 0xffffffc05bed2858, ep->queue empty!
Problem:
1. After adb process be killed, data buffer is freed and this memory is allocated for the other. But the address is hold by the controller.
2. Adbd in PC is running. So, the controller receive the data and write to this memory.
3.The value of this memory is modified by the controller. This could cause the memory problem.
Solution: whenever io_data->aio equals 1, the data buffer is from a fixed array.
Verify: verified by huang xiaojing
Change-Id: I2055ea013021c8411bf626ce170e6b32164bef4a
Signed-off-by: he.he
---
 drivers/usb/gadget/function/f_fs.c | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 055c03a113da..cb76db3ad3cc 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -848,7 +848,9 @@ static void ffs_user_copy_worker(struct work_struct *work)
 if (io_data->read)
 kfree(io_data->to_free);
+#ifndef CONFIG_AMLOGIC_USB
 kfree(io_data->buf);
+#endif
 kfree(io_data);
 }
@@ -952,7 +954,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 #ifdef CONFIG_AMLOGIC_USB
 struct ffs_ep *ep = epfile->ep;
 struct ffs_data_buffer *buffer = NULL;
- int data_flag = -1;
 #else
 struct ffs_ep *ep;
 #endif
@@ -1034,15 +1035,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 goto error_mutex;
 }
 #else
- if (io_data->aio) {
- spin_unlock_irq(&epfile->ffs->eps_lock);
- data = kmalloc(data_len, GFP_KERNEL);
- data_flag = 1;
- if (unlikely(!data)) {
- ret = -ENOMEM;
- goto error_mutex;
- }
- } else {
 /* Fire the request */
 /*
 * Avoid kernel panic caused by race condition. For example,
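Review bot: Compiling out `kfree(io_data->buf)` under CONFIG_AMLOGIC_USB leaves ffs_user_copy_worker with no release at all for the buffer the aio path now takes from assign_ffs_buffer() (hunks at -1034 and -1060 in this commit), and nothing else in the diff returns the `struct ffs_data_buffer` via release_ffs_buffer() once the completion has run. Unless the completion path does that outside this diff, every completed aio request pins one pool buffer until kill_sb, so a long-lived adbd session can exhaust the fixed array and later requests fail with -ENOMEM. The worker only holds `io_data->buf`, the `data_ep` pointer, so to return the buffer here the pool descriptor would have to be saved in `io_data` when the request is queued, e.g. `#ifdef CONFIG_AMLOGIC_USB` / `release_ffs_buffer(<ffs>, <saved descriptor>);` / `#endif` in place of the removed kfree, with placeholders standing for fields this diff does not show. ffs_user_copy_worker begins outside the hunk.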
@@ -1060,9 +1052,9 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 * To avoid this, during FunctionFS mount, we allocated the
 * data buffer for requests. And the memory resources has
 * been released in kill_sb.
+ *reboot adb disconnect,so buffer aways used assign_ffs_buffer.
 */
 buffer = assign_ffs_buffer(epfile->ffs);
- data_flag = -1;
 if (unlikely(!buffer)) {
 ret = -ENOMEM;
 spin_unlock_irq(&epfile->ffs->eps_lock);
@@ -1071,7 +1063,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 data = buffer->data_ep;
 spin_unlock_irq(&epfile->ffs->eps_lock);
- }
 #endif
 if (!io_data->read &&
@@ -1177,13 +1168,8 @@ error_mutex:
 mutex_unlock(&epfile->mutex);
 error:
 #ifdef CONFIG_AMLOGIC_USB
- if (data_flag > 0) {
- kfree(data);
- data = NULL;
- } else {
- if (buffer)
- release_ffs_buffer(epfile->ffs, buffer);
- }
+ if (buffer)
+ release_ffs_buffer(epfile->ffs, buffer);
 #else
 kfree(data);
 #endif
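Review bot: The comment line added to the block comment above `buffer = assign_ffs_buffer(epfile->ffs);` does not match the surrounding lines in form or wording: it lacks the space after `*`, has a typo ("aways") and a missing space after the comma, and does not say what the reader needs, namely that the aio path now also uses the pool. Since this comment is the only place the new lifetime rule is written down, it is worth stating plainly, e.g. ` * After an adb reboot or disconnect the controller may still write into` / ` * the request buffer, so the aio path also takes its buffer from` / ` * assign_ffs_buffer() instead of kmalloc().`. ffs_epfile_io begins outside the hunk.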
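Review bot: The `error:` cleanup now calls release_ffs_buffer() whenever `buffer` is non-NULL, and after this commit `buffer` is non-NULL on the aio path too, whereas before the change the aio path left `buffer` NULL and was told apart by `data_flag`. If the aio branch that lies between the -1071 hunk and this one (not in the diff) still falls through to `error:` after usb_ep_queue() succeeds, the pool buffer is handed back while the request is still queued with `req->buf` pointing into it, which is the same controller-writes-into-reused-memory condition the commit is meant to fix. The queued path should clear the descriptor alongside whatever it already does to keep the data pointer from being freed, `buffer = NULL;`, and the completion side should be the one to release it; I cannot confirm from the hunk whether that branch already does so. ffs_epfile_io begins outside the hunk.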