>> From: Fei Yang <fei.yang@xxxxxxxxx>
>>
>> The following kernel panic happens due to the io_data buffer gets
>> deallocated before the async io is completed. Add a check for the case
>> where io_data buffer should be deallocated by ffs_user_copy_worker.
>
> [snip]
>
> Please add tag - 'Fixes: 772a7a724f6 ("usb: gadget: f_fs: Allow scatter-gather buffers")
Sent [PATCH V2]
>> ---
>> drivers/usb/gadget/function/f_fs.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/gadget/function/f_fs.c
>> b/drivers/usb/gadget/function/f_fs.c
>> index 20413c2..47be961 100644
>> --- a/drivers/usb/gadget/function/f_fs.c
>> +++ b/drivers/usb/gadget/function/f_fs.c
>> @@ -1133,7 +1133,8 @@ static ssize_t ffs_epfile_io(struct file *file,
>> struct ffs_io_data *io_data)
>> error_mutex:
>> mutex_unlock(&epfile->mutex);
>> error:
>> - ffs_free_buffer(io_data);
>> + if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
>> + ffs_free_buffer(io_data);
>> return ret;
>> }
