Hi,
Let's say a function driver queues a request on ep0 and, before the
completion handler can run, a composition switch/physical disconnect
happens. This request will still be in the pending list since gadget_giveback is
not done, but the composite driver will free the request from
composite_dev_cleanup. Now, once the next connect happens, another ep0
request is queued, and while handling the completion of that request,
the gadget driver might end up accessing the old/stale request, leading to
list_poison since the pending list is corrupted.
To fix this, the function drivers might want to use the setup_pending flag (mark
it true) so that when composite_dev_cleanup is run the requests
are given back via usb_ep_dequeue, and clear the setup_pending flag in the
function driver when the completion handler runs successfully. I can see
this issue in almost all the function drivers.
Looking for suggestions and comments.
--Pratham
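To make the sequence above concrete, here is a small user-space model of it, added for illustration and not code from the kernel or from this thread. The structs and helper names (ep_queue, ep_dequeue, fn_queue_ep0, composite_cleanup) are stand-ins for the UDC pending list, usb_ep_dequeue(), the function driver's ep0 queue path and composite_dev_cleanup(); the freed flag stands in for memory actually being released.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the ep0 request lifecycle described in the post (not kernel code). */
struct req { struct req *next; bool freed; };
struct ep0 { struct req *pending; };                 /* UDC's pending list for ep0 */
struct cdev { struct ep0 *ep; struct req *req; bool setup_pending; };

/* Model of usb_ep_queue(): the UDC links the request into its pending list. */
static void ep_queue(struct ep0 *ep, struct req *r) { r->next = ep->pending; ep->pending = r; }

/* Model of usb_ep_dequeue(): unlink the request so no dangling entry stays on the list. */
static void ep_dequeue(struct ep0 *ep, struct req *r) {
  for (struct req **pp = &ep->pending; *pp; pp = &(*pp)->next)
    if (*pp == r) { *pp = r->next; r->next = NULL; return; }
}

/* Function driver queues on ep0 and marks a setup request as in flight (the proposed flag). */
static void fn_queue_ep0(struct cdev *c) { ep_queue(c->ep, c->req); c->setup_pending = true; }

/* Model of composite_dev_cleanup(): with the fix, a pending request is dequeued before it is freed. */
static void composite_cleanup(struct cdev *c, bool with_fix) {
  if (with_fix && c->setup_pending) { ep_dequeue(c->ep, c->req); c->setup_pending = false; }
  c->req->freed = true;               /* stands in for usb_ep_free_request() */
}

/* Walk the pending list the way a completion path would; true if it reaches freed memory. */
static bool pending_list_touches_freed(struct ep0 *ep) {
  for (struct req *r = ep->pending; r; r = r->next)
    if (r->freed) return true;
  return false;
}

/* Replays the post's sequence: queue, disconnect before completion, reconnect, queue again.
 * Returns true if the next completion would walk into the stale (freed) request. */
bool stale_request_after_reconnect(bool with_fix) {
  struct ep0 ep = { NULL };
  struct req old = { NULL, false }, fresh = { NULL, false };
  struct cdev c = { &ep, &old, false };
  fn_queue_ep0(&c);                   /* ep0 request queued; completion never runs */
  composite_cleanup(&c, with_fix);    /* composition switch / physical disconnect */
  c.req = &fresh;                     /* next connect: a new ep0 request is queued */
  fn_queue_ep0(&c);
  return pending_list_touches_freed(&ep);
}
```

Without the flag the freed request is still reachable from the pending list after reconnect; with it, cleanup unlinks the request first and the list stays consistent.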