From david.vrabel@csr.com  Mon Oct 12 15:07:32 2009
From: David Vrabel <david.vrabel@csr.com>
Date: Mon, 12 Oct 2009 15:45:15 +0000
Subject: USB: whci-hcd: handle early deletion of endpoints
To: Greg KH <gregkh@suse.de>
Cc: linux-usb@vger.kernel.org, David Vrabel <david.vrabel@csr.com>
Message-ID: <1255362318-10226-4-git-send-email-david.vrabel@csr.com>


If an endpoint is deleted before it's been fully added to the hardware
list, the associated qset will not be fully initialized and an oops will
occur when complete(&qset->remove_complete) is called.  This can happen
if a queued URB is cancelled.

Fix this by only removing the qset from the hardware list if the
cancelled URB had qTDs.

Signed-off-by: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/host/whci/asl.c |   19 ++++++++++++-------
 drivers/usb/host/whci/pzl.c |   20 +++++++++++++-------
 2 files changed, 25 insertions(+), 14 deletions(-)

--- a/drivers/usb/host/whci/asl.c
+++ b/drivers/usb/host/whci/asl.c
@@ -305,6 +305,7 @@ int asl_urb_dequeue(struct whc *whc, str
 	struct whc_urb *wurb = urb->hcpriv;
 	struct whc_qset *qset = wurb->qset;
 	struct whc_std *std, *t;
+	bool has_qtd = false;
 	int ret;
 	unsigned long flags;
 
@@ -315,17 +316,21 @@ int asl_urb_dequeue(struct whc *whc, str
 		goto out;
 
 	list_for_each_entry_safe(std, t, &qset->stds, list_node) {
-		if (std->urb == urb)
+		if (std->urb == urb) {
+			if (std->qtd)
+				has_qtd = true;
 			qset_free_std(whc, std);
-		else
+		} else
 			std->qtd = NULL; /* so this std is re-added when the qset is */
 	}
 
-	asl_qset_remove(whc, qset);
-	wurb->status = status;
-	wurb->is_async = true;
-	queue_work(whc->workqueue, &wurb->dequeue_work);
-
+	if (has_qtd) {
+		asl_qset_remove(whc, qset);
+		wurb->status = status;
+		wurb->is_async = true;
+		queue_work(whc->workqueue, &wurb->dequeue_work);
+	} else
+		qset_remove_urb(whc, qset, urb, status);
 out:
 	spin_unlock_irqrestore(&whc->lock, flags);
 
--- a/drivers/usb/host/whci/pzl.c
+++ b/drivers/usb/host/whci/pzl.c
@@ -333,6 +333,7 @@ int pzl_urb_dequeue(struct whc *whc, str
 	struct whc_urb *wurb = urb->hcpriv;
 	struct whc_qset *qset = wurb->qset;
 	struct whc_std *std, *t;
+	bool has_qtd = false;
 	int ret;
 	unsigned long flags;
 
@@ -343,17 +344,22 @@ int pzl_urb_dequeue(struct whc *whc, str
 		goto out;
 
 	list_for_each_entry_safe(std, t, &qset->stds, list_node) {
-		if (std->urb == urb)
+		if (std->urb == urb) {
+			if (std->qtd)
+				has_qtd = true;
 			qset_free_std(whc, std);
-		else
+		} else
 			std->qtd = NULL; /* so this std is re-added when the qset is */
 	}
 
-	pzl_qset_remove(whc, qset);
-	wurb->status = status;
-	wurb->is_async = false;
-	queue_work(whc->workqueue, &wurb->dequeue_work);
-
+	if (has_qtd) {
+		pzl_qset_remove(whc, qset);
+		update_pzl_hw_view(whc);
+		wurb->status = status;
+		wurb->is_async = false;
+		queue_work(whc->workqueue, &wurb->dequeue_work);
+	} else
+		qset_remove_urb(whc, qset, urb, status);
 out:
 	spin_unlock_irqrestore(&whc->lock, flags);