UPSTREAM: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request

As per the documentation, function usb_ep_free_request guarantees
the request will not be queued or no longer be re-queued (or
otherwise used). However, with the current implementation it
doesn't make sure that the request in ep0 isn't reused.

Fix this by dequeuing the ep0req on functionfs_unbind before
freeing the request to align with the definition.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami <>
Tested-by: Krishna Kurapati <>
Signed-off-by: Greg Kroah-Hartman <>

Bug: 265837309
Bug: 266213784
(cherry picked from commit ce405d561b020e5a46340eb5146805a625dcacee usb-linus)
Change-Id: Idbc5f13cedac59cbc893d229383b01662f4e4a03
Signed-off-by: Prashanth K <>
Signed-off-by: Lee Jones <>
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 5fd4fc4..914bbc91 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1900,6 +1900,8 @@
 	if (!WARN_ON(!ffs->gadget)) {
+		/* dequeue before freeing ep0req */
+		usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);
 		usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
 		ffs->ep0req = NULL;
 		ffs->gadget = NULL;