USB: gadgetfs AIO tweaks

This patch (as837) fixes several mistakes in the AIO interface of the
gadgetfs driver:

	The ki_retry method is not supposed to do a put on the kiocb.
	The extra call to aio_put_req() causes memory corruption.
	(Note: This call was removed before, by patch as691, and then
	mysteriously re-introduced later.)

	Even if a read transfer is cancelled, we can and should send
	to the user all the data that did manage to get transferred.

	Testing for AIO cancellation in the I/O completion handler
	is both racy and (now) unnecessary.  aio_complete() does its
	own checking, in a safe manner.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/usb/gadget/inode.c

@@ -576,7 +576,6 @@ static ssize_t ep_aio_read_retry(struct kiocb *iocb)
 	}
 	kfree(priv->buf);
 	kfree(priv);
-	aio_put_req(iocb);
 	return len;
 }
 
@@ -590,18 +589,17 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
 	spin_lock(&epdata->dev->lock);
 	priv->req = NULL;
 	priv->epdata = NULL;
-	if (priv->iv == NULL
+
-			|| unlikely(req->actual == 0)
+	/* if this was a write or a read returning no data then we
-			|| unlikely(kiocbIsCancelled(iocb))) {
+	 * don't need to copy anything to userspace, so we can
+	 * complete the aio request immediately.
+	 */
+	if (priv->iv == NULL || unlikely(req->actual == 0)) {
 		kfree(req->buf);
 		kfree(priv);
 		iocb->private = NULL;
 		/* aio_complete() reports bytes-transferred _and_ faults */
-		if (unlikely(kiocbIsCancelled(iocb)))
+		aio_complete(iocb, req->actual ? req->actual : req->status,
-			aio_put_req(iocb);
-		else
-			aio_complete(iocb,
-				req->actual ? req->actual : req->status,
 				req->status);
 	} else {
 		/* retry() won't report both; so we hide some faults */