Skip to content

Commit

Permalink
usb: gadget: udc-core: fix a regression during gadget driver unbinding
Browse files Browse the repository at this point in the history 
This patch (as1666) fixes a regression in the UDC core.  The core
takes care of unbinding gadget drivers, and it does the unbinding
before telling the UDC driver to turn off the controller hardware.
When the call to the udc_stop callback is made, the gadget no longer
has a driver.  The callback routine should not be invoked with a
pointer to the old driver; doing so can cause problems (such as
use-after-free accesses in net2280).

This patch should be applied, with appropriate context changes, to all
the stable kernels going back to 3.1.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
  • Loading branch information
Alan Stern authored and Felipe Balbi committed Mar 20, 2013
1 parent 699412d commit 511f3c5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/usb/gadget/udc-core.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -216,7 +216,7 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
usb_gadget_disconnect(udc->gadget);
udc->driver->disconnect(udc->gadget);
udc->driver->unbind(udc->gadget);
usb_gadget_udc_stop(udc->gadget, udc->driver);
usb_gadget_udc_stop(udc->gadget, NULL);

udc->driver = NULL;
udc->dev.driver = NULL;
Expand Down

0 comments on commit 511f3c5

Please sign in to comment.