aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2013-03-15 14:02:14 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-04-05 09:26:05 -0700
commitcf0dd5c0a89b0b5d15073fdbbefdaea627e38966 (patch)
treeafeb18d7c166f96814cd0764e65ee5df40ccc5ce
parent0a9f03287a9290fb61aa74604b4f8fd7fdd3b64e (diff)
usb: gadget: udc-core: fix a regression during gadget driver unbinding
commit 511f3c5326eabe1ece35202a404c24c0aeacc246 upstream. This patch (as1666) fixes a regression in the UDC core. The core takes care of unbinding gadget drivers, and it does the unbinding before telling the UDC driver to turn off the controller hardware. When the call to the udc_stop callback is made, the gadget no longer has a driver. The callback routine should not be invoked with a pointer to the old driver; doing so can cause problems (such as use-after-free accesses in net2280). This patch should be applied, with appropriate context changes, to all the stable kernels going back to 3.1. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/gadget/udc-core.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c
index 4d90a800063..34a39076d3b 100644
--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -265,7 +265,7 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
usb_gadget_disconnect(udc->gadget);
udc->driver->disconnect(udc->gadget);
udc->driver->unbind(udc->gadget);
- usb_gadget_udc_stop(udc->gadget, udc->driver);
+ usb_gadget_udc_stop(udc->gadget, NULL);
} else {
usb_gadget_stop(udc->gadget, udc->driver);
}