[ 3.5.y.z extended stable ] Patch "usb: gadget: udc-core: fix a regression during gadget driver" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Mon Mar 25 18:02:38 UTC 2013 

This is a note to let you know that I have just added a patch titled

    usb: gadget: udc-core: fix a regression during gadget driver

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 4d020b04215c9811df493a3f24fe91205fe356b5 Mon Sep 17 00:00:00 2001
From: Alan Stern <stern at rowland.harvard.edu>
Date: Fri, 15 Mar 2013 14:02:14 -0400
Subject: [PATCH] usb: gadget: udc-core: fix a regression during gadget driver
 unbinding

commit 511f3c5326eabe1ece35202a404c24c0aeacc246 upstream.

This patch (as1666) fixes a regression in the UDC core.  The core
takes care of unbinding gadget drivers, and it does the unbinding
before telling the UDC driver to turn off the controller hardware.
When the call to the udc_stop callback is made, the gadget no longer
has a driver.  The callback routine should not be invoked with a
pointer to the old driver; doing so can cause problems (such as
use-after-free accesses in net2280).

This patch should be applied, with appropriate context changes, to all
the stable kernels going back to 3.1.

Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi at ti.com>
[ luis: backported to 3.5; adjust context ]
Luis Henriques <luis.henriques at canonical.com>
---
 drivers/usb/gadget/udc-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c
index e5e44f8..b0af333 100644
--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -265,7 +265,7 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
 		udc->driver->disconnect(udc->gadget);
 		usb_gadget_disconnect(udc->gadget);
 		udc->driver->unbind(udc->gadget);
-		usb_gadget_udc_stop(udc->gadget, udc->driver);
+		usb_gadget_udc_stop(udc->gadget, NULL);
 	} else {
 		usb_gadget_stop(udc->gadget, udc->driver);
 	}
--
1.8.1.2

More information about the kernel-team mailing list