usb: gadget: udc-core: Race between disconnect/unbind and setup
authorKevin Cernekee <cernekee@gmail.com>
Thu, 9 Aug 2012 08:23:52 +0000 (11:23 +0300)
committerFelipe Balbi <balbi@ti.com>
Thu, 23 Aug 2012 08:04:19 +0000 (11:04 +0300)
usb_gadget_remove_driver() runs through a four-step sequence to shut down
the gadget driver.  For the case of a composite gadget + at91 UDC, this
would look like:

    udc->driver->disconnect(udc->gadget);          // composite_disconnect()
    usb_gadget_disconnect(udc->gadget);            // at91_pullup(gadget, 0)
    udc->driver->unbind(udc->gadget);              // composite_unbind()
    usb_gadget_udc_stop(udc->gadget, udc->driver); // at91_stop()

The UDC driver can receive SETUP packets from the host up until the
point when usb_gadget_disconnect() returns.  On rare occasions, the
gadget driver may see this sequence:

    udc->driver->disconnect(udc->gadget);          // composite_disconnect()
    udc->driver->setup(udc->gadget, &ctrl);        // composite_setup()
    udc->driver->unbind(udc->gadget);              // composite_unbind()

Some gadget drivers, such as composite, assume this will never happen
and crash as a result.

The fix is to quiesce the UDC hardware (via usb_gadget_disconnect)
before running the gadget driver through the disconnect/unbind sequence.

Reviewed-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
drivers/usb/gadget/udc-core.c

index e5e44f8cde9a3c99052e19e5e8c641ab3123a534..bae243c23141ec44c8c473491a3c1f591e28b3d0 100644 (file)
@@ -262,8 +262,8 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
        kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
 
        if (udc_is_newstyle(udc)) {
-               udc->driver->disconnect(udc->gadget);
                usb_gadget_disconnect(udc->gadget);
+               udc->driver->disconnect(udc->gadget);
                udc->driver->unbind(udc->gadget);
                usb_gadget_udc_stop(udc->gadget, udc->driver);
        } else {