    usb: gadget: udc-core: Race between disconnect/unbind and setup · 974e9323
    Kevin Cernekee committed on
    usb_gadget_remove_driver() runs through a four-step sequence to shut down
    the gadget driver.  For the case of a composite gadget + at91 UDC, this
    would look like:
    
        udc->driver->disconnect(udc->gadget);          // composite_disconnect()
        usb_gadget_disconnect(udc->gadget);            // at91_pullup(gadget, 0)
        udc->driver->unbind(udc->gadget);              // composite_unbind()
        usb_gadget_udc_stop(udc->gadget, udc->driver); // at91_stop()
    
    The UDC driver can receive SETUP packets from the host up until the
    point when usb_gadget_disconnect() returns.  On rare occasions, the
    gadget driver may see this sequence:
    
        udc->driver->disconnect(udc->gadget);          // composite_disconnect()
        udc->driver->setup(udc->gadget, &ctrl);        // composite_setup()
        udc->driver->unbind(udc->gadget);              // composite_unbind()
    
    Some gadget drivers, such as composite, assume this will never happen
    and crash as a result.
    
    The fix is to quiesce the UDC hardware (via usb_gadget_disconnect)
    before running the gadget driver through the disconnect/unbind sequence.
    Reviewed-by: Peter Chen <peter.chen@freescale.com>
    Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
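The ordering problem described in the commit message above, as an added user-space model (not part of the commit or of the kernel source): it tries a SETUP arrival in every gap of the old and the new shutdown sequence and counts the gaps in which setup() would reach a driver that has already seen disconnect(). The enum, struct and function names are hypothetical, and the model assumes SETUP delivery stops exactly when usb_gadget_disconnect() drops the pull-up.

```c
#include <stdio.h>

/* Steps of the shutdown sequence, named after the calls in the commit message. */
enum step { DRV_DISCONNECT, GADGET_DISCONNECT, DRV_UNBIND, UDC_STOP };

/* Order before the fix, and the order the message describes as the fix. */
static const enum step old_order[4] =
    { DRV_DISCONNECT, GADGET_DISCONNECT, DRV_UNBIND, UDC_STOP };
static const enum step new_order[4] =
    { GADGET_DISCONNECT, DRV_DISCONNECT, DRV_UNBIND, UDC_STOP };

struct model {            /* constructed state, not a kernel structure */
    int pullup_on;        /* host can still deliver SETUP while set */
    int drv_disconnected; /* driver->disconnect() has run */
    int drv_unbound;      /* driver->unbind() has run */
};

static void run_step(struct model *m, enum step s)
{
    switch (s) {
    case DRV_DISCONNECT:    m->drv_disconnected = 1; break;
    case GADGET_DISCONNECT: m->pullup_on = 0;        break;
    case DRV_UNBIND:        m->drv_unbound = 1;      break;
    case UDC_STOP:          break;
    }
}

/* 1 if a SETUP arriving now reaches a driver already disconnected or unbound. */
static int setup_is_hazard(const struct model *m)
{
    return m->pullup_on && (m->drv_disconnected || m->drv_unbound);
}

/* Try a SETUP arrival before each step and after the last; count hazardous gaps. */
int count_hazard_windows(const enum step order[4])
{
    int hazards = 0;
    for (int gap = 0; gap <= 4; gap++) {
        struct model m = { 1, 0, 0 };   /* connected, driver bound */
        for (int i = 0; i < gap; i++)
            run_step(&m, order[i]);
        hazards += setup_is_hazard(&m);
    }
    return hazards;
}

int main(void)
{
    printf("old order: %d hazardous gap(s)\n", count_hazard_windows(old_order));
    printf("new order: %d hazardous gap(s)\n", count_hazard_windows(new_order));
    return 0;
}
```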
udc-core.c 13.7 KB