releases/3.4.4/usb-musb_gadget-fix-crash-caused-by-dangling-pointer.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 08f75bf14fadaa81fe362d5acda9b77b113dd0a2 Mon Sep 17 00:00:00 2001
 From: Grazvydas Ignotas <notasas@gmail.com>
 Date: Sat, 26 May 2012 00:21:33 +0300
 Subject: usb: musb_gadget: fix crash caused by dangling pointer

 From: Grazvydas Ignotas <notasas@gmail.com>

 commit 08f75bf14fadaa81fe362d5acda9b77b113dd0a2 upstream.

 usb_ep_ops.disable must clear external copy of the endpoint descriptor,
 otherwise musb crashes after loading/unloading several gadget modules
 in a row:

 Unable to handle kernel paging request at virtual address bf013730
 pgd = c0004000
 [bf013730] *pgd=8f26d811, *pte=00000000, *ppte=00000000
 Internal error: Oops: 7 [#1]
 Modules linked in: g_cdc [last unloaded: g_file_storage]
 CPU: 0    Not tainted  (3.2.17 #647)
 PC is at musb_gadget_enable+0x4c/0x24c
 LR is at _raw_spin_lock_irqsave+0x4c/0x58
 [<c027c030>] (musb_gadget_enable+0x4c/0x24c) from [<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc])
 [<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc]) from [<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc])
 [<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc]) from [<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc])
 [<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc]) from [<c027b744>] (musb_g_ep0_irq+0x844/0x924)
 [<c027b744>] (musb_g_ep0_irq+0x844/0x924) from [<c027a97c>] (musb_interrupt+0x79c/0x864)
 [<c027a97c>] (musb_interrupt+0x79c/0x864) from [<c027aaa8>] (generic_interrupt+0x64/0x7c)
 [<c027aaa8>] (generic_interrupt+0x64/0x7c) from [<c00797cc>] (handle_irq_event_percpu+0x28/0x178)
 ...

 Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
 Signed-off-by: Felipe Balbi <balbi@ti.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/usb/musb/musb_gadget.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/drivers/usb/musb/musb_gadget.c
 +++ b/drivers/usb/musb/musb_gadget.c
 @@ -1232,6 +1232,7 @@ static int musb_gadget_disable(struct us
  	}

  	musb_ep->desc = NULL;
 +	musb_ep->end_point.desc = NULL;

  	/* abort all pending DMA and requests */
  	nuke(musb_ep, -ESHUTDOWN);
	From 08f75bf14fadaa81fe362d5acda9b77b113dd0a2 Mon Sep 17 00:00:00 2001
	From: Grazvydas Ignotas <notasas@gmail.com>
	Date: Sat, 26 May 2012 00:21:33 +0300
	Subject: usb: musb_gadget: fix crash caused by dangling pointer

	From: Grazvydas Ignotas <notasas@gmail.com>

	commit 08f75bf14fadaa81fe362d5acda9b77b113dd0a2 upstream.

	usb_ep_ops.disable must clear external copy of the endpoint descriptor,
	otherwise musb crashes after loading/unloading several gadget modules
	in a row:

	Unable to handle kernel paging request at virtual address bf013730
	pgd = c0004000
	[bf013730] pgd=8f26d811, pte=00000000, *ppte=00000000
	Internal error: Oops: 7 [#1]
	Modules linked in: g_cdc [last unloaded: g_file_storage]
	CPU: 0 Not tainted (3.2.17 #647)
	PC is at musb_gadget_enable+0x4c/0x24c
	LR is at _raw_spin_lock_irqsave+0x4c/0x58
	[<c027c030>] (musb_gadget_enable+0x4c/0x24c) from [<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc])
	[<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc]) from [<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc])
	[<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc]) from [<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc])
	[<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc]) from [<c027b744>] (musb_g_ep0_irq+0x844/0x924)
	[<c027b744>] (musb_g_ep0_irq+0x844/0x924) from [<c027a97c>] (musb_interrupt+0x79c/0x864)
	[<c027a97c>] (musb_interrupt+0x79c/0x864) from [<c027aaa8>] (generic_interrupt+0x64/0x7c)
	[<c027aaa8>] (generic_interrupt+0x64/0x7c) from [<c00797cc>] (handle_irq_event_percpu+0x28/0x178)
	...

	Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
	Signed-off-by: Felipe Balbi <balbi@ti.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/usb/musb/musb_gadget.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/drivers/usb/musb/musb_gadget.c
	+++ b/drivers/usb/musb/musb_gadget.c
	@@ -1232,6 +1232,7 @@ static int musb_gadget_disable(struct us
	}

	musb_ep->desc = NULL;
	+ musb_ep->end_point.desc = NULL;

	/* abort all pending DMA and requests */
	nuke(musb_ep, -ESHUTDOWN);