[PATCH] usb: gadget: udc-core: call udc_stop() before gadget unbind

From: Robert Baldyga
Date: Fri Dec 12 2014 - 08:17:48 EST

As usb function drivers assume that all usb requests will be completed
before the function unbind call, we should supply such behavior. In some
cases ep_disable() won't kill all requests effectively, because some
IN requests can be in running state. In such a situation it's possible
to have the unbind function called before the last request completion, which
can cause problems.

For example, unbinding the f_ecm function while a request on the 'notify' endpoint
is not completed ends up in a NULL pointer dereference in the unbind() function.

The usb_gadget_udc_stop() call causes completion of all requests, so if it's
called before gadget unbind there is no risk that some of the requests will
stay uncompleted.

Signed-off-by: Robert Baldyga <r.baldyga@xxxxxxxxxxx>
drivers/usb/gadget/udc/udc-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/udc-core.c b/drivers/usb/gadget/udc/udc-core.c
index e31d574..6f0d233 100644
--- a/drivers/usb/gadget/udc/udc-core.c
+++ b/drivers/usb/gadget/udc/udc-core.c
@@ -331,8 +331,8 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)

- udc->driver->unbind(udc->gadget);
+ udc->driver->unbind(udc->gadget);

udc->driver = NULL;
udc->dev.driver = NULL;
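Review bot: the relocated `udc->driver->unbind(udc->gadget);` line carries an ordering requirement that nothing in the hunk documents. Per the commit message, unbind() is only safe once usb_gadget_udc_stop() has completed every outstanding request, so please add a short comment above the unbind call saying that the UDC must already be stopped at this point. Without it, a later cleanup could reorder the two calls again and bring back the NULL pointer dereference described for f_ecm. The changelog should also say whether every UDC driver's stop callback really gives back in-flight requests, because the fix depends on that and the hunk itself does not enforce it. As the lines appear here, the removed and added unbind lines are textually identical and the stop call is not shown, so the new order cannot be confirmed from this hunk alone.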

