Revert "[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer"

This reverts commit 786dc1d3d7333f269e17d742886eac2188a2d9cc.

As Al so eloquently points out, the patch is crap. The old code was fine,
the new code was bogus.

It never dereferenced a user pointer, the "->" operator was to an array
member, which gives the _address_ of the member (in user space), not an
actual dereference at all.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3f8e062..bcbeaf7 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1078,9 +1078,7 @@
 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
 		return -EFAULT;
 
-	return proc_do_submiturb(ps, &uurb,
-		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
-		arg);
+	return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
 }
 
 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
@@ -1205,9 +1203,7 @@
 	if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
 		return -EFAULT;
 
-	return proc_do_submiturb(ps, &uurb,
-		(struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
-		arg);
+	return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
 }
 
 static int processcompl_compat(struct async *as, void __user * __user *arg)