diff options
| author | Baolin Wang <baolin.wang@linaro.org> | 2017-01-03 19:28:47 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-01-12 13:39:12 +0300 |
| commit | 78ccc1966c9e3dc379a89fb3efb06db35a297680 (patch) | |
| tree | 08d10b1863a006c09bd4199d62497596eff38c11 | |
| parent | a2118d0974095b994a8aa7b32a6a213b961f4f3e (diff) | |
| download | linux-78ccc1966c9e3dc379a89fb3efb06db35a297680.tar.xz | |
usb: host: xhci: Fix possible wild pointer when handling abort command
commit 2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597 upstream.
When current command was supposed to be aborted, host will free the command
in handle_cmd_completion() function. But it might be still referenced by
xhci->current_cmd, which need to set NULL.
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/host/xhci-ring.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index f7431f4df5a3..8a8c133280ab 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1368,8 +1368,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, */ if (cmd_comp_code == COMP_CMD_ABORT) { xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; - if (cmd->status == COMP_CMD_ABORT) + if (cmd->status == COMP_CMD_ABORT) { + if (xhci->current_cmd == cmd) + xhci->current_cmd = NULL; goto event_handled; + } } cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3])); |