From: lyz Date: Fri, 28 Mar 2014 03:37:03 +0000 (+0800) Subject: usb: qtd usb-after-free X-Git-Tag: firefly_0821_release~5754 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=57d0c9d8d7423e197b0e4bc4b22c4757801625f7;p=firefly-linux-kernel-4.4.55.git usb: qtd usb-after-free --- diff --git a/drivers/usb/dwc_otg_310/dwc_otg_hcd_ddma.c b/drivers/usb/dwc_otg_310/dwc_otg_hcd_ddma.c index e5dfa4c600c1..146e527ea0bd 100755 --- a/drivers/usb/dwc_otg_310/dwc_otg_hcd_ddma.c +++ b/drivers/usb/dwc_otg_310/dwc_otg_hcd_ddma.c @@ -665,7 +665,7 @@ static void init_non_isoc_dma_desc(dwc_otg_hcd_t * hcd, dwc_otg_qh_t * qh) qtd->in_process = 1; - if (qh->ep_type == UE_CONTROL) + if (qh->ep_type == UE_CONTROL) break; if (n_desc == MAX_DMA_DESC_NUM_GENERIC) @@ -716,7 +716,6 @@ void dwc_otg_hcd_start_xfer_ddma(dwc_otg_hcd_t * hcd, dwc_otg_qh_t * qh) init_non_isoc_dma_desc(hcd, qh); update_frame_list(hcd, qh, 1); - dwc_otg_hc_start_transfer_ddma(hcd->core_if, hc); break; case DWC_OTG_EP_TYPE_ISOC: @@ -943,13 +942,12 @@ static void complete_non_isoc_xfer_ddma(dwc_otg_hcd_t * hcd, dwc_otg_qtd_t *qtd, *qtd_tmp; dwc_otg_qh_t *qh; dwc_otg_host_dma_desc_t *dma_desc; - uint32_t n_bytes, n_desc, i; + uint32_t n_bytes, n_desc, i, qtd_n_desc; uint8_t failed = 0, xfer_done; n_desc = 0; qh = hc->qh; - if (hc->halt_status == DWC_OTG_HC_XFER_URB_DEQUEUE) { DWC_CIRCLEQ_FOREACH_SAFE(qtd, qtd_tmp, &hc->qh->qtd_list, qtd_list_entry) { qtd->in_process = 0; @@ -963,8 +961,8 @@ static void complete_non_isoc_xfer_ddma(dwc_otg_hcd_t * hcd, n_bytes = 0; xfer_done = 0; - - for (i = 0; i < qtd->n_desc; i++) { + qtd_n_desc = qtd->n_desc; + for (i = 0; i < qtd_n_desc; i++) { dma_desc = &qh->desc_list[n_desc]; n_bytes = qh->n_bytes[n_desc];