From: Sarah Sharp Date: Fri, 30 Apr 2010 22:37:56 +0000 (-0700) Subject: USB: xhci: Avoid double free after streams are disabled. X-Git-Tag: firefly_0821_release~9833^2~2085^2~117 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8a007748fbadb8317d0af289f3bca5694354d63a;p=firefly-linux-kernel-4.4.55.git USB: xhci: Avoid double free after streams are disabled. When a device is disconnected, xhci_free_virt_device() is called. Ramya found that if the device had streams enabled, and then the driver freed the streams with a call to usb_free_streams(), then about a minute after he had called this, his machine crashed with a Bad DMA error. It turns out that xhci_free_virt_device() would attempt to free the endpoint's stream_info data structure if it wasn't NULL, and the free streams function was not setting it to NULL after freeing it. Signed-off-by: Sarah Sharp Tested-by: Ramya Desai Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 59f38a5f2fe6..a9b836d4b290 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1746,6 +1746,7 @@ cleanup: for (i = 0; i < num_eps; i++) { ep_index = xhci_get_endpoint_index(&eps[i]->desc); xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info); + vdev->eps[ep_index].stream_info = NULL; /* FIXME Unset maxPstreams in endpoint context and * update deq ptr to point to normal string ring. */ @@ -1826,6 +1827,7 @@ int xhci_free_streams(struct usb_hcd *hcd, struct usb_device *udev, for (i = 0; i < num_eps; i++) { ep_index = xhci_get_endpoint_index(&eps[i]->desc); xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info); + vdev->eps[ep_index].stream_info = NULL; /* FIXME Unset maxPstreams in endpoint context and * update deq ptr to point to normal string ring. */