From: Thomas Pugliese Date: Tue, 4 Mar 2014 17:24:56 +0000 (-0600) Subject: usb: wusbcore: don't mark WA_SEG_DTI_PENDING segs as done in urb_dequeue X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5090ecea133325f762704f00963bca1b024ee691;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git usb: wusbcore: don't mark WA_SEG_DTI_PENDING segs as done in urb_dequeue Data for transfer segments in the WA_SEG_DTI_PENDING state is actively being read by the driver. Let the buffer read callback handle the transfer cleanup since cleaning it up in wa_urb_dequeue will cause the read callback to access invalid memory if the transfer is completed. Signed-off-by: Thomas Pugliese Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c index 6e0d377d437c..cf7c95ceebe0 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c @@ -2005,6 +2005,16 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) case WA_SEG_DONE: case WA_SEG_ERROR: case WA_SEG_ABORTED: + break; + /* + * The buf_in data for a segment in the + * WA_SEG_DTI_PENDING state is actively being read. + * Let wa_buf_in_cb handle it since it will be called + * and will increment xfer->segs_done. Cleaning up + * here could cause wa_buf_in_cb to access the xfer + * after it has been completed/freed. + */ + case WA_SEG_DTI_PENDING: break; /* * In the states below, the HWA device already knows @@ -2015,7 +2025,6 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) */ case WA_SEG_SUBMITTED: case WA_SEG_PENDING: - case WA_SEG_DTI_PENDING: /* * Check if the abort was successfully sent. This could * be false if the HWA has been removed but we haven't