From 5090ecea133325f762704f00963bca1b024ee691 Mon Sep 17 00:00:00 2001 From: Thomas Pugliese Date: Tue, 4 Mar 2014 11:24:56 -0600 Subject: usb: wusbcore: don't mark WA_SEG_DTI_PENDING segs as done in urb_dequeue Data for transfer segments in the WA_SEG_DTI_PENDING state is actively being read by the driver. Let the buffer read callback handle the transfer cleanup since cleaning it up in wa_urb_dequeue will cause the read callback to access invalid memory if the transfer is completed. Signed-off-by: Thomas Pugliese Signed-off-by: Greg Kroah-Hartman --- drivers/usb/wusbcore/wa-xfer.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c index 6e0d377d437..cf7c95ceebe 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c @@ -2005,6 +2005,16 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) case WA_SEG_DONE: case WA_SEG_ERROR: case WA_SEG_ABORTED: + break; + /* + * The buf_in data for a segment in the + * WA_SEG_DTI_PENDING state is actively being read. + * Let wa_buf_in_cb handle it since it will be called + * and will increment xfer->segs_done. Cleaning up + * here could cause wa_buf_in_cb to access the xfer + * after it has been completed/freed. + */ + case WA_SEG_DTI_PENDING: break; /* * In the states below, the HWA device already knows @@ -2015,7 +2025,6 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) */ case WA_SEG_SUBMITTED: case WA_SEG_PENDING: - case WA_SEG_DTI_PENDING: /* * Check if the abort was successfully sent. This could * be false if the HWA has been removed but we haven't -- cgit v1.2.3-70-g09d2