usb: host: xhci: Fix possible wild pointer when handling abort command

commit 2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597 upstream. When current command was supposed to be aborted, host will free the command in handle_cmd_completion() function. But it might be still referenced by xhci->current_cmd, which need to set NULL. Signed-off-by: Baolin Wang <baolin.wang@linaro.org> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Baolin Wang <baolin.wang@linaro.org> 2017-01-03 18:28:47 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-12 11:22:45 +0100
commit: 86bb666386ee632879c278d9e95378aed5f99ed9 (patch)
tree: d498cf66c17aa7c8b5c2658ee15849d0175d5e64 /drivers/usb/host/xhci-ring.c
parent: 3447b37729341141c5e05a879d4caefccf81a3af (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 5f2951dd4d79..1ea3741bbe1a 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1365,8 +1365,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 	 */
 	if (cmd_comp_code == COMP_CMD_ABORT) {
 		xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
-		if (cmd->status == COMP_CMD_ABORT)
+		if (cmd->status == COMP_CMD_ABORT) {
+			if (xhci->current_cmd == cmd)
+				xhci->current_cmd = NULL;
 			goto event_handled;
+		}
 	}
 
 	cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));
author	Baolin Wang <baolin.wang@linaro.org>	2017-01-03 18:28:47 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-01-12 11:22:45 +0100
commit	86bb666386ee632879c278d9e95378aed5f99ed9 (patch)
tree	d498cf66c17aa7c8b5c2658ee15849d0175d5e64 /drivers/usb/host/xhci-ring.c
parent	3447b37729341141c5e05a879d4caefccf81a3af (diff)