USB: xhci: Avoid double free after streams are disabled.

When a device is disconnected, xhci_free_virt_device() is called.  Ramya
found that if the device had streams enabled, and then the driver freed
the streams with a call to usb_free_streams(), then about a minute after
he had called this, his machine crashed with a Bad DMA error.  It turns
out that xhci_free_virt_device() would attempt to free the endpoint's
stream_info data structure if it wasn't NULL, and the free streams
function was not setting it to NULL after freeing it.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Tested-by: Ramya Desai <ramya.desai@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 59f38a5..a9b836d 100644 (file)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1746,6 +1746,7 @@ cleanup:
        for (i = 0; i < num_eps; i++) {
                ep_index = xhci_get_endpoint_index(&eps[i]->desc);
                xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info);
+               vdev->eps[ep_index].stream_info = NULL;
                /* FIXME Unset maxPstreams in endpoint context and
                 * update deq ptr to point to normal string ring.
                 */
@@ -1826,6 +1827,7 @@ int xhci_free_streams(struct usb_hcd *hcd, struct usb_device *udev,
        for (i = 0; i < num_eps; i++) {
                ep_index = xhci_get_endpoint_index(&eps[i]->desc);
                xhci_free_stream_info(xhci, vdev->eps[ep_index].stream_info);
+               vdev->eps[ep_index].stream_info = NULL;
                /* FIXME Unset maxPstreams in endpoint context and
                 * update deq ptr to point to normal string ring.
                 */