usb: host: xhci: Fix possible wild pointer when handling abort command

When current command was supposed to be aborted, host will free the command
in handle_cmd_completion() function. But it might be still referenced by
xhci->current_cmd, which need to set NULL.

Cc: <stable@vger.kernel.org>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 4 insertions, 1 deletions

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index acc37311c938..bc8be6f6669e 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1363,8 +1363,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
          */
         if (cmd_comp_code == COMP_CMD_ABORT) {
                 xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
-                if (cmd->status == COMP_CMD_ABORT)
+                if (cmd->status == COMP_CMD_ABORT) {
+                        if (xhci->current_cmd == cmd)
+                                xhci->current_cmd = NULL;
                         goto event_handled;
+                }
         }
 
         cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));