[045/119] USB: xhci: Fix bug memory free after failed initialization.

[Greg KH]

2.6.31-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Sarah Sharp <sarah.a.sharp@xxxxxxxxxxxxxxx>

commit d94c05e33d9212ee67b8d4998f984cc71df8168b upstream.

If the xHCI driver fails during the memory initialization, xhci->ir_set
may not be a valid pointer.  Check that it points to valid DMA'able memory
before writing to that address during the memory freeing process.

Signed-off-by: Sarah Sharp <sarah.a.sharp@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
 drivers/usb/host/xhci-mem.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -756,9 +756,11 @@ void xhci_mem_cleanup(struct xhci_hcd *x
 	int i;
 
 	/* Free the Event Ring Segment Table and the actual Event Ring */
-	xhci_writel(xhci, 0, &xhci->ir_set->erst_size);
-	xhci_write_64(xhci, 0, &xhci->ir_set->erst_base);
-	xhci_write_64(xhci, 0, &xhci->ir_set->erst_dequeue);
+	if (xhci->ir_set) {
+		xhci_writel(xhci, 0, &xhci->ir_set->erst_size);
+		xhci_write_64(xhci, 0, &xhci->ir_set->erst_base);
+		xhci_write_64(xhci, 0, &xhci->ir_set->erst_dequeue);
+	}
 	size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
 	if (xhci->erst.entries)
 		pci_free_consistent(pdev, size,


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/