From 5090ecea133325f762704f00963bca1b024ee691 Mon Sep 17 00:00:00 2001
From: Thomas Pugliese <thomas.pugliese@gmail.com>
Date: Tue, 4 Mar 2014 11:24:56 -0600
Subject: usb: wusbcore: don't mark WA_SEG_DTI_PENDING segs as done in
 urb_dequeue

Data for transfer segments in the WA_SEG_DTI_PENDING state is actively
being read by the driver.  Let the buffer read callback handle the
transfer cleanup since cleaning it up in wa_urb_dequeue will cause the
read callback to access invalid memory if the transfer is completed.

Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 6e0d377..cf7c95c 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -2007,6 +2007,16 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status)
 		case WA_SEG_ABORTED:
 			break;
 			/*
+			 * The buf_in data for a segment in the
+			 * WA_SEG_DTI_PENDING state is actively being read.
+			 * Let wa_buf_in_cb handle it since it will be called
+			 * and will increment xfer->segs_done.  Cleaning up
+			 * here could cause wa_buf_in_cb to access the xfer
+			 * after it has been completed/freed.
+			 */
+		case WA_SEG_DTI_PENDING:
+			break;
+			/*
 			 * In the states below, the HWA device already knows
 			 * about the transfer.  If an abort request was sent,
 			 * allow the HWA to process it and wait for the
@@ -2015,7 +2025,6 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status)
 			 */
 		case WA_SEG_SUBMITTED:
 		case WA_SEG_PENDING:
-		case WA_SEG_DTI_PENDING:
 			/*
 			 * Check if the abort was successfully sent.  This could
 			 * be false if the HWA has been removed but we haven't
-- 
cgit v0.10.2