From f34541d7e823bff1be8e0d497e01dcbaf9c65edb Mon Sep 17 00:00:00 2001 From: Alex Elder Date: Tue, 25 Nov 2014 16:54:03 -0600 Subject: [PATCH] greybus: ignore a null cookie when canceling buffer It's possible for an in-flight buffer to be recorded as sent *after* a thread has begin the process of canceling it. In that case the Greybus message cookie will be set to NULL, and that value can end up getting passed to buffer_cancel(). Change buffer_cancel() so it properly handles (ignores) a null cookie pointer. Signed-off-by: Alex Elder Signed-off-by: Greg Kroah-Hartman --- drivers/staging/greybus/es1-ap-usb.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/staging/greybus/es1-ap-usb.c b/drivers/staging/greybus/es1-ap-usb.c index 204784329716..1832d0f41b8a 100644 --- a/drivers/staging/greybus/es1-ap-usb.c +++ b/drivers/staging/greybus/es1-ap-usb.c @@ -245,16 +245,22 @@ static void *buffer_send(struct greybus_host_device *hd, u16 dest_cport_id, return conceal_urb(urb); } +/* + * The cookie value supplied is the value that buffer_send() + * returned to its caller. It identifies the buffer that should be + * canceled. This function must also handle (which is to say, + * ignore) a null cookie value. + */ static void buffer_cancel(void *cookie) { - struct urb *urb = reveal_urb(cookie); /* * We really should be defensive and track all outstanding * (sent) buffers rather than trusting the cookie provided * is valid. For the time being, this will do. */ - usb_kill_urb(urb); + if (cookie) + usb_kill_urb(reveal_urb(cookie)); } static struct greybus_host_driver es1_driver = { -- 2.39.5