ring_doorbell_for_active_rings() API is being called from multiple context. This specific API tries to get virt_dev based endpoint using passed slot_id and ep_index. Some caller API is having check against slot_id and ep_index using xhci_get_virt_ep() API whereas xhci_handle_cmd_config_ep() API only check ep_index against -1 value but not upper bound i.e. EP_CTX_PER_DEV. Hence use xhci_get_virt_ep() API to get virt_dev based endpoint which checks both slot_id and ep_index to get valid endpoint. Signed-off-by: Mayank Rana <quic_mrana@xxxxxxxxxxx> --- drivers/usb/host/xhci-ring.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index d0b6806..3bab4f3 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -62,6 +62,9 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, u32 field1, u32 field2, u32 field3, u32 field4, bool command_must_succeed); +static struct xhci_virt_ep *xhci_get_virt_ep(struct xhci_hcd *xhci, + unsigned int slot_id, unsigned int ep_index); + /* * Returns zero if the TRB isn't in this segment, otherwise it returns the DMA * address of the TRB. @@ -457,7 +460,9 @@ static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci, unsigned int stream_id; struct xhci_virt_ep *ep; - ep = &xhci->devs[slot_id]->eps[ep_index]; + ep = xhci_get_virt_ep(xhci, slot_id, ep_index); + if (!ep) + return; /* A ring has pending URBs if its TD list is not empty */ if (!(ep->ep_state & EP_HAS_STREAMS)) { -- 2.7.4