+ ep_index = xhci_get_endpoint_index(&host_ep->desc);
+
+ /*
+ * Usb core assumes a max packet value for ep0 on FS devices until the
+ * real value is read from the descriptor. Core resets Ep0 if values
+ * mismatch. Reconfigure the xhci ep0 endpoint context here in that case
+ */
+ if (usb_endpoint_xfer_control(&host_ep->desc) && ep_index == 0) {
+ udev = container_of(host_ep, struct usb_device, ep0);
+ if (udev->speed == USB_SPEED_FULL)
+ xhci_check_ep0_maxpacket(xhci, xhci->devs[udev->slot_id]);
+ /* Nothing else should be done here for ep0 during ep reset */
+ return;
+ }
+
Could there be a race condition between the xhci_endpoint_reset() and
xhci_free_dev() functions, resulting in the xhci->devs[udev->slot_id]
becoming null?
If so, a null pointer dereference will happen in
xhci_check_ep0_maxpacket() when accessing vdev->out_ctx.
They should not race. xhci_free_dev() and xhci_endpoint_reset() for endpoint 0 should only
be called by the hub driver, from hub_free_dev() and usb_ep0_reinit() respectively.
The hub driver takes care of concurrency for these.
Thanks
Mathias