From d953f720754e3a0111f62cfdc5c295acba9eb816 Mon Sep 17 00:00:00 2001
From: Andrew Thompson <thompsa@FreeBSD.org>
Date: Fri, 6 Mar 2009 17:04:47 +0000
Subject: [PATCH] Ensure the cached rq pointer is still valid before waking up
 the address, the zyd_cmd function may have timed out. It wouldnt cause a
 panic but could wakeup someone.

Spotted by:	HPS
---
 sys/dev/usb/wlan/if_zyd.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/sys/dev/usb/wlan/if_zyd.c b/sys/dev/usb/wlan/if_zyd.c
index 9eab351e24f7..fa9580a5843e 100644
--- a/sys/dev/usb/wlan/if_zyd.c
+++ b/sys/dev/usb/wlan/if_zyd.c
@@ -796,10 +796,14 @@ zyd_intr_write_callback(struct usb2_xfer *xfer)
 
 	switch (USB_GET_STATE(xfer)) {
 	case USB_ST_TRANSFERRED:
-		rqp = xfer->priv_fifo;
-		DPRINTF(sc, ZYD_DEBUG_CMD, "command %p transferred\n", rqp);
-		if ((rqp->flags & ZYD_CMD_FLAG_READ) == 0)
-			wakeup(rqp);	/* wakeup caller */
+		DPRINTF(sc, ZYD_DEBUG_CMD, "command %p transferred\n",
+		    xfer->priv_fifo);
+		STAILQ_FOREACH(rqp, &sc->sc_rqh, rq) {
+			/* Ensure the cached rq pointer is still valid */
+			if (rqp == xfer->priv_fifo &&
+			    (rqp->flags & ZYD_CMD_FLAG_READ) == 0)
+				wakeup(rqp);	/* wakeup caller */
+		}
 
 		/* FALLTHROUGH */
 	case USB_ST_SETUP: