Index: xhci.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/xhci.c,v
retrieving revision 1.106
diff -p -u -r1.106 xhci.c
--- xhci.c	17 Feb 2019 04:17:52 -0000	1.106
+++ xhci.c	7 May 2019 06:20:34 -0000
@@ -1839,6 +1839,19 @@ xhci_clear_endpoint_stall_async_task(voi
 	DPRINTFN(4, "xfer %#jx slot %ju dci %ju", (uintptr_t)xfer, xs->xs_idx,
 	    dci, 0);
 
+	/*
+	 * XXXMRG: Stall task can run after slot is disabled when yanked.
+	 * This hack notices that the xs has been memset() in
+	 * xhci_disable_slot() and returns.  Both xhci_reset_endpoint()
+	 * and xhci_set_dequeue() rely upon a valid ring setup for correct
+	 * operation, and the latter will fault, as would
+	 * usb_transfer_complete() if it got that far.
+	 */
+	if (xs->xs_idx == 0) {
+		DPRINTFN(4, "ends xs_idx is 0", 0, 0, 0, 0);
+		return;
+	}
+
 	xhci_reset_endpoint(xfer->ux_pipe);
 	xhci_set_dequeue(xfer->ux_pipe);
 
@@ -2085,7 +2098,7 @@ xhci_event_transfer(struct xhci_softc * 
 		KASSERTMSG((xfer->ux_status == USBD_CANCELLED ||
 		            xfer->ux_status == USBD_TIMEOUT),
 			   "xfer %p status %x", xfer, xfer->ux_status);
-		return;;
+		return;
 	}
 
 	/* Otherwise, set the status.  */