From: Peter Chen Date: Wed, 11 Mar 2015 02:07:47 +0000 (+0800) Subject: usb: gadget: lpc32xxx_udc: Fix NULL dereference X-Git-Tag: firefly_0821_release~176^2~2000^2~4^2~39 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=005a64307d5d3ef895e7821df4cad7739bab392e;p=firefly-linux-kernel-4.4.55.git usb: gadget: lpc32xxx_udc: Fix NULL dereference udc is then checked for NULL, if NULL, it is then dereferenced as udc->dev, it is found using Coccinelle. We simplify the code to fix this problem, and we delete some conditions at if {} which will never be met. Reported-by: Tapasweni Pathak Reported-by : Julia Lawall Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi
---
diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
index 27fd41333f71..3b6a7852822d 100644
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -1803,23 +1803,14 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
 req = container_of(_req, struct lpc32xx_request, req);
 ep = container_of(_ep, struct lpc32xx_ep, ep);
- if (!_req || !_req->complete || !_req->buf ||
+ if (!_ep || !_req || !_req->complete || !_req->buf ||
 !list_empty(&req->queue))
 return -EINVAL;
 udc = ep->udc;
- if (!_ep) {
- dev_dbg(udc->dev, "invalid ep\n");
- return -EINVAL;
- }
-
-
- if ((!udc) || (!udc->driver) ||
- (udc->gadget.speed == USB_SPEED_UNKNOWN)) {
- dev_dbg(udc->dev, "invalid device\n");
- return -EINVAL;
- }
+ if (udc->gadget.speed == USB_SPEED_UNKNOWN)
+ return -EPIPE;
 if (ep->lep) {
 struct lpc32xx_usbd_dd_gad *dd;
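Review bot: The rewritten guard before `if (ep->lep)` dereferences `udc` with no NULL test and no longer checks `udc->driver`, so it is only safe if `ep->udc` is always set and the speed is `USB_SPEED_UNKNOWN` whenever no gadget driver is bound; neither is visible in this hunk. If that invariant holds, record it above the check, e.g. `/* ep->udc is never NULL once the endpoint is initialised; speed stays USB_SPEED_UNKNOWN while no gadget driver is bound */`, otherwise keep the driver test as `if (!udc->driver || udc->gadget.speed == USB_SPEED_UNKNOWN)`. The error for this case also changes from `-EINVAL` to `-EPIPE` and both `dev_dbg()` messages are dropped, which the commit message does not mention, so callers that distinguish these errors should be checked. The two `container_of()` calls still run before the `!_ep || !_req` test; that is only pointer arithmetic, but moving them below the check would make the ordering obviously safe. lpc32xx_ep_queue() starts and ends outside the hunk.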