From 118d63f7f84cd400ba537f5d318c035c95c6776d Mon Sep 17 00:00:00 2001
From: Peter Chen <peter.chen@freescale.com>
Date: Wed, 11 Jan 2012 13:39:07 +0800
Subject: [PATCH] usb: gadget: fsl_udc: fix the usage of udc->max_ep

The max_ep is the number of endpoint * 2.

But in dtd_complete_irq, it does again * 2, it will deference wrong memory
after scanning max_ep - 1.

The another similar problem is at USB_REQ_SET_FEATURE (the pipe number
should be 0 and max_ep - 1).

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Matthieu castet <matthieu.castet@parrot.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
---
 drivers/usb/gadget/fsl_udc_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/fsl_udc_core.c b/drivers/usb/gadget/fsl_udc_core.c
index d7ea6c076ce9..b04712f19f1e 100644
--- a/drivers/usb/gadget/fsl_udc_core.c
+++ b/drivers/usb/gadget/fsl_udc_core.c
@@ -1430,7 +1430,7 @@ static void setup_received_irq(struct fsl_udc *udc,
 			int pipe = get_pipe_by_windex(wIndex);
 			struct fsl_ep *ep;
 
-			if (wValue != 0 || wLength != 0 || pipe > udc->max_ep)
+			if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep)
 				break;
 			ep = get_ep_by_pipe(udc, pipe);
 
@@ -1673,7 +1673,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
 	if (!bit_pos)
 		return;
 
-	for (i = 0; i < udc->max_ep * 2; i++) {
+	for (i = 0; i < udc->max_ep; i++) {
 		ep_num = i >> 1;
 		direction = i % 2;
 
-- 
2.34.1