From: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Apr 2023 20:06:25 +0200
The address of a data structure member was determined before
a corresponding null pointer check in the implementation of
the function “dwc2_hsotg_handle_outdone”.
Thus avoid the risk for undefined behaviour by moving the assignment
for the variable “req” behind some condition checks.
This issue was detected by using the Coccinelle software.
Fixes: 5b7d70c6dbf2 ("USB: Gadget driver for Samsung HS/OtG block")
Signed-off-by: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
---
drivers/usb/dwc2/gadget.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
index 8b15742d9e8a..cab04816dd6c 100644
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -2389,7 +2389,7 @@ static void dwc2_hsotg_handle_outdone(struct dwc2_hsotg *hsotg, int epnum)
u32 epsize = dwc2_readl(hsotg, DOEPTSIZ(epnum));
struct dwc2_hsotg_ep *hs_ep = hsotg->eps_out[epnum];
struct dwc2_hsotg_req *hs_req = hs_ep->req;
- struct usb_request *req = &hs_req->req;
+ struct usb_request *req;
unsigned int size_left = DXEPTSIZ_XFERSIZE_GET(epsize);
int result = 0;
@@ -2408,6 +2408,8 @@ static void dwc2_hsotg_handle_outdone(struct dwc2_hsotg *hsotg, int epnum)
if (using_desc_dma(hsotg))
size_left = dwc2_gadget_get_xfersize_ddma(hs_ep);
+ req = &hs_req->req;
+
if (using_dma(hsotg)) {
unsigned int size_done;
--
2.40.0
