This patch fixes multiple instances of null pointer dereference in this code. ep->udc is assigned to udc. ep is just an offset from _ep. _ep is then checked for NULL. udc is dereferenced under the NULL check for _ep, making an invalid pointer reference. udc is then checked for NULL, if NULL, it is then dereferenced as udc->dev. To fix these issues, shift assignment of udc by dereferencing ep after null check for _ep, replace both dev_dbg statements with pr_debug. Found using Coccinelle. Signed-off-by: Tapasweni Pathak <tapaswenipathak@xxxxxxxxx> Suggested-by : Julia Lawall <julia.lawall@xxxxxxx> Reviewed-by : Julia Lawall <julia.lawall@xxxxxxx> --- drivers/usb/gadget/udc/lpc32xx_udc.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c index 27fd413..6398539 100644 --- a/drivers/usb/gadget/udc/lpc32xx_udc.c +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c @@ -1807,17 +1807,16 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep, !list_empty(&req->queue)) return -EINVAL; - udc = ep->udc; - if (!_ep) { - dev_dbg(udc->dev, "invalid ep\n"); + pr_debug("invalid ep\n"); return -EINVAL; } + udc = ep->udc; if ((!udc) || (!udc->driver) || (udc->gadget.speed == USB_SPEED_UNKNOWN)) { - dev_dbg(udc->dev, "invalid device\n"); + pr_debug("invalid device\n"); return -EINVAL; } -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html