On 4/19/23 22:12, Markus Elfring wrote:
> Date: Wed, 19 Apr 2023 20:06:25 +0200
>
> The address of a data structure member was determined before
> a corresponding null pointer check in the implementation of
> the function “dwc2_hsotg_handle_outdone”.
>
> Thus avoid the risk for undefined behaviour by moving the assignment
> for the variable “req” behind some condition checks.
>
> This issue was detected by using the Coccinelle software.
>
> Fixes: 5b7d70c6dbf2db786395cbd21750a1a4ce222f84 ("USB: Gadget driver for Samsung HS/OtG block")
> Signed-off-by: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
Acked-by: Minas Harutyunyan <Minas.Harutyunyan@xxxxxxxxxxxx>
> ---
> drivers/usb/dwc2/gadget.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
> index 8b15742d9e8a..cab04816dd6c 100644
> --- a/drivers/usb/dwc2/gadget.c
> +++ b/drivers/usb/dwc2/gadget.c
> @@ -2389,7 +2389,7 @@ static void dwc2_hsotg_handle_outdone(struct dwc2_hsotg *hsotg, int epnum)
> u32 epsize = dwc2_readl(hsotg, DOEPTSIZ(epnum));
> struct dwc2_hsotg_ep *hs_ep = hsotg->eps_out[epnum];
> struct dwc2_hsotg_req *hs_req = hs_ep->req;
> - struct usb_request *req = &hs_req->req;
> + struct usb_request *req;
> unsigned int size_left = DXEPTSIZ_XFERSIZE_GET(epsize);
> int result = 0;
>
> @@ -2408,6 +2408,8 @@ static void dwc2_hsotg_handle_outdone(struct dwc2_hsotg *hsotg, int epnum)
> if (using_desc_dma(hsotg))
> size_left = dwc2_gadget_get_xfersize_ddma(hs_ep);
>
> + req = &hs_req->req;
> +
> if (using_dma(hsotg)) {
> unsigned int size_done;
>
> --
> 2.40.0
>
