From c1bc107624d20a2f8e91ab1a323047a224eb3884 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 28 May 2016 07:48:10 +0300 Subject: [PATCH] usb: f_fs: off by one bug in _ffs_func_bind() commit 0015f9156092d07b3ec06d37d014328419d5832e upstream. This loop is supposed to set all the .num[] values to -1 but it's off by one so it skips the first element and sets one element past the end of the array. I've cleaned up the loop a little as well. Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver') Acked-by: Michal Nazarewicz Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi [bwh: Backported to 3.2: - Adjust filename, context - Add 'i' for iteration but don't bother with 'eps_ptr' as the calculation is simpler here] Signed-off-by: Ben Hutchings --- drivers/usb/gadget/f_fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index c635c4c22284..9623556a8f1c 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -2165,7 +2165,7 @@ static int ffs_func_bind(struct usb_configuration *c, const int high = gadget_is_dualspeed(func->gadget) && func->ffs->hs_descs_count; - int ret; + int ret, i; /* Make it a single chunk, less management later on */ struct { @@ -2194,8 +2194,8 @@ static int ffs_func_bind(struct usb_configuration *c, memset(data->eps, 0, sizeof data->eps); memcpy(data->raw_descs, ffs->raw_descs + 16, sizeof data->raw_descs); memset(data->inums, 0xff, sizeof data->inums); - for (ret = ffs->eps_count; ret; --ret) - data->eps[ret].num = -1; + for (i = 0; i < ffs->eps_count; i++) + data->eps[i].num = -1; /* Save pointers */ func->eps = data->eps; -- 2.39.5