usb: gadget: fsl_udc: fix the usage of udc->max_ep

The max_ep is the number of endpoint * 2.

But in dtd_complete_irq, it does again * 2, it will deference wrong memory
after scanning max_ep - 1.

The another similar problem is at USB_REQ_SET_FEATURE (the pipe number
should be 0 and max_ep - 1).

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Matthieu castet <matthieu.castet@parrot.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>

diff --git a/drivers/usb/gadget/fsl_udc_core.c b/drivers/usb/gadget/fsl_udc_core.c
index d7ea6c0..b04712f 100644 (file)
--- a/drivers/usb/gadget/fsl_udc_core.c
+++ b/drivers/usb/gadget/fsl_udc_core.c
@@ -1430,7 +1430,7 @@ static void setup_received_irq(struct fsl_udc *udc,
                        int pipe = get_pipe_by_windex(wIndex);
                        struct fsl_ep *ep;
 
-                       if (wValue != 0 || wLength != 0 || pipe > udc->max_ep)
+                       if (wValue != 0 || wLength != 0 || pipe >= udc->max_ep)
                                break;
                        ep = get_ep_by_pipe(udc, pipe);
 
@@ -1673,7 +1673,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
        if (!bit_pos)
                return;
 
-       for (i = 0; i < udc->max_ep * 2; i++) {
+       for (i = 0; i < udc->max_ep; i++) {
                ep_num = i >> 1;
                direction = i % 2;