diff --git a/drivers/staging/greybus/es1-ap-usb.c b/drivers/staging/greybus/es1-ap-usb.c index a98a2cb67211..a92f8934928a 100644 --- a/drivers/staging/greybus/es1-ap-usb.c +++ b/drivers/staging/greybus/es1-ap-usb.c @@ -95,7 +95,6 @@ static void cport_out_callback(struct urb *urb); static int alloc_gbuf_data(struct gbuf *gbuf, unsigned int size, gfp_t gfp_mask) { - u8 dest_cport_id = gbuf->dest_cport_id; u8 *buffer; if (gbuf->transfer_buffer) @@ -122,15 +121,6 @@ static int alloc_gbuf_data(struct gbuf *gbuf, unsigned int size, return -ENOMEM; buffer += GB_BUFFER_ALIGN; - /* Insert the cport id for outbound buffers */ - if (dest_cport_id != CPORT_ID_BAD && dest_cport_id > (u16)U8_MAX) { - pr_err("dest_cport_id (%hd) is out of range!\n", - gbuf->dest_cport_id); - kfree(buffer); - return -EINVAL; - } - *(buffer - 1) = gbuf->dest_cport_id; - gbuf->transfer_buffer = buffer; gbuf->transfer_buffer_length = size; @@ -212,6 +202,7 @@ static int submit_gbuf(struct gbuf *gbuf, gfp_t gfp_mask) struct greybus_host_device *hd = gbuf->hd; struct es1_ap_dev *es1 = hd_to_es1(hd); struct usb_device *udev = es1->usb_dev; + u16 dest_cport_id = gbuf->dest_cport_id; int retval; u8 *transfer_buffer; u8 *buffer; @@ -222,11 +213,17 @@ static int submit_gbuf(struct gbuf *gbuf, gfp_t gfp_mask) return -EINVAL; buffer = &transfer_buffer[-1]; /* yes, we mean -1 */ - /* Do one last check of the target CPort id */ - if (*buffer == CPORT_ID_BAD) { - pr_err("request to submit inbound buffer\n"); + /* Do one last check of the target CPort id before filling it in */ + if (dest_cport_id == CPORT_ID_BAD) { + pr_err("request to send inbound data buffer\n"); return -EINVAL; } + if (dest_cport_id > (u16)U8_MAX) { + pr_err("dest_cport_id (%hd) is out of range for ES1\n", + dest_cport_id); + return -EINVAL; + } + *buffer = dest_cport_id; /* Find a free urb */ urb = next_free_urb(es1, gfp_mask); diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index 103fc9746796..b5cd9a234fb6 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -241,12 +241,12 @@ static int gb_operation_message_init(struct gb_operation *operation, else dest_cport_id = CPORT_ID_BAD; - gbuf->hd = hd; - gbuf->dest_cport_id = dest_cport_id; - gbuf->status = -EBADR; /* Initial value--means "never set" */ ret = hd->driver->alloc_gbuf_data(gbuf, size, gfp_flags); if (ret) return ret; + gbuf->hd = hd; + gbuf->dest_cport_id = dest_cport_id; + gbuf->status = -EBADR; /* Initial value--means "never set" */ /* Fill in the header structure */ header = (struct gb_operation_msg_hdr *)gbuf->transfer_buffer;