mmc: bcm2835: Fix possible NULL ptr dereference in bcm2835_request

This fixes a NULL pointer dereference in case of a MMC request with a
set block count command and no data.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

diff --git a/drivers/mmc/host/bcm2835.c b/drivers/mmc/host/bcm2835.c
index 7d1b0db7fbb7dda0c54c9f0076afc2f39707d1d3..1f343a477b3d3ab2f03a391cf956b6f2546847ef 100644 (file)
--- a/drivers/mmc/host/bcm2835.c
+++ b/drivers/mmc/host/bcm2835.c
@@ -1200,7 +1200,8 @@ static void bcm2835_request(struct mmc_host *mmc, struct mmc_request *mrq)
                return;
        }
 
-       host->use_sbc = !!mrq->sbc && (host->mrq->data->flags & MMC_DATA_READ);
+       host->use_sbc = !!mrq->sbc && host->mrq->data &&
+                       (host->mrq->data->flags & MMC_DATA_READ);
        if (host->use_sbc) {
                if (bcm2835_send_command(host, mrq->sbc)) {
                        if (!host->use_busy)