orinoco_usb: potential null dereference

Smatch complains that "upriv->read_urb" gets dereferenced before
checking for NULL.  It turns out that it's possible for
"upriv->read_urb" to be NULL so I added checks around the dereferences.

Also I remove an "if (upriv->bap_buf != NULL)" check because
"kfree(NULL) is OK.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 5 insertions, 5 deletions

diff --git a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c
index 020da76c9558..b7864001e7e1 100644
--- a/drivers/net/wireless/orinoco/orinoco_usb.c
+++ b/drivers/net/wireless/orinoco/orinoco_usb.c
@@ -1502,16 +1502,16 @@ static inline void ezusb_delete(struct ezusb_priv *upriv)
             ezusb_ctx_complete(list_entry(item,
                                           struct request_context, list));
 
-        if (upriv->read_urb->status == -EINPROGRESS)
+        if (upriv->read_urb && upriv->read_urb->status == -EINPROGRESS)
                 printk(KERN_ERR PFX "Some URB in progress\n");
 
         mutex_unlock(&upriv->mtx);
 
-        kfree(upriv->read_urb->transfer_buffer);
-        if (upriv->bap_buf != NULL)
-                kfree(upriv->bap_buf);
-        if (upriv->read_urb != NULL)
+        if (upriv->read_urb) {
+                kfree(upriv->read_urb->transfer_buffer);
                 usb_free_urb(upriv->read_urb);
+        }
+        kfree(upriv->bap_buf);
         if (upriv->dev) {
                 struct orinoco_private *priv = ndev_priv(upriv->dev);
                 orinoco_if_del(priv);