* [bug report] mtd: rawnand: cadence: fix DMA device NULL pointer dereference
@ 2025-10-27 6:36 Dan Carpenter
2025-10-28 2:23 ` Niravkumar L Rabara
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2025-10-27 6:36 UTC (permalink / raw)
To: Niravkumar L Rabara; +Cc: linux-mtd
Hello Niravkumar L Rabara,
This is a semi-automatic email about new static checker warnings.
Commit 5c56bf214af8 ("mtd: rawnand: cadence: fix DMA device NULL
pointer dereference") from Oct 23, 2025, leads to the following
Smatch complaint:
drivers/mtd/nand/raw/cadence-nand-controller.c:2956 cadence_nand_init()
warn: variable dereferenced before check 'cdns_ctrl->dmac' (see line 2918)
drivers/mtd/nand/raw/cadence-nand-controller.c
2909 if (cdns_ctrl->caps1->has_dma) {
2910 cdns_ctrl->dmac = dma_request_chan_by_mask(&mask);
^^^^^^^^^^^^^^^
This is only set sometimes
2911 if (IS_ERR(cdns_ctrl->dmac)) {
2912 ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac),
2913 "%d: Failed to get a DMA channel\n", ret);
2914 goto disable_irq;
2915 }
2916 }
2917
2918 dma_dev = cdns_ctrl->dmac->device;
^^^^^^^^^^^^^^^^^
Potential NULL dereference
2919 cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
2920 cdns_ctrl->io.size,
2921 DMA_BIDIRECTIONAL, 0);
2922
2923 ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma);
2924 if (ret) {
2925 dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n");
2926 goto dma_release_chnl;
2927 }
2928
2929 nand_controller_init(&cdns_ctrl->controller);
2930 INIT_LIST_HEAD(&cdns_ctrl->chips);
2931
2932 cdns_ctrl->controller.ops = &cadence_nand_controller_ops;
2933 cdns_ctrl->curr_corr_str_idx = 0xFF;
2934
2935 ret = cadence_nand_chips_init(cdns_ctrl);
2936 if (ret) {
2937 dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n",
2938 ret);
2939 goto unmap_dma_resource;
2940 }
2941
2942 kfree(cdns_ctrl->buf);
2943 cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL);
2944 if (!cdns_ctrl->buf) {
2945 ret = -ENOMEM;
2946 goto unmap_dma_resource;
2947 }
2948
2949 return 0;
2950
2951 unmap_dma_resource:
2952 dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma,
2953 cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
2954
2955 dma_release_chnl:
2956 if (cdns_ctrl->dmac)
^^^^^^^^^^^^^^^
Checked here, after dereference.
2957 dma_release_channel(cdns_ctrl->dmac);
2958
regards,
dan carpenter
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] mtd: rawnand: cadence: fix DMA device NULL pointer dereference
2025-10-27 6:36 [bug report] mtd: rawnand: cadence: fix DMA device NULL pointer dereference Dan Carpenter
@ 2025-10-28 2:23 ` Niravkumar L Rabara
0 siblings, 0 replies; 2+ messages in thread
From: Niravkumar L Rabara @ 2025-10-28 2:23 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-mtd
On 27/10/2025 2:36 pm, Dan Carpenter wrote:
> Hello Niravkumar L Rabara,
>
> This is a semi-automatic email about new static checker warnings.
>
> Commit 5c56bf214af8 ("mtd: rawnand: cadence: fix DMA device NULL
> pointer dereference") from Oct 23, 2025, leads to the following
> Smatch complaint:
>
> drivers/mtd/nand/raw/cadence-nand-controller.c:2956 cadence_nand_init()
> warn: variable dereferenced before check 'cdns_ctrl->dmac' (see line 2918)
>
> drivers/mtd/nand/raw/cadence-nand-controller.c
> 2909 if (cdns_ctrl->caps1->has_dma) {
> 2910 cdns_ctrl->dmac = dma_request_chan_by_mask(&mask);
> ^^^^^^^^^^^^^^^
> This is only set sometimes
>
>
> 2911 if (IS_ERR(cdns_ctrl->dmac)) {
> 2912 ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac),
> 2913 "%d: Failed to get a DMA channel\n", ret);
> 2914 goto disable_irq;
> 2915 }
> 2916 }
> 2917
> 2918 dma_dev = cdns_ctrl->dmac->device;
> ^^^^^^^^^^^^^^^^^
> Potential NULL dereference
>
> 2919 cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
> 2920 cdns_ctrl->io.size,
> 2954
> 2955 dma_release_chnl:
> 2956 if (cdns_ctrl->dmac)
> ^^^^^^^^^^^^^^^
> Checked here, after dereference.
>
> 2957 dma_release_channel(cdns_ctrl->dmac);
> 2958
>
>
> regards,
> dan carpenter
Dan thanks for the bug report, next time I will make sure to check using
smatch before submitting the patch.
I will submit a patch to fix this.
Thanks,
Nirav
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-28 2:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-27 6:36 [bug report] mtd: rawnand: cadence: fix DMA device NULL pointer dereference Dan Carpenter
2025-10-28 2:23 ` Niravkumar L Rabara
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox