[bug report] dmaengine: at_hdmac: Convert driver to use virt-dma


 



Hello Tudor Ambarus,

The patch ac803b56860f: "dmaengine: at_hdmac: Convert driver to use
virt-dma" from Oct 25, 2022 (linux-next), leads to the following
Smatch static checker warnings:

drivers/dma/at_hdmac.c:1036 atc_prep_dma_memcpy() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
drivers/dma/at_hdmac.c:1223 atc_prep_dma_memset_sg() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
drivers/dma/at_hdmac.c:1387 atc_prep_slave_sg() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
drivers/dma/at_hdmac.c:1543 atc_prep_dma_cyclic() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
drivers/dma/at_xdmac.c:1499 at_xdmac_prep_dma_memset_sg() warn: pointer dereferenced without being set 'psg'

drivers/dma/at_hdmac.c
    960 static struct dma_async_tx_descriptor *
    961 atc_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dest, dma_addr_t src,
    962                 size_t len, unsigned long flags)
    963 {
    964         struct at_dma                *atdma = to_at_dma(chan->device);
    965         struct at_dma_chan        *atchan = to_at_dma_chan(chan);
    966         struct at_desc                *desc = NULL;
    967         size_t                        xfer_count;
    968         size_t                        offset;
    969         size_t                        sg_len;
    970         unsigned int                src_width;
    971         unsigned int                dst_width;
    972         unsigned int                i;
    973         u32                        ctrla;
    974         u32                        ctrlb;
    975 
    976         dev_dbg(chan2dev(chan), "prep_dma_memcpy: d%pad s%pad l0x%zx f0x%lx\n",
    977                 &dest, &src, len, flags);
    978 
    979         if (unlikely(!len)) {
    980                 dev_err(chan2dev(chan), "prep_dma_memcpy: length is zero!\n");
    981                 return NULL;
    982         }
    983 
    984         sg_len = DIV_ROUND_UP(len, ATC_BTSIZE_MAX);
    985         desc = kzalloc(struct_size(desc, sg, sg_len), GFP_ATOMIC);
    986         if (!desc)
    987                 return NULL;
    988         desc->sglen = sg_len;
    989 
    990         ctrlb = ATC_DEFAULT_CTRLB | ATC_IEN |
    991                 FIELD_PREP(ATC_SRC_ADDR_MODE, ATC_SRC_ADDR_MODE_INCR) |
    992                 FIELD_PREP(ATC_DST_ADDR_MODE, ATC_DST_ADDR_MODE_INCR) |
    993                 FIELD_PREP(ATC_FC, ATC_FC_MEM2MEM);
    994 
    995         /*
    996          * We can be a lot more clever here, but this should take care
    997          * of the most common optimization.
    998          */
    999         src_width = dst_width = atc_get_xfer_width(src, dest, len);
    1000 
    1001         ctrla = FIELD_PREP(ATC_SRC_WIDTH, src_width) |
    1002                 FIELD_PREP(ATC_DST_WIDTH, dst_width);
    1003 
    1004         for (offset = 0, i = 0; offset < len;
    1005              offset += xfer_count << src_width, i++) {
    1006                 struct atdma_sg *atdma_sg = &desc->sg[i];
    1007                 struct at_lli *lli;
    1008 
    1009                 atdma_sg->lli = dma_pool_alloc(atdma->lli_pool, GFP_NOWAIT,
    1010                                                &atdma_sg->lli_phys);
    1011                 if (!atdma_sg->lli)
    1012                         goto err_desc_get;
    1013                 lli = atdma_sg->lli;
    1014 
    1015                 xfer_count = min_t(size_t, (len - offset) >> src_width,
    1016                                    ATC_BTSIZE_MAX);
    1017 
    1018                 lli->saddr = src + offset;
    1019                 lli->daddr = dest + offset;
    1020                 lli->ctrla = ctrla | xfer_count;
    1021                 lli->ctrlb = ctrlb;
    1022 
    1023                 desc->sg[i].len = xfer_count << src_width;
    1024 
    1025                 atdma_lli_chain(desc, i);
    1026         }
    1027 
    1028         desc->total_len = len;
    1029 
    1030         /* set end-of-link to the last link descriptor of list*/
    1031         set_lli_eol(desc, i - 1);
    1032 
    1033         return vchan_tx_prep(&atchan->vc, &desc->vd, flags);

Before this point desc->vd.tx.chan is NULL: desc was zero-filled by
kzalloc() at line 985 and nothing in the lines above assigns the field.


    1034 
    1035 err_desc_get:
--> 1036         atdma_desc_free(&desc->vd);

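This dereferences desc->vd.tx.chan so it will crash.  The only jump to
err_desc_get is the dma_pool_alloc() failure at line 1012, which is taken
before vchan_tx_prep() has run, so the pointer is still NULL whenever
this label is reached.  The other warnings are similar except for the
"psg" one.  That one will only crash if "sg_len" is 1.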

    1037         return NULL;
    1038 }

regards,
dan carpenter


