Hello Tudor Ambarus,

The patch ac803b56860f: "dmaengine: at_hdmac: Convert driver to use
virt-dma" from Oct 25, 2022 (linux-next), leads to the following
Smatch static checker warnings:

	drivers/dma/at_hdmac.c:1036 atc_prep_dma_memcpy() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
	drivers/dma/at_hdmac.c:1223 atc_prep_dma_memset_sg() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
	drivers/dma/at_hdmac.c:1387 atc_prep_slave_sg() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
	drivers/dma/at_hdmac.c:1543 atc_prep_dma_cyclic() warn: pointer dereferenced without being set 'desc->vd.tx.chan'
	drivers/dma/at_xdmac.c:1499 at_xdmac_prep_dma_memset_sg() warn: pointer dereferenced without being set 'psg'

drivers/dma/at_hdmac.c
     960 static struct dma_async_tx_descriptor *
     961 atc_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dest, dma_addr_t src,
     962 		size_t len, unsigned long flags)
     963 {
     964 	struct at_dma		*atdma = to_at_dma(chan->device);
     965 	struct at_dma_chan	*atchan = to_at_dma_chan(chan);
     966 	struct at_desc		*desc = NULL;
     967 	size_t			xfer_count;
     968 	size_t			offset;
     969 	size_t			sg_len;
     970 	unsigned int		src_width;
     971 	unsigned int		dst_width;
     972 	unsigned int		i;
     973 	u32			ctrla;
     974 	u32			ctrlb;
     975
     976 	dev_dbg(chan2dev(chan), "prep_dma_memcpy: d%pad s%pad l0x%zx f0x%lx\n",
     977 		&dest, &src, len, flags);
     978
     979 	if (unlikely(!len)) {
     980 		dev_err(chan2dev(chan), "prep_dma_memcpy: length is zero!\n");
     981 		return NULL;
     982 	}
     983
     984 	sg_len = DIV_ROUND_UP(len, ATC_BTSIZE_MAX);
     985 	desc = kzalloc(struct_size(desc, sg, sg_len), GFP_ATOMIC);
     986 	if (!desc)
     987 		return NULL;
     988 	desc->sglen = sg_len;
     989
     990 	ctrlb = ATC_DEFAULT_CTRLB | ATC_IEN |
     991 		FIELD_PREP(ATC_SRC_ADDR_MODE, ATC_SRC_ADDR_MODE_INCR) |
     992 		FIELD_PREP(ATC_DST_ADDR_MODE, ATC_DST_ADDR_MODE_INCR) |
     993 		FIELD_PREP(ATC_FC, ATC_FC_MEM2MEM);
     994
     995 	/*
     996 	 * We can be a lot more clever here, but this should take care
     997 	 * of the most common optimization.
     998 	 */
     999 	src_width = dst_width = atc_get_xfer_width(src, dest, len);
    1000
    1001 	ctrla = FIELD_PREP(ATC_SRC_WIDTH, src_width) |
    1002 		FIELD_PREP(ATC_DST_WIDTH, dst_width);
    1003
    1004 	for (offset = 0, i = 0; offset < len;
    1005 	     offset += xfer_count << src_width, i++) {
    1006 		struct atdma_sg *atdma_sg = &desc->sg[i];
    1007 		struct at_lli *lli;
    1008
    1009 		atdma_sg->lli = dma_pool_alloc(atdma->lli_pool, GFP_NOWAIT,
    1010 					       &atdma_sg->lli_phys);
    1011 		if (!atdma_sg->lli)
    1012 			goto err_desc_get;
    1013 		lli = atdma_sg->lli;
    1014
    1015 		xfer_count = min_t(size_t, (len - offset) >> src_width,
    1016 				   ATC_BTSIZE_MAX);
    1017
    1018 		lli->saddr = src + offset;
    1019 		lli->daddr = dest + offset;
    1020 		lli->ctrla = ctrla | xfer_count;
    1021 		lli->ctrlb = ctrlb;
    1022
    1023 		desc->sg[i].len = xfer_count << src_width;
    1024
    1025 		atdma_lli_chain(desc, i);
    1026 	}
    1027
    1028 	desc->total_len = len;
    1029
    1030 	/* set end-of-link to the last link descriptor of list*/
    1031 	set_lli_eol(desc, i - 1);
    1032
    1033 	return vchan_tx_prep(&atchan->vc, &desc->vd, flags);

Before this point desc->vd.tx.chan is NULL: desc was zero-filled by
kzalloc() at line 985 and nothing in the listing above assigns it.

    1034
    1035 err_desc_get:
--> 1036 	atdma_desc_free(&desc->vd);

This dereferences desc->vd.tx.chan so it will crash.  The label is only
reached through the goto at line 1012, i.e. when dma_pool_alloc() fails,
which is before line 1033 has run.  The other warnings are similar except
for the "psg" one.  That one will only crash if "sg_len" is 1.

    1037 	return NULL;
    1038 }

regards,
dan carpenter