[bug report] mtd: rawnand: cadence: fix DMA device NULL pointer dereference

Dan Carpenter dan.carpenter at linaro.org
Sun Oct 26 23:36:38 PDT 2025 

Hello Niravkumar L Rabara,

This is a semi-automatic email about new static checker warnings.

Commit 5c56bf214af8 ("mtd: rawnand: cadence: fix DMA device NULL
pointer dereference") from Oct 23, 2025, leads to the following
Smatch complaint:

    drivers/mtd/nand/raw/cadence-nand-controller.c:2956 cadence_nand_init()
    warn: variable dereferenced before check 'cdns_ctrl->dmac' (see line 2918)

drivers/mtd/nand/raw/cadence-nand-controller.c
  2909          if (cdns_ctrl->caps1->has_dma) {
  2910                  cdns_ctrl->dmac = dma_request_chan_by_mask(&mask);
                        ^^^^^^^^^^^^^^^
This is only set sometimes


  2911                  if (IS_ERR(cdns_ctrl->dmac)) {
  2912                          ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac),
  2913                                              "%d: Failed to get a DMA channel\n", ret);
  2914                          goto disable_irq;
  2915                  }
  2916          }
  2917  
  2918          dma_dev = cdns_ctrl->dmac->device;
                          ^^^^^^^^^^^^^^^^^
Potential NULL dereference

  2919          cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
  2920                                                    cdns_ctrl->io.size,
  2921                                                    DMA_BIDIRECTIONAL, 0);
  2922  
  2923          ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma);
  2924          if (ret) {
  2925                  dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n");
  2926                  goto dma_release_chnl;
  2927          }
  2928  
  2929          nand_controller_init(&cdns_ctrl->controller);
  2930          INIT_LIST_HEAD(&cdns_ctrl->chips);
  2931  
  2932          cdns_ctrl->controller.ops = &cadence_nand_controller_ops;
  2933          cdns_ctrl->curr_corr_str_idx = 0xFF;
  2934  
  2935          ret = cadence_nand_chips_init(cdns_ctrl);
  2936          if (ret) {
  2937                  dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n",
  2938                          ret);
  2939                  goto unmap_dma_resource;
  2940          }
  2941  
  2942          kfree(cdns_ctrl->buf);
  2943          cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL);
  2944          if (!cdns_ctrl->buf) {
  2945                  ret = -ENOMEM;
  2946                  goto unmap_dma_resource;
  2947          }
  2948  
  2949          return 0;
  2950  
  2951  unmap_dma_resource:
  2952          dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma,
  2953                             cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
  2954  
  2955  dma_release_chnl:
  2956          if (cdns_ctrl->dmac)
                    ^^^^^^^^^^^^^^^
Checked here, after dereference.

  2957                  dma_release_channel(cdns_ctrl->dmac);
  2958  


regards,
dan carpenter

More information about the linux-mtd mailing list