On Monday, February 9, 2026 10:14 PM Alper Ak wrote:
> When iommu_attach_group() returns -ENODEV, the code sets err to 0 but
> still falls through to the error path, returning ERR_PTR(0).
>
> Returning ERR_PTR(0) evaluates to NULL and breaks the ERR_PTR/IS_ERR
> contract, causing the error to be silently ignored and potentially
> leading to NULL pointer dereferences by callers.
>
> Fix this by returning NULL when err is zero, and ERR_PTR(err) only
> for actual error codes.
This commit message doesn't make sense. First you say that the function has a
bug because ERR_PTR(0) evaluates to NULL and can cause problems when callers
don't handle NULL. Then you fix that by returning NULL explicitly.
While returning NULL through ERR_PTR(0) may not be very beautiful, this
function is defined to return NULL in certain cases and so the behavior is
correct.
Mikko
>
> This issue was reported by the Smatch static analyzer.
>
> Fixes: 06867a362de0 ("gpu: host1x: Set DMA mask based on IOMMU setup")
> Signed-off-by: Alper Ak <[email protected]>
> ---
> drivers/gpu/host1x/dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c
> index 3f475f0e6545..46a570b861ac 100644
> --- a/drivers/gpu/host1x/dev.c
> +++ b/drivers/gpu/host1x/dev.c
> @@ -450,7 +450,7 @@ static struct iommu_domain *host1x_iommu_attach(struct
> host1x *host)
> iommu_group_put(host->group);
> host->group = NULL;
>
> - return ERR_PTR(err);
> + return err ? ERR_PTR(err) : NULL;
> }
>
> static int host1x_iommu_init(struct host1x *host)
> --
> 2.43.0
>
>
