: from is NULL but dereferenced.
drivers/android/binder.c:2920:29-33: ERROR: target_thread is NULL but
dereferenced.
drivers/android/binder.c:353:25-35: ERROR: node -> proc is NULL but
dereferenced.
drivers/android/binder.c:4888:16-20: ERROR: t is NULL but dereferenced.
regards,
dan
/202205210545.gks834ds-...@intel.com/config)
compiler: s390-linux-gcc (GCC) 11.3.0
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot
Reported-by: Dan Carpenter
smatch warnings:
drivers/scsi/hosts.c:243 scsi_add_host_with_dma() warn: variable dereferenced
people who have
checks for that as well.
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
u_wq);
984 }
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
if (!ret)
Where before we just checked for errors here. This condition is
impossible now.
1990 print_iommu_info();
1991
1992 out:
1993 return ret;
1994 }
regards,
dan carpenter
___
iommu mailing list
io
d *)++last_pte - (void
*)first_pte);
1375
1376 return freelist;
1377 }
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
smatch warnings:
drivers/iommu/dma-iommu.c:384 iommu_dma_init_domain() warn: variable
dereferenced before check 'dev' (see line 374)
vim +/dev +384 drivers/iommu/dma
On Wed, Jul 14, 2021 at 05:41:54PM +0800, Jason Wang wrote:
>
> 在 2021/7/14 下午4:05, Dan Carpenter 写道:
> > On Wed, Jul 14, 2021 at 10:14:32AM +0800, Jason Wang wrote:
> > > 在 2021/7/13 下午7:31, Dan Carpenter 写道:
> > > > On Tue, Jul 13, 2021 at 0
On Wed, Jul 14, 2021 at 10:14:32AM +0800, Jason Wang wrote:
>
> 在 2021/7/13 下午7:31, Dan Carpenter 写道:
> > On Tue, Jul 13, 2021 at 04:46:52PM +0800, Xie Yongji wrote:
> > > @@ -613,37 +618,28 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v,
>
mplicated but
I'm not sure what. It calls container_of() and that looks buggy until
you spot the BUILD_BUG_ON_ZERO() compile time assert which ensures that
the container_of() is a no-op.
Only one of the callers checks for error pointers correctly so maybe
it's too complicated or maybe there sho
g->iova + msg->size - 1 > v->range.last)
But writing integer overflow check correctly is notoriously difficult.
Do you think you could send a fix for that which is separate from the
patcheset? We'd want to backport it to stable.
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
bugfix? Will it have any effect on runtime at all?
To me, hearing your thoughts on this is valuable even if you have to
guess. "I noticed this mistake during review and I don't think it will
affect runtime."
regards,
dan carpenter
___
iommu ma
On Mon, Jul 05, 2021 at 12:21:38PM -0300, Jason Gunthorpe wrote:
> On Mon, Jul 05, 2021 at 02:47:36PM +0100, Robin Murphy wrote:
> > On 2021-07-05 11:23, Dan Carpenter wrote:
> > > [ Ancient code, but the bug seems real enough still. -dan ]
> > >
> > > Hello U
om_chunk,
322 list);
323 goto iter_chunk;
324 }
325 }
326
327 return 0;
328
329 err_out:
330 usnic_uiom_unmap_sorted_intervals(intervals, pd);
331
enced
5333 int ret;
5334
5335 if (!info || !iommu || dmar_disabled)
^
Checked too late.
5336 return -EINVAL;
5337
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-f
ct virtio_blk_config, blk_size,
> >_size);
> > - if (!err)
> > + if (!err && blk_size > 0 && blk_size <= max_size)
>
> The check here is incorrect. I will use PAGE_SIZE as the maximum
> boundary in the new ve
In current kernels small allocations never fail, but checking for
allocation failure is the correct thing to do.
Fixes: 18abda7a2d55 ("iommu/vt-d: Fix general protection fault in
aux_detach_device()")
Signed-off-by: Dan Carpenter
---
drivers/iommu/intel/iommu.c | 2 ++
1 file
tr_init_done = true;
> > return soc_dev;
> >
> > out3:
> > @@ -246,6 +248,9 @@ const struct soc_device_attribute *soc_device_match(
> > if (!matches)
> > return NULL;
> >
> > + if (!soc_dev_attr_init_done && !early_s
.
iova_region_nr is either 1 or 5 so unsigned doesn't matter.
I once almost introduced a bug where the iterator was supposed to be
size_t. I fixed a bug by making it signed but I ended up introducing a
new bug. But generally that's pretty rare. The more common case is
that making i
This error path is supposed to return -EINVAL. It used to return
directly but we added some clean up and accidentally removed the
error code. Also I fixed a typo in the error message.
Fixes: c0b57581b73b ("iommu/mediatek: Add power-domain operation")
Signed-off-by: Dan Carpenter
--
, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
New smatch warnings:
drivers/iommu/intel/iommu.c:1471 domain_update_iotlb() error: we previously
assumed 'info' could be null (see line 1472)
Old smatch warnings:
drivers/iommu/intel/iommu.c:920
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
smatch warnings:
drivers/vfio/vfio_iommu_type1.c:648 vfio_iommu_type1_pin_pages() warn: variable
dereferenced before check 'iommu' (see line 640)
vim +/iommu +648 drivers/vfio
On Wed, Dec 09, 2020 at 10:01:49AM +, Song Bao Hua (Barry Song) wrote:
>
>
> > -Original Message-
> > From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> > Sent: Wednesday, December 9, 2020 8:00 PM
> > To: Song Bao Hua (Barry Song)
> >
The "data->flags" variable is a u64 so if one of the high 32 bits is
set the original code will allow it, but it should be rejected. The
fix is to declare "mask" as a u64 instead of a u32.
Fixes: d90573812eea ("iommu/uapi: Handle data and argsz filled by users&qu
patch adds a new dereference
3868
3869 if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) ||
3870 !entry || !entry->lo.fields_vapic.guest_mode)
^^
before "entry" has been checked for NULL.
3871 return 0;
3
The "page" pointer can be used with out being initialized.
Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory
zone")
Signed-off-by: Dan Carpenter
---
kernel/dma/pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/dma
return ret;
^^
This should be goto unlock;
> + }
> + return 0;
> }
> + ret = acpi_dev
On Wed, Aug 26, 2020 at 06:27:52AM -0400, FelixCuioc wrote:
> In the probe_acpi_namespace_devices function,when the physical
> node of the acpi device is NULL,the unlock function is missing.
> Add mutex_unlock(>physical_node_lock).
>
> Reported-by: Dan Carpenter
> Signed-of
r_unit *rmrru;
> + struct acpi_dmar_reserved_memory *rmrr;
> +
> + list_for_each_entry(rmrru, _rmrr_units, list) {
> + rmrr = container_of(rmrru->hdr,
> + struct acpi_dmar_reserved_memory,
> + header);
> + ret = dmar_acpi_insert_dev_scope(device_number, adev, (void
> *)(rmrr + 1),
> + ((void *)rmrr) +
> rmrr->header.length,
> + rmrru->devices,
> rmrru->devices_cnt);
> + if (ret)
> + break;
> + }
> + return 0;
> +}
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
-randconfig-m001-20200820 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
New smatch warnings:
drivers/iommu/intel/iommu.c:4850 probe_acpi_namespace_devices() warn
On Sat, Jun 27, 2020 at 01:45:16PM +0200, Richard Weinberger wrote:
> Hi!
>
> While porting on an old out-of-tree driver I noticed that dma_alloc_coherent()
> was used with dev being NULL.
>
> commit 148a97d5a02a62f81b5d6176f871c94a65e1f3af
> Author: Dan Carpenter
> Dat
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
smatch warnings:
drivers/rapidio/devices/rio_mport_cdev.c:939 rio_dma_transfer() error:
uninitialized symbol 'nents'.
#
https://github.com/0day-ci/linux/commit
On Fri, Jun 05, 2020 at 06:04:31AM +, Song Bao Hua (Barry Song) wrote:
>
>
> > -Original Message-
> > From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> > Sent: Thursday, June 4, 2020 11:37 PM
> > To: kbu...@lists.01.org; Song Bao Hua (Barry Song
rn -ENOMEM;
r->uniform_offset = true;
r->pfn_offset = pfn_offset;
return 0;
The code allocates "r" and then doesn't save it anywhere so there is
no point.
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
9.3.0-13) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter
smatch warnings:
kernel/dma/contiguous.c:274 dma_alloc_contiguous() warn: variable dereferenced
before check 'dev' (see line 272)
#
https://github.com/0day-ci
if (!dev)
> + return -ENODEV;
> +
> + if (!pfn_offset)
> + return 0;
> +
> + r = devm_kcalloc(dev, 1, sizeof(struct dma_pfn_offset_region),
> + GFP_KERNEL);
Use:r = devm_kzalloc(dev, sizeof(*r), GFP_KERNEL);
> + if (!r)
> + return -ENOMEM;
> +
> + r->uniform_offset = true;
> + r->pfn_offset = pfn_offset;
> +
> + return 0;
> +}
This function doesn't seem to do anything useful. Is part of it
missing?
> +EXPORT_SYMBOL_GPL(attach_uniform_dma_pfn_offset);
> +
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Thu, Mar 12, 2020 at 08:02:41PM +0800, Lu Baolu wrote:
> On 2020/3/12 19:37, Dan Carpenter wrote:
> > There were a couple places where we need to unlock before returning.
> >
> > Fixes: 91391b919e19 ("iommu/vt-d: Populate debugfs if IOMMUs are detected")
&
_from_pages(, pages, count, 0, size,
GFP_KERNEL))
^^
gfp here instead of GFP_KERNEL?
626 goto out_free_iova;
627
628 if (!(ioprot &
loc_remap() warn: use 'gfp' here
instead of GFP_XXX?
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Mon, Sep 16, 2019 at 10:29:36PM +0200, Christophe JAILLET wrote:
> 'iommu_group_get_for_dev()' never returns NULL, so this test can be
> simplified a bit.
>
It used to until commit 72dcac633475 ("iommu: Warn once when device_group
callback returns NULL").
Reviewed-by: Dan
;phys_addr = virt_to_phys(sq->queue);
136 dma_unmap_addr_set(sq, mapping, sq->dma_addr);
137 return 0;
138 }
Is this a bug?
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Wed, Apr 10, 2019 at 10:44:03AM +0100, Robin Murphy wrote:
> Hi Dan,
>
> On 10/04/2019 10:34, Dan Carpenter wrote:
> > Hello Jean-Philippe Brucker,
> >
> > This is a semi-automatic email about new static checker warnings.
> >
> > The patch fac83d29d
up now, almost a year
later. Sorry about that.
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
BLED() macro is really magical. You could write this like so:
if (IS_ENABLED(CONFIG_HYPERV_IOMMU) && x2apic_supported())
x2apic_phys = 1;
It works the same and is slightly more pleasant to look at.
regards,
dan carpenter
Hi Kenneth,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on cryptodev/master]
[also build test WARNING on v4.19-rc2 next-20180905]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
Smatch complains here:
lib/swiotlb.c:730 swiotlb_alloc_buffer()
warn: variable dereferenced before check 'dev' (see line 716)
"dev" isn't ever NULL in this function so we can just remove the check.
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/lib
master && master->ste.assigned)
^^
The old code assumes "master" can be NULL.
1958 arm_smmu_detach_dev(dev);
1959 iommu_group_remove_device(dev);
regards,
dan carpenter
___
iommu mailing
On Thu, Aug 24, 2017 at 08:47:33PM +0800, Baoquan He wrote:
> On 08/24/17 at 03:32pm, Dan Carpenter wrote:
> > Take a look at this code for example. But all the places which call
> > get_domain() are the same:
> >
> > drivers/iommu/amd_iommu.c
> > 2648
);
^^
imagined get_domain() returns NULL.
2652 if (IS_ERR(domain))
2653 goto free_mem;
2654
2655 dma_dom = to_dma_ops_domain(domain);
^
This will Oops.
2656
regards,
dan carpenter
On Thu, Aug 24, 2017 at 07:56:47PM +0800, Baoquan He wrote:
> In get_domain(), 'domain' could still be NULL before it's passed to
> dma_ops_domain() to dereference. For safety, check if 'domain' is
> NULL before passing to dma_ops_domain().
>
> Reported-by: Dan Carpenter <dan.ca
if (!dma_ops_domain(domain))
^^
Existing unchecked dereference inside the function.
2266 return ERR_PTR(-EBUSY);
2267
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoun
be checking fwspec?
556 dev_err(dev, "Cannot attach to IPMMU\n");
557 return -ENXIO;
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
;& master->ste.valid)
^^
Old code checked for NULL.
1811 arm_smmu_detach_dev(dev);
1812 iommu_group_remove_device(dev);
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.
My static checker complains that we return an uninitialized scalar if
the list is empty. If that's the case then we should return zero.
Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers
regions, head);
231 iommu_put_resv_regions(device->dev, _resv_regions);
232 if (ret)
233 break;
234 }
235 mutex_unlock(>mutex);
236 return ret;
237 }
238 EXPORT_SYMBOL_GPL(iommu_get_group_r
We should set "ret" to -EINVAL if iommu_group_get() fails.
Fixes: 55c99a4dc50f ("iommu/amd: Use iommu_attach_group()")
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c
index 594849a..f8
*/
386 sg_miter_start(, sgt.sgl, sgt.orig_nents,
SG_MITER_FROM_SG);
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
umber &&
932 ptmp->subordinate->busn_res.end >=
pdev->bus->number)
933 goto got_pdev;
934 }
935
936 if (pdev && drhd->include_all) {
937 got_
"devid" needs to be signed for the error handling to work.
Fixes:b097d11a0fa3f ('iommu/amd: Manage iommu_group for ACPI HID devices')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index c430c10
My static checker complains that "dma_alias" is uninitialized unless we
are dealing with a pci device. This is true but harmless. Anyway, we
can flip the condition around to silence the warning.
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu
of_platform_device_create() returns NULL on error, it never returns
error pointers.
Fixes: 0df4fabe208d ('iommu/mediatek: Add mt8173 IOMMU driver')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
index 1a4022c..4
"larb_nr" needs to be signed for the error handling to work. "i" can
be int as well.
Fixes: 0df4fabe208d ('iommu/mediatek: Add mt8173 IOMMU driver')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iomm
of_platform_device_create() returns NULL on error, it never returns
error pointers.
Fixes: 8ed55c812fa8 ('iommu/exynos: Init from dt-specific callback instead of
initcall')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/
There is an extra semi-colon on this if statement so we always break on
the first iteration.
Fixes: 0204a4960982 ('iommu/vt-d: Add callback to device driver on page faults')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel
^^
The patch introduces a NULL dereference here.
453 } else if (req->srr) {
454 /* Page Stream Response */
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
The "req->addr" variable is a bit field declared as "u64 addr:52;".
The "address" variable is a u64. We need to cast "req->addr" to a u64
before the shift or the result is truncated to 52 bits.
Fixes: 0b9252a34858 ('iommu/vt-d: Implement page r
On Thu, Jun 11, 2015 at 09:43:27AM +0200, Joerg Roedel wrote:
On Wed, Jun 10, 2015 at 06:39:20PM +0300, Dan Carpenter wrote:
Hello Joerg Roedel,
The patch b61238c4a5e1: iommu/amd: Implement dm_region call-backs
from May 28, 2015, leads to the following static checker warning
The iommu_group_alloc() and iommu_group_get_for_dev() functions return
error pointers, they never return NULL.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index c520c0c..9c25e6be 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers
iommu_domain_free(group-default_domain);
^
Dereferenced inside function.
1583 group-default_domain = dm_domain;
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
;
^^
Unchecked dereference.
2286 dev-archdata.dma_ops = nommu_dma_ops;
2287 } else {
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
-list, head);
3161 }
3162 }
regards,
dan carpenter
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
Smatch found some error paths that don't unlock. Also we can return
-ENOMEM instead of -1 if we don't have an old root entry.
Fixes: 5908f10af4b9 ('iommu/vt-d: datatypes and functions used for kdump')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
---
Releasing the lock is good, but we
On Tue, Jun 02, 2015 at 03:45:18PM +0200, Joerg Roedel wrote:
On Tue, Jun 02, 2015 at 01:09:58PM +0300, Dan Carpenter wrote:
Smatch found some error paths that don't unlock. Also we can return
-ENOMEM instead of -1 if we don't have an old root entry.
Fixes: 5908f10af4b9 ('iommu/vt-d
pasid_state-device_state and dev_state are the same, but it's nicer
to use dev_state consistently.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c
index 6d5a5c4..a1cbba9 100644
--- a/drivers/iommu/amd_iommu_v2.c
+++ b
. For
example, it treated the first allocation as a special case for some
reason. Anyway I cleaned it up a bit.
Fixes: ecf87b38d902 ('iommu/amd: Enhance AMD IR driver to suppport hierarchy
irqdomain')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
---
Please review this carefully. I haven't
If we hit this error condition then we want to return a NULL pointer and
not a freed variable.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 6fbce01..69fa7da 100644
--- a/drivers/iommu/intel-iommu.c
+++ b
index needs to be signed for the error handling to work. I deleted a
little bit of obsolete cruft related to index and start_index as
well.
Fixes: 360eb3c5687e ('iommu/vt-d: use dedicated bitmap to track remapping entry
allocation status')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
We should return NULL on error instead of the freed pointer.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index e78b8a4..a636d68 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -3867,6 +3867,7
write_file_bool() modifies 32 bits of data, so amd_iommu_unmap_flush
needs to be 32 bits as well or we'll corrupt memory. Fortunately it
looks like the data is aligned with a gap after the declaration so this
is harmless in production.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
branch be included in linux-next with a goal of being
accepted into v3.6.
Could you run Sparse over the driver?
http://lwn.net/Articles/205624/
It reports a bunch of endian problems. Some are definitely bugs
like:
*prev |= cpu_to_le32((u32)epos 20);
regards,
dan carpenter
write_file_bool() modifies 32 bits of data, so amd_iommu_unmap_flush
needs to be 32 bits as well or we'll corrupt memory. Fortunately it
looks like the data is aligned with a gap after the declaration so this
is harmless in production.
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com
diff
81 matches
Mail list logo
