Commit 04afde45 authored by Dave Jiang's avatar Dave Jiang Committed by Jon Mason
Browse files

NTB: Fix issue where we may be accessing NULL ptr 



smatch detected an issue in the function ntb_transport_max_size() where
we could be dereferencing a dma channel pointer when it is NULL.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDave Jiang <dave.jiang@intel.com>
Signed-off-by: default avatarJon Mason <jdmason@kudzu.us>
parent 6a13feb9

drivers/ntb/ntb_transport.c

+9 −8
Original line number Diff line number Diff line
@@ -1996,23 +1996,24 @@ EXPORT_SYMBOL_GPL(ntb_transport_qp_num); 
 */

unsigned int ntb_transport_max_size(struct ntb_transport_qp *qp)

{

	unsigned int max;

	unsigned int max_size;

	unsigned int copy_align;

	struct dma_chan *rx_chan, *tx_chan;



	if (!qp)

		return 0;



	if (!qp->tx_dma_chan && !qp->rx_dma_chan)

		return qp->tx_max_frame - sizeof(struct ntb_payload_header);

	rx_chan = qp->rx_dma_chan;

	tx_chan = qp->tx_dma_chan;



	copy_align = max(qp->tx_dma_chan->device->copy_align,

			 qp->rx_dma_chan->device->copy_align);

	copy_align = max(rx_chan ? rx_chan->device->copy_align : 0,

			 tx_chan ? tx_chan->device->copy_align : 0);



	/* If DMA engine usage is possible, try to find the max size for that */

	max = qp->tx_max_frame - sizeof(struct ntb_payload_header);

	max -= max % (1 << copy_align);

	max_size = qp->tx_max_frame - sizeof(struct ntb_payload_header);

	max_size = round_down(max_size, 1 << copy_align);



	return max;

	return max_size;

}

EXPORT_SYMBOL_GPL(ntb_transport_max_size);