NTB: Fix issue where we may be accessing NULL ptr

smatch detected an issue in the function ntb_transport_max_size() where we could be dereferencing a dma channel pointer when it is NULL. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Dave Jiang <[email protected]> Signed-off-by: Jon Mason <[email protected]>
jix · Nov 8, 2015 · 04afde4 · 04afde4
1 parent 6a13feb
commit 04afde4
Showing 1 changed file with 9 additions and 8 deletions.
diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
@@ -1996,23 +1996,24 @@ EXPORT_SYMBOL_GPL(ntb_transport_qp_num);
  */
 unsigned int ntb_transport_max_size(struct ntb_transport_qp *qp)
 {
-	unsigned int max;
+	unsigned int max_size;
 	unsigned int copy_align;
+	struct dma_chan *rx_chan, *tx_chan;
 
 	if (!qp)
 		return 0;
 
-	if (!qp->tx_dma_chan && !qp->rx_dma_chan)
-		return qp->tx_max_frame - sizeof(struct ntb_payload_header);
+	rx_chan = qp->rx_dma_chan;
+	tx_chan = qp->tx_dma_chan;
 
-	copy_align = max(qp->tx_dma_chan->device->copy_align,
-			 qp->rx_dma_chan->device->copy_align);
+	copy_align = max(rx_chan ? rx_chan->device->copy_align : 0,
+			 tx_chan ? tx_chan->device->copy_align : 0);
 
 	/* If DMA engine usage is possible, try to find the max size for that */
-	max = qp->tx_max_frame - sizeof(struct ntb_payload_header);
-	max -= max % (1 << copy_align);
+	max_size = qp->tx_max_frame - sizeof(struct ntb_payload_header);
+	max_size = round_down(max_size, 1 << copy_align);
 
-	return max;
+	return max_size;
 }
 EXPORT_SYMBOL_GPL(ntb_transport_max_size);