* [PATCH 01/12] firmware: xilinx-fpga: fix double free in probe error path
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
When firmwaremgr_register() fails, free(mgr) is called before jumping
to out_unreg. But the out: label (which out_unreg falls through to)
also calls free(mgr), resulting in a double free.
Remove the redundant free(mgr) before the goto, since the cleanup
labels already handle it.
Fixes: 2f4a47ef53 ("Added support for Zynq 7000 FPGA firmware loading")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/firmware/xilinx-fpga.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/firmware/xilinx-fpga.c b/drivers/firmware/xilinx-fpga.c
index 18d4e62ed1c3..7822521ef982 100644
--- a/drivers/firmware/xilinx-fpga.c
+++ b/drivers/firmware/xilinx-fpga.c
@@ -334,10 +334,8 @@ static int xilinx_fpga_probe(struct device *dev)
fh->device_node = dev->of_node;
ret = firmwaremgr_register(fh);
- if (ret != 0) {
- free(mgr);
+ if (ret != 0)
goto out_unreg;
- }
return 0;
out_unreg:
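Review bot: The single-statement branch after firmwaremgr_register() now relies entirely on the out: label to free mgr, but that label lies outside the hunk context, so the fall-through from out_unreg cannot be checked here. Please extend the context or quote the out_unreg/out tail in the commit message, and confirm that every other goto into those labels arrives with mgr either still owned or NULL. While touching the line, "if (ret)" would match the form used in the context lines elsewhere in this series.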
--
2.47.3
* [PATCH 02/12] driver: fix missing va_end in dev_add_alias error path
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
dev_add_alias() calls va_start(va, fmt) but returns -ENOMEM without
calling va_end(va) if the allocation fails.
Add the missing va_end(va) call before the error return.
Fixes: d914ef13a9 ("driver: add support for device aliases")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/base/driver.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/base/driver.c b/drivers/base/driver.c
index 36a1fcda48c8..20beb1e9e6fa 100644
--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@@ -649,8 +649,10 @@ int dev_add_alias(struct device *dev, const char *fmt, ...)
va_end(va_copy);
alias = malloc(struct_size(alias, name, len + 1));
- if (!alias)
+ if (!alias) {
+ va_end(va);
return -ENOMEM;
+ }
vsnprintf(alias->name, len + 1, fmt, va);
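Review bot: The added va_end(va) in the !alias branch leaves the function with two separate places that must close va, because the success path still has to call va_end(va) after vsnprintf(alias->name, len + 1, fmt, va), and that call is not visible in this hunk. A single exit label that does va_end(va) before returning would keep va_start/va_end paired in one place and make any later early return safe by construction.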
--
2.47.3
* [PATCH 03/12] net: eth: avoid overlapping memcpy in eth_set_ethaddr
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
eth_param_set_ethaddr() calls eth_set_ethaddr(edev, edev->ethaddr),
which results in memcpy(edev->ethaddr, ethaddr, ETH_ALEN) where source
and destination are the same buffer. This is undefined behavior with
memcpy.
Skip the memcpy when ethaddr already points to edev->ethaddr.
Fixes: b9170a1bde ("net: eth: Remove ethaddr_param")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
net/eth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/eth.c b/net/eth.c
index 4201ed1c6b66..37f55e0b3612 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -42,7 +42,8 @@ int eth_set_ethaddr(struct eth_device *edev, const char *ethaddr)
if (ret)
return ret;
- memcpy(edev->ethaddr, ethaddr, ETH_ALEN);
+ if (ethaddr != edev->ethaddr)
+ memcpy(edev->ethaddr, ethaddr, ETH_ALEN);
return 0;
}
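Review bot: The new ethaddr != edev->ethaddr test only covers the exact-alias case; a pointer into the middle of edev->ethaddr would still reach memcpy with overlapping ranges. memmove(edev->ethaddr, ethaddr, ETH_ALEN) is defined for any overlap and needs no extra branch, at negligible cost for ETH_ALEN bytes. If the comparison stays, a short comment naming eth_param_set_ethaddr() as the self-copy caller would explain why it is there.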
--
2.47.3
* [PATCH 04/12] pmdomain: fix dereference before NULL check in genpd_get_from_provider
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
genpd_get_from_provider() dereferences genpdspec->np in the variable
declaration before checking whether genpdspec itself is NULL.
Fixes: abf97f3993 ("pmdomain: look up pmdomain even if not have_genpd_providers")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/base/power.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/base/power.c b/drivers/base/power.c
index 543c85a3d9b8..936fc65ea8f8 100644
--- a/drivers/base/power.c
+++ b/drivers/base/power.c
@@ -255,13 +255,15 @@ static struct generic_pm_domain *genpd_get_from_provider(
struct of_phandle_args *genpdspec)
{
struct generic_pm_domain *genpd = ERR_PTR(-ENOENT);
- struct device_node *node = genpdspec->np;
struct of_genpd_provider *provider;
+ struct device_node *node;
int ret;
if (!genpdspec)
return ERR_PTR(-EINVAL);
+ node = genpdspec->np;
+
ret = of_device_ensure_probed(node);
if (ret) {
struct device_node *parent;
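Review bot: With node = genpdspec->np now placed after the !genpdspec check, the value handed to of_device_ensure_probed(node) can still be NULL when np is unset, and nothing in this hunk shows whether that function accepts a NULL node. Either extend the early return to cover !genpdspec->np or state that of_device_ensure_probed() tolerates it. The commit message also describes only the defect; one sentence saying the assignment is moved below the check would complete it.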
--
2.47.3
* [PATCH 05/12] bootm: android: fix PTR_ERR called after clearing error pointer
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
Both the kernel and initrd error paths set the pointer to NULL before
calling PTR_ERR(), which always yields 0 (apparent success) instead of
the actual error code from aimage_copy_component().
Swap the order so PTR_ERR() captures the error code before the pointer
is cleared.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/bootm-android-image.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/bootm-android-image.c b/common/bootm-android-image.c
index cb86123659ba..828400fef772 100644
--- a/common/bootm-android-image.c
+++ b/common/bootm-android-image.c
@@ -101,8 +101,8 @@ static int do_bootm_aimage(struct image_data *img_data)
if (hdr->kernel.size) {
kernel = aimage_copy_component(fd, ofs, hdr->kernel.size);
if (IS_ERR(kernel)) {
- kernel = NULL;
ret = PTR_ERR(kernel);
+ kernel = NULL;
goto err_close;
}
}
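Review bot: In the IS_ERR(kernel) branch the fix depends on statement order alone, so a later reshuffle of these two lines can reintroduce the bug. Assigning the aimage_copy_component() result to a local temporary and storing it into kernel only on success would remove the need to reset kernel to NULL at all, and PTR_ERR() could then never see a cleared pointer.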
@@ -112,8 +112,8 @@ static int do_bootm_aimage(struct image_data *img_data)
if (hdr->ramdisk.size) {
initrd = aimage_copy_component(fd, ofs, hdr->ramdisk.size);
if (IS_ERR(initrd)) {
- initrd = NULL;
ret = PTR_ERR(initrd);
+ initrd = NULL;
goto err_close;
}
}
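Review bot: The IS_ERR(initrd) branch used to set ret to 0 after a failed ramdisk copy, which is a behaviour bug visible to callers rather than an analyzer cleanup, yet this patch carries no Fixes: tag, unlike patches 01 to 04 and 06. Please add the tag so the fix can be tracked to the commit that introduced the swapped order.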
--
2.47.3
* [PATCH 06/12] bootm: android: fix double close of fd
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
On the success path, close(fd) is called before bootm_boot(), then
execution falls through to the err_close label which calls close(fd)
again.
Add an err_unlink label and jump past err_close on the success path
to avoid the double close.
Fixes: 8edffb6eef ("bootm: add generic android image handler")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/bootm-android-image.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/common/bootm-android-image.c b/common/bootm-android-image.c
index 828400fef772..6acc41c3dd66 100644
--- a/common/bootm-android-image.c
+++ b/common/bootm-android-image.c
@@ -128,9 +128,11 @@ static int do_bootm_aimage(struct image_data *img_data)
ret = bootm_boot(&bootm_data);
+ goto err_unlink;
+
err_close:
close(fd);
-
+err_unlink:
if (kernel)
unlink(kernel);
if (initrd)
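Review bot: The success path now ends in goto err_unlink, so a label with an err_ prefix is reached after every bootm_boot() call that returns, which reads as an error exit. Renaming the labels to something neutral such as out_close and out_unlink, or setting fd = -1 after the early close and guarding close(fd) with fd >= 0, would avoid an unconditional goto placed directly before a label. The blank line dropped between close(fd) and err_unlink: is also worth keeping for readability.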
--
2.47.3
* [PATCH 07/12] net: phy: add NULL check for phy driver in page accessors
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
to_phy_driver() can return NULL if the device has no driver bound.
While phy_read_page() and phy_write_page() are only called on bound
devices in practice, the existing error messages already hint at
this possibility ("PHY driver not loaded?").
Add a NULL check for phydrv before dereferencing it, consistent with
the existing error handling.
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/net/phy/phy-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/phy-core.c b/drivers/net/phy/phy-core.c
index 85e8c4b3e2c7..e74ad6f3a6e6 100644
--- a/drivers/net/phy/phy-core.c
+++ b/drivers/net/phy/phy-core.c
@@ -58,7 +58,7 @@ static int phy_read_page(struct phy_device *phydev)
{
struct phy_driver *phydrv = to_phy_driver(phydev->dev.driver);
- if (!phydrv->read_page) {
+ if (!phydrv || !phydrv->read_page) {
dev_warn_once(&phydev->dev, "read_page callback not available, PHY driver not loaded?\n");
return -EOPNOTSUPP;
}
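Review bot: The !phydrv test in phy_read_page() only helps if to_phy_driver() maps a NULL phydev->dev.driver to NULL; if it is a container_of()-style conversion, that holds only while the embedded driver member sits at offset 0 or the helper checks for NULL itself, and neither is visible here. Testing phydev->dev.driver directly before converting would not depend on the struct layout.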
@@ -70,7 +70,7 @@ static int phy_write_page(struct phy_device *phydev, int page)
{
struct phy_driver *phydrv = to_phy_driver(phydev->dev.driver);
- if (!phydrv->write_page) {
+ if (!phydrv || !phydrv->write_page) {
dev_warn_once(&phydev->dev, "write_page callback not available, PHY driver not loaded?\n");
return -EOPNOTSUPP;
}
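Review bot: phy_write_page() repeats the lookup and NULL test from phy_read_page(), and both now print a callback-specific warning for the no-driver case as well. A small helper that returns the bound phy_driver or NULL would keep the two accessors in step and could emit one message for the unbound case.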
--
2.47.3
* [PATCH 08/12] open: add missing mode argument to O_CREAT calls
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
POSIX requires a third mode argument when open() is called with
O_CREAT. While barebox doesn't enforce file permissions, passing
mode satisfies static analyzers and is correct practice.
Also fix creat() to actually forward its mode parameter to open()
instead of silently discarding it.
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
commands/cat.c | 2 +-
commands/echo.c | 2 +-
commands/edit.c | 2 +-
commands/uimage.c | 2 +-
commands/uncompress.c | 2 +-
common/bbu.c | 2 +-
common/console_common.c | 2 +-
common/fastboot.c | 4 ++--
common/globalvar.c | 2 +-
drivers/usb/gadget/function/dfu.c | 6 +++---
include/fcntl.h | 2 +-
lib/libfile.c | 4 ++--
lib/xymodem.c | 2 +-
13 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/commands/cat.c b/commands/cat.c
index aa77b19907e0..57cf532fac24 100644
--- a/commands/cat.c
+++ b/commands/cat.c
@@ -55,7 +55,7 @@ static int do_cat(int argc, char *argv[])
return COMMAND_ERROR_USAGE;
if (outfile) {
- outfd = open(outfile, oflags);
+ outfd = open(outfile, oflags, 0666);
if (outfd < 0) {
perror("open");
return 1;
diff --git a/commands/echo.c b/commands/echo.c
index 572b852ea32a..e39d9d30731b 100644
--- a/commands/echo.c
+++ b/commands/echo.c
@@ -96,7 +96,7 @@ static int do_echo(int argc, char *argv[])
exit_parse:
if (file) {
- fd = open(file, oflags);
+ fd = open(file, oflags, 0666);
if (fd < 0) {
perror("open");
return 1;
diff --git a/commands/edit.c b/commands/edit.c
index 28c9ab8877f7..c7262711d01f 100644
--- a/commands/edit.c
+++ b/commands/edit.c
@@ -243,7 +243,7 @@ static int save_file(const char *path)
int fd;
int ret = 0;
- fd = open(path, O_WRONLY | O_TRUNC | O_CREAT);
+ fd = open(path, O_WRONLY | O_TRUNC | O_CREAT, 0666);
if (fd < 0) {
printf("could not open file for writing: %m\n");
return fd;
diff --git a/commands/uimage.c b/commands/uimage.c
index 72b827b5b276..d7e881b35f7d 100644
--- a/commands/uimage.c
+++ b/commands/uimage.c
@@ -67,7 +67,7 @@ static int do_uimage(int argc, char *argv[])
}
if (extract) {
- fd = open(extract, O_WRONLY | O_CREAT | O_TRUNC);
+ fd = open(extract, O_WRONLY | O_CREAT | O_TRUNC, 0666);
if (fd < 0) {
perror("open");
ret = fd;
diff --git a/commands/uncompress.c b/commands/uncompress.c
index 10884d675b3d..32e60e78072a 100644
--- a/commands/uncompress.c
+++ b/commands/uncompress.c
@@ -23,7 +23,7 @@ static int do_uncompress(int argc, char *argv[])
return 1;
}
- to = open(argv[2], O_WRONLY | O_CREAT);
+ to = open(argv[2], O_WRONLY | O_CREAT, 0666);
if (to < 0) {
perror("open");
ret = 1;
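Review bot: This open() of argv[2] creates the file but has no O_TRUNC, unlike the uimage and edit call sites in this patch, so uncompressing onto an existing longer file would leave the old tail in place. Since the line is being touched anyway, consider O_WRONLY | O_CREAT | O_TRUNC here in a follow-up, or note in the commit message that the flags are deliberately left alone.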
diff --git a/common/bbu.c b/common/bbu.c
index 07a51c112f0e..4b1cf2ee88b6 100644
--- a/common/bbu.c
+++ b/common/bbu.c
@@ -446,7 +446,7 @@ int bbu_flash(struct bbu_data *data, loff_t offset)
if (ret)
return ret;
- fd = open(data->devicefile, oflags);
+ fd = open(data->devicefile, oflags, 0666);
if (fd < 0)
return fd;
diff --git a/common/console_common.c b/common/console_common.c
index 3a6b85fa09c6..20c93de68cdc 100644
--- a/common/console_common.c
+++ b/common/console_common.c
@@ -197,7 +197,7 @@ int log_writefile(const char *filepath)
int ret = 0, nbytes = 0, fd = -1;
struct log_entry *log;
- fd = open(filepath, O_WRONLY | O_CREAT | O_TRUNC);
+ fd = open(filepath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
if (fd < 0)
return -errno;
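Review bot: log_writefile() gets mode 0644 while most other call sites in this patch get 0666 (write_file() in lib/libfile.c is the other 0644), and the commit message does not say how the value was chosen per site. Either use one value throughout or add a line explaining the rule, since the message itself states that barebox does not enforce permissions.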
diff --git a/common/fastboot.c b/common/fastboot.c
index 96d7fbd8c787..84bda241aea1 100644
--- a/common/fastboot.c
+++ b/common/fastboot.c
@@ -443,7 +443,7 @@ static void cb_download(struct fastboot *fb, const char *cmd)
close(fb->download_fd);
}
- fb->download_fd = open(fb->tempname, O_WRONLY | O_CREAT | O_TRUNC);
+ fb->download_fd = open(fb->tempname, O_WRONLY | O_CREAT | O_TRUNC, 0666);
if (fb->download_fd < 0) {
fastboot_tx_print(fb, FASTBOOT_MSG_FAIL, "internal error");
return;
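Review bot: fb->tempname is a temporary file for the download, and by the commit message's own "correct practice" argument a temporary file would normally be created 0600 rather than 0666. It makes no difference while permissions are unenforced, but the same applies to DFU_TEMPFILE in dfu.c, and a named constant for the temp-file mode would make the intent explicit if enforcement is ever added.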
@@ -591,7 +591,7 @@ static int fastboot_handle_sparse(struct fastboot *fb,
return ret;
}
- fd = open(fentry->filename, flags);
+ fd = open(fentry->filename, flags, 0666);
if (fd < 0)
return -errno;
diff --git a/common/globalvar.c b/common/globalvar.c
index 1fac891ae073..876379b2538e 100644
--- a/common/globalvar.c
+++ b/common/globalvar.c
@@ -61,7 +61,7 @@ static int __nv_save(const char *prefix, const char *name, const char *val)
fname = basprintf("%s/%s", prefix, name);
- fd = open(fname, O_CREAT | O_WRONLY | O_TRUNC);
+ fd = open(fname, O_CREAT | O_WRONLY | O_TRUNC, 0666);
free(fname);
diff --git a/drivers/usb/gadget/function/dfu.c b/drivers/usb/gadget/function/dfu.c
index 4d7001e48d85..a09eeb930bcc 100644
--- a/drivers/usb/gadget/function/dfu.c
+++ b/drivers/usb/gadget/function/dfu.c
@@ -258,14 +258,14 @@ static void dfu_do_open_dnload(struct dfu_work *dw)
pr_debug("do open dnload\n");
if (dfu_file_entry->flags & FILE_LIST_FLAG_SAFE) {
- dfufd = open(DFU_TEMPFILE, O_WRONLY | O_CREAT);
+ dfufd = open(DFU_TEMPFILE, O_WRONLY | O_CREAT, 0666);
} else {
unsigned flags = O_WRONLY;
if (dfu_file_entry->flags & FILE_LIST_FLAG_CREATE)
flags |= O_CREAT | O_TRUNC;
- dfufd = open(dfu_file_entry->filename, flags);
+ dfufd = open(dfu_file_entry->filename, flags, 0666);
}
if (dfufd < 0) {
@@ -324,7 +324,7 @@ static void dfu_do_copy(struct dfu_work *dw)
if (dfu_file_entry->flags & FILE_LIST_FLAG_CREATE)
flags |= O_CREAT | O_TRUNC;
- fd = open(dfu_file_entry->filename, flags);
+ fd = open(dfu_file_entry->filename, flags, 0666);
if (fd < 0) {
perror("open");
dfu->dfu_state = DFU_STATE_dfuERROR;
diff --git a/include/fcntl.h b/include/fcntl.h
index 57c01002cc92..124d11e8345e 100644
--- a/include/fcntl.h
+++ b/include/fcntl.h
@@ -55,7 +55,7 @@ static inline int open(const char *pathname, int flags, ...)
static inline int creat(const char *pathname, mode_t mode)
{
- return open(pathname, O_CREAT | O_WRONLY | O_TRUNC);
+ return open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
}
static inline int mknod(const char *pathname, mode_t mode, const char *devname)
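Review bot: creat() now passes a mode_t through the variadic tail of open(const char *pathname, int flags, ...), where it undergoes default argument promotion. The body of open() is outside this hunk, so please confirm it reads the argument with a va_arg type that matches the promoted type and only when O_CREAT is set. This is the one functional change in the patch and would be easier to review as its own commit.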
diff --git a/lib/libfile.c b/lib/libfile.c
index 6924db587e8c..e55a4252daad 100644
--- a/lib/libfile.c
+++ b/lib/libfile.c
@@ -415,7 +415,7 @@ int write_file(const char *filename, const void *buf, size_t size)
{
int fd, ret;
- fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT);
+ fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, 0644);
if (fd < 0)
return fd;
@@ -511,7 +511,7 @@ int copy_file(const char *src, const char *dst, unsigned flags)
mode |= O_TRUNC;
}
- dstfd = open(dst, mode);
+ dstfd = open(dst, mode, 0666);
if (dstfd < 0) {
printf("could not open %s: %m\n", dst);
ret = dstfd;
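Review bot: In copy_file() the variable named mode carries the open flags (mode |= O_TRUNC), so the new call open(dst, mode, 0666) reads as if a mode were passed twice. Renaming the local to flags in this patch, as the fastboot.c and dfu.c call sites already do, would keep the call unambiguous.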
diff --git a/lib/xymodem.c b/lib/xymodem.c
index 84a91157713b..bd5e114ee270 100644
--- a/lib/xymodem.c
+++ b/lib/xymodem.c
@@ -394,7 +394,7 @@ static int xy_await_header(struct xyz_ctxt *proto)
xy_dbg("header received, filename=%s, file length=%d\n",
proto->filename, proto->file_len);
if (proto->filename[0])
- proto->fd = open(proto->filename, O_WRONLY | O_CREAT);
+ proto->fd = open(proto->filename, O_WRONLY | O_CREAT, 0666);
else
proto->state = PROTO_STATE_FINISHED_XFER;
proto->nb_received = 0;
--
2.47.3
* [PATCH 09/12] hush: add NULL check for gl_pathv after do_glob_in_argv
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
If do_glob_in_argv is called with argc <= 0, the internal loop
never executes and gl_pathv remains NULL from the zero-initialized
globbuf. The subsequent globbuf.gl_pathv[0] dereference would then
crash. Add a NULL check to return early in this case.
Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/hush.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/common/hush.c b/common/hush.c
index 2e0cc4229d35..972ddfede6da 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -851,6 +851,9 @@ static int run_pipe_real(struct p_context *ctx, struct pipe *pi)
do_glob_in_argv(&globbuf, child->argc - i, &child->argv[i]);
+ if (!globbuf.gl_pathv)
+ return -1;
+
remove_quotes(globbuf.gl_pathc, globbuf.gl_pathv);
if (!strcmp(globbuf.gl_pathv[0], "getopt") &&
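Review bot: The new !globbuf.gl_pathv check returns a bare -1 after the call instead of rejecting the empty case up front, so the condition named in the commit message (argc <= 0) never appears in the code. Testing child->argc - i <= 0 before do_glob_in_argv() would state it directly and leave gl_pathv == NULL free to signal a real glob failure. Please also confirm that nothing set up earlier in run_pipe_real() needs to be released on this early return.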
--
2.47.3
* [PATCH 10/12] i2c: rk3x: fix NULL pointer dereference on repeated NACK
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
In the polling loop, if a NAKRCV interrupt triggers rk3x_i2c_stop()
which sets i2c->msg to NULL, a subsequent iteration with NAKRCV
still asserted will dereference the NULL msg pointer when checking
I2C_M_IGNORE_NAK. Add a NULL check so that a NULL msg falls through
to rk3x_i2c_stop(), which handles this case safely.
Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/i2c/busses/i2c-rk3x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c
index 1fdce1c8de84..d35f3e1c15c8 100644
--- a/drivers/i2c/busses/i2c-rk3x.c
+++ b/drivers/i2c/busses/i2c-rk3x.c
@@ -462,7 +462,8 @@ static void rk3x_i2c_irq(struct rk3x_i2c *i2c)
ipd &= ~REG_INT_NAKRCV;
- if (!(i2c->msg->flags & I2C_M_IGNORE_NAK))
+ if (!i2c->msg ||
+ !(i2c->msg->flags & I2C_M_IGNORE_NAK))
rk3x_i2c_stop(i2c, -ENXIO);
}
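Review bot: With !i2c->msg in the condition, a second NAKRCV after the transfer was already stopped calls rk3x_i2c_stop(i2c, -ENXIO) again, and this hunk does not show that a repeated stop leaves the first error code and state untouched. If the message is already gone there is nothing left to abort, so returning early when i2c->msg is NULL may be the safer form; otherwise please point to the check inside rk3x_i2c_stop() that makes the second call a no-op.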
--
2.47.3
* [PATCH 11/12] mci: imx-esdhc: remove misleading NULL check for cmd pointer
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
The ternary `cmd ? cmd->cmdidx : 0` suggests cmd can be NULL, but all
callers always pass a valid pointer and sdhci_set_cmd_xfer_mode()
unconditionally dereferences cmd a few lines later. Remove the
unnecessary guard to make the code consistent.
Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/mci/imx-esdhc-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mci/imx-esdhc-common.c b/drivers/mci/imx-esdhc-common.c
index 66f3edc670e0..050621d7fb06 100644
--- a/drivers/mci/imx-esdhc-common.c
+++ b/drivers/mci/imx-esdhc-common.c
@@ -327,7 +327,7 @@ int __esdhc_send_cmd(struct fsl_esdhc_host *host, struct mci_cmd *cmd,
dma_addr_t dma = SDHCI_NO_DMA;
int ret;
- host->last_cmd = cmd ? cmd->cmdidx : 0;
+ host->last_cmd = cmd->cmdidx;
sdhci_write32(&host->sdhci, SDHCI_INT_STATUS, -1);
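Review bot: Dropping the ternary makes host->last_cmd = cmd->cmdidx the first dereference in __esdhc_send_cmd(), so the non-NULL requirement becomes an unstated precondition of a non-static function. A one-line comment that cmd must not be NULL would record the contract the commit message relies on, since "all callers always pass a valid pointer" cannot be checked from this hunk.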
--
2.47.3
* [PATCH 12/12] mci: spi: initialize r1 to fix garbage return value
From: Ahmad Fatoum @ 2026-02-16 8:42 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6
If bcnt is 0, the while loop body never executes and r1 is returned
uninitialized. Initialize it to 0 (success) which is the correct
result when there are no blocks to write.
Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/mci/mci_spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mci/mci_spi.c b/drivers/mci/mci_spi.c
index 3ab90d768fbd..b495cdaafcf4 100644
--- a/drivers/mci/mci_spi.c
+++ b/drivers/mci/mci_spi.c
@@ -172,7 +172,7 @@ static uint mmc_spi_writedata(struct mmc_spi_host *host, const void *xbuf,
uint32_t bcnt, uint32_t bsize, int multi)
{
const uint8_t *buf = xbuf;
- uint8_t r1;
+ uint8_t r1 = 0;
uint16_t crc = 0;
uint8_t tok[2];
int i;
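Review bot: Initialising r1 at its declaration silences the analyzer for every path, including any future one that forgets to assign r1 inside the loop. An explicit early return of 0 for bcnt == 0 before the loop would fix the reported case while leaving the uninitialised-use warning available for real regressions.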
--
2.47.3