Mostly small misc fixes, here they are sorted by sub-subsystem:

ECC fixes:
 - Realtek Kconfig fix
 
 SPI NAND fixes:
 - Remove unexistent QE bit on FMSH FM25S01A
 
 Raw NAND fixes:
 - Prevent DMA device NULL pointer dereference in Cadence driver
 
 MTD devices fixes:
 - Possible integer overflow in read/write ioctls
 - Fix the IRQ handler pointer in the onenand driver, even if in practice
   it is never dereferenced.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmkbAdgACgkQJWrqGEe9
 VoShnAf9E5CJjYfrohe68WBTlAjUKRHMM+zMpHNoWklChm1wAtH7Od0QuxbL/ZKn
 IqYdt22TK+OmpcsKFbuOpW4muWZZANrjN1yNTcCAQcSfuTc7vUVdQaPWJjVhGPot
 Dar439rQ0wc1QWxQt+lxcCgyYA4p7usdzcKredNJJkP7el74+nM7+CGcl5lndOos
 ztevCoXreOskol+aWzBJWP+RXcUBR5bAQc1V7kQNUaaVH11zW5bm8C+8U6jNGD7X
 YlDTXvAemumDysugU8JXO2weKVXgXxUcm6xi7dFM7S1crmskEryAjJKPP6Z7vImL
 AYZRlFt8VeNIzEO9OvXRDET7C9IajQ==
 =/SoB
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull MTD fixes from Miquel Raynal:
 "Mostly small misc fixes, here they are sorted by sub-subsystem:

  ECC fixes:
   - Realtek Kconfig fix

  SPI NAND fixes:
   - Remove nonexistent QE bit on FMSH FM25S01A

  Raw NAND fixes:
   - Prevent DMA device NULL pointer dereference in Cadence driver

  MTD device fixes:
   - Possible integer overflow in read/write ioctls
   - Fix the IRQ handler pointer in the onenand driver, even if in
     practice it is never dereferenced.

* tag 'mtd/fixes-for-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: onenand: Pass correct pointer to IRQ handler
  mtd: spinand: fmsh: remove QE bit for FM25S01A flash
  mtd: rawnand: cadence: fix DMA device NULL pointer dereference
  mtd: rawnand: realtek: Make rtl_ecc_engine_ops const
  mtd: nand: MTD_NAND_ECC_REALTEK should depend on HAS_DMA
  mtd: nand: realtek-ecc: Fix a IS_ERR() vs NULL bug in probe
  mtdchar: fix integer overflow in read/write ioctls

drivers/mtd/mtdchar.c

@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp)
 	uint8_t *datbuf = NULL, *oobbuf = NULL;
 	size_t datbuf_len, oobbuf_len;
 	int ret = 0;
+	u64 end;
 
 	if (copy_from_user(&req, argp, sizeof(req)))
 		return -EFAULT;
@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp)
 	req.len &= 0xffffffff;
 	req.ooblen &= 0xffffffff;
 
-	if (req.start + req.len > mtd->size)
+	if (check_add_overflow(req.start, req.len, &end) || end > mtd->size)
 		return -EINVAL;
 
 	datbuf_len = min_t(size_t, req.len, mtd->erasesize);
@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp)
 	size_t datbuf_len, oobbuf_len;
 	size_t orig_len, orig_ooblen;
 	int ret = 0;
+	u64 end;
 
 	if (copy_from_user(&req, argp, sizeof(req)))
 		return -EFAULT;
@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp)
 	req.len &= 0xffffffff;
 	req.ooblen &= 0xffffffff;
 
-	if (req.start + req.len > mtd->size) {
+	if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) {
 		ret = -EINVAL;
 		goto out;
 	}

drivers/mtd/nand/Kconfig

@@ -63,7 +63,7 @@ config MTD_NAND_ECC_MEDIATEK
 
 config MTD_NAND_ECC_REALTEK
         tristate "Realtek RTL93xx hardware ECC engine"
-        depends on HAS_IOMEM
+        depends on HAS_IOMEM && HAS_DMA
         depends on MACH_REALTEK_RTL || COMPILE_TEST
         select MTD_NAND_ECC
         help

drivers/mtd/nand/ecc-realtek.c

@@ -380,7 +380,7 @@ static void rtl_ecc_cleanup_ctx(struct nand_device *nand)
 		nand_ecc_cleanup_req_tweaking(&ctx->req_ctx);
 }
 
-static struct nand_ecc_engine_ops rtl_ecc_engine_ops = {
+static const struct nand_ecc_engine_ops rtl_ecc_engine_ops = {
 	.init_ctx = rtl_ecc_init_ctx,
 	.cleanup_ctx = rtl_ecc_cleanup_ctx,
 	.prepare_io_req = rtl_ecc_prepare_io_req,
@@ -418,8 +418,8 @@ static int rtl_ecc_probe(struct platform_device *pdev)
 
 	rtlc->buf = dma_alloc_noncoherent(dev, RTL_ECC_DMA_SIZE, &rtlc->buf_dma,
 					  DMA_BIDIRECTIONAL, GFP_KERNEL);
-	if (IS_ERR(rtlc->buf))
-		return PTR_ERR(rtlc->buf);
+	if (!rtlc->buf)
+		return -ENOMEM;
 
 	rtlc->dev = dev;
 	rtlc->engine.dev = dev;

drivers/mtd/nand/onenand/onenand_samsung.c

@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
 			err = devm_request_irq(&pdev->dev, r->start,
 					       s5pc110_onenand_irq,
 					       IRQF_SHARED, "onenand",
-					       &onenand);
+					       onenand);
 			if (err) {
 				dev_err(&pdev->dev, "failed to get irq\n");
 				return err;

drivers/mtd/nand/raw/cadence-nand-controller.c

@@ -2871,7 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, struct cdns_nand_ctrl *cdns_ctrl)
 static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
 {
 	dma_cap_mask_t mask;
-	struct dma_device *dma_dev = cdns_ctrl->dmac->device;
+	struct dma_device *dma_dev;
 	int ret;
 
 	cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
@@ -2915,6 +2915,7 @@ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
 		}
 	}
 
+	dma_dev = cdns_ctrl->dmac->device;
 	cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
 						  cdns_ctrl->io.size,
 						  DMA_BIDIRECTIONAL, 0);

drivers/mtd/nand/spi/fmsh.c

@@ -58,7 +58,7 @@ static const struct spinand_info fmsh_spinand_table[] = {
 		     SPINAND_INFO_OP_VARIANTS(&read_cache_variants,
 					      &write_cache_variants,
 					      &update_cache_variants),
-		     SPINAND_HAS_QE_BIT,
+		     0,
 		     SPINAND_ECCINFO(&fm25s01a_ooblayout, NULL)),
 };