dma: bcm6348: incorrect buffer allocation
author Heinrich Schuchardt <xypron.glpk@gmx.de>
Sun, 27 Dec 2020 09:26:00 +0000 (10:26 +0100)
committer Tom Rini <trini@konsulko.com>
Mon, 18 Jan 2021 20:23:06 +0000 (15:23 -0500)
Calling calloc() for 0 members does not make any sense.
Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally
unreasonable.

The current code will lead to a NULL dereference in bcm6348_iudma_enable().

The assignments for ch_priv->busy_desc are obviously swapped.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
drivers/dma/bcm6348-iudma.c

index 98577601b58c27efa5a5dd8dd737dbb73f77e174..c04aa55cb42d0e6ef4db040dcaf6e193067fee66 100644 (file)
@@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma)
        ch_priv->desc_id = 0;
        if (bcm6348_iudma_chan_is_rx(dma->id)) {
                ch_priv->desc_cnt = 0;
-               ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
+               ch_priv->busy_desc = NULL;
        } else {
                ch_priv->desc_cnt = ch_priv->dma_ring_size;
-               ch_priv->busy_desc = NULL;
+               ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
        }
 
        return 0;
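Review bot: The calloc() result in the else branch is not checked before the function falls through to `return 0;`. If the allocation fails, ch_priv->busy_desc is NULL while ch_priv->desc_cnt is already set to ch_priv->dma_ring_size, which is the same state the commit message says leads to a NULL dereference in bcm6348_iudma_enable(). Suggest testing the pointer right after the allocation, e.g. `if (!ch_priv->busy_desc) return -ENOMEM;`, and assigning desc_cnt only once the allocation has succeeded so a failed request does not leave a non-zero count behind.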