From 4908067b8f87ebaa9a26514dfe5a9ffba13deb2c Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date: Sun, 27 Dec 2020 10:26:00 +0100
Subject: [PATCH] dma: bcm6348: incorrect buffer allocation

Calling calloc() for 0 members does not make any sense.
Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally
unreasonable.

The current code will lead to a NULL dereference in bcm6348_iudma_enable().

The assignments for ch_priv->busy_desc are obviously swapped.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 drivers/dma/bcm6348-iudma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c
index 9857760..c04aa55 100644
--- a/drivers/dma/bcm6348-iudma.c
+++ b/drivers/dma/bcm6348-iudma.c
@@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma)
 	ch_priv->desc_id = 0;
 	if (bcm6348_iudma_chan_is_rx(dma->id)) {
 		ch_priv->desc_cnt = 0;
-		ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
+		ch_priv->busy_desc = NULL;
 	} else {
 		ch_priv->desc_cnt = ch_priv->dma_ring_size;
-		ch_priv->busy_desc = NULL;
+		ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
 	}
 
 	return 0;
-- 
2.7.4