From: Heinrich Schuchardt Date: Sun, 27 Dec 2020 09:26:00 +0000 (+0100) Subject: dma: bcm6348: incorrect buffer allocation X-Git-Tag: v2025.01-rc5-pxa1908~2058^2~7 X-Git-Url: http://git.dujemihanovic.xyz/%22mailto:Murray.Jensen%40csiro.au/static/%7B%7B%20%28.OutputFormats.Get?a=commitdiff_plain;h=4908067b8f87ebaa9a26514dfe5a9ffba13deb2c;p=u-boot.git dma: bcm6348: incorrect buffer allocation Calling calloc() for 0 members does not make any sense. Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally unreasonable. The current code will lead to a NULL dereference in bcm6348_iudma_enable(). The assignments for ch_priv->busy_desc are obviously swapped. Signed-off-by: Heinrich Schuchardt --- diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c index 98577601b5..c04aa55cb4 100644 --- a/drivers/dma/bcm6348-iudma.c +++ b/drivers/dma/bcm6348-iudma.c @@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma) ch_priv->desc_id = 0; if (bcm6348_iudma_chan_is_rx(dma->id)) { ch_priv->desc_cnt = 0; - ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); + ch_priv->busy_desc = NULL; } else { ch_priv->desc_cnt = ch_priv->dma_ring_size; - ch_priv->busy_desc = NULL; + ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); } return 0;