[PATCH 1/1] dma: bcm6348: incorrect buffer allocation
Heinrich Schuchardt
xypron.glpk at gmx.de
Sun Dec 27 10:26:00 CET 2020
Calling calloc() for 0 members does not make any sense.
Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally
unreasonable.
The current code will lead to a NULL dereference in bcm6348_iudma_enable().
The assignments for ch_priv->busy_desc are obviously swapped.
Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
I have no device to actually test the driver.
---
drivers/dma/bcm6348-iudma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c
index 91172d483c..81597c56a7 100644
--- a/drivers/dma/bcm6348-iudma.c
+++ b/drivers/dma/bcm6348-iudma.c
@@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma)
ch_priv->desc_id = 0;
if (bcm6348_iudma_chan_is_rx(dma->id)) {
ch_priv->desc_cnt = 0;
- ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
+ ch_priv->busy_desc = NULL;
} else {
ch_priv->desc_cnt = ch_priv->dma_ring_size;
- ch_priv->busy_desc = NULL;
+ ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
}
return 0;
--
2.29.2
More information about the U-Boot
mailing list