[PATCH 1/1] dma: bcm6348: incorrect buffer allocation
Calling calloc() for 0 members does not make any sense. Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally unreasonable.
The current code will lead to a NULL dereference in bcm6348_iudma_enable().
The assignments for ch_priv->busy_desc are obviously swapped.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- I have no device to actually test the driver. --- drivers/dma/bcm6348-iudma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c index 91172d483c..81597c56a7 100644 --- a/drivers/dma/bcm6348-iudma.c +++ b/drivers/dma/bcm6348-iudma.c @@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma) ch_priv->desc_id = 0; if (bcm6348_iudma_chan_is_rx(dma->id)) { ch_priv->desc_cnt = 0; - ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); + ch_priv->busy_desc = NULL; } else { ch_priv->desc_cnt = ch_priv->dma_ring_size; - ch_priv->busy_desc = NULL; + ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); }
return 0; -- 2.29.2
Hello Heinrich,
This is not swapped. busy_desc is only used in RX. Please, check the rest of the driver: https://github.com/u-boot/u-boot/blob/master/drivers/dma/bcm6348-iudma.c
Regards, Álvaro.
El 27/12/2020 a las 10:26, Heinrich Schuchardt escribió:
Calling calloc() for 0 members does not make any sense. Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally unreasonable.
The current code will lead to a NULL dereference in bcm6348_iudma_enable().
The assignments for ch_priv->busy_desc are obviously swapped.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
I have no device to actually test the driver.
drivers/dma/bcm6348-iudma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c index 91172d483c..81597c56a7 100644 --- a/drivers/dma/bcm6348-iudma.c +++ b/drivers/dma/bcm6348-iudma.c @@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma) ch_priv->desc_id = 0; if (bcm6348_iudma_chan_is_rx(dma->id)) { ch_priv->desc_cnt = 0;
ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));
ch_priv->busy_desc = NULL;
ch_priv->busy_desc = NULL;
ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool));}
return 0;
-- 2.29.2
On 12/27/20 11:18 AM, Álvaro Fernández Rojas wrote:
Hello Heinrich,
This is not swapped. busy_desc is only used in RX. Please, check the rest of the driver: https://github.com/u-boot/u-boot/blob/master/drivers/dma/bcm6348-iudma.c
Regards, Álvaro.
Thanks for reviewing. Why is calloc called with count = 0? Couldn't we as well assign NULL?
Best regards
Heinrich
El 27/12/2020 a las 10:26, Heinrich Schuchardt escribió:
Calling calloc() for 0 members does not make any sense. Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally unreasonable.
The current code will lead to a NULL dereference in bcm6348_iudma_enable().
The assignments for ch_priv->busy_desc are obviously swapped.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
I have no device to actually test the driver.
drivers/dma/bcm6348-iudma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/bcm6348-iudma.c b/drivers/dma/bcm6348-iudma.c index 91172d483c..81597c56a7 100644 --- a/drivers/dma/bcm6348-iudma.c +++ b/drivers/dma/bcm6348-iudma.c @@ -313,10 +313,10 @@ static int bcm6348_iudma_request(struct dma *dma) ch_priv->desc_id = 0; if (bcm6348_iudma_chan_is_rx(dma->id)) { ch_priv->desc_cnt = 0; - ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); + ch_priv->busy_desc = NULL; } else { ch_priv->desc_cnt = ch_priv->dma_ring_size; - ch_priv->busy_desc = NULL; + ch_priv->busy_desc = calloc(ch_priv->desc_cnt, sizeof(bool)); }
return 0;
2.29.2
On Sun, Dec 27, 2020 at 10:26:00AM +0100, Heinrich Schuchardt wrote:
Calling calloc() for 0 members does not make any sense. Setting ch_priv->busy_desc = NULL for ch_priv->desc_cnt > 0 is equally unreasonable.
The current code will lead to a NULL dereference in bcm6348_iudma_enable().
The assignments for ch_priv->busy_desc are obviously swapped.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de
Applied to u-boot/master, thanks!
participants (3)
-
Heinrich Schuchardt -
Tom Rini -
Álvaro Fernández Rojas