tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net: ethernet: nixge: fix NULL dereference

In function nixge_hw_dma_bd_release() dereference of NULL pointer
priv->rx_bd_v is possible for the case of its allocation failure in
nixge_hw_dma_bd_init().

Move for() loop with priv->rx_bd_v dereference under the check for
its validity.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
Signed-off-by: Yuri Karpov <YKarpov@ispras.ru>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Yuri Karpov and committed by
David S. Miller 9256db4e dcc14cfd

+13 -12
+13 -12
drivers/net/ethernet/ni/nixge.c
··· 249 249 struct sk_buff *skb; 250 250 int i; 251 251 252 - for (i = 0; i < RX_BD_NUM; i++) { 253 - phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], 254 - phys); 252 + if (priv->rx_bd_v) { 253 + for (i = 0; i < RX_BD_NUM; i++) { 254 + phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], 255 + phys); 255 256 256 - dma_unmap_single(ndev->dev.parent, phys_addr, 257 - NIXGE_MAX_JUMBO_FRAME_SIZE, 258 - DMA_FROM_DEVICE); 257 + dma_unmap_single(ndev->dev.parent, phys_addr, 258 + NIXGE_MAX_JUMBO_FRAME_SIZE, 259 + DMA_FROM_DEVICE); 259 260 260 - skb = (struct sk_buff *)(uintptr_t) 261 - nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], 262 - sw_id_offset); 263 - dev_kfree_skb(skb); 264 - } 261 + skb = (struct sk_buff *)(uintptr_t) 262 + nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], 263 + sw_id_offset); 264 + dev_kfree_skb(skb); 265 + } 265 266 266 - if (priv->rx_bd_v) 267 267 dma_free_coherent(ndev->dev.parent, 268 268 sizeof(*priv->rx_bd_v) * RX_BD_NUM, 269 269 priv->rx_bd_v, 270 270 priv->rx_bd_p); 271 + } 271 272 272 273 if (priv->tx_skb) 273 274 devm_kfree(ndev->dev.parent, priv->tx_skb);