
octeon_ep_vf: add NULL check for napi_build_skb()

napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment paths, leading to a
NULL pointer dereference.

Add NULL checks after both napi_build_skb() calls, properly advancing
descriptors and consuming remaining fragments on failure.

Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260409184009.930359-3-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

David Carlier and committed by
Jakub Kicinski
dd66b428 4e5bc3ff

+28 -2
+28 -2
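--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
@@ -414,10 +414,15 @@
 data_offset = OCTEP_VF_OQ_RESP_HW_SIZE;
 rx_ol_flags = 0;
 }
-rx_bytes += buff_info->len;
-
 if (buff_info->len <= oq->max_single_buffer_size) {
 skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+if (!skb) {
+oq->stats->alloc_failures++;
+desc_used++;
+read_idx = octep_vf_oq_next_idx(oq, read_idx);
+continue;
+}
+rx_bytes += buff_info->len;
 skb_reserve(skb, data_offset);
 skb_put(skb, buff_info->len);
 desc_used++;
@@
 u16 data_len;
 
 skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+if (!skb) {
+oq->stats->alloc_failures++;
+desc_used++;
+read_idx = octep_vf_oq_next_idx(oq, read_idx);
+data_len = buff_info->len - oq->max_single_buffer_size;
+while (data_len) {
+dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr,
+PAGE_SIZE, DMA_FROM_DEVICE);
+buff_info = (struct octep_vf_rx_buffer *)
+&oq->buff_info[read_idx];
+buff_info->page = NULL;
+if (data_len < oq->buffer_size)
+data_len = 0;
+else
+data_len -= oq->buffer_size;
+desc_used++;
+read_idx = octep_vf_oq_next_idx(oq, read_idx);
+}
+continue;
+}
+rx_bytes += buff_info->len;
 skb_reserve(skb, data_offset);
 /* Head fragment includes response header(s);
 * subsequent fragments contains only data.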
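Review bot: The new failure branches drop the receive pages without releasing them: in the multi-fragment drain loop each fragment is unmapped and `buff_info->page = NULL;` is set with no `put_page()`, and neither branch frees the head page behind `resp_hw`, so every napi_build_skb() failure appears to leak one or more pages at the moment memory is already short. Unless the refill path reclaims them (not visible in this hunk), add `put_page(buff_info->page);` before clearing the pointer in the loop and release the head page in both branches, e.g. `put_page(virt_to_head_page(resp_hw));`. The drain loop also advances `read_idx` on the device-reported `buff_info->len` alone, so a comment stating what bounds that length against the number of pending descriptors would help the next reader. __octep_vf_oq_process_rx() starts and ends outside the hunk, so the unmap and ownership state of the head buffer should be confirmed against the lines above it.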