| Message ID | 5475E012.3060607@marvell.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, 26 Nov 2014 15:13:38 +0100 Mirko Lindner <mlindner@marvell.com> wrote: > If sky2->tx_le = pci_alloc_consistent() or sky2->tx_ring = kcalloc() in > sky2_alloc_buffers() fails, sky2->rx_ring = kcalloc() will never be called. > In this error case handling, sky2_rx_clean() is called from within > sky2_free_buffers(). > > In sky2_rx_clean() we find the following: > > ... > memset(sky2->rx_le, 0, RX_LE_BYTES); > ... > > This results in a memset using a NULL pointer and will crash the system. > > Signed-off-by: Mirko Lindner <mlindner@marvell.com> This matches my earlier patch, but this one is just as good Acked-by: Stephen Hemminger <stephen@networkplumber.org> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Mirko Lindner <mlindner@marvell.com> Date: Wed, 26 Nov 2014 15:13:38 +0100 > If sky2->tx_le = pci_alloc_consistent() or sky2->tx_ring = kcalloc() in > sky2_alloc_buffers() fails, sky2->rx_ring = kcalloc() will never be called. > In this error case handling, sky2_rx_clean() is called from within > sky2_free_buffers(). > > In sky2_rx_clean() we find the following: > > ... > memset(sky2->rx_le, 0, RX_LE_BYTES); > ... > > This results in a memset using a NULL pointer and will crash the system. > > Signed-off-by: Mirko Lindner <mlindner@marvell.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c index 53a1cc5..f8ab220 100644 --- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -1361,7 +1361,9 @@ static void sky2_rx_clean(struct sky2_port *sky2) { unsigned i; - memset(sky2->rx_le, 0, RX_LE_BYTES); + if (sky2->rx_le) + memset(sky2->rx_le, 0, RX_LE_BYTES); + for (i = 0; i < sky2->rx_pending; i++) { struct rx_ring_info *re = sky2->rx_ring + i;
If sky2->tx_le = pci_alloc_consistent() or sky2->tx_ring = kcalloc() in sky2_alloc_buffers() fails, sky2->rx_ring = kcalloc() will never be called. In this error case handling, sky2_rx_clean() is called from within sky2_free_buffers(). In sky2_rx_clean() we find the following: ... memset(sky2->rx_le, 0, RX_LE_BYTES); ... This results in a memset using a NULL pointer and will crash the system. Signed-off-by: Mirko Lindner <mlindner@marvell.com> --- drivers/net/ethernet/marvell/sky2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)