
Commit 6310a882 authored by YueHaibing's avatar YueHaibing Committed by David S. Miller

net: fddi: fix a possible null-ptr-deref



bp->SharedMemAddr is set to NULL when bp->SharedMemSize is less than or
equal to 0; the memset that follows will then trigger a null-ptr-deref.

fix it by replacing pci_alloc_consistent with dma_zalloc_coherent.

Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 58d813af
+28 −27
@@ -297,10 +297,10 @@ static int skfp_init_one(struct pci_dev *pdev,
	return 0;
err_out5:
	if (smc->os.SharedMemAddr) 
		pci_free_consistent(pdev, smc->os.SharedMemSize,
		dma_free_coherent(&pdev->dev, smc->os.SharedMemSize,
				  smc->os.SharedMemAddr,
				  smc->os.SharedMemDMA);
	pci_free_consistent(pdev, MAX_FRAME_SIZE,
	dma_free_coherent(&pdev->dev, MAX_FRAME_SIZE,
			  smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA);
err_out4:
	free_netdev(dev);
@@ -328,14 +328,14 @@ static void skfp_remove_one(struct pci_dev *pdev)
	unregister_netdev(p);

	if (lp->os.SharedMemAddr) {
		pci_free_consistent(&lp->os.pdev,
		dma_free_coherent(&pdev->dev,
				  lp->os.SharedMemSize,
				  lp->os.SharedMemAddr,
				  lp->os.SharedMemDMA);
		lp->os.SharedMemAddr = NULL;
	}
	if (lp->os.LocalRxBuffer) {
		pci_free_consistent(&lp->os.pdev,
		dma_free_coherent(&pdev->dev,
				  MAX_FRAME_SIZE,
				  lp->os.LocalRxBuffer,
				  lp->os.LocalRxBufferDMA);
@@ -394,7 +394,9 @@ static int skfp_driver_init(struct net_device *dev)
	spin_lock_init(&bp->DriverLock);
	
	// Allocate invalid frame
	bp->LocalRxBuffer = pci_alloc_consistent(&bp->pdev, MAX_FRAME_SIZE, &bp->LocalRxBufferDMA);
	bp->LocalRxBuffer = dma_alloc_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
					       &bp->LocalRxBufferDMA,
					       GFP_ATOMIC);
	if (!bp->LocalRxBuffer) {
		printk("could not allocate mem for ");
		printk("LocalRxBuffer: %d byte\n", MAX_FRAME_SIZE);
@@ -407,23 +409,22 @@ static int skfp_driver_init(struct net_device *dev)
	if (bp->SharedMemSize > 0) {
		bp->SharedMemSize += 16;	// for descriptor alignment

		bp->SharedMemAddr = pci_alloc_consistent(&bp->pdev,
		bp->SharedMemAddr = dma_zalloc_coherent(&bp->pdev.dev,
							bp->SharedMemSize,
							 &bp->SharedMemDMA);
							&bp->SharedMemDMA,
							GFP_ATOMIC);
		if (!bp->SharedMemAddr) {
			printk("could not allocate mem for ");
			printk("hardware module: %ld byte\n",
			       bp->SharedMemSize);
			goto fail;
		}
		bp->SharedMemHeap = 0;	// Nothing used yet.

	} else {
		bp->SharedMemAddr = NULL;
		bp->SharedMemHeap = 0;
	}			// SharedMemSize > 0
	}

	memset(bp->SharedMemAddr, 0, bp->SharedMemSize);
	bp->SharedMemHeap = 0;

	card_stop(smc);		// Reset adapter.

@@ -442,14 +443,14 @@ static int skfp_driver_init(struct net_device *dev)

fail:
	if (bp->SharedMemAddr) {
		pci_free_consistent(&bp->pdev,
		dma_free_coherent(&bp->pdev.dev,
				  bp->SharedMemSize,
				  bp->SharedMemAddr,
				  bp->SharedMemDMA);
		bp->SharedMemAddr = NULL;
	}
	if (bp->LocalRxBuffer) {
		pci_free_consistent(&bp->pdev, MAX_FRAME_SIZE,
		dma_free_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
				  bp->LocalRxBuffer, bp->LocalRxBufferDMA);
		bp->LocalRxBuffer = NULL;
	}
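Review bot: The coherent buffers are allocated against `&bp->pdev.dev` in skfp_driver_init (and freed against it on the `fail:` path), but skfp_remove_one and the `err_out5` path in skfp_init_one release them against `&pdev->dev`; the DMA API expects the free to name the same `struct device` as the allocation. The `.pdev.dev` member access suggests `bp->pdev` is an embedded copy of the PCI device rather than a pointer to it; its assignment is outside these hunks, so this is inferred, but a copied `struct device` is not the one the bus registered and its DMA settings can drift from the real one. I would allocate against the device the PCI core handed to probe so every path agrees; if that is not reachable from skfp_driver_init, the pairs should at least match, e.g. `dma_free_coherent(&lp->os.pdev.dev,` in skfp_remove_one. Separately, `GFP_ATOMIC` only preserves what pci_alloc_consistent did; if skfp_driver_init is reached from probe with no lock held, which the hunks do not show, `GFP_KERNEL` would be less likely to fail under memory pressure. All three functions start or end outside the hunks shown.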