Re: [PATCH] net: meth: check skb allocation in meth_init_rx_ring()
From: Pavan Chebbi
Date: Mon Jun 22 2026 - 01:58:06 EST
On Mon, Jun 22, 2026 at 10:20 AM Haoxiang Li <haoxiang_li2024@xxxxxxx> wrote:
>
> meth_init_rx_ring() does not check the return value of alloc_skb().
> If the allocation fails, the NULL skb is passed to skb_reserve() and
> then dereferenced through skb->head.
>
> Add check for alloc_skb() to prevent potential null pointer dereference.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Haoxiang Li <haoxiang_li2024@xxxxxxx>
> ---
> drivers/net/ethernet/sgi/meth.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ethernet/sgi/meth.c b/drivers/net/ethernet/sgi/meth.c
> index f7c3a5a766b7..ceff3cc937ad 100644
> --- a/drivers/net/ethernet/sgi/meth.c
> +++ b/drivers/net/ethernet/sgi/meth.c
> @@ -228,6 +228,9 @@ static int meth_init_rx_ring(struct meth_private *priv)
>
> for (i = 0; i < RX_RING_ENTRIES; i++) {
> priv->rx_skbs[i] = alloc_skb(METH_RX_BUFF_SIZE, 0);
> + if (!priv->rx_skbs[i])
> + return -ENOMEM;
> +
I think the fix is not complete. The caller meth_open() will not free
any successfully allocated skbs if the function ever returns -ENOMEM.
> /* 8byte status vector + 3quad padding + 2byte padding,
> * to put data on 64bit aligned boundary */
> skb_reserve(priv->rx_skbs[i],METH_RX_HEAD);
> --
> 2.25.1
>
>
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature