Re: [PATCH RFC net] ps3/gelic: Fix possible NULL pointer dereference

From: Dan Carpenter
Date: Wed Feb 21 2024 - 13:32:55 EST


This driver is PPC-only, so I have never looked at the code before. I noticed
another issue that was introduced last December in commit 3ce4f9c3fbb3
("net/ps3_gelic_net: Add gelic_descr structures").

net/ethernet/toshiba/ps3_gelic_net.c
375 static int gelic_descr_prepare_rx(struct gelic_card *card,
376 struct gelic_descr *descr)
377 {
378 static const unsigned int rx_skb_size =
379 ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) +
380 GELIC_NET_RXBUF_ALIGN - 1;
381 dma_addr_t cpu_addr;
382 int offset;
383
384 if (gelic_descr_get_status(descr) != GELIC_DESCR_DMA_NOT_IN_USE)
385 dev_info(ctodev(card), "%s: ERROR status\n", __func__);
386
387 descr->skb = netdev_alloc_skb(*card->netdev, rx_skb_size);
388 if (!descr->skb) {
389 descr->hw_regs.payload.dev_addr = 0; /* tell DMAC don't touch memory */
390 return -ENOMEM;
391 }
392 descr->hw_regs.dmac_cmd_status = 0;
393 descr->hw_regs.result_size = 0;
394 descr->hw_regs.valid_size = 0;
395 descr->hw_regs.data_error = 0;
396 descr->hw_regs.payload.dev_addr = 0;
397 descr->hw_regs.payload.size = 0;
398 descr->skb = NULL;
^^^^^^^^^^^^^^^^^^
NULL

399
400 offset = ((unsigned long)descr->skb->data) &
^^^^^^^^^^^^
Dereferenced here, unconditionally: descr->skb was set to NULL on line 398 right after the freshly allocated skb was stored in it, so every call reaches this NULL dereference.

401 (GELIC_NET_RXBUF_ALIGN - 1);
402 if (offset)
403 skb_reserve(descr->skb, GELIC_NET_RXBUF_ALIGN - offset);
404 /* io-mmu-map the skb */
405 cpu_addr = dma_map_single(ctodev(card), descr->skb->data,
406 GELIC_NET_MAX_FRAME, DMA_FROM_DEVICE);

regards,
dan carpenter