Re: [PATCH net-next v08 8/9] hinic3: Add mac filter ops

From: Jakub Kicinski
Date: Mon Jan 05 2026 - 20:52:16 EST


AI code review points out:

> +static int hinic3_mac_filter_sync_hw(struct net_device *netdev,
> + struct list_head *del_list,
> + struct list_head *add_list,
> + int *add_count)
> +{
> + struct hinic3_mac_filter *ftmp;
> + struct hinic3_mac_filter *f;
> + int err;
> +
> + if (!list_empty(del_list)) {
> + list_for_each_entry_safe(f, ftmp, del_list, list) {
> + /* ignore errors when deleting mac */
> + hinic3_filter_addr_unsync(netdev, f->addr);
> + list_del(&f->list);
> + kfree(f);
> + }
> + }
> +
> + if (!list_empty(add_list)) {
> + list_for_each_entry_safe(f, ftmp, add_list, list) {
> + if (f->state != HINIC3_MAC_HW_SYNCING)
> + continue;
> +
> + err = hinic3_filter_addr_sync(netdev, f->addr);
> + if (err) {
> + netdev_err(netdev, "Failed to add mac\n");
> + return err;
> + }
> +
> + f->state = HINIC3_MAC_HW_SYNCED;
> + (*add_count)++;
> + }
> + }
> +
> + return 0;
> +}
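
Review bot: `(*add_count)++` in the add loop dereferences add_count unconditionally, so this function is only safe if every caller passes a valid pointer. Either guard the increment, for example `if (add_count) (*add_count)++;`, or document in a comment above the function that add_count must be non-NULL. Two smaller points in the same hunk: the `if (!list_empty(...))` wrappers are redundant because list_for_each_entry_safe() already does nothing on an empty list, and the early `return err` leaves the unprocessed entries on add_list in HINIC3_MAC_HW_SYNCING state, which deserves a comment so callers know what they have to clean up.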

[ ... ]

> + err = hinic3_mac_filter_sync_hw(netdev, &tmp_del_list,
> + &tmp_add_list, &add_count);
> + if (err) {
> + /* there were errors, delete all mac in hw */
> + hinic3_undo_add_filter_entries(mac_filter_list, &tmp_add_list);

[ ... ]

> + hinic3_mac_filter_sync_hw(netdev, &tmp_del_list,
> + &tmp_add_list, NULL);
^^^^
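
Review bot: The return value of this second hinic3_mac_filter_sync_hw() call is discarded and NULL is passed for add_count, so a failure on this path is silent and the callee has to tolerate a NULL counter. If ignoring the error is intentional here, say so in a comment, and either pass a local counter instead of NULL or make the callee check add_count before incrementing it.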

Can this NULL pointer dereference add_count in hinic3_mac_filter_sync_hw()?

When hinic3_filter_addr_sync() fails in the first call to
hinic3_mac_filter_sync_hw(), the function returns early with an error.
At that point tmp_add_list may still contain entries with state
HINIC3_MAC_HW_SYNCING (entries that were not yet processed).

The second call passes NULL for add_count. If tmp_add_list is not empty
and has entries with HINIC3_MAC_HW_SYNCING state, the code will execute
(*add_count)++ with add_count being NULL.