From: Mirko Lindner Date: Wed, 26 Nov 2014 14:13:38 +0000 (+0100) Subject: sky2: Fix crash inside sky2_rx_clean X-Git-Tag: firefly_0821_release~176^2~2717^2~107 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=799d2fff1858004526ad75d66a5dd8a5cce6ad40;p=firefly-linux-kernel-4.4.55.git sky2: Fix crash inside sky2_rx_clean If sky2->tx_le = pci_alloc_consistent() or sky2->tx_ring = kcalloc() in sky2_alloc_buffers() fails, sky2->rx_ring = kcalloc() will never be called. In this error case handling, sky2_rx_clean() is called from within sky2_free_buffers(). In sky2_rx_clean() we find the following: ... memset(sky2->rx_le, 0, RX_LE_BYTES); ... This results in a memset using a NULL pointer and will crash the system. Signed-off-by: Mirko Lindner Acked-by: Stephen Hemminger Signed-off-by: David S. Miller --- diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c index 53a1cc52d496..f8ab220bd72c 100644 --- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -1361,7 +1361,9 @@ static void sky2_rx_clean(struct sky2_port *sky2) { unsigned i; - memset(sky2->rx_le, 0, RX_LE_BYTES); + if (sky2->rx_le) + memset(sky2->rx_le, 0, RX_LE_BYTES); + for (i = 0; i < sky2->rx_pending; i++) { struct rx_ring_info *re = sky2->rx_ring + i;