pch_gbe_alloc_tx_buffers() allocates an skb for each TX descriptor and then passes the returned pointer to skb_reserve(). If netdev_alloc_skb() fails, skb_reserve() dereferences NULL. Make pch_gbe_alloc_tx_buffers() return an error when an skb allocation fails. On failure while bringing the device up, clean any TX buffers that were already allocated and release the RX buffer pool through a shared cleanup helper before unwinding the IRQ setup. Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH") Signed-off-by: Ruoyu Wang --- .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 35 ++++++++++++++----- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c index 62f05f4569b10..a426243a5fa34 100644 --- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c @@ -1420,13 +1420,23 @@ pch_gbe_alloc_rx_buffers_pool(struct pch_gbe_adapter *adapter, return 0; } +static void pch_gbe_free_rx_buffers_pool(struct pch_gbe_adapter *adapter, + struct pch_gbe_rx_ring *rx_ring) +{ + dma_free_coherent(&adapter->pdev->dev, rx_ring->rx_buff_pool_size, + rx_ring->rx_buff_pool, rx_ring->rx_buff_pool_logic); + rx_ring->rx_buff_pool_logic = 0; + rx_ring->rx_buff_pool_size = 0; + rx_ring->rx_buff_pool = NULL; +} + /** * pch_gbe_alloc_tx_buffers - Allocate transmit buffers * @adapter: Board private structure * @tx_ring: Tx descriptor ring */ -static void pch_gbe_alloc_tx_buffers(struct pch_gbe_adapter *adapter, - struct pch_gbe_tx_ring *tx_ring) +static int pch_gbe_alloc_tx_buffers(struct pch_gbe_adapter *adapter, + struct pch_gbe_tx_ring *tx_ring) { struct pch_gbe_buffer *buffer_info; struct sk_buff *skb; @@ -1440,12 +1450,15 @@ static void pch_gbe_alloc_tx_buffers(struct pch_gbe_adapter *adapter, for (i = 0; i < tx_ring->count; i++) { buffer_info = &tx_ring->buffer_info[i]; skb = netdev_alloc_skb(adapter->netdev, bufsz); + if (!skb) + return -ENOMEM; skb_reserve(skb, PCH_GBE_DMA_ALIGN); buffer_info->skb = skb; tx_desc = PCH_GBE_TX_DESC(*tx_ring, i); tx_desc->gbec_status = (DSC_INIT16); } - return; + + return 0; } /** @@ -1887,7 +1900,13 @@ int pch_gbe_up(struct pch_gbe_adapter *adapter) "Error: can't bring device up - alloc rx buffers pool failed\n"); goto freeirq; } - pch_gbe_alloc_tx_buffers(adapter, tx_ring); + err = pch_gbe_alloc_tx_buffers(adapter, tx_ring); + if (err) { + netdev_err(netdev, + "Error: can't bring device up - alloc tx buffers failed\n"); + pch_gbe_clean_tx_ring(adapter, tx_ring); + goto freebuf; + } pch_gbe_alloc_rx_buffers(adapter, rx_ring, rx_ring->count); adapter->tx_queue_len = netdev->tx_queue_len; pch_gbe_enable_dma_rx(&adapter->hw); @@ -1901,6 +1920,8 @@ int pch_gbe_up(struct pch_gbe_adapter *adapter) return 0; +freebuf: + pch_gbe_free_rx_buffers_pool(adapter, rx_ring); freeirq: pch_gbe_free_irq(adapter); out: @@ -1936,11 +1957,7 @@ void pch_gbe_down(struct pch_gbe_adapter *adapter) pch_gbe_clean_tx_ring(adapter, adapter->tx_ring); pch_gbe_clean_rx_ring(adapter, adapter->rx_ring); - dma_free_coherent(&adapter->pdev->dev, rx_ring->rx_buff_pool_size, - rx_ring->rx_buff_pool, rx_ring->rx_buff_pool_logic); - rx_ring->rx_buff_pool_logic = 0; - rx_ring->rx_buff_pool_size = 0; - rx_ring->rx_buff_pool = NULL; + pch_gbe_free_rx_buffers_pool(adapter, rx_ring); } /** -- 2.51.0