Two kcalloc() allocations (descriptor table and context table) can fail
and are used unconditionally afterwards (ALIGN()/phys conversion and
dereferences), leading to potential NULL pointer dereference.
Check both allocations and bail out early; on the second failure, free
the first allocation to avoid a leak. Do not emit extra OOM logs.
Fixes: 73d739698017 ("sb1250-mac.c: De-typedef, de-volatile, de-etc...")
Fixes: c477f3348abb ("drivers/net/sb1250-mac.c: kmalloc + memset conversion to kcalloc")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/net/ethernet/broadcom/sb1250-mac.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/sb1250-mac.c b/drivers/net/ethernet/broadcom/sb1250-mac.c
index 30865fe03eeb..e16a49e22488 100644
--- a/drivers/net/ethernet/broadcom/sb1250-mac.c
+++ b/drivers/net/ethernet/broadcom/sb1250-mac.c
@@ -625,6 +625,8 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan,
d->sbdma_dscrtable_unaligned = kcalloc(d->sbdma_maxdescr + 1,
sizeof(*d->sbdma_dscrtable),
GFP_KERNEL);
+ if (!d->sbdma_dscrtable_unaligned)
+ return; /* avoid NULL deref in ALIGN/phys conversion */
/*
* The descriptor table must be aligned to at least 16 bytes or the
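Review bot: The bare return added after the first kcalloc() cannot report the failure, because sbdma_initctx() is declared static void, so the caller has no way to tell that setup stopped here and that the assignments below this point, including d->sbdma_ctxtable, never ran. Consider changing the function to return int, returning -ENOMEM from this branch, and having the caller check the result. The trailing comment on the return line restates what the check already makes obvious and can be dropped.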
@@ -644,7 +646,11 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan,
d->sbdma_ctxtable = kcalloc(d->sbdma_maxdescr,
sizeof(*d->sbdma_ctxtable), GFP_KERNEL);
-
+ if (!d->sbdma_ctxtable) {
+ kfree(d->sbdma_dscrtable_unaligned);
+ d->sbdma_dscrtable_unaligned = NULL;
+ return;
+ }
#ifdef CONFIG_SBMAC_COALESCE
/*
* Setup Rx/Tx DMA coalescing defaults
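Review bot: In the second failure branch only d->sbdma_dscrtable_unaligned is freed and cleared, so anything derived from it between the two allocations would still point into the freed buffer (the commit message mentions ALIGN() and a phys conversion, and the sizeof in the first hunk shows a d->sbdma_dscrtable field). Clear those derived fields in the same branch, or allocate both tables before computing them. As in the first hunk, returning from a void function hides the failure from the caller. The hunk also removes the blank line that separated the allocation from the #ifdef CONFIG_SBMAC_COALESCE block; keeping one after the closing brace would preserve the separation.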
--
2.43.0
On Thu, 18 Sep 2025 20:10:51 +0800 Guangshuo Li wrote:
> Fixes: 73d739698017 ("sb1250-mac.c: De-typedef, de-volatile, de-etc...")
> Fixes: c477f3348abb ("drivers/net/sb1250-mac.c: kmalloc + memset conversion to kcalloc")

neither of these tags is correct, the bug existed before them
The Fixes tag should point to the commit that added the bug, not
the last commit that touched the line

> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> drivers/net/ethernet/broadcom/sb1250-mac.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/broadcom/sb1250-mac.c b/drivers/net/ethernet/broadcom/sb1250-mac.c > index 30865fe03eeb..e16a49e22488 100644 > --- a/drivers/net/ethernet/broadcom/sb1250-mac.c > +++ b/drivers/net/ethernet/broadcom/sb1250-mac.c > @@ -625,6 +625,8 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan, > d->sbdma_dscrtable_unaligned = kcalloc(d->sbdma_maxdescr + 1, > sizeof(*d->sbdma_dscrtable), > GFP_KERNEL); > + if (!d->sbdma_dscrtable_unaligned) > + return; /* avoid NULL deref in ALIGN/phys conversion */

This comment is completely unnecessary

Please make sure to read:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html
before proceeding
--
pw-bot: cr