Commit 6310a882 authored by YueHaibing's avatar YueHaibing Committed by David S. Miller

net: fddi: fix a possible null-ptr-deref

bp->SharedMemAddr is set to NULL while bp->SharedMemSize lesser-or-equal 0,
then memset will trigger null-ptr-deref.

fix it by replacing pci_alloc_consistent with dma_zalloc_coherent.
Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 58d813af
...@@ -297,11 +297,11 @@ static int skfp_init_one(struct pci_dev *pdev, ...@@ -297,11 +297,11 @@ static int skfp_init_one(struct pci_dev *pdev,
return 0; return 0;
err_out5: err_out5:
if (smc->os.SharedMemAddr) if (smc->os.SharedMemAddr)
pci_free_consistent(pdev, smc->os.SharedMemSize, dma_free_coherent(&pdev->dev, smc->os.SharedMemSize,
smc->os.SharedMemAddr, smc->os.SharedMemAddr,
smc->os.SharedMemDMA); smc->os.SharedMemDMA);
pci_free_consistent(pdev, MAX_FRAME_SIZE, dma_free_coherent(&pdev->dev, MAX_FRAME_SIZE,
smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA); smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA);
err_out4: err_out4:
free_netdev(dev); free_netdev(dev);
err_out3: err_out3:
...@@ -328,17 +328,17 @@ static void skfp_remove_one(struct pci_dev *pdev) ...@@ -328,17 +328,17 @@ static void skfp_remove_one(struct pci_dev *pdev)
unregister_netdev(p); unregister_netdev(p);
if (lp->os.SharedMemAddr) { if (lp->os.SharedMemAddr) {
pci_free_consistent(&lp->os.pdev, dma_free_coherent(&pdev->dev,
lp->os.SharedMemSize, lp->os.SharedMemSize,
lp->os.SharedMemAddr, lp->os.SharedMemAddr,
lp->os.SharedMemDMA); lp->os.SharedMemDMA);
lp->os.SharedMemAddr = NULL; lp->os.SharedMemAddr = NULL;
} }
if (lp->os.LocalRxBuffer) { if (lp->os.LocalRxBuffer) {
pci_free_consistent(&lp->os.pdev, dma_free_coherent(&pdev->dev,
MAX_FRAME_SIZE, MAX_FRAME_SIZE,
lp->os.LocalRxBuffer, lp->os.LocalRxBuffer,
lp->os.LocalRxBufferDMA); lp->os.LocalRxBufferDMA);
lp->os.LocalRxBuffer = NULL; lp->os.LocalRxBuffer = NULL;
} }
#ifdef MEM_MAPPED_IO #ifdef MEM_MAPPED_IO
...@@ -394,7 +394,9 @@ static int skfp_driver_init(struct net_device *dev) ...@@ -394,7 +394,9 @@ static int skfp_driver_init(struct net_device *dev)
spin_lock_init(&bp->DriverLock); spin_lock_init(&bp->DriverLock);
// Allocate invalid frame // Allocate invalid frame
bp->LocalRxBuffer = pci_alloc_consistent(&bp->pdev, MAX_FRAME_SIZE, &bp->LocalRxBufferDMA); bp->LocalRxBuffer = dma_alloc_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
&bp->LocalRxBufferDMA,
GFP_ATOMIC);
if (!bp->LocalRxBuffer) { if (!bp->LocalRxBuffer) {
printk("could not allocate mem for "); printk("could not allocate mem for ");
printk("LocalRxBuffer: %d byte\n", MAX_FRAME_SIZE); printk("LocalRxBuffer: %d byte\n", MAX_FRAME_SIZE);
...@@ -407,23 +409,22 @@ static int skfp_driver_init(struct net_device *dev) ...@@ -407,23 +409,22 @@ static int skfp_driver_init(struct net_device *dev)
if (bp->SharedMemSize > 0) { if (bp->SharedMemSize > 0) {
bp->SharedMemSize += 16; // for descriptor alignment bp->SharedMemSize += 16; // for descriptor alignment
bp->SharedMemAddr = pci_alloc_consistent(&bp->pdev, bp->SharedMemAddr = dma_zalloc_coherent(&bp->pdev.dev,
bp->SharedMemSize, bp->SharedMemSize,
&bp->SharedMemDMA); &bp->SharedMemDMA,
GFP_ATOMIC);
if (!bp->SharedMemAddr) { if (!bp->SharedMemAddr) {
printk("could not allocate mem for "); printk("could not allocate mem for ");
printk("hardware module: %ld byte\n", printk("hardware module: %ld byte\n",
bp->SharedMemSize); bp->SharedMemSize);
goto fail; goto fail;
} }
bp->SharedMemHeap = 0; // Nothing used yet.
} else { } else {
bp->SharedMemAddr = NULL; bp->SharedMemAddr = NULL;
bp->SharedMemHeap = 0; }
} // SharedMemSize > 0
memset(bp->SharedMemAddr, 0, bp->SharedMemSize); bp->SharedMemHeap = 0;
card_stop(smc); // Reset adapter. card_stop(smc); // Reset adapter.
...@@ -442,15 +443,15 @@ static int skfp_driver_init(struct net_device *dev) ...@@ -442,15 +443,15 @@ static int skfp_driver_init(struct net_device *dev)
fail: fail:
if (bp->SharedMemAddr) { if (bp->SharedMemAddr) {
pci_free_consistent(&bp->pdev, dma_free_coherent(&bp->pdev.dev,
bp->SharedMemSize, bp->SharedMemSize,
bp->SharedMemAddr, bp->SharedMemAddr,
bp->SharedMemDMA); bp->SharedMemDMA);
bp->SharedMemAddr = NULL; bp->SharedMemAddr = NULL;
} }
if (bp->LocalRxBuffer) { if (bp->LocalRxBuffer) {
pci_free_consistent(&bp->pdev, MAX_FRAME_SIZE, dma_free_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
bp->LocalRxBuffer, bp->LocalRxBufferDMA); bp->LocalRxBuffer, bp->LocalRxBufferDMA);
bp->LocalRxBuffer = NULL; bp->LocalRxBuffer = NULL;
} }
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment