net: fddi: fix a possible null-ptr-deref
authorYueHaibing <yuehaibing@huawei.com>
Fri, 8 Jun 2018 02:58:25 +0000 (10:58 +0800)
committerDavid S. Miller <davem@davemloft.net>
Fri, 8 Jun 2018 22:47:46 +0000 (18:47 -0400)
bp->SharedMemAddr is set to NULL while bp->SharedMemSize lesser-or-equal 0,
then memset will trigger null-ptr-deref.

fix it by replacing pci_alloc_consistent with dma_zalloc_coherent.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/fddi/skfp/skfddi.c

index 2414f1dc8ddd8e10a36f8f279bca0a64bb24acf8..72433f3efc747e78b83ae32ac91a203d7aed3914 100644 (file)
@@ -297,11 +297,11 @@ static int skfp_init_one(struct pci_dev *pdev,
        return 0;
 err_out5:
        if (smc->os.SharedMemAddr) 
-               pci_free_consistent(pdev, smc->os.SharedMemSize,
-                                   smc->os.SharedMemAddr, 
-                                   smc->os.SharedMemDMA);
-       pci_free_consistent(pdev, MAX_FRAME_SIZE,
-                           smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA);
+               dma_free_coherent(&pdev->dev, smc->os.SharedMemSize,
+                                 smc->os.SharedMemAddr,
+                                 smc->os.SharedMemDMA);
+       dma_free_coherent(&pdev->dev, MAX_FRAME_SIZE,
+                         smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA);
 err_out4:
        free_netdev(dev);
 err_out3:
@@ -328,17 +328,17 @@ static void skfp_remove_one(struct pci_dev *pdev)
        unregister_netdev(p);
 
        if (lp->os.SharedMemAddr) {
-               pci_free_consistent(&lp->os.pdev,
-                                   lp->os.SharedMemSize,
-                                   lp->os.SharedMemAddr,
-                                   lp->os.SharedMemDMA);
+               dma_free_coherent(&pdev->dev,
+                                 lp->os.SharedMemSize,
+                                 lp->os.SharedMemAddr,
+                                 lp->os.SharedMemDMA);
                lp->os.SharedMemAddr = NULL;
        }
        if (lp->os.LocalRxBuffer) {
-               pci_free_consistent(&lp->os.pdev,
-                                   MAX_FRAME_SIZE,
-                                   lp->os.LocalRxBuffer,
-                                   lp->os.LocalRxBufferDMA);
+               dma_free_coherent(&pdev->dev,
+                                 MAX_FRAME_SIZE,
+                                 lp->os.LocalRxBuffer,
+                                 lp->os.LocalRxBufferDMA);
                lp->os.LocalRxBuffer = NULL;
        }
 #ifdef MEM_MAPPED_IO
@@ -394,7 +394,9 @@ static  int skfp_driver_init(struct net_device *dev)
        spin_lock_init(&bp->DriverLock);
        
        // Allocate invalid frame
-       bp->LocalRxBuffer = pci_alloc_consistent(&bp->pdev, MAX_FRAME_SIZE, &bp->LocalRxBufferDMA);
+       bp->LocalRxBuffer = dma_alloc_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
+                                              &bp->LocalRxBufferDMA,
+                                              GFP_ATOMIC);
        if (!bp->LocalRxBuffer) {
                printk("could not allocate mem for ");
                printk("LocalRxBuffer: %d byte\n", MAX_FRAME_SIZE);
@@ -407,23 +409,22 @@ static  int skfp_driver_init(struct net_device *dev)
        if (bp->SharedMemSize > 0) {
                bp->SharedMemSize += 16;        // for descriptor alignment
 
-               bp->SharedMemAddr = pci_alloc_consistent(&bp->pdev,
-                                                        bp->SharedMemSize,
-                                                        &bp->SharedMemDMA);
+               bp->SharedMemAddr = dma_zalloc_coherent(&bp->pdev.dev,
+                                                       bp->SharedMemSize,
+                                                       &bp->SharedMemDMA,
+                                                       GFP_ATOMIC);
                if (!bp->SharedMemAddr) {
                        printk("could not allocate mem for ");
                        printk("hardware module: %ld byte\n",
                               bp->SharedMemSize);
                        goto fail;
                }
-               bp->SharedMemHeap = 0;  // Nothing used yet.
 
        } else {
                bp->SharedMemAddr = NULL;
-               bp->SharedMemHeap = 0;
-       }                       // SharedMemSize > 0
+       }
 
-       memset(bp->SharedMemAddr, 0, bp->SharedMemSize);
+       bp->SharedMemHeap = 0;
 
        card_stop(smc);         // Reset adapter.
 
@@ -442,15 +443,15 @@ static  int skfp_driver_init(struct net_device *dev)
 
 fail:
        if (bp->SharedMemAddr) {
-               pci_free_consistent(&bp->pdev,
-                                   bp->SharedMemSize,
-                                   bp->SharedMemAddr,
-                                   bp->SharedMemDMA);
+               dma_free_coherent(&bp->pdev.dev,
+                                 bp->SharedMemSize,
+                                 bp->SharedMemAddr,
+                                 bp->SharedMemDMA);
                bp->SharedMemAddr = NULL;
        }
        if (bp->LocalRxBuffer) {
-               pci_free_consistent(&bp->pdev, MAX_FRAME_SIZE,
-                                   bp->LocalRxBuffer, bp->LocalRxBufferDMA);
+               dma_free_coherent(&bp->pdev.dev, MAX_FRAME_SIZE,
+                                 bp->LocalRxBuffer, bp->LocalRxBufferDMA);
                bp->LocalRxBuffer = NULL;
        }
        return err;