bnxt_en: Fix NULL pointer dereference at bnxt_free_irq().
authorMichael Chan <michael.chan@broadcom.com>
Wed, 11 Apr 2018 15:50:18 +0000 (11:50 -0400)
committerDavid S. Miller <davem@davemloft.net>
Wed, 11 Apr 2018 18:42:00 +0000 (14:42 -0400)
When open fails during ethtool -L ring change, for example, the driver
may crash at bnxt_free_irq() because bp->bnapi is NULL.

If we fail to allocate all the new rings, bnxt_open_nic() will free
all the memory including bp->bnapi.  Subsequent call to bnxt_close_nic()
will try to dereference bp->bnapi in bnxt_free_irq().

Fix it by checking for !bp->bnapi in bnxt_free_irq().

Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/broadcom/bnxt/bnxt.c

index 9cb8b4b..f83769d 100644 (file)
@@ -6090,7 +6090,7 @@ static void bnxt_free_irq(struct bnxt *bp)
        free_irq_cpu_rmap(bp->dev->rx_cpu_rmap);
        bp->dev->rx_cpu_rmap = NULL;
 #endif
-       if (!bp->irq_tbl)
+       if (!bp->irq_tbl || !bp->bnapi)
                return;
 
        for (i = 0; i < bp->cp_nr_rings; i++) {