Thread (3 messages) 3 messages, 3 authors, 7d ago

Re: [PATCH] net: meth: check skb allocation in meth_init_rx_ring()

From: Pavan Chebbi <pavan.chebbi@broadcom.com>
Date: 2026-06-22 05:57:57
Also in: lkml, stable 

On Mon, Jun 22, 2026 at 10:20 AM Haoxiang Li [off-list ref] wrote:
quoted hunk ↗ jump to hunk
meth_init_rx_ring() does not check the return value of alloc_skb().
If the allocation fails, the NULL skb is passed to skb_reserve() and
then dereferenced through skb->head.

Add check for alloc_skb() to prevent potential null pointer dereference.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <redacted>
---
 drivers/net/ethernet/sgi/meth.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/sgi/meth.c b/drivers/net/ethernet/sgi/meth.c
index f7c3a5a766b7..ceff3cc937ad 100644
--- a/drivers/net/ethernet/sgi/meth.c
+++ b/drivers/net/ethernet/sgi/meth.c
@@ -228,6 +228,9 @@ static int meth_init_rx_ring(struct meth_private *priv)

        for (i = 0; i < RX_RING_ENTRIES; i++) {
                priv->rx_skbs[i] = alloc_skb(METH_RX_BUFF_SIZE, 0);
+               if (!priv->rx_skbs[i])
+                       return -ENOMEM;
+
I think the fix is not complete. The caller meth_open() will not free
any successfully allocated skbs if the function ever returns -ENOMEM.

                /* 8byte status vector + 3quad padding + 2byte padding,
                 * to put data on 64bit aligned boundary */
                skb_reserve(priv->rx_skbs[i],METH_RX_HEAD);
--
2.25.1

Attachments

  • smime.p7s [application/pkcs7-signature] 5469 bytes
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help