[PATCH v2] net: meth: Fix skb allocation failure handling in RX init
From: Haoxiang Li <hidden>
Date: 2026-06-24 03:20:41
Also in:
lkml
Subsystem:
networking drivers, the rest · Maintainers:
Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds
meth_init_rx_ring() does not check the return value of alloc_skb(). If the allocation fails, the NULL skb is passed to skb_reserve() and then dereferenced through skb->head. Add check for alloc_skb() to prevent potential null pointer dereference. And unwind the RX entries that were already allocated and DMA-mapped before returning. Signed-off-by: Haoxiang Li <redacted> --- Changes in v2: - Add error handling to free the resources that were already allocated. Thanks, Pavan. - Drop the fixes tag. Thanks, Andrew. --- drivers/net/ethernet/sgi/meth.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/drivers/net/ethernet/sgi/meth.c b/drivers/net/ethernet/sgi/meth.c
index f7c3a5a766b7..bf5f47692023 100644
--- a/drivers/net/ethernet/sgi/meth.c
+++ b/drivers/net/ethernet/sgi/meth.c@@ -228,6 +228,9 @@ static int meth_init_rx_ring(struct meth_private *priv) for (i = 0; i < RX_RING_ENTRIES; i++) { priv->rx_skbs[i] = alloc_skb(METH_RX_BUFF_SIZE, 0); + if (!priv->rx_skbs[i]) + goto err_free_skbs; + /* 8byte status vector + 3quad padding + 2byte padding, * to put data on 64bit aligned boundary */ skb_reserve(priv->rx_skbs[i],METH_RX_HEAD);
@@ -240,6 +243,17 @@ static int meth_init_rx_ring(struct meth_private *priv) } priv->rx_write = 0; return 0; + +err_free_skbs: + while (i--) { + dma_unmap_single(&priv->pdev->dev, priv->rx_ring_dmas[i], + METH_RX_BUFF_SIZE, DMA_FROM_DEVICE); + priv->rx_ring[i] = 0; + priv->rx_ring_dmas[i] = 0; + kfree_skb(priv->rx_skbs[i]); + priv->rx_skbs[i] = NULL; + } + return -ENOMEM; } static void meth_free_tx_ring(struct meth_private *priv) {
--
2.25.1