Thread (2 messages) 2 messages, 2 authors, 1d ago

Re: [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()

From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date: 2026-07-01 14:21:31
Also in: lkml, stable

On Wed, Jul 01, 2026 at 12:20:26PM +0530, Abdun Nihaal wrote:
In one of the error path in bnx2x_alloc_mem_bp(), bnx2x_free_mem_bp()
may be called with bp->fp uninitialized. And so, there could be a null
pointer dereference in bnx2x_free_mem_bp(). Fix that by adding a null
check before the only dereference of bp->fp in the function.

The issue was reported by Sashiko AI review.

Fixes: c3146eb676e7 ("bnx2x: Correct memory preparation and release")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <redacted>
---
Compile tested only.
Thanks to Simon Horman for pointing out the Sashiko review.
Should we include Reported-by tag given to Sashiko? I did that in my last
changes, I guess it would be good to track the amount of things fixed that
originated from Sashiko review.

Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
quoted hunk ↗ jump to hunk
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 5b2640bd31c3..25ee45cb7f3f 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
 {
 	int i;
 
-	for (i = 0; i < bp->fp_array_size; i++)
-		kfree(bp->fp[i].tpa_info);
+	if (bp->fp)
+		for (i = 0; i < bp->fp_array_size; i++)
+			kfree(bp->fp[i].tpa_info);
 	kfree(bp->fp);
 	kfree(bp->sp_objs);
 	kfree(bp->fp_stats);
-- 
2.43.0
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help