Netdev List
* [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
@ 2026-07-01  6:50 Abdun Nihaal
  2026-07-01 14:20 ` Maciej Fijalkowski
  2026-07-03 14:12 ` Paolo Abeni
  0 siblings, 2 replies; 3+ messages in thread
From: Abdun Nihaal @ 2026-07-01  6:50 UTC
  To: skalluru
  Cc: Abdun Nihaal, manishc, andrew+netdev, davem, edumazet, kuba,
	pabeni, netdev, linux-kernel, horms, stable

In one of the error paths in bnx2x_alloc_mem_bp(), bnx2x_free_mem_bp()
may be called with bp->fp uninitialized. And so, there could be a null
pointer dereference in bnx2x_free_mem_bp(). Fix that by adding a null
check before the only dereference of bp->fp in the function.

The issue was reported by Sashiko AI review.

Fixes: c3146eb676e7 ("bnx2x: Correct memory preparation and release")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
---
Compile tested only.
Thanks to Simon Horman for pointing out the Sashiko review.

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 5b2640bd31c3..25ee45cb7f3f 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
 {
 	int i;
 
-	for (i = 0; i < bp->fp_array_size; i++)
-		kfree(bp->fp[i].tpa_info);
+	if (bp->fp)
+		for (i = 0; i < bp->fp_array_size; i++)
+			kfree(bp->fp[i].tpa_info);
 	kfree(bp->fp);
 	kfree(bp->sp_objs);
 	kfree(bp->fp_stats);
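
Review bot: the new `if (bp->fp)` guard only helps if bp->fp is actually NULL on the failing path, but the changelog calls it "uninitialized"; please state that the pointer is NULL there (and why it is NULL rather than garbage), and name the error path in bnx2x_alloc_mem_bp() that reaches this function. With the patch marked "Compile tested only", that description is what reviewers and stable maintainers will rely on. The kfree(bp->fp), kfree(bp->sp_objs) and kfree(bp->fp_stats) calls in the trailing context need no guard, since kfree() accepts NULL.
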
-- 
2.43.0



* Re: [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
  2026-07-01  6:50 [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp() Abdun Nihaal
@ 2026-07-01 14:20 ` Maciej Fijalkowski
  2026-07-03 14:12 ` Paolo Abeni
  1 sibling, 0 replies; 3+ messages in thread
From: Maciej Fijalkowski @ 2026-07-01 14:20 UTC
  To: Abdun Nihaal
  Cc: skalluru, manishc, andrew+netdev, davem, edumazet, kuba, pabeni,
	netdev, linux-kernel, horms, stable

On Wed, Jul 01, 2026 at 12:20:26PM +0530, Abdun Nihaal wrote:
> In one of the error paths in bnx2x_alloc_mem_bp(), bnx2x_free_mem_bp()
> may be called with bp->fp uninitialized. And so, there could be a null
> pointer dereference in bnx2x_free_mem_bp(). Fix that by adding a null
> check before the only dereference of bp->fp in the function.
> 
> The issue was reported by Sashiko AI review.
> 
> Fixes: c3146eb676e7 ("bnx2x: Correct memory preparation and release")
> Cc: stable@vger.kernel.org
> Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
> ---
> Compile tested only.
> Thanks to Simon Horman for pointing out the Sashiko review.

Should we include a Reported-by tag given to Sashiko? I did that in my last
changes; I guess it would be good to track the number of things fixed that
originated from Sashiko review.

Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>

> 
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 5b2640bd31c3..25ee45cb7f3f 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
>  {
>  	int i;
>  
> -	for (i = 0; i < bp->fp_array_size; i++)
> -		kfree(bp->fp[i].tpa_info);
> +	if (bp->fp)
> +		for (i = 0; i < bp->fp_array_size; i++)
> +			kfree(bp->fp[i].tpa_info);
>  	kfree(bp->fp);
>  	kfree(bp->sp_objs);
>  	kfree(bp->fp_stats);
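
Review bot: the `if (bp->fp)` added in this hunk takes a two-line `for` loop as an unbraced body; writing it as `if (bp->fp) { ... }` would make the extent of the guard obvious and keep a statement added later from silently landing outside the check. A short comment on the guard saying that bnx2x_free_mem_bp() can be reached from the bnx2x_alloc_mem_bp() error path with bp->fp still NULL would also help the next reader.
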
> -- 
> 2.43.0
> 
> 


* Re: [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
  2026-07-01  6:50 [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp() Abdun Nihaal
  2026-07-01 14:20 ` Maciej Fijalkowski
@ 2026-07-03 14:12 ` Paolo Abeni
  1 sibling, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2026-07-03 14:12 UTC
  To: Abdun Nihaal, skalluru
  Cc: manishc, andrew+netdev, davem, edumazet, kuba, netdev,
	linux-kernel, horms, stable

On 7/1/26 8:50 AM, Abdun Nihaal wrote:
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 5b2640bd31c3..25ee45cb7f3f 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
>  {
>  	int i;
>  
> -	for (i = 0; i < bp->fp_array_size; i++)
> -		kfree(bp->fp[i].tpa_info);
> +	if (bp->fp)
> +		for (i = 0; i < bp->fp_array_size; i++)
> +			kfree(bp->fp[i].tpa_info);

I think that a cleaner fix would be moving bp->fp_array_size
initialization after bp->fp.

/P


