* [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
@ 2026-07-01 6:50 Abdun Nihaal
2026-07-01 14:20 ` Maciej Fijalkowski
2026-07-03 14:12 ` Paolo Abeni
0 siblings, 2 replies; 3+ messages in thread
From: Abdun Nihaal @ 2026-07-01 6:50 UTC (permalink / raw)
To: skalluru
Cc: Abdun Nihaal, manishc, andrew+netdev, davem, edumazet, kuba,
pabeni, netdev, linux-kernel, horms, stable
In one of the error path in bnx2x_alloc_mem_bp(), bnx2x_free_mem_bp()
may be called with bp->fp uninitialized. And so, there could be a null
pointer dereference in bnx2x_free_mem_bp(). Fix that by adding a null
check before the only dereference of bp->fp in the function.
The issue was reported by Sashiko AI review.
Fixes: c3146eb676e7 ("bnx2x: Correct memory preparation and release")
Cc: stable@vger.kernel.org
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
---
Compile tested only.
Thanks to Simon Horman for pointing out the Sashiko review.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 5b2640bd31c3..25ee45cb7f3f 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
{
int i;
- for (i = 0; i < bp->fp_array_size; i++)
- kfree(bp->fp[i].tpa_info);
+ if (bp->fp)
+ for (i = 0; i < bp->fp_array_size; i++)
+ kfree(bp->fp[i].tpa_info);
kfree(bp->fp);
kfree(bp->sp_objs);
kfree(bp->fp_stats);
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
2026-07-01 6:50 [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp() Abdun Nihaal
@ 2026-07-01 14:20 ` Maciej Fijalkowski
2026-07-03 14:12 ` Paolo Abeni
1 sibling, 0 replies; 3+ messages in thread
From: Maciej Fijalkowski @ 2026-07-01 14:20 UTC (permalink / raw)
To: Abdun Nihaal
Cc: skalluru, manishc, andrew+netdev, davem, edumazet, kuba, pabeni,
netdev, linux-kernel, horms, stable
On Wed, Jul 01, 2026 at 12:20:26PM +0530, Abdun Nihaal wrote:
> In one of the error path in bnx2x_alloc_mem_bp(), bnx2x_free_mem_bp()
> may be called with bp->fp uninitialized. And so, there could be a null
> pointer dereference in bnx2x_free_mem_bp(). Fix that by adding a null
> check before the only dereference of bp->fp in the function.
>
> The issue was reported by Sashiko AI review.
>
> Fixes: c3146eb676e7 ("bnx2x: Correct memory preparation and release")
> Cc: stable@vger.kernel.org
> Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
> ---
> Compile tested only.
> Thanks to Simon Horman for pointing out the Sashiko review.
Should we include Reported-by tag given to Sashiko? I did that in my last
changes, I guess it would be good to track the amount of things fixed that
originated from Sashiko review.
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
>
> drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 5b2640bd31c3..25ee45cb7f3f 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
> {
> int i;
>
> - for (i = 0; i < bp->fp_array_size; i++)
> - kfree(bp->fp[i].tpa_info);
> + if (bp->fp)
> + for (i = 0; i < bp->fp_array_size; i++)
> + kfree(bp->fp[i].tpa_info);
> kfree(bp->fp);
> kfree(bp->sp_objs);
> kfree(bp->fp_stats);
> --
> 2.43.0
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp()
2026-07-01 6:50 [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp() Abdun Nihaal
2026-07-01 14:20 ` Maciej Fijalkowski
@ 2026-07-03 14:12 ` Paolo Abeni
1 sibling, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2026-07-03 14:12 UTC (permalink / raw)
To: Abdun Nihaal, skalluru
Cc: manishc, andrew+netdev, davem, edumazet, kuba, netdev,
linux-kernel, horms, stable
On 7/1/26 8:50 AM, Abdun Nihaal wrote:
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 5b2640bd31c3..25ee45cb7f3f 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -4712,8 +4712,9 @@ void bnx2x_free_mem_bp(struct bnx2x *bp)
> {
> int i;
>
> - for (i = 0; i < bp->fp_array_size; i++)
> - kfree(bp->fp[i].tpa_info);
> + if (bp->fp)
> + for (i = 0; i < bp->fp_array_size; i++)
> + kfree(bp->fp[i].tpa_info);
I think that a cleaner fix would be moving bp->fp_array_size
initialization after bp->fp.
/P
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-03 14:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 6:50 [PATCH net] bnx2x: fix null pointer dereference in bnx2x_free_mem_bp() Abdun Nihaal
2026-07-01 14:20 ` Maciej Fijalkowski
2026-07-03 14:12 ` Paolo Abeni
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox