> If airoha_qdma_init routine fails before airoha_qdma_tx_irq_init() runs
> successfully for all TX NAPIs, airoha_qdma_cleanup() will
> unconditionally run netif_napi_del() on TX NAPIs, triggering a NULL
> pointer dereference. Fix the issue relying on q_tx_irq size value to
> check if the TX NAPIs are properly initialized in airoha_qdma_cleanup().
> Moreover, run netif_napi_add_tx() just if irq_q queue is properly
> allocated.
>
> Fixes: 23020f049327 ("net: airoha: Introduce ethernet support for EN7581 SoC")
> Signed-off-by: Lorenzo Bianconi
> --- > drivers/net/ethernet/airoha/airoha_eth.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c > index fc79c456743c..fd8c4f817d85 100644 > --- a/drivers/net/ethernet/airoha/airoha_eth.c > +++ b/drivers/net/ethernet/airoha/airoha_eth.c > @@ -996,8 +996,6 @@ static int airoha_qdma_tx_irq_init(struct airoha_tx_irq_queue *irq_q, > struct airoha_eth *eth = qdma->eth; > dma_addr_t dma_addr; > > - netif_napi_add_tx(eth->napi_dev, &irq_q->napi, > - airoha_qdma_tx_napi_poll); > irq_q->q = dmam_alloc_coherent(eth->dev, size * sizeof(u32), > &dma_addr, GFP_KERNEL); > if (!irq_q->q) > @@ -1007,6 +1005,9 @@ static int airoha_qdma_tx_irq_init(struct airoha_tx_irq_queue *irq_q, > irq_q->size = size; > irq_q->qdma = qdma; > > + netif_napi_add_tx(eth->napi_dev, &irq_q->napi, > + airoha_qdma_tx_napi_poll); > + > airoha_qdma_wr(qdma, REG_TX_IRQ_BASE(id), dma_addr); > airoha_qdma_rmw(qdma, REG_TX_IRQ_CFG(id), TX_IRQ_DEPTH_MASK, > FIELD_PREP(TX_IRQ_DEPTH_MASK, size));
> @@ -1398,8 +1399,12 @@ static void airoha_qdma_cleanup(struct airoha_qdma *qdma) > } > } > > - for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++) > + for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++) { > + if (!qdma->q_tx_irq[i].size) > + continue; > + > netif_napi_del(&qdma->q_tx_irq[i].napi); > + } > > for (i = 0; i < ARRAY_SIZE(qdma->q_tx); i++) { > if (!qdma->q_tx[i].ndesc) > > -- > 2.53.0 >

Commenting on the issue reported by Sashiko here:
https://sashiko.dev/#/patchset/20260420-airoha_qdma_init_rx_queue-fix-v2-0-d99347e5c18d%40kernel.org

- Could a similar vulnerability still exist in the TX queue initialization and cleanup path?

This issue is not related to this patch and is already fixed here:
https://patchwork.kernel.org/project/netdevbpf/patch/20260417-airoha_qdma_cleanup_tx_queue-fix-net-v4-1-e04bcc2c9642@kernel.org/

Regards,
Lorenzo
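
Review bot: In airoha_qdma_tx_irq_init(), irq_q->size now doubles as the "NAPI was registered" marker that airoha_qdma_cleanup() tests, but nothing at the `irq_q->size = size;` assignment says so. Please add a short comment there, and keep the netif_napi_add_tx() call directly after the assignment with no failure path in between, so a later change cannot leave size set while the NAPI is still unregistered. The marker also only works for a non-zero `size`: a caller passing 0 would get the NAPI added here and then skipped by the cleanup loop, so either reject a zero size up front or state that callers never pass it.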
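
Review bot: The new `if (!qdma->q_tx_irq[i].size) continue;` check in airoha_qdma_cleanup() is only correct if every q_tx_irq entry starts out zeroed before airoha_qdma_tx_irq_init() touches it, and the allocation of the qdma structure is not part of this diff. Please confirm that in the commit message or in a one-line comment above the check. The test itself matches the `if (!qdma->q_tx[i].ndesc)` idiom used by the q_tx loop that follows, so the style is consistent; the comment should just make clear that size is being used as the initialized flag for the NAPI and not only as the ring depth.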