diff options
author | YueHaibing <yuehaibing@huawei.com> | 2018-06-08 05:58:25 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-06-09 01:47:46 +0300 |
commit | 6310a882fbe0b87e0950222f2ac197ed92e11792 (patch) | |
tree | 08c003839d82a89c3904bfc1639358f72fae525f /drivers/net/fddi/skfp/skfddi.c | |
parent | 58d813afbe89658a5972747460a5fe19dec4dbcb (diff) | |
download | linux-6310a882fbe0b87e0950222f2ac197ed92e11792.tar.xz |
net: fddi: fix a possible null-ptr-deref
bp->SharedMemAddr is set to NULL while bp->SharedMemSize lesser-or-equal 0,
then memset will trigger null-ptr-deref.
fix it by replacing pci_alloc_consistent with dma_zalloc_coherent.
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/fddi/skfp/skfddi.c')
-rw-r--r-- | drivers/net/fddi/skfp/skfddi.c | 55 |
1 files changed, 28 insertions, 27 deletions
diff --git a/drivers/net/fddi/skfp/skfddi.c b/drivers/net/fddi/skfp/skfddi.c index 2414f1dc8ddd..72433f3efc74 100644 --- a/drivers/net/fddi/skfp/skfddi.c +++ b/drivers/net/fddi/skfp/skfddi.c @@ -297,11 +297,11 @@ static int skfp_init_one(struct pci_dev *pdev, return 0; err_out5: if (smc->os.SharedMemAddr) - pci_free_consistent(pdev, smc->os.SharedMemSize, - smc->os.SharedMemAddr, - smc->os.SharedMemDMA); - pci_free_consistent(pdev, MAX_FRAME_SIZE, - smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA); + dma_free_coherent(&pdev->dev, smc->os.SharedMemSize, + smc->os.SharedMemAddr, + smc->os.SharedMemDMA); + dma_free_coherent(&pdev->dev, MAX_FRAME_SIZE, + smc->os.LocalRxBuffer, smc->os.LocalRxBufferDMA); err_out4: free_netdev(dev); err_out3: @@ -328,17 +328,17 @@ static void skfp_remove_one(struct pci_dev *pdev) unregister_netdev(p); if (lp->os.SharedMemAddr) { - pci_free_consistent(&lp->os.pdev, - lp->os.SharedMemSize, - lp->os.SharedMemAddr, - lp->os.SharedMemDMA); + dma_free_coherent(&pdev->dev, + lp->os.SharedMemSize, + lp->os.SharedMemAddr, + lp->os.SharedMemDMA); lp->os.SharedMemAddr = NULL; } if (lp->os.LocalRxBuffer) { - pci_free_consistent(&lp->os.pdev, - MAX_FRAME_SIZE, - lp->os.LocalRxBuffer, - lp->os.LocalRxBufferDMA); + dma_free_coherent(&pdev->dev, + MAX_FRAME_SIZE, + lp->os.LocalRxBuffer, + lp->os.LocalRxBufferDMA); lp->os.LocalRxBuffer = NULL; } #ifdef MEM_MAPPED_IO @@ -394,7 +394,9 @@ static int skfp_driver_init(struct net_device *dev) spin_lock_init(&bp->DriverLock); // Allocate invalid frame - bp->LocalRxBuffer = pci_alloc_consistent(&bp->pdev, MAX_FRAME_SIZE, &bp->LocalRxBufferDMA); + bp->LocalRxBuffer = dma_alloc_coherent(&bp->pdev.dev, MAX_FRAME_SIZE, + &bp->LocalRxBufferDMA, + GFP_ATOMIC); if (!bp->LocalRxBuffer) { printk("could not allocate mem for "); printk("LocalRxBuffer: %d byte\n", MAX_FRAME_SIZE); @@ -407,23 +409,22 @@ static int skfp_driver_init(struct net_device *dev) if (bp->SharedMemSize > 0) { bp->SharedMemSize += 16; // for descriptor alignment - bp->SharedMemAddr = pci_alloc_consistent(&bp->pdev, - bp->SharedMemSize, - &bp->SharedMemDMA); + bp->SharedMemAddr = dma_zalloc_coherent(&bp->pdev.dev, + bp->SharedMemSize, + &bp->SharedMemDMA, + GFP_ATOMIC); if (!bp->SharedMemAddr) { printk("could not allocate mem for "); printk("hardware module: %ld byte\n", bp->SharedMemSize); goto fail; } - bp->SharedMemHeap = 0; // Nothing used yet. } else { bp->SharedMemAddr = NULL; - bp->SharedMemHeap = 0; - } // SharedMemSize > 0 + } - memset(bp->SharedMemAddr, 0, bp->SharedMemSize); + bp->SharedMemHeap = 0; card_stop(smc); // Reset adapter. @@ -442,15 +443,15 @@ static int skfp_driver_init(struct net_device *dev) fail: if (bp->SharedMemAddr) { - pci_free_consistent(&bp->pdev, - bp->SharedMemSize, - bp->SharedMemAddr, - bp->SharedMemDMA); + dma_free_coherent(&bp->pdev.dev, + bp->SharedMemSize, + bp->SharedMemAddr, + bp->SharedMemDMA); bp->SharedMemAddr = NULL; } if (bp->LocalRxBuffer) { - pci_free_consistent(&bp->pdev, MAX_FRAME_SIZE, - bp->LocalRxBuffer, bp->LocalRxBufferDMA); + dma_free_coherent(&bp->pdev.dev, MAX_FRAME_SIZE, + bp->LocalRxBuffer, bp->LocalRxBufferDMA); bp->LocalRxBuffer = NULL; } return err; |