mlx4_core: Fix possible bad free in mlx4_buf_free()

When mlx4_buf_free() is called from the error path of mlx4_buf_alloc(), it may be passed a buffer structure that does not have all pages filled in. Add a check for NULL to mlx4_buf_free() so we avoid passing NULL to dma_free_coherent() (which will crash). Signed-off-by: N Ali Ayoub <ali@mellanox.co.il> Signed-off-by: N Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by: N Roland Dreier <rolandd@cisco.com>

mlx4_core: Fix possible bad free in mlx4_buf_free()
When mlx4_buf_free() is called from the error path of mlx4_buf_alloc(), it may be passed a buffer structure that does not have all pages filled in. Add a check for NULL to mlx4_buf_free() so we avoid passing NULL to dma_free_coherent() (which will crash). Signed-off-by: N Ali Ayoub <ali@mellanox.co.il> Signed-off-by: N Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by: N Roland Dreier <rolandd@cisco.com>
3bba11e5 · Ali Ayoub · Roland Dreier · 9418d5dc · 3bba11e5
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

drivers/net/mlx4/alloc.c drivers/net/mlx4/alloc.c +4 -3

未找到文件。
--- a/drivers/net/mlx4/alloc.c
+++ b/drivers/net/mlx4/alloc.c
@@ -171,9 +171,10 @@ void mlx4_buf_free(struct mlx4_dev *dev, int size, struct mlx4_buf *buf)
 				  buf->u.direct.map);
 	else {
 		for (i = 0; i < buf->nbufs; ++i)
-			dma_free_coherent(&dev->pdev->dev, PAGE_SIZE,
-					  buf->u.page_list[i].buf,
-					  buf->u.page_list[i].map);
+			if (buf->u.page_list[i].buf)
+				dma_free_coherent(&dev->pdev->dev, PAGE_SIZE,
+						  buf->u.page_list[i].buf,
+						  buf->u.page_list[i].map);
 		kfree(buf->u.page_list);
 	}
 }