[4.2.y-ckt stable] Patch "sh_eth: fix NULL pointer dereference in sh_eth_ring_format()" has been added to the 4.2.y-ckt tree

Kamal Mostafa kamal at canonical.com
Mon Apr 25 19:43:27 UTC 2016 

This is a note to let you know that I have just added a patch titled

    sh_eth: fix NULL pointer dereference in sh_eth_ring_format()

to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue

This patch is scheduled to be released in version 4.2.8-ckt9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 4.2.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

>From 446391008813bcfebb7281d651d1a38e700df88f Mon Sep 17 00:00:00 2001
From: Sergei Shtylyov <sergei.shtylyov at cogentembedded.com>
Date: Tue, 8 Mar 2016 01:36:28 +0300
Subject: sh_eth: fix NULL pointer dereference in sh_eth_ring_format()

[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]

In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
kernel oops by adding the 'rxdesc' check after the loop.

Reported-by: Wolfram Sang <wsa+renesas at sang-engineering.com>
Signed-off-by: Sergei Shtylyov <sergei.shtylyov at cogentembedded.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/net/ethernet/renesas/sh_eth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index 675cd7f..880e177 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -1173,7 +1173,8 @@ static void sh_eth_ring_format(struct net_device *ndev)
 	mdp->dirty_rx = (u32) (i - mdp->num_rx_ring);

 	/* Mark the last entry as wrapping the ring. */
-	rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
+	if (rxdesc)
+		rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);

 	memset(mdp->tx_ring, 0, tx_ringsize);

--
2.7.4

More information about the kernel-team mailing list