From: Lennert Buytenhek Date: Sun, 24 Aug 2008 00:33:47 +0000 (+0200) Subject: mv643xx_eth: fix NULL pointer dereference in rxq_process() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9e1f37724265725ad4c14fc2ef60a162dc13ac64;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git mv643xx_eth: fix NULL pointer dereference in rxq_process() When we are low on memory, the assumption that every descriptor in the receive ring will have an skbuff associated with it does not hold. rxq_process() was assuming that if the receive descriptor it is working on is not owned by the hardware, it can safely be processed and handed to the networking stack. But a descriptor in the receive ring not being owned by the hardware can also happen when we are low on memory and did not manage to refill the receive ring fully. This patch changes rxq_process()'s bailout condition from "the first receive descriptor to be processed is owned by the hardware" to "the first receive descriptor to be processed is owned by the hardware OR the number of valid receive descriptors in the ring is zero". Signed-off-by: Lennert Buytenhek --- diff --git a/drivers/net/mv643xx_eth.c b/drivers/net/mv643xx_eth.c index 30e6d4b8d564..e33dfc0165f6 100644 --- a/drivers/net/mv643xx_eth.c +++ b/drivers/net/mv643xx_eth.c @@ -527,7 +527,7 @@ static int rxq_process(struct rx_queue *rxq, int budget) int rx; rx = 0; - while (rx < budget) { + while (rx < budget && rxq->rx_desc_count) { struct rx_desc *rx_desc; unsigned int cmd_sts; struct sk_buff *skb;