Two kcalloc() allocations (descriptor table and context table) can fail and are used unconditionally afterwards (ALIGN()/phys conversion and dereferences), leading to potential NULL pointer dereference.
Check both allocations and bail out early; on the second failure, free the first allocation to avoid a leak. Do not emit extra OOM logs.
Fixes: 73d739698017 ("sb1250-mac.c: De-typedef, de-volatile, de-etc...") Fixes: c477f3348abb ("drivers/net/sb1250-mac.c: kmalloc + memset conversion to kcalloc") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li lgs201920130244@gmail.com --- drivers/net/ethernet/broadcom/sb1250-mac.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/sb1250-mac.c b/drivers/net/ethernet/broadcom/sb1250-mac.c
index 30865fe03eeb..e16a49e22488 100644
--- a/drivers/net/ethernet/broadcom/sb1250-mac.c
+++ b/drivers/net/ethernet/broadcom/sb1250-mac.c
@@ -625,6 +625,8 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan,
d->sbdma_dscrtable_unaligned = kcalloc(d->sbdma_maxdescr + 1, sizeof(*d->sbdma_dscrtable), GFP_KERNEL);
+ if (!d->sbdma_dscrtable_unaligned)
+ return; /* avoid NULL deref in ALIGN/phys conversion */
/* * The descriptor table must be aligned to at least 16 bytes or the
@@ -644,7 +646,11 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan,
d->sbdma_ctxtable = kcalloc(d->sbdma_maxdescr, sizeof(*d->sbdma_ctxtable), GFP_KERNEL);
-
+ if (!d->sbdma_ctxtable) {
+ kfree(d->sbdma_dscrtable_unaligned);
+ d->sbdma_dscrtable_unaligned = NULL;
+ return;
+ }
#ifdef CONFIG_SBMAC_COALESCE /* * Setup Rx/Tx DMA coalescing defaults
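Review bot: The second error path frees `d->sbdma_dscrtable_unaligned` and clears only that field, so any pointer or physical address derived from it between the two hunks would be left referring to freed memory. That code is outside the visible lines, but the commit message describes an ALIGN()/phys conversion there. If those derived fields are set as described, clear them in the same branch, e.g. `d->sbdma_dscrtable = NULL;`, so later users of the ring see NULL rather than a stale address. Both early returns also report nothing, because `sbdma_initctx()` is `void` per the hunk header; unless the callers (not shown) re-check the tables, the NULL dereference is only deferred to the first code that touches the ring. Consider returning `int` with `return -ENOMEM;` on both paths and failing the caller's setup.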
On Thu, 18 Sep 2025 20:10:51 +0800 Guangshuo Li wrote:
Fixes: 73d739698017 ("sb1250-mac.c: De-typedef, de-volatile, de-etc...") Fixes: c477f3348abb ("drivers/net/sb1250-mac.c: kmalloc + memset conversion to kcalloc")
neither of these tags is correct, the bug existed before them. The Fixes tag should point to the commit that added the bug, not the last commit that touched the line
Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li lgs201920130244@gmail.com
drivers/net/ethernet/broadcom/sb1250-mac.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/sb1250-mac.c b/drivers/net/ethernet/broadcom/sb1250-mac.c
index 30865fe03eeb..e16a49e22488 100644
--- a/drivers/net/ethernet/broadcom/sb1250-mac.c
+++ b/drivers/net/ethernet/broadcom/sb1250-mac.c
@@ -625,6 +625,8 @@ static void sbdma_initctx(struct sbmacdma *d, struct sbmac_softc *s, int chan,
d->sbdma_dscrtable_unaligned = kcalloc(d->sbdma_maxdescr + 1, sizeof(*d->sbdma_dscrtable), GFP_KERNEL);
- if (!d->sbdma_dscrtable_unaligned)
return; /* avoid NULL deref in ALIGN/phys conversion */
This comment is completely unnecessary
Please make sure to read: https://www.kernel.org/doc/html/next/process/maintainer-netdev.html before proceeding