Commit f38f6500 authored by Hongchen Zhang's avatar Hongchen Zhang
Browse files

net: stmmac: fix potential double free of dma descriptor resources 

LoongArch inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I733VA



--------------------------------

reset the dma descriptor related resource's pointer to NULL,otherwise
a potential double free problem may be triggered:
stmmac_open
  alloc_dma_desc_resources
  init_dma_desc_rings
  stmmac_hw_setup  (Failed)
    goto init_error;
  free_dma_desc_resources(priv);
  (DMA related resource pointer not reset to NULL)
...
stmmac_open
  alloc_dma_desc_resources
    alloc_dma_tx_desc_resources (Failed)
      free_dma_tx_desc_resources
      (Double free of tx_q->tx_skbuff_dma tx_q->tx_skbuff)

Signed-off-by: default avatarHongchen Zhang <zhanghongchen@loongson.cn>
parent 52840607

drivers/net/ethernet/stmicro/stmmac/stmmac_main.c

+11 −0
Original line number Diff line number Diff line
@@ -1941,13 +1941,18 @@ static void __free_dma_rx_desc_resources(struct stmmac_priv *priv, 
		dma_free_coherent(priv->device, dma_conf->dma_rx_size *

				  sizeof(struct dma_extended_desc),

				  rx_q->dma_erx, rx_q->dma_rx_phy);

	rx_q->dma_rx = NULL;

	rx_q->dma_erx = NULL;



	if (xdp_rxq_info_is_reg(&rx_q->xdp_rxq))

		xdp_rxq_info_unreg(&rx_q->xdp_rxq);



	kfree(rx_q->buf_pool);

	rx_q->buf_pool = NULL;



	if (rx_q->page_pool)

		page_pool_destroy(rx_q->page_pool);

	rx_q->page_pool = NULL;

}



static void free_dma_rx_desc_resources(struct stmmac_priv *priv,
@@ -1993,8 +1998,14 @@ static void __free_dma_tx_desc_resources(struct stmmac_priv *priv, 


	dma_free_coherent(priv->device, size, addr, tx_q->dma_tx_phy);



	tx_q->dma_etx = NULL;

	tx_q->dma_entx = NULL;

	tx_q->dma_tx = NULL;



	kfree(tx_q->tx_skbuff_dma);

	tx_q->tx_skbuff_dma = NULL;

	kfree(tx_q->tx_skbuff);

	tx_q->tx_skbuff = NULL;

}



static void free_dma_tx_desc_resources(struct stmmac_priv *priv,