From 799d2fff1858004526ad75d66a5dd8a5cce6ad40 Mon Sep 17 00:00:00 2001
From: Mirko Lindner <mlindner@marvell.com>
Date: Wed, 26 Nov 2014 15:13:38 +0100
Subject: sky2: Fix crash inside sky2_rx_clean

If sky2->tx_le = pci_alloc_consistent() or sky2->tx_ring = kcalloc() in
sky2_alloc_buffers() fails, sky2->rx_ring = kcalloc() will never be called.
In this error case handling, sky2_rx_clean() is called from within
sky2_free_buffers().

In sky2_rx_clean() we find the following:

...
   memset(sky2->rx_le, 0, RX_LE_BYTES);
...

This results in a memset using a NULL pointer and will crash the system.

Signed-off-by: Mirko Lindner <mlindner@marvell.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/ethernet/marvell/sky2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'drivers/net/ethernet/marvell/sky2.c')

diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
index 53a1cc52d496..f8ab220bd72c 100644
--- a/drivers/net/ethernet/marvell/sky2.c
+++ b/drivers/net/ethernet/marvell/sky2.c
@@ -1361,7 +1361,9 @@ static void sky2_rx_clean(struct sky2_port *sky2)
 {
 	unsigned i;
 
-	memset(sky2->rx_le, 0, RX_LE_BYTES);
+	if (sky2->rx_le)
+		memset(sky2->rx_le, 0, RX_LE_BYTES);
+
 	for (i = 0; i < sky2->rx_pending; i++) {
 		struct rx_ring_info *re = sky2->rx_ring + i;
 
-- 
cgit v1.2.3-59-g8ed1b