net: systemport: do not crash freeing an unitialized TX ring

Callers of bcm_sysport_init_tx_ring() can currently fail, and will
always call bcm_sysport_fini_tx_ring() in a loop ending at the number of
TX queues (32) without checking if the TX ring was successfully
initialized or not.

Update bcm_sysport_fini_tx_ring() to return early and avoid a crash
de-referencing ring->cbs if the TX ring was not initialized, since
ring->cbs is the last part of the initialization done by
bcm_sysport_init_tx_ring() that could fail.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Reported-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 0 deletions

diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
index c81bf74685c0..531bb7c57531 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -1175,6 +1175,13 @@ static void bcm_sysport_fini_tx_ring(struct bcm_sysport_priv *priv,
         if (!(reg & TDMA_DISABLED))
                 netdev_warn(priv->netdev, "TDMA not stopped!\n");
 
+        /* ring->cbs is the last part in bcm_sysport_init_tx_ring which could
+         * fail, so by checking this pointer we know whether the TX ring was
+         * fully initialized or not.
+         */
+        if (!ring->cbs)
+                return;
+
         napi_disable(&ring->napi);
         netif_napi_del(&ring->napi);