octeon_ep_vf: add NULL check for napi_build_skb()

[ Upstream commit dd66b42854705e4e4ee7f14d260f86c578bed3e3 ]

napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment paths, leading to a
NULL pointer dereference.

Add NULL checks after both napi_build_skb() calls, properly advancing
descriptors and consuming remaining fragments on failure.

Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260409184009.930359-3-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ inlined missing octep_vf_oq_next_idx() helper as read_idx++ with wraparound ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
index b579d5b545c46d4d82456e8df36ccbfc118d212d..8347e696937cdbcaffb92bda460b9ab0ddc4f595 100644 (file)
--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
@@ -409,10 +409,17 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
                        data_offset = OCTEP_VF_OQ_RESP_HW_SIZE;
                        rx_ol_flags = 0;
                }
-               rx_bytes += buff_info->len;
-
                if (buff_info->len <= oq->max_single_buffer_size) {
                        skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+                       if (!skb) {
+                               oq->stats->alloc_failures++;
+                               desc_used++;
+                               read_idx++;
+                               if (read_idx == oq->max_count)
+                                       read_idx = 0;
+                               continue;
+                       }
+                       rx_bytes += buff_info->len;
                        skb_reserve(skb, data_offset);
                        skb_put(skb, buff_info->len);
                        read_idx++;
@@ -424,6 +431,31 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
                        u16 data_len;
 
                        skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+                       if (!skb) {
+                               oq->stats->alloc_failures++;
+                               desc_used++;
+                               read_idx++;
+                               if (read_idx == oq->max_count)
+                                       read_idx = 0;
+                               data_len = buff_info->len - oq->max_single_buffer_size;
+                               while (data_len) {
+                                       dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr,
+                                                      PAGE_SIZE, DMA_FROM_DEVICE);
+                                       buff_info = (struct octep_vf_rx_buffer *)
+                                                   &oq->buff_info[read_idx];
+                                       buff_info->page = NULL;
+                                       if (data_len < oq->buffer_size)
+                                               data_len = 0;
+                                       else
+                                               data_len -= oq->buffer_size;
+                                       desc_used++;
+                                       read_idx++;
+                                       if (read_idx == oq->max_count)
+                                               read_idx = 0;
+                               }
+                               continue;
+                       }
+                       rx_bytes += buff_info->len;
                        skb_reserve(skb, data_offset);
                        /* Head fragment includes response header(s);
                         * subsequent fragments contains only data.