idpf: only assign num refillqs if allocation was successful

As reported by AI review [1], if the refillqs allocation fails, refillqs
will be NULL but num_refillqs will be non-zero. The release function
will then dereference refillqs since it thinks the refillqs are present,
resulting in a NULL ptr dereference.

Only assign the num refillqs if the allocation was successful. This will
prevent the release function from entering the loop and accessing
refillqs.

[1] https://lore.kernel.org/netdev/20260227035625.2632753-1-kuba@kernel.org/

Fixes: 95af467d9a4e3 ("idpf: configure resources for RX queues")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>

diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 2522599930223fd35a07904752b199481f803e6a..f6b3b15364ff68400f726f7e7985778bda28486c 100644 (file)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -1860,13 +1860,13 @@ static int idpf_rxq_group_alloc(struct idpf_vport *vport,
                        idpf_queue_assign(HSPLIT_EN, q, hs);
                        idpf_queue_assign(RSC_EN, q, rsc);
 
-                       bufq_set->num_refillqs = num_rxq;
                        bufq_set->refillqs = kcalloc(num_rxq, swq_size,
                                                     GFP_KERNEL);
                        if (!bufq_set->refillqs) {
                                err = -ENOMEM;
                                goto err_alloc;
                        }
+                       bufq_set->num_refillqs = num_rxq;
                        for (unsigned int k = 0; k < bufq_set->num_refillqs; k++) {
                                struct idpf_sw_queue *refillq =
                                        &bufq_set->refillqs[k];