Commit b5e5797e authored Mar 06, 2026 by Joshua Hay Committed by Tony Nguyen Mar 23, 2026

idpf: only assign num refillqs if allocation was successful

As reported by AI review [1], if the refillqs allocation fails, refillqs
will be NULL but num_refillqs will be non-zero. The release function
will then dereference refillqs since it thinks the refillqs are present,
resulting in a NULL ptr dereference.

Only assign the num refillqs if the allocation was successful. This will
prevent the release function from entering the loop and accessing
refillqs.

[1] https://lore.kernel.org/netdev/20260227035625.2632753-1-kuba@kernel.org/



Fixes: 95af467d ("idpf: configure resources for RX queues")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>

parent 1eb0db7e

drivers/net/ethernet/intel/idpf/idpf_txrx.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1860,13 +1860,13 @@ static int idpf_rxq_group_alloc(struct idpf_vport *vport,
		idpf_queue_assign(HSPLIT_EN, q, hs);
		idpf_queue_assign(RSC_EN, q, rsc);

		bufq_set->num_refillqs = num_rxq;
		bufq_set->refillqs = kcalloc(num_rxq, swq_size,
		GFP_KERNEL);
		if (!bufq_set->refillqs) {
		err = -ENOMEM;
		goto err_alloc;
		}
		bufq_set->num_refillqs = num_rxq;
		for (unsigned int k = 0; k < bufq_set->num_refillqs; k++) {
		struct idpf_sw_queue *refillq =
		&bufq_set->refillqs[k];