> of_reserved_mem_lookup() may return NULL if the reserved memory region > referenced by the "memory-region" phandle is not found in the reserved > memory table (e.g. due to a misconfigured DTS or a removed > memory-region node). The current code dereferences the returned > pointer without checking for NULL, leading to a kernel NULL pointer > dereference at the following lines: > > dma_addr = rmem->base; // line 1156 > num_desc = div_u64(rmem->size, buf_size); // line 1160 > > Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if > the lookup fails, which is consistent with the existing error handling > for of_parse_phandle() failure in the same code block. > > Fixes: 3a1ce9e3d01b ("net: airoha: Add the capability to allocate hwfd buffers via reserved-memory") > Cc: stable@vger.kernel.org > Signed-off-by: ZhaoJinming Acked-by: Lorenzo Bianconi > --- > drivers/net/ethernet/airoha/airoha_eth.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c > index cecd66251dba..2444d3275a81 100644 > --- a/drivers/net/ethernet/airoha/airoha_eth.c > +++ b/drivers/net/ethernet/airoha/airoha_eth.c > @@ -1153,6 +1153,9 @@ static int airoha_qdma_init_hfwd_queues(struct airoha_qdma *qdma) > > rmem = of_reserved_mem_lookup(np); > of_node_put(np); > + if (!rmem) > + return -ENODEV; > + > dma_addr = rmem->base; > /* Compute the number of hw descriptors according to the > * reserved memory size and the payload buffer size > -- > 2.25.1
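Review bot: The added "if (!rmem) return -ENODEV;" after of_node_put(np) fails silently and, per the commit message, returns the same error code as the existing of_parse_phandle() failure, so a failed init gives no way to tell a missing "memory-region" phandle from one that points at a node absent from the reserved memory table. Consider emitting a one-line error that names "memory-region" before the return, so a misconfigured DTS is identifiable from the log. Placing the check after of_node_put(np) is correct, since the node reference is then dropped on both the success and the error path. In the commit message, the "// line 1156" and "// line 1160" annotations will go stale as the file changes; quoting the two dereferencing statements (rmem->base and rmem->size) without line numbers is enough.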