As reported by AI review [1], if the refillqs allocation fails, refillqs
will be NULL but num_refillqs will be non-zero. The release function
will then dereference refillqs since it thinks the refillqs are present,
resulting in a NULL ptr dereference.

Only assign the num refillqs if the allocation was successful. This will
prevent the release function from entering the loop and accessing
refillqs.

[1] https://lore.kernel.org/netdev/[email protected]/

Fixes: 95af467d9a4e3 ("idpf: configure resources for RX queues")
Signed-off-by: Joshua Hay <[email protected]>
Reviewed-by: Madhu Chittim <[email protected]>
Reviewed-by: Aleksandr Loktionov <[email protected]>
---
 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c 
b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 252259993022..f6b3b15364ff 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -1860,13 +1860,13 @@ static int idpf_rxq_group_alloc(struct idpf_vport 
*vport,
                        idpf_queue_assign(HSPLIT_EN, q, hs);
                        idpf_queue_assign(RSC_EN, q, rsc);
 
-                       bufq_set->num_refillqs = num_rxq;
                        bufq_set->refillqs = kcalloc(num_rxq, swq_size,
                                                     GFP_KERNEL);
                        if (!bufq_set->refillqs) {
                                err = -ENOMEM;
                                goto err_alloc;
                        }
+                       bufq_set->num_refillqs = num_rxq;
                        for (unsigned int k = 0; k < bufq_set->num_refillqs; 
k++) {
                                struct idpf_sw_queue *refillq =
                                        &bufq_set->refillqs[k];
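
Review bot: In the `if (!bufq_set->refillqs)` failure branch, the `goto err_alloc` now leaves `bufq_set->num_refillqs` at whatever value it held before this block, so the fix is only complete if that field is guaranteed to be zero on entry. The hunk does not show how `bufq_set` is allocated or whether this path can run again on a previously used set. Please confirm the structure comes from a zeroing allocation and say so in the commit message, or set `bufq_set->num_refillqs = 0;` explicitly in the failure branch before the `goto`. Since the count and the pointer have to stay in step, it would also help if the release loop described in the commit message checked `refillqs` itself rather than relying on the count alone.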
-- 
2.39.2
