Message-ID: <CADm8Tem-jtBmmOO9S6jW-jzffCqe7X_DpJcy25KRkyY9Tn+TZA@mail.gmail.com>
Date: Fri, 12 Dec 2025 15:52:01 +0800
From: Tuo Li <islituo@...il.com>
To: klassert@...nel.org, andrew+netdev@...n.ch,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, mingo@...nel.org,
tglx@...utronix.de
Cc: netdev@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>
Subject: [BUG] net: 3com: 3c59x: Possible null-pointer dereferences caused by Compaq PCI BIOS32 problem
Hi,
I found a few potential null-pointer dereferences in vortex_probe1() in
Linux 6.18.
In this function, gendev is checked at lines 1109 and 1173, which
indicates that it may be NULL. However, it is later passed directly to
dma_alloc_coherent() at line 1211:
vp->rx_ring = dma_alloc_coherent(gendev, ...)
This can lead to some null-pointer dereferences. Here is an example
calling context:
dma_alloc_coherent(gendev, ...)
  dma_alloc_attrs(dev, ...)
    get_dma_ops(dev);
      if (dev->dma_ops)                      // dereferenced here
    WARN_ON_ONCE(!dev->coherent_dma_mask);   // dereferenced here
Similarly, pdev is checked by an if statement at line 1466, but is then
used unconditionally when freeing DMA memory at line 1476:
dma_free_coherent(&pdev->dev, ...)
It looks like these issues stem from the call at line 987 used as a
workaround for the Compaq PCI BIOS32 problem:
vortex_eisa_init(void)
    /* Special code to work-around the Compaq PCI BIOS32 problem. */
    if (compaq_ioaddr) {
        vortex_probe1(NULL, ioport_map(compaq_ioaddr, VORTEX_TOTAL_SIZE),
                      compaq_irq, compaq_device_id, vortex_cards_found++);
    }
This passes a NULL gendev into vortex_probe1().
I am not fully sure whether these paths are reachable in practice and how
to fix it. Any feedback would be appreciated.
Sincerely,
Tuo Li
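The pattern the report describes (a device pointer that is tested in some places but passed unconditionally to the DMA allocator), modelled in user space as an added illustration; this is not 3c59x or kernel code, and struct device, mock_dma_alloc_coherent(), probe_as_reported() and probe_guarded() are stand-ins. The guarded variant is one defensive shape, assumed here, not the maintainers' fix.

```c
/* Added illustration, not 3c59x or kernel code: a user-space model of the
 * reported pattern. struct device, mock_dma_alloc_coherent() and the probe
 * functions below are stand-ins for the kernel symbols. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

enum bus_kind { BUS_NONE, BUS_PCI, BUS_EISA };

struct device {
    enum bus_kind bus;
    void *dma_ops;                        /* dev->dma_ops in get_dma_ops() */
    unsigned long long coherent_dma_mask;
};

/* Counts calls that would have dereferenced a NULL dev in the real
 * dma_alloc_coherent() -> dma_alloc_attrs() path. */
static int null_dev_derefs;

static void *mock_dma_alloc_coherent(struct device *dev, size_t size)
{
    if (dev == NULL) {
        null_dev_derefs++;                /* the kernel would oops here */
        return NULL;
    }
    (void)dev->dma_ops;                   /* get_dma_ops(dev) */
    if (!dev->coherent_dma_mask)          /* WARN_ON_ONCE(!dev->coherent_dma_mask) */
        return NULL;
    return malloc(size);
}

/* As reported: gendev is tested twice (so NULL is an admitted input),
 * yet the ring allocation then uses it unconditionally. */
static int probe_as_reported(struct device *gendev, void **rx_ring)
{
    struct device *pdev = (gendev && gendev->bus == BUS_PCI) ? gendev : NULL;
    struct device *edev = (gendev && gendev->bus == BUS_EISA) ? gendev : NULL;
    (void)pdev; (void)edev;               /* only the checks matter for the model */
    *rx_ring = mock_dma_alloc_coherent(gendev, 4096);
    return *rx_ring ? 0 : -ENOMEM;
}

/* One defensive shape (an assumption, not the maintainers' fix): a probe
 * with no device to allocate DMA memory against bails out before the call. */
static int probe_guarded(struct device *gendev, void **rx_ring)
{
    if (gendev == NULL)
        return -ENODEV;
    return probe_as_reported(gendev, rx_ring);
}

int null_derefs_recorded(void) { return null_dev_derefs; }
```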