| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Oct 2015 23:48:01 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: Yasushi SHOJI <yashi@...ark-techno.com>, netdev@...r.kernel.org
Subject: Re: sh_eth.c::sh_eth_rx(): mdp->rx_skbuff[entry] can be NULL
Hello.
On 10/19/2015 06:01 PM, Yasushi SHOJI wrote:
> In a low memory situation with netdev_alloc_skb() failure,
> mdp->rx_skbuff[entry] can be left NULL, however, sh_eth_rx() seems to
> access it without checking NULL or not in the following code:
>
> skb = mdp->rx_skbuff[entry];
> mdp->rx_skbuff[entry] = NULL;
> if (mdp->cd->rpadir)
> skb_reserve(skb, NET_IP_ALIGN);
> dma_unmap_single(&ndev->dev, rxdesc->addr,
> ALIGN(mdp->rx_buf_sz, 16),
> DMA_FROM_DEVICE);
>
> I've put BUG_ON() to test skb and got the following backtrace. I can
> also enable slub poisoning to see some bad access.
>
> I'm not that familiar with this code base so I'm note including any
> patch yet. I appreciate if someone with insight in this code give a
> quick look and tell me that it's a real one or not. if this is a real
> case, I can take a deep look.
If you got the oops, it's real. Thanks for the reporting. I guess I should
check the new ravb driver as well...
Do you want to try fixing the bug yourself?
> BTW, the backtrace is from old 3.4.74+ kernel but the current tip is
> very close.
Yeah, this part didn't change in a long time...
> Thanks,
MBR, Sergei
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists