Message-ID: <CAO7SqHCqADHoZMy7+quaF83-Ln24A=xx10D1Tv9=SX5DFsncpg@mail.gmail.com>
Date:   Tue, 28 Mar 2017 11:32:40 -0700
From:   Salam Noureddine <noureddine@...sta.com>
To:     Network Development <netdev@...r.kernel.org>
Cc:     mchan@...adcom.com, prashant@...adcom.com, siva.kallam@...adcom.com
Subject: Null pointer dereference in tg3_poll_work running linux-3.4

Hi,

We've seen a very rare kernel panic in tg3_poll_work on hardware running
linux-3.4. I haven't seen any upstream patches that seem to fix this issue
in the tg3 driver. The disassembly shows that the panic is happening in
tg3_rx, which is inlined into tg3_poll_work. In the code below, the "data"
pointer seems to be NULL:

                        tg3_recycle_rx(tnapi, tpr, opaque_key,
                                       desc_idx, *post_ptr);

                        skb = netdev_alloc_skb(tp->dev,
                                               len + TG3_RAW_IP_ALIGN);

                        if (skb == NULL)
                                goto drop_it_no_recycle;

                        skb_reserve(skb, TG3_RAW_IP_ALIGN);
                        pci_dma_sync_single_for_cpu(tp->pdev, dma_addr, len,
                                                    PCI_DMA_FROMDEVICE);
                        memcpy(skb->data,
                               data + TG3_RX_OFFSET(tp),
                               len);

                        pci_dma_sync_single_for_device(tp->pdev, dma_addr, len,
                                                       PCI_DMA_FROMDEVICE);

I am wondering if anyone has seen this before or if it was fixed and I
missed the patch for it. If not, any ideas on how we could end up with
data being null? I don't have a reproduction scenario for this one.

Thanks,

Salam
