lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Mar 2017 11:53:05 -0700 From: Michael Chan <michael.chan@...adcom.com> To: Salam Noureddine <noureddine@...sta.com> Cc: Network Development <netdev@...r.kernel.org>, "michael.chan@...adcom.com" <mchan@...adcom.com>, "prashant.sreedharan@...adcom.com" <prashant@...adcom.com>, Siva Reddy Kallam <siva.kallam@...adcom.com> Subject: Re: Null pointer dereference in tg3_poll_work running linux-3.4 On Tue, Mar 28, 2017 at 11:32 AM, Salam Noureddine <noureddine@...sta.com> wrote: > Hi, > > We've seen a very rare kernel panic in tg3_poll_work on hardware > running linux-3.4. > I haven't seen any upstream patches that seem to fix this issue in the > tg3 driver. > The disassembly shows that the panic is happening in tg3_rx which is > inlined into > tg3_poll_work. In the code below, the "data" pointer seem to be Null, The data pointer is derived from the opaque value in the receive descriptor. When the hardware completes a receive packet, the opaque value is returned so that the driver can retrieve the proper entry in the ring and locate the "data" pointer for the buffer. I don't remember any bug fixes related to this logic. One possibility is that there is DMA corruption and we are getting a bad opaque value. If you have the core dump, it will be useful to look at the receive completion ring. These opaque values are simple index values and should be in sequence.
Powered by blists - more mailing lists