lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Fri, 23 Oct 2015 14:05:45 +0300
From:	Sergei Shtylyov <>
To:	Yasushi SHOJI <>
Subject: Re: sh_eth.c::sh_eth_rx(): mdp->rx_skbuff[entry] can be NULL

On 10/23/2015 12:17 AM, Sergei Shtylyov wrote:


>> If memory is not yet available
>> when the controller is trying to use the invalid descriptor, the
>> controller will see it and DMA will stop.
>     That means leaving RACT=0 and that's what the driver is even doing...
>     Hm, then I don't understand how the error you've described can occur,
> unless we encounter OOM during sh_eth_ring_format()...
>> Is it acceptable path to go?
>     I'm not seeing a bug in this function, perhaps I'm missing something?

    Nevermind, I'm seeing the bug now -- occurred to me before I went to bed 

>> To achieve zero copy, the driver push the sk_buffs filled with
>> received packet to the netdev core with netif_receive_skb() then
>> netdev_alloc_skb() sk_buffs in the sh_eth_rx(), the poll method of the
>> driver, and update the corresponding descriptor.
>> If the allocation failed, it just leave the function, leaving old
>> pointer in the descriptor as is.
>     Yes, but note that it also leaves RACT=0, which basically means an invalid
> descriptor, encountering which the reception should just stop.

    The problem is that the first loop has no way of identifying the bad 
descriptors. Looks like we only can fix that by checking rx_skbuff[entry] for 

MBR, Sergei

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists