[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aa43945b38cee751a8231084866b074d@192.168.253.23>
Date: Fri, 03 Dec 2010 15:37:18 +0100
From: Andrej Ota <andrej@....si>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: <linux-kernel@...r.kernel.org>, <gvs@...os.net>,
Rami Rosen <ramirose@...il.com>,
netdev <netdev@...r.kernel.org>
Subject: Re: unable to handle kernel NULL pointer dereference in
skb_dequeue
>> Patch that works for me is below. Now I only hope I haven't
>> (re)introduced a memory leak...
> Problem comes from commit 55c95e738da85 (fix return value of
> __pppoe_xmit() method)
>
> I am not sure patch is OK
Me neither. That's why I wrote "works for me". All I dare say is that it
works better than current code and is probably no worse than it was before
above mentioned commit. Apart from that, there is no point in having return
value for __pppoe_xmit if return value isn't needed.
Easiest way of triggering this BUG is by terminating PPPoE on the server
side, which then hits "if (!dev) { goto abort; }". This in turn calls
"kfree_skb(skb); return 0;" which returns to pppoe_rcv_core which then
goto-s to "abort_put" which again calls "kfree_skb(skb)". Voila the bug.
I don't know how to trigger "if (skb_cow_head(skb, ..." to see if I have
just caused another BUG. However, if I read file comments at the top, I see
a comment from 19/07/01 stating that I have to delete original skb if code
succeeds and never delete it on failure. About the skb copy mentioned in
the same comment, I don't know. 2001 was many commits ago.
Andrej Ota.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists