From: "Toshio" <andrej@ota.si>
To: <linux-kernel@vger.kernel.org>
Cc: <gvs@zemos.net>
Subject: unable to handle kernel NULL pointer dereference in skb_dequeue
Date: Fri, 3 Dec 2010 13:42:07 +0100
Message-ID: <0fe401cb92e7$85ba2260$912e6720$@si>
I have also hit Bug 20292 (https://bugzilla.kernel.org/show_bug.cgi?id=20292) in final 2.6.36. After investigating the changes made between 2.6.35.4, which worked, and 2.6.36, which started oopsing, I think the problem was a double free of the skb caused by the change of return value of __pppoe_xmit in case of errors.
As it turned out, this might be the cause of random BUG reports throughout the kernel, whenever something touched the skb. The most common BUG with my use case happened at skb_dequeue:
00000060 <skb_dequeue>:
60: 53 push %ebx
61: 89 c2 mov %eax,%edx
63: 9c pushf
64: 59 pop %ecx
65: fa cli
66: 8b 00 mov (%eax),%eax
68: 39 c2 cmp %eax,%edx
6a: 74 24 je 90 <skb_dequeue+0x30>
6c: 85 c0 test %eax,%eax
6e: 74 1a je 8a <skb_dequeue+0x2a>
70: ff 4a 08 decl 0x8(%edx)
73: 8b 18 mov (%eax),%ebx
75: c7 00 00 00 00 00 movl $0x0,(%eax)
7b: 8b 50 04 mov 0x4(%eax),%edx
7e: c7 40 04 00 00 00 00 movl $0x0,0x4(%eax)
85: 89 53 04 mov %edx,0x4(%ebx)
88:* 89 1a mov %ebx,(%edx)
8a: 51 push %ecx
8b: 9d popf
8c: 5b pop %ebx
8d: c3 ret
8e: 66 90 xchg %ax,%ax
90: b8 00 00 00 00 mov $0x0,%eax
95: eb f3 jmp 8a <skb_dequeue+0x2a>
97: 89 f6 mov %esi,%esi
99: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
This location corresponds to the line "next = next->next" from the inlined __skb_dequeue(). The only reason a BUG could happen here is something overwriting or otherwise corrupting the skb list.
The patch that works for me is below. Now I only hope I haven't (re)introduced a memory leak...
I am not subscribed to LKML, so please reply-to-all if you need to contact me.
-----------------------------------------------------------------------------
--- linux-2.6.36/drivers/net/pppoe.c 2010-10-20 22:30:22.000000000 +0200
+++ linux-2.6.36.toshio/drivers/net/pppoe.c 2010-12-03 13:11:56.000000000 +0100
@@ -924,8 +924,10 @@
/* Copy the data if there is no space for the header or if it's
* read-only.
*/
- if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+ if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) {
+ kfree_skb(skb);
goto abort;
+ }
__skb_push(skb, sizeof(*ph));
skb_reset_network_header(skb);
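Review bot: the skb_cow_head() failure branch still frees the skb and then falls through `goto abort` to `return 0`, which is the same free-plus-error-return combination the cover mail identifies as the cause of the double free; if the caller treats 0 as "not consumed" and keeps its reference, this branch remains hazardous. Either return 1 (consumed) directly after `kfree_skb(skb);` in this branch, or leave the buffer to the caller on this path as well, and state the chosen ownership rule in the description.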
@@ -947,7 +949,6 @@
return 1;
abort:
- kfree_skb(skb);
return 0;
}
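Review bot: with `kfree_skb(skb)` removed from the `abort:` label, every other `goto abort` in __pppoe_xmit() that lies outside this hunk now returns 0 with the skb unfreed, so the change silently depends on the caller owning the buffer in those cases; please audit those jumps and add a one-line comment at `abort:` recording that the caller retains the skb. The submission also lacks a description of the ownership convention it relies on and a Signed-off-by line.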
-----------------------------------------------------------------------------
Andrej Ota.
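The following is an added user-space model of the ownership rule behind the double free described in the mail; it is not code from the mail or from the kernel tree. It assumes a hypothetical channel contract modelled on the ppp_generic style of start_xmit (return 1 = the channel consumed the buffer, return 0 = the caller still owns it and will retry or free it later) and replaces real frees with a bookkeeping flag so that a second free is observable instead of undefined behaviour. Running a failing transmit through three error-path variants shows which combinations of free and return value keep the buffer freed exactly once.

```c
#include <stdio.h>

/* Minimal stand-in for struct sk_buff (constructed for this example).  Instead
 * of really freeing memory we keep a flag, so a second free is observable. */
struct mock_skb {
    int id;
    int freed;
};

struct outcome {
    int freed;         /* was the buffer released at all (0 = leaked)? */
    int double_frees;  /* releases after it had already been freed */
};

static int g_double_frees;

/* Stand-in for kfree_skb(): records the free instead of performing it. */
static void mock_kfree_skb(struct mock_skb *skb)
{
    if (skb->freed)
        g_double_frees++;
    skb->freed = 1;
}

/* Assumed channel contract (hypothetical): return 1 = buffer consumed by the
 * channel, return 0 = caller still owns it. */

/* Error path of the kind the mail blames: free the skb, then report "not consumed". */
static int xmit_free_then_return_0(struct mock_skb *skb, int fail)
{
    if (fail) {
        mock_kfree_skb(skb);
        return 0;
    }
    return 1;  /* transmitted: consumed */
}

/* Consistent alternative A: on error do not touch the skb; the caller owns it. */
static int xmit_leave_to_caller(struct mock_skb *skb, int fail)
{
    (void)skb;
    return fail ? 0 : 1;
}

/* Consistent alternative B: on error free the skb and report it as consumed. */
static int xmit_free_and_consume(struct mock_skb *skb, int fail)
{
    if (fail)
        mock_kfree_skb(skb);
    return 1;
}

/* Caller model: keeps the skb in xmit_pending while the channel reports 0,
 * and frees whatever is still pending at teardown. */
struct mock_ppp {
    struct mock_skb *xmit_pending;
};

static void mock_ppp_push(struct mock_ppp *ppp,
                          int (*xmit)(struct mock_skb *, int), int fail)
{
    if (ppp->xmit_pending && xmit(ppp->xmit_pending, fail))
        ppp->xmit_pending = NULL;   /* channel consumed it; drop our reference */
}

static void mock_ppp_destroy(struct mock_ppp *ppp)
{
    if (ppp->xmit_pending) {
        mock_kfree_skb(ppp->xmit_pending);
        ppp->xmit_pending = NULL;
    }
}

/* Drive one failing transmit through the given xmit and report what happened. */
struct outcome run_failing_xmit(int (*xmit)(struct mock_skb *, int))
{
    struct mock_skb skb = { 1, 0 };
    struct mock_ppp ppp = { &skb };
    struct outcome out;

    g_double_frees = 0;
    mock_ppp_push(&ppp, xmit, 1);
    mock_ppp_destroy(&ppp);

    out.freed = skb.freed;
    out.double_frees = g_double_frees;
    return out;
}

int main(void)
{
    struct outcome o;

    o = run_failing_xmit(xmit_free_then_return_0);
    printf("free + return 0 : freed=%d double_frees=%d\n", o.freed, o.double_frees);
    o = run_failing_xmit(xmit_leave_to_caller);
    printf("leave to caller : freed=%d double_frees=%d\n", o.freed, o.double_frees);
    o = run_failing_xmit(xmit_free_and_consume);
    printf("free + return 1 : freed=%d double_frees=%d\n", o.freed, o.double_frees);
    return 0;
}
```

Only the first variant produces a double free: the channel releases the buffer and then tells the caller it still owns it, so the caller frees it again at teardown. Both consistent variants release the buffer exactly once, which is the property a reviewer would want to check on every error path of a transmit routine, including the ones a patch does not touch.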
Thread overview: 9+ messages
2010-12-03 12:42 Toshio [this message]
2010-12-03 13:09 ` unable to handle kernel NULL pointer dereference in skb_dequeue Eric Dumazet
2010-12-03 14:37 ` Andrej Ota
2010-12-03 14:46 ` Eric Dumazet
2010-12-03 22:07 ` Jarek Poplawski
2010-12-03 22:16 ` Denys Fedoryshchenko
2010-12-10 19:51 ` Denys Fedoryshchenko
2010-12-10 20:18 ` David Miller
2010-12-10 21:30 ` Jarek Poplawski