From: Jarek Poplawski <jarkao2@o2.pl>
To: David Miller <davem@davemloft.net>
Cc: akpm@linux-foundation.org, netdev@vger.kernel.org,
	bugme-daemon@bugzilla.kernel.org, snakebyte@gmx.de
Subject: Re: [Bugme-new] [Bug 8057] New: slab corruption running ip6sic
Date: Tue, 24 Apr 2007 09:31:51 +0200
Message-ID: <20070424073151.GA2333@ff.dom.local>
In-Reply-To: <20070423064416.GB1684@ff.dom.local>

On Mon, Apr 23, 2007 at 08:44:16AM +0200, Jarek Poplawski wrote:
> On Fri, Apr 20, 2007 at 04:35:15PM -0700, David Miller wrote:
> > From: Jarek Poplawski <jarkao2@o2.pl>
> > Date: Mon, 12 Mar 2007 11:24:03 +0100
> > 
> > > > the ipcomp handler is xfrm6_rcv(), which calls xfrm6_rcv_spi(), which contrary
> > > > to all other handlers returns -1 instead of 0 after calling kfree_skb() on the
> > > > skb. Changing the return value to 0 in xfrm6_input.c:xfrm6_rcv_spi() fixes the
> > > > problem.
> > > > But I got no clue at all if this would be a correct fix
> > > 
> > > I think your diagnosis is correct (all "return -1" should be
> > > changed to "return 0" in xfrm6_input.c).
> 
> I've corrected this, yet:
> 
> "Sorry! Of course should be:
> I think your diagnosis is correct (all "return -1" should be
> changed to "return 0" in xfrm6_rcv_spi())."
> 
> It's just like Eric diagnosed:
> 
> xfrm6_rcv() calls tunnel6_rcv(), which calls handlers->handler()
> and if handler() returns anything but 0, skb is kfreed. But
> handler: xfrm6_tunnel_rcv() calls xfrm6_rcv_spi() and returns its
> return without changing, which is only 1 and -1. It seems, in
> every -1 case skb is kfreed by xfrm6_rcv_spi() or by functions
> called by it, probably meaning skb was handled (delivered or
> kfreed). The only path where skb is not kfreed returns 1.
> 
> tunnel6_rcv() treats both returns the same way - so some skbs
> are kfreed 2 times.

OK, now I see this place is really "special" and there is more
than this. The same handler is used for 2 things, which expect
different error codes for similar things. 

My proposal is: maybe Eric could change this in
xfrm6_tunnel_rcv() from xfrm6_tunnel.c e.g. like this:

return xfrm6_rcv_spi(skb, spi) > 0 ? : 0;

and, if no errors in testing, he could resubmit this patch? 

Regards,
Jarek P.
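
Added example (not part of the original message and not kernel code): a user-space C model of the return-value contract discussed above, showing how a handler that passes -1 through after the skb was already freed leads to a second free in the caller, and how mapping non-positive returns to 0 avoids it. The names `fake_skb`, `model_*` and `handler_*` are hypothetical, and a free counter stands in for kfree_skb().

```c
#include <stdio.h>

/* Constructed stand-in for an skb: counts frees instead of releasing memory. */
struct fake_skb { int frees; };

static void fake_kfree_skb(struct fake_skb *skb) { skb->frees++; }

/* Model of xfrm6_rcv_spi() as described in the thread: returns 1 with the
 * skb untouched, or -1 after the skb has already been consumed (freed). */
static int model_rcv_spi(struct fake_skb *skb, int consume)
{
    if (!consume)
        return 1;
    fake_kfree_skb(skb);
    return -1;
}

/* Handler as described: returns the inner result without changing it. */
static int handler_passthrough(struct fake_skb *skb, int consume)
{
    return model_rcv_spi(skb, consume);
}

/* Handler with the mapping proposed in the message, written in standard C
 * ("x > 0 ? : 0" is the GNU shorthand for the same result): 1 stays 1,
 * -1 becomes 0, which tells the caller the skb was already handled. */
static int handler_mapped(struct fake_skb *skb, int consume)
{
    return model_rcv_spi(skb, consume) > 0 ? 1 : 0;
}

/* Model of tunnel6_rcv() as described: any non-zero handler return makes
 * the caller free the skb. Returns how many times the skb was freed. */
static int model_tunnel_rcv(int (*handler)(struct fake_skb *, int), int consume)
{
    struct fake_skb skb = { 0 };
    if (handler(&skb, consume) != 0)
        fake_kfree_skb(&skb);
    return skb.frees;
}

int main(void)
{
    printf("passthrough, skb consumed: %d frees\n", model_tunnel_rcv(handler_passthrough, 1));
    printf("passthrough, skb kept:     %d frees\n", model_tunnel_rcv(handler_passthrough, 0));
    printf("mapped, skb consumed:      %d frees\n", model_tunnel_rcv(handler_mapped, 1));
    printf("mapped, skb kept:          %d frees\n", model_tunnel_rcv(handler_mapped, 0));
    return 0;
}
```
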

Thread overview: 9+ messages
2007-02-22 21:49 Fw: [Bugme-new] [Bug 8057] New: slab corruption running ip6sic Andrew Morton
2007-03-12 10:24 ` Jarek Poplawski
2007-03-12 10:29   ` Jarek Poplawski
2007-04-20 23:35   ` David Miller
2007-04-23  6:44     ` Jarek Poplawski
2007-04-24  7:31       ` Jarek Poplawski [this message]
2007-04-25  0:47         ` Herbert Xu
2007-04-25  8:27           ` Eric Sesterhenn / Snakebyte
2007-04-25 12:05             ` Jarek Poplawski