From: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
To: eric.dumazet@gmail.com
Cc: Misha Labjuk <spiked.yar@gmail.com>, netdev@vger.kernel.org
Subject: Re: PROBLEM: pppol2tp over pppoe NULL pointer dereference
Date: Wed, 02 Nov 2011 16:54:30 +0100
Message-ID: <4EB167B6.4040202@dti2.net>
In-Reply-To: <1320217652.30178.1.camel@edumazet-laptop>

On 02/11/2011 8:07, Eric Dumazet wrote:
> On Wednesday, 02 November 2011 at 09:04 +0400, Misha Labjuk wrote:
>> 2011/11/2 Eric Dumazet <eric.dumazet@gmail.com>:
>>>
>>> On what kind of NIC is this happening?
>>>
>>
>> Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit
>> Ethernet controller (rev 02)
>> Kernel driver in use: r8169
> 
> OK thanks, could you try the following patch as well ?
> 
> If we release reorder_q.lock, we must not keep a dangling pointer (tmp)
> and restart the whole loop.
> 
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> index 34b2dde..bf8d50c 100644
> --- a/net/l2tp/l2tp_core.c
> +++ b/net/l2tp/l2tp_core.c
> @@ -397,6 +397,7 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
>  	 * expect to send up next, dequeue it and any other
>  	 * in-sequence packets behind it.
>  	 */
> +start:
>  	spin_lock_bh(&session->reorder_q.lock);
>  	skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
>  		if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
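Review bot: the new `start:` label ahead of `spin_lock_bh(&session->reorder_q.lock)` is a backward jump target with no comment explaining it. The existing comment above it only describes dequeuing in-sequence packets; consider adding a line there saying that the walk restarts from the head because the lock is dropped around delivery and the `tmp` saved by `skb_queue_walk_safe()` cannot be trusted afterwards.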
> @@ -433,7 +434,7 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
>  		 */
>  		spin_unlock_bh(&session->reorder_q.lock);
>  		l2tp_recv_dequeue_skb(session, skb);
> -		spin_lock_bh(&session->reorder_q.lock);
> +		goto start;
>  	}
>  
>  out:
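Review bot: with `goto start` placed after `l2tp_recv_dequeue_skb(session, skb)`, every delivered skb triggers a fresh walk from the head of `reorder_q`, so the `time_after(jiffies, L2TP_SKB_CB(skb)->expires)` check is repeated for entries that were already examined. Restarting is the safe choice once the lock has been released, but it is worth confirming that the reorder queue stays short enough for the repeated walks not to matter, or expressing the restart as an outer loop rather than a backward goto.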
> 
> 

	I've been using this exact same patch on an old kernel for a while now. I had
one system that crashed here, now decommissioned. After some testing I was
unable to reproduce the bug on other systems, but on the one that exhibited the
problem it fixed the crashes.

	Regards,
		Jorge
-- 
==============================================================
Jorge Boncompte - Ingenieria y Gestion de RED
DTI2 - Desarrollo de la Tecnologia de las Comunicaciones
--------------------------------------------------------------
C/ Abogado Enriquez Barrios, 5   14004 CORDOBA (SPAIN)
Tlf: +34 957 761395 / FAX: +34 957 450380
==============================================================
- There is only so much duct tape you can put on something
  before it just becomes a giant ball of duct tape.
==============================================================
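The rule stated with the quoted patch (once the queue lock is released, a saved next pointer must not be reused and the walk has to restart) can be modelled in userspace. This is an added example, not code from the thread or from the kernel; `struct pkt`, `struct queue`, `q_purge` and the `purge_at` parameter are hypothetical names, and the lock is represented only by comments.

```c
/* Userspace model (constructed example, not kernel code). */
#include <stdio.h>
#include <stdlib.h>

struct pkt { int seq; struct pkt *next; };
struct queue { struct pkt *head; };     /* the lock is modelled by comments only */

static void q_push(struct queue *q, int seq)       /* append at tail */
{
    struct pkt **pp = &q->head, *p = malloc(sizeof(*p));
    if (!p) abort();
    p->seq = seq; p->next = NULL;
    while (*pp) pp = &(*pp)->next;
    *pp = p;
}

/* Another context running while the lock is dropped: frees every queued node. */
static void q_purge(struct queue *q)
{
    while (q->head) { struct pkt *p = q->head; q->head = p->next; free(p); }
}

/* Deliver packets in sequence starting at *nr; returns how many were delivered.
 * purge_at: seq whose delivery coincides with a purge (-1 for none). */
static int dequeue_restart(struct queue *q, int *nr, int purge_at)
{
    struct pkt **pp, *p;
    int delivered = 0;
start:                                  /* lock would be taken here */
    for (pp = &q->head; (p = *pp) != NULL; pp = &p->next) {
        if (p->seq != *nr)
            continue;
        *pp = p->next;                  /* unlink while still locked */
        /* lock dropped here: the queue may change before we get it back */
        if (p->seq == purge_at) q_purge(q);
        free(p);                        /* "deliver" the packet */
        (*nr)++; delivered++;
        goto start;                     /* any saved next pointer is stale now */
    }
    return delivered;                   /* lock would be released here */
}

int main(void)
{
    struct queue q = { NULL };
    int nr = 0;
    for (int i = 0; i < 3; i++) q_push(&q, i);
    printf("delivered %d\n", dequeue_restart(&q, &nr, 0));
}
```

With `purge_at` set to 0, a walk that kept the pre-unlock successor would step into the freed node for seq 1; the restart re-reads the head and finds the queue empty.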
