* Null dereference in socket.c
@ 2007-09-28 22:58 Chuck Ebbert
2007-09-28 23:00 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Chuck Ebbert @ 2007-09-28 22:58 UTC (permalink / raw)
To: netdev
After debugging an oops (https://bugzilla.redhat.com/attachment.cgi?id=209231)
I find it happens here in socket.c::sock_ioctl() line 902:
default:
=============> err = sock->ops->ioctl(sock, cmd, arg);
/*
* If this ioctl is unknown try to hand it down
* to the NIC driver.
*/
if (err == -ENOIOCTLCMD)
err = dev_ioctl(cmd, argp);
break;
ioctl is NULL and the kernel jumps to address 0. Should we add a check
for that?
Bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=306801
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Null dereference in socket.c
2007-09-28 22:58 Null dereference in socket.c Chuck Ebbert
@ 2007-09-28 23:00 ` David Miller
2007-09-28 23:42 ` Stephen Hemminger
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2007-09-28 23:00 UTC (permalink / raw)
To: cebbert; +Cc: netdev
From: Chuck Ebbert <cebbert@redhat.com>
Date: Fri, 28 Sep 2007 18:58:36 -0400
> After debugging an oops (https://bugzilla.redhat.com/attachment.cgi?id=209231)
> I find it happens here in socket.c::sock_ioctl() line 902:
>
> default:
> =============> err = sock->ops->ioctl(sock, cmd, arg);
>
> /*
> * If this ioctl is unknown try to hand it down
> * to the NIC driver.
> */
> if (err == -ENOIOCTLCMD)
> err = dev_ioctl(cmd, argp);
> break;
>
>
> ioctl is NULL and the kernel jumps to address 0. Should we add a check
> for that?
>
> Bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=306801
Every protocol should provide a non-NULL ->ioctl() method,
find out which one isn't and fix it.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Null dereference in socket.c
2007-09-28 23:00 ` David Miller
@ 2007-09-28 23:42 ` Stephen Hemminger
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Hemminger @ 2007-09-28 23:42 UTC (permalink / raw)
To: David Miller; +Cc: cebbert, netdev
On Fri, 28 Sep 2007 16:00:57 -0700 (PDT)
David Miller <davem@davemloft.net> wrote:
> From: Chuck Ebbert <cebbert@redhat.com>
> Date: Fri, 28 Sep 2007 18:58:36 -0400
>
> > After debugging an oops (https://bugzilla.redhat.com/attachment.cgi?id=209231)
> > I find it happens here in socket.c::sock_ioctl() line 902:
> >
> > default:
> > =============> err = sock->ops->ioctl(sock, cmd, arg);
> >
> > /*
> > * If this ioctl is unknown try to hand it down
> > * to the NIC driver.
> > */
> > if (err == -ENOIOCTLCMD)
> > err = dev_ioctl(cmd, argp);
> > break;
> >
> >
> > ioctl is NULL and the kernel jumps to address 0. Should we add a check
> > for that?
> >
> > Bug report:
> > https://bugzilla.redhat.com/show_bug.cgi?id=306801
>
> Every protocol should provide a non-NULL ->ioctl() method,
> find out which one isn't and fix it
Auditing the net-2.6.24 tree all instances found by cscope are safe.
--
Stephen Hemminger <shemminger@linux-foundation.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-09-28 23:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-09-28 22:58 Null dereference in socket.c Chuck Ebbert
2007-09-28 23:00 ` David Miller
2007-09-28 23:42 ` Stephen Hemminger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox