[PATCH] [Bug 24472] Kernel panic - not syncing: Fatal Exception

[PATCH] [Bug 24472] Kernel panic - not syncing: Fatal Exception

[Andrej Ota]

Move kfree_skb which was causing memory corruption to new location, while still keeping appropriate return value for function __pppoe_xmit. Prevents memory corruption and consequent kernel panic when PPPoE peer terminates the link.

Signed-off-by: Andrej Ota [andrej@ota.si]
Reported-by: Pawel Staszewski [pstaszewski@artcom.pl]
---
 drivers/net/pppoe.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index d72fb05..1a21dce 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -924,8 +924,10 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 	/* Copy the data if there is no space for the header or if it's
 	 * read-only.
 	 */
-	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) {
+		kfree_skb(skb);
 		goto abort;
+	}

 	__skb_push(skb, sizeof(*ph));
 	skb_reset_network_header(skb);
@@ -947,7 +949,6 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 	return 1;

 abort:
-	kfree_skb(skb);
 	return 0;
 }

---

Andrej Ota.

Re: [PATCH] [Bug 24472] Kernel panic - not syncing: Fatal Exception

[Jarek Poplawski]

On Fri, Dec 10, 2010 at 03:49:08PM +0100, Andrej Ota wrote:
> Move kfree_skb which was causing memory corruption to new location, while still keeping appropriate return value for function __pppoe_xmit. Prevents memory corruption and consequent kernel panic when PPPoE peer terminates the link.

Andrej, a slight misunderstanding - probably I should be more explicit.
I sent this link, which explains why return shouldn't be zero:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db7bf6d97c6956b7eb0f22131cb5c37bd41f33c0
So the simplest fix is to revert this one change only.
If you disagree with this let me know.

You should also fix the subject to something more meaningful, e.g.:
[PATCH] pppoe: Fix kernel panic caused by __pppoe_xmit

Please, break lines in the changelog around 70 lines and add it
fixes commit 55c95e738da85373965cb03b4f975d0fd559865b.

Thanks,
Jarek P.

> 
> Signed-off-by: Andrej Ota [andrej@ota.si]
> Reported-by: Pawel Staszewski [pstaszewski@artcom.pl]
> ---
>  drivers/net/pppoe.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
> index d72fb05..1a21dce 100644
> --- a/drivers/net/pppoe.c
> +++ b/drivers/net/pppoe.c
> @@ -924,8 +924,10 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
>  	/* Copy the data if there is no space for the header or if it's
>  	 * read-only.
>  	 */
> -	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
> +	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) {
> +		kfree_skb(skb);
>  		goto abort;
> +	}
> 
>  	__skb_push(skb, sizeof(*ph));
>  	skb_reset_network_header(skb);
> @@ -947,7 +949,6 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
>  	return 1;
> 
>  abort:
> -	kfree_skb(skb);
>  	return 0;
>  }
> 
> ---
> 
> Andrej Ota.

Re: [PATCH] pppoe.c: Fix kernel panic caused by __pppoe_xmit

[Jarek Poplawski]

On Sat, Dec 11, 2010 at 01:44:38PM +0100, Andrej Ota wrote:
> __pppoe_xmit function return value was invalid resulting in
> additional call to kfree_skb on already freed skb. This resulted in
> memory corruption and consequent kernel panic after PPPoE peer
> terminated the link.
> 
> This fixes commit 55c95e738da85373965cb03b4f975d0fd559865b.
> 
> Signed-off-by: Jarek Poplawski [jarkao2@gmail.com]
> Signed-off-by: Andrej Ota [andrej@ota.si]
> Reported-by: Pawel Staszewski [pstaszewski@artcom.pl]

Thanks Andrej! I've only updated emails a bit.
Jarek P.

Reported-by: Gorik Van Steenberge <gvs@zemos.net>
Reported-by: Daniel Kenzelmann <kernel.bugzilla@kenzelmann.dyndns.info>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Reported-by: Pawel Staszewski <pstaszewski@artcom.pl>
Diagnosed-by: Andrej Ota <andrej@ota.si>
Diagnosed-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Tested-by: Pawel Staszewski <pstaszewski@artcom.pl>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Andrej Ota <andrej@ota.si>

Re: [PATCH] pppoe.c: Fix kernel panic caused by __pppoe_xmit

[Andrej Ota]

> Thanks Andrej! I've only updated emails a bit.

Thank you for your help and support in submitting this patch.

Andrej Ota.

Re: [PATCH] pppoe.c: Fix kernel panic caused by __pppoe_xmit

[Denys Fedoryshchenko]

On Saturday 11 December 2010 22:08:23 Jarek Poplawski wrote:
> On Sat, Dec 11, 2010 at 01:44:38PM +0100, Andrej Ota wrote:
> > __pppoe_xmit function return value was invalid resulting in
> > additional call to kfree_skb on already freed skb. This resulted in
> > memory corruption and consequent kernel panic after PPPoE peer
> > terminated the link.
> > 
> > This fixes commit 55c95e738da85373965cb03b4f975d0fd559865b.
> > 
> > Signed-off-by: Jarek Poplawski [jarkao2@gmail.com]
> > Signed-off-by: Andrej Ota [andrej@ota.si]
> > Reported-by: Pawel Staszewski [pstaszewski@artcom.pl]
> 
> Thanks Andrej! I've only updated emails a bit.
> Jarek P.
> 
> Reported-by: Gorik Van Steenberge <gvs@zemos.net>
> Reported-by: Daniel Kenzelmann <kernel.bugzilla@kenzelmann.dyndns.info>
> Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
> Reported-by: Pawel Staszewski <pstaszewski@artcom.pl>
> Diagnosed-by: Andrej Ota <andrej@ota.si>
> Diagnosed-by: Eric Dumazet <eric.dumazet@gmail.com>
> Tested-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
> Tested-by: Pawel Staszewski <pstaszewski@artcom.pl>
> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
> Signed-off-by: Andrej Ota <andrej@ota.si>
Thanks a lot!

Re: [PATCH] pppoe.c: Fix kernel panic caused by __pppoe_xmit

[David Miller]

From: Andrej Ota <andrej@ota.si>
Date: Sun, 12 Dec 2010 00:23:16 +0100

>> Thanks Andrej! I've only updated emails a bit.
> 
> Thank you for your help and support in submitting this patch.

Applied, thanks everyone.