Date: Thu, 15 Apr 2004 15:13:00 -0400 (EDT) From: Robert Watson <rwatson@freebsd.org> To: Pavel Gulchouck <gul@gul.kiev.ua> Cc: current@freebsd.org Subject: Re: kernel panic in if_ppp.c Message-ID: <Pine.NEB.3.96L.1040415151115.95950G-100000@fledge.watson.org> In-Reply-To: <20040415121619.GB31043@happy.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 15 Apr 2004, Pavel Gulchouck wrote: > I have systematic kernel panic when use pppd, debug shows it's in > m_freem() called from ppp_inproc(). In the source code I've see that in > the "input queue full" case there is "goto bad", when m is already > freed by IF_HANDOFF() or netisr_queue(), and after this goto system > crashes by second m_freem(m). System works correctly after fixing this > bug. Checking condition "if (m)" after label "bad:" in the line 1594 of > net/pf_ppp.c is senseless because of m is never changed its value in the > ppp_inptoc() function. > > Here's the patch. > Another way is to simple add "m = NULL" before "goto bad" > in the line 1582. I went with this more simple approach because (a) I'm not all that familiar with the ppp implementation, and (b) we might as well avoid multiple labels in the return case (due to C lacking exceptions). Currently, this fix doesn't fit the charter for the RELENG_5_2 branch, which is focussed on security-only fixes. However, there's an on-going discussion of broadening the scope of the current security branches to release-engineering branches. If this happens, I'll merge it to that branch also (feel free to remind me if I forget :-). Thanks! Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Senior Research Scientist, McAfee Research > > RELENG_5_2 has this bug too. > > --- net/if_ppp.c.orig Wed Jan 21 20:05:38 2004 > +++ net/if_ppp.c Thu Apr 15 14:57:16 2004 > @@ -1580,5 +1580,5 @@ > if_printf(ifp, "input queue full\n"); > ifp->if_iqdrops++; > - goto bad; > + goto bad2; > } > ifp->if_ipackets++; > @@ -1592,6 +1592,6 @@ > > bad: > - if (m) > - m_freem(m); > + m_freem(m); > + bad2: > sc->sc_if.if_ierrors++; > sc->sc_stats.ppp_ierrors++; > > -- > Lucky carrier, > Pavel. > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1040415151115.95950G-100000>