From owner-freebsd-current@FreeBSD.ORG Thu Apr 15 12:13:42 2004
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E60E516A4CE for ; Thu, 15 Apr 2004 12:13:42 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6EDE143D1D for ; Thu, 15 Apr 2004 12:13:42 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.10/8.12.10) with ESMTP id i3FJD1Pq001974; Thu, 15 Apr 2004 15:13:01 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost) i3FJD1aq001971; Thu, 15 Apr 2004 15:13:01 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Thu, 15 Apr 2004 15:13:00 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Pavel Gulchouck
In-Reply-To: <20040415121619.GB31043@happy.kiev.ua>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: current@freebsd.org
Subject: Re: kernel panic in if_ppp.c
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 15 Apr 2004 19:13:43 -0000

On Thu, 15 Apr 2004, Pavel Gulchouck wrote:

> I have a systematic kernel panic when using pppd; debug shows it's in
> m_freem() called from ppp_inproc(). In the source code I've seen that in
> the "input queue full" case there is "goto bad", when m is already
> freed by IF_HANDOFF() or netisr_queue(), and after this goto the system
> crashes by a second m_freem(m). The system works correctly after fixing this
> bug. Checking the condition "if (m)" after the label "bad:" in line 1594 of
> net/pf_ppp.c is senseless because m never changes its value in the
> ppp_inproc() function.
>
> Here's the patch.
> Another way is to simply add "m = NULL" before "goto bad"
> in line 1582.

I went with this more simple approach because (a) I'm not all that
familiar with the ppp implementation, and (b) we might as well avoid
multiple labels in the return case (due to C lacking exceptions).

Currently, this fix doesn't fit the charter for the RELENG_5_2 branch,
which is focussed on security-only fixes. However, there's an on-going
discussion of broadening the scope of the current security branches to
release-engineering branches. If this happens, I'll merge it to that
branch also (feel free to remind me if I forget :-).

Thanks!

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

> RELENG_5_2 has this bug too.
>
> --- net/if_ppp.c.orig Wed Jan 21 20:05:38 2004
> +++ net/if_ppp.c Thu Apr 15 14:57:16 2004
> @@ -1580,5 +1580,5 @@ > if_printf(ifp, "input queue full\n"); > ifp->if_iqdrops++; > - goto bad; > + goto bad2; > } > ifp->if_ipackets++; > @@ -1592,6 +1592,6 @@ > > bad: > - if (m) > - m_freem(m); > + m_freem(m); > + bad2: > sc->sc_if.if_ierrors++; > sc->sc_stats.ppp_ierrors++; > > -- > Lucky carrier, > Pavel. > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" >
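Review bot: in the first hunk (@@ -1580,5), the `goto bad2` in the "input queue full" branch is only correct because the failed handoff (IF_HANDOFF()/netisr_queue(), outside this hunk's context) has already freed m, and nothing at the jump site records that. Add a one-line comment at the goto, e.g. `goto bad2; /* m already freed by the handoff */`, or use the alternative named in the message, `m = NULL; goto bad;`, which keeps a single error label and lets the existing `if (m)` guard do the work.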
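Review bot: in the second hunk (@@ -1592,6), dropping the `if (m)` guard before `m_freem(m)` turns "m is non-NULL and unfreed at bad:" into an unchecked invariant; the context shows only one of the jumps to bad:, so every remaining `goto bad` in ppp_inproc() should be audited to confirm it arrives with a live m, and the new `bad2:` label should carry a comment stating that m must already be gone when it is reached. If m_freem() tolerates a NULL argument, keeping the guard costs nothing and leaves the function safe against a later `m = NULL; goto bad;`.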
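Added example, not FreeBSD code and not part of the thread: a user-space model in C of the ownership handoff the report describes. The `mbuf`, `m_freem()` and `netisr_queue()` stand-ins, the two `ppp_inproc` variants, the `proto_ok`/`queue_full` parameters and the `run_case`/`count_frees`/`count_double_frees` helpers are constructed for this example; the fixed variant uses the `m = NULL` before `goto bad` form the reply says was chosen. The stand-in `m_freem()` counts a second free instead of panicking, so the bug shows up as a number rather than a crash.

```c
/*
 * Constructed model of the if_ppp.c double free discussed in the thread.
 * Not FreeBSD code: mbuf, m_freem(), netisr_queue() and both ppp_inproc
 * variants are stand-ins written for this example.
 */
#include <stdio.h>

struct mbuf {
    int freed;              /* set once the "chain" has been released */
};

static int total_frees;     /* m_freem() calls that received a non-NULL m */
static int double_frees;    /* frees of an already-freed m: the reported panic */

/* Stand-in for m_freem(): tolerates NULL, records a double free instead of crashing. */
static void m_freem(struct mbuf *m)
{
    if (m == NULL)
        return;
    total_frees++;
    if (m->freed)
        double_frees++;
    m->freed = 1;
}

/*
 * Stand-in for a consuming enqueue (IF_HANDOFF()/netisr_queue()):
 * returns 1 and takes ownership on success; on a full queue it frees m
 * and returns 0. Either way the caller no longer owns m afterwards.
 */
static int netisr_queue(struct mbuf *m, int queue_full)
{
    if (queue_full) {
        m_freem(m);
        return 0;
    }
    return 1;               /* the queue owns m now */
}

/* Error path as reported: the queue-full branch reaches bad: with a dead m. */
static int ppp_inproc_buggy(struct mbuf *m, int proto_ok, int queue_full)
{
    int ierrors = 0;

    if (!proto_ok)
        goto bad;           /* m is still ours here, so freeing it is right */
    if (!netisr_queue(m, queue_full))
        goto bad;           /* m already freed, but the guard below cannot tell */
    return ierrors;
bad:
    if (m)
        m_freem(m);         /* second m_freem() on the queue-full path */
    ierrors++;
    return ierrors;
}

/* Shape of the fix the reply chose: clear the pointer before the shared label. */
static int ppp_inproc_fixed(struct mbuf *m, int proto_ok, int queue_full)
{
    int ierrors = 0;

    if (!proto_ok)
        goto bad;
    if (!netisr_queue(m, queue_full)) {
        m = NULL;           /* ownership is gone; make the if (m) guard effective */
        goto bad;
    }
    return ierrors;
bad:
    if (m)
        m_freem(m);
    ierrors++;
    return ierrors;
}

/* Runs one variant on a fresh mbuf with the counters reset. */
static void run_case(int (*inproc)(struct mbuf *, int, int), int proto_ok, int queue_full)
{
    struct mbuf m = { 0 };

    total_frees = 0;
    double_frees = 0;
    inproc(&m, proto_ok, queue_full);
}

static int count_double_frees(int (*inproc)(struct mbuf *, int, int), int proto_ok, int queue_full)
{
    run_case(inproc, proto_ok, queue_full);
    return double_frees;
}

static int count_frees(int (*inproc)(struct mbuf *, int, int), int proto_ok, int queue_full)
{
    run_case(inproc, proto_ok, queue_full);
    return total_frees;
}

int main(void)
{
    printf("buggy, queue full: %d double free(s)\n", count_double_frees(ppp_inproc_buggy, 1, 1));
    printf("fixed, queue full: %d double free(s), %d free(s)\n",
           count_double_frees(ppp_inproc_fixed, 1, 1), count_frees(ppp_inproc_fixed, 1, 1));
    printf("fixed, bad proto:  %d free(s)\n", count_frees(ppp_inproc_fixed, 0, 0));
    return 0;
}
```

The point the model makes is that a consuming API (one that frees its argument on failure) transfers ownership on every return path, so the caller's shared cleanup label must not assume it still holds the buffer; clearing the pointer at the handoff is what makes a single `if (m) m_freem(m)` exit correct for both the "still ours" and the "already consumed" paths.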