[PATCH] ppp_generic.c - kfree(ppp) called twice, kernel 2.4.0
@ 2001-07-03 20:50 Eli Chen
From: Eli Chen @ 2001-07-03 20:50 UTC (permalink / raw)
To: linux-kernel; +Cc: paulus
Hi,
In ppp_destroy_interface(), there is a chance that kfree(ppp) is called
twice, causing a kernel oops when ppp is opened again. I was able to cause
this by running PPPOE, and killing -9 pppd and pppoe-daemon with one kill
command. By doing this, the closing of ppp->dev causes a
ppp_disconnect_channel(), which calls kfree(ppp) assuming the ppp unit is
dead. But destroy_interface() hasn't finished, and it tries to kfree(ppp)
also. I simply moved the closing of the device to after the channels == 0
check. Anyways, follows is the patch. Please cc comments to
eli@routefree.com.
thanks,
Eli Chen
--- ppp_generic.c 2001/02/21 00:53:01 1.1.1.2
+++ ppp_generic.c 2001/07/03 20:37:22
@@ -2268,13 +2268,6 @@
ppp->dev = 0;
ppp_unlock(ppp);
- if (dev) {
- rtnl_lock();
- dev_close(dev);
- unregister_netdevice(dev);
- rtnl_unlock();
- }
-
/*
* We can't acquire any new channels (since we have the
* all_ppp_lock) so if n_channels is 0, we can free the
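Review bot: the reason the close/unregister block leaves this spot is recorded only in the cover mail, not in the code; the context kept here ("We can't acquire any new channels (since we have the all_ppp_lock) so if n_channels is 0, we can free the") was written for the old sequence, in which the device was already closed by the time n_channels was checked. Add a comment next to the n_channels check saying that dev_close() can run ppp_disconnect_channel(), which frees the unit itself when it finds it dead (per the cover mail), so the close has to come after this function has decided whether to free. Without that, the next person cleaning up this function will move the block back.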
@@ -2283,6 +2276,13 @@
*/
if (ppp->n_channels == 0)
kfree(ppp);
+
+ if (dev) {
+ rtnl_lock();
+ dev_close(dev);
+ unregister_netdevice(dev);
+ rtnl_unlock();
+ }
spin_unlock(&all_ppp_lock);
}
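Review bot: after `kfree(ppp)` the added `if (dev)` block still calls dev_close(dev) and unregister_netdevice(dev) on the device that belonged to that unit (ppp->dev is cleared at the top of the function, but the local `dev` keeps it), so any net_device callback reached from the close or unregister path that follows the device's private pointer back to the unit would read freed memory. That is exactly the n_channels == 0 case, which the original order handled by closing first; the patch fixes the one-channel case and trades it for a use-after-free in the no-channel case. Either detach the unit from the device before the kfree, or keep the original order when n_channels == 0 (no channel left means dev_close() cannot trigger the disconnect that double-frees) and use the new order only when channels remain. Unchanged by the patch, but worth a look while here: both positions call rtnl_lock(), which can sleep, while all_ppp_lock is still held (it is released only at the spin_unlock below).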
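The two orderings from the mail, as a user-space C model added here (this is not kernel code and not part of the patch; the structures, the single-channel setup, the dev_close() that disconnects the channel, and the free-counting kfree_model() are assumptions of the model). CLOSE_THEN_FREE is the 2.4.0 order of ppp_destroy_interface(), FREE_THEN_CLOSE the order the patch introduces; the model counts how many times the unit is freed and how many times its fields are read after it was freed:

```c
/*
 * Added example: user-space model of the double kfree(ppp) described in the
 * mail.  Not kernel code; names follow ppp_generic.c, everything else is an
 * assumption of the model.
 */
#include <stdio.h>
#include <stdlib.h>

struct ppp;
struct channel    { struct ppp *ppp; int connected; };
struct net_device { struct ppp *priv; int up; };

struct ppp {
    struct net_device *dev;
    int n_channels;
    struct channel *ch;   /* model: one attached channel, as in the PPPoE case */
    int freed;            /* model only: set by kfree_model() */
};

struct outcome { int frees; int reads_after_free; };
static struct outcome cur;

/* A real double kfree() is undefined behaviour, so the model marks the unit
 * freed and keeps the memory, which lets it count any later read. */
static void kfree_model(struct ppp *p) { cur.frees++; p->freed = 1; }

static int read_n_channels(struct ppp *p)
{
    if (p->freed) cur.reads_after_free++;
    return p->n_channels;
}

/* Model of ppp_disconnect_channel(): the last channel leaving a unit that
 * has already lost its device frees the unit (the behaviour the mail
 * describes). */
static void ppp_disconnect_channel(struct channel *ch)
{
    struct ppp *ppp = ch->ppp;
    if (!ppp || !ch->connected) return;
    ch->connected = 0;
    ch->ppp = NULL;
    ppp->n_channels--;
    if (ppp->dev == NULL && ppp->n_channels == 0)
        kfree_model(ppp);
}

/* Model of dev_close(): closing the device disconnects its channel. */
static void dev_close(struct net_device *dev)
{
    struct ppp *ppp = dev->priv;
    dev->up = 0;
    if (ppp && ppp->ch)
        ppp_disconnect_channel(ppp->ch);
}

enum order { CLOSE_THEN_FREE, FREE_THEN_CLOSE };

/* Model of ppp_destroy_interface() with the close block in either position. */
static void ppp_destroy_interface(struct ppp *ppp, enum order o)
{
    struct net_device *dev = ppp->dev;
    ppp->dev = NULL;
    if (o == CLOSE_THEN_FREE && dev) dev_close(dev);
    if (read_n_channels(ppp) == 0)   /* in the old order this reads freed memory */
        kfree_model(ppp);
    if (o == FREE_THEN_CLOSE && dev) dev_close(dev);
}

/* Build one unit with a device and one connected channel, destroy it in
 * the given order and report how many times it was freed. */
struct outcome run_scenario(enum order o)
{
    struct ppp *ppp = calloc(1, sizeof *ppp);
    struct net_device *dev = calloc(1, sizeof *dev);
    struct channel *ch = calloc(1, sizeof *ch);
    struct outcome out;

    dev->priv = ppp; dev->up = 1;
    ch->ppp = ppp;   ch->connected = 1;
    ppp->dev = dev;  ppp->ch = ch; ppp->n_channels = 1;

    cur.frees = 0; cur.reads_after_free = 0;
    ppp_destroy_interface(ppp, o);
    out = cur;
    free(ch); free(dev); free(ppp);   /* real release, once, by the model */
    return out;
}

int main(void)
{
    struct outcome a = run_scenario(CLOSE_THEN_FREE);
    struct outcome b = run_scenario(FREE_THEN_CLOSE);
    printf("close then free: %d frees, %d reads after free\n", a.frees, a.reads_after_free);
    printf("free then close: %d frees, %d reads after free\n", b.frees, b.reads_after_free);
    return 0;
}
```

In the old order the close path frees the unit and the n_channels check then reads freed memory (it still reads 0) and frees again; in the patched order the check sees the channel still attached, so only the disconnect path frees. The model covers the one-channel case from the mail only; with no channel attached the patched order frees first and then closes a device whose private pointer still refers to the freed unit, which is the case the patch does not address.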