On Thu, 30 Aug 2007, Andrew Morton wrote:

On Thu, 30 Aug 2007 07:41:31 -0700 (PDT) [EMAIL PROTECTED] wrote:

http://bugzilla.kernel.org/show_bug.cgi?id=8961

This looks serious.

           Summary: BUG triggered by oidentd in netlink code

Aug 29 23:28:44 bowl kernel: [349587.500440] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
Aug 29 23:28:44 bowl kernel: [349587.500454]  printing eip:
Aug 29 23:28:45 bowl kernel: [349587.500457] c03318ae
Aug 29 23:28:45 bowl kernel: [349587.500459] *pde = 00000000
Aug 29 23:28:45 bowl kernel: [349587.500464] Oops: 0000 [#1]
Aug 29 23:28:45 bowl kernel: [349587.500466] PREEMPT SMP
Aug 29 23:28:46 bowl kernel: [349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
Aug 29 23:28:46 bowl kernel: [349587.500483] CPU:    0
Aug 29 23:28:47 bowl kernel: [349587.500485] EIP:    0060:[<c03318ae>]    Not tainted VLI
Aug 29 23:28:47 bowl kernel: [349587.500487] EFLAGS: 00010246   (2.6.22.3 #1)
Aug 29 23:28:47 bowl kernel: [349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
Aug 29 23:28:48 bowl kernel: [349587.500506] eax: 00000000   ebx: 00000000


Seems to be a bug introduced by the netlink_run_queue conversion: since
there is no locking and netlink_run_queue doesn't check for NULL results
from skb_dequeue, it might pass NULL to netlink_rcv_skb, which crashes.

Does this patch help?
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index dbeacd8..8e1078d 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -836,12 +836,17 @@ static int inet_diag_rcv_msg(struct sk_buff *skb, struct 
nlmsghdr *nlh)
        return inet_diag_get_exact(skb, nlh);
 }
 
+static DEFINE_MUTEX(inet_diag_mutex);
+
 static void inet_diag_rcv(struct sock *sk, int len)
 {
        unsigned int qlen = 0;
 
        do {
+               if (!mutex_trylock(&inet_diag_mutex))
+                       return;
                netlink_run_queue(sk, &qlen, &inet_diag_rcv_msg);
+               mutex_unlock(&inet_diag_mutex);
        } while (qlen);
 }
 
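Review bot: the early `return` on a failed mutex_trylock() in inet_diag_rcv() can leave a message sitting in the receive queue. If the contending caller arrives after the lock holder's netlink_run_queue() has returned with qlen == 0 but before the holder's mutex_unlock(), the contender returns without touching the queue and the holder then leaves its do/while without looking at the queue again, so the newly queued message is only picked up by the next inet_diag_rcv() call. If that is acceptable for a test patch, a comment on the trylock should say so; otherwise take the lock unconditionally with mutex_lock(), or re-check skb_queue_len() after the unlock and loop again. The patch also carries no changelog and no Signed-off-by line.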

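To make the failure mode described above concrete, here is an added user-space C model; it is not code from the kernel, from the patch or from anyone on this thread. The `struct msg`/`struct queue` types, the `other_consumer()` hook that stands in for a second CPU draining the queue, and the `check_null` switch are all assumptions for illustration. `run_queue()` follows the shape of `netlink_run_queue()` the mail describes: it snapshots the queue length and then dequeues that many times, so when a second consumer empties the queue between two iterations the unchecked variant hands a NULL "skb" to the callback, which is where the kernel reads `skb->len` and oopses.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for sk_buff and sk_receive_queue (assumed, not kernel types). */
struct msg { struct msg *next; };
struct queue { struct msg *head, *tail; unsigned int len; };

/* Per-run bookkeeping; race != 0 switches the simulated second consumer on. */
struct sim {
    struct queue q;
    unsigned int handled;   /* messages delivered to the callback */
    unsigned int null_seen; /* NULL pointers handed to the callback (an oops in the kernel) */
    unsigned int stolen;    /* messages drained by the simulated second consumer */
    int race;
};

static void enqueue(struct queue *q, struct msg *m)
{
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
    q->len++;
}

/* Like skb_dequeue(): returns NULL when the queue is empty. */
static struct msg *dequeue(struct queue *q)
{
    struct msg *m = q->head;

    if (!m) return NULL;
    q->head = m->next;
    if (!q->head) q->tail = NULL;
    q->len--;
    return m;
}

/* In the role of netlink_rcv_skb() calling inet_diag_rcv_msg(): the kernel
 * reads skb->len here and oopses on NULL; the model only counts the NULL. */
static void rcv_msg(struct sim *s, struct msg *m)
{
    if (!m) { s->null_seen++; return; }
    s->handled++;
    free(m);
}

/* The "other CPU": with no lock it may drain the queue between two
 * iterations of our loop. Modelled as a deterministic interleaving. */
static void other_consumer(struct sim *s)
{
    struct msg *m;

    if (!s->race) return;
    while ((m = dequeue(&s->q)) != NULL) { s->stolen++; free(m); }
}

/* Model of netlink_run_queue(): refresh qlen from the queue, then dequeue
 * that many times. check_null == 0 passes a NULL from dequeue() straight
 * to the callback, as the mail describes; check_null == 1 stops instead. */
static void run_queue(struct sim *s, unsigned int *qlen, int check_null)
{
    if (!*qlen || *qlen > s->q.len)
        *qlen = s->q.len;

    for (; *qlen; (*qlen)--) {
        struct msg *m = dequeue(&s->q);

        if (check_null && !m) { *qlen = 0; break; }  /* stale snapshot, queue already drained */
        rcv_msg(s, m);
        other_consumer(s);  /* interleaving point for the simulated race */
    }
}

/* Queue nmsgs messages and process them the way inet_diag_rcv() does.
 * Returns how many NULL pointers reached the callback. */
unsigned int simulate(unsigned int nmsgs, int race, int check_null,
                      unsigned int *handled, unsigned int *stolen)
{
    struct sim s = { .race = race };
    unsigned int qlen = 0, i;

    for (i = 0; i < nmsgs; i++) {
        struct msg *m = malloc(sizeof *m);

        if (!m) abort();
        enqueue(&s.q, m);
    }

    do {
        run_queue(&s, &qlen, check_null);
    } while (qlen);

    if (handled) *handled = s.handled;
    if (stolen) *stolen = s.stolen;
    return s.null_seen;
}
```

With three queued messages and the racing consumer enabled, `simulate(3, 1, 0, ...)` delivers one message and then hands the callback two NULL pointers, which is the crash in the bug report; `simulate(3, 1, 1, ...)` delivers the same one message and stops cleanly. The mutex in the patch above corresponds to running with `race == 0` (the second consumer can no longer interleave); checking the dequeue result inside `run_queue()` is the other place the same bug could be closed.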