On Thu, 30 Aug 2007, Andrew Morton wrote:
On Thu, 30 Aug 2007 07:41:31 -0700 (PDT) [EMAIL PROTECTED] wrote:
http://bugzilla.kernel.org/show_bug.cgi?id=8961
This looks serious.
Summary: BUG triggered by oidentd in netlink code
Aug 29 23:28:44 bowl kernel: [349587.500440] BUG: unable to handle kernel NULL
pointer dereference<1>BUG: unable to handle kernel NULL pointer dereference at
virtual address 00000054
Aug 29 23:28:44 bowl kernel: [349587.500454] printing eip:
Aug 29 23:28:45 bowl kernel: [349587.500457] c03318ae
Aug 29 23:28:45 bowl kernel: [349587.500459] *pde = 00000000
Aug 29 23:28:45 bowl kernel: [349587.500464] Oops: 0000 [#1]
Aug 29 23:28:45 bowl kernel: [349587.500466] PREEMPT SMP
Aug 29 23:28:46 bowl kernel: [349587.500474] Modules linked in: w83627hf
hwmon_vid i2c_isa
Aug 29 23:28:46 bowl kernel: [349587.500483] CPU: 0
Aug 29 23:28:47 bowl kernel: [349587.500485] EIP: 0060:[<c03318ae>] Not
tainted VLI
Aug 29 23:28:47 bowl kernel: [349587.500487] EFLAGS: 00010246 (2.6.22.3 #1)
Aug 29 23:28:47 bowl kernel: [349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
Aug 29 23:28:48 bowl kernel: [349587.500506] eax: 00000000 ebx: 00000000
Seems to be a bug introduced by the netlink_run_queue conversion,
since there is no locking and netlink_run_queue doesn't check
for NULL results from skb_dequeue, it might pass NULL to
netlink_rcv_skb, which crashes.
Does this patch help?
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index dbeacd8..8e1078d 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -836,12 +836,17 @@ static int inet_diag_rcv_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
return inet_diag_get_exact(skb, nlh);
}
+static DEFINE_MUTEX(inet_diag_mutex);
+
static void inet_diag_rcv(struct sock *sk, int len)
{
unsigned int qlen = 0;
do {
+ if (!mutex_trylock(&inet_diag_mutex))
+ return;
netlink_run_queue(sk, &qlen, &inet_diag_rcv_msg);
+ mutex_unlock(&inet_diag_mutex);
} while (qlen);
}
