kernel panic in if_ppp.c

From: Pavel Gulchouck <gul@gul.kiev.ua>
Date: Thu, 15 Apr 2004 15:16:19 +0300
Hi.

I get a systematic kernel panic when using pppd; the debugger shows it is
in m_freem() called from ppp_inproc().
In the source code I have seen that in the "input queue full"
case there is a "goto bad" when m has already been freed by
IF_HANDOFF() or netisr_queue(), and after this goto the system
crashes on the second m_freem(m).
The system works correctly after fixing this bug.
Checking the condition "if (m)" after the label "bad:" on
line 1594 of net/if_ppp.c is pointless because m never
changes its value in the ppp_inproc() function.

Here's the patch.
Another way is to simply add "m = NULL" before the "goto bad"
on line 1582.

RELENG_5_2 has this bug too.

--- net/if_ppp.c.orig	Wed Jan 21 20:05:38 2004
+++ net/if_ppp.c	Thu Apr 15 14:57:16 2004
_at__at_ -1580,5 +1580,5 _at__at_
 	    if_printf(ifp, "input queue full\n");
 	ifp->if_iqdrops++;
-	goto bad;
+	goto bad2;
     }
     ifp->if_ipackets++;
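Review bot: the new "goto bad2" at the "input queue full" site is only correct because IF_HANDOFF()/netisr_queue() have already freed m on failure, and nothing in the hunk records that invariant; a one-line comment before the goto, e.g. "/* m was freed by the failed handoff; must not reach m_freem() */", would stop the next person from "fixing" this path back to "goto bad". Note also that this path still bumps if_iqdrops here and then if_ierrors at bad2, so a queue-full drop is counted in both statistics; that is unchanged behaviour, but worth stating in the commit message.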
_at__at_ -1592,6 +1592,6 _at__at_
 
  bad:
-    if (m)
-        m_freem(m);
+    m_freem(m);
+ bad2:
     sc->sc_if.if_ierrors++;
     sc->sc_stats.ppp_ierrors++;
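Review bot: dropping the "if (m)" guard at bad: makes every other "goto bad" in ppp_inproc() responsible for arriving with a valid, not yet freed m; the hunk shows only the one jump site being redirected, so the remaining jump sites should be checked before the guard goes. The author's own alternative (set "m = NULL" before the existing "goto bad") keeps the guard and is more robust against a future path that jumps here after handing the mbuf off. The label name "bad2" also says nothing about why it differs from "bad"; a name such as "dropped:" would document that m has already been consumed.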

-- 
                                Lucky carrier,
                                                  Pavel.
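The ownership contract behind this bug (a failed IF_HANDOFF()/netisr_queue() frees the mbuf itself, so the caller must not free it again) can be modelled in user space. The following is an added example, not code from the original message or from the FreeBSD source: the struct mbuf, m_freem(), if_handoff() and the two inproc_*() functions are stand-ins for the kernel APIs, the tiny queue and the "freed" flag are constructed so that the double free is counted instead of panicking, and inproc_after() implements the "m = NULL" variant the author mentions.

```c
/* Added example, not from the original patch or the FreeBSD source: a
 * user-space model of the mbuf ownership rule behind the if_ppp.c bug.
 * mbuf, m_freem, if_handoff and the inproc_* functions are stand-ins for
 * the kernel APIs; the queue size and the "freed" flag are constructed so
 * that a double free can be observed instead of crashing the process. */
#include <stdio.h>
#include <string.h>

#define QUEUE_MAX 2          /* tiny queue so "input queue full" is easy to hit */

struct mbuf {
    int id;
    int freed;               /* set by m_freem; a real mbuf has no such flag */
};

static int double_free_count;   /* incremented when m_freem sees an already freed mbuf */

static void m_freem(struct mbuf *m)
{
    if (m == NULL)
        return;
    if (m->freed) {
        /* the kernel would panic here (use after free); the model just counts it */
        double_free_count++;
        return;
    }
    m->freed = 1;
}

struct ifqueue {
    struct mbuf *q[QUEUE_MAX];
    int len;
};

/* Model of IF_HANDOFF(): on success the queue now owns m and 1 is returned;
 * on failure the handoff frees m itself and returns 0.  The caller must not
 * touch m after a failed handoff. */
static int if_handoff(struct ifqueue *ifq, struct mbuf *m)
{
    if (ifq->len >= QUEUE_MAX) {
        m_freem(m);
        return 0;
    }
    ifq->q[ifq->len++] = m;
    return 1;
}

/* The error path as it was before the patch: "goto bad" after a failed
 * handoff, and the bad: label frees m a second time. */
static int inproc_before(struct ifqueue *ifq, struct mbuf *m)
{
    if (!if_handoff(ifq, m))
        goto bad;
    return 0;
bad:
    if (m)
        m_freem(m);      /* m is already gone: this is the double free */
    return -1;
}

/* The second fix the author mentions: clear m before jumping, so the
 * shared bad: label stays usable for paths that still own an mbuf. */
static int inproc_after(struct ifqueue *ifq, struct mbuf *m)
{
    if (!if_handoff(ifq, m)) {
        m = NULL;        /* the handoff consumed m; nothing left to free */
        goto bad;
    }
    return 0;
bad:
    if (m)
        m_freem(m);
    return -1;
}

/* Push QUEUE_MAX + 1 constructed packets through one of the two variants so
 * the last one hits a full queue; return how many double frees m_freem()
 * observed (0 means the error path is safe). */
static int run_queue_full(int (*inproc)(struct ifqueue *, struct mbuf *))
{
    struct ifqueue ifq;
    struct mbuf packets[QUEUE_MAX + 1];
    int i;

    memset(&ifq, 0, sizeof ifq);
    memset(packets, 0, sizeof packets);
    double_free_count = 0;
    for (i = 0; i <= QUEUE_MAX; i++) {
        packets[i].id = i;
        inproc(&ifq, &packets[i]);   /* the last call finds the queue full */
    }
    return double_free_count;
}

int main(void)
{
    printf("before fix: %d double free(s)\n", run_queue_full(inproc_before));
    printf("after fix:  %d double free(s)\n", run_queue_full(inproc_after));
    return 0;
}
```

The model keeps the "if (m)" guard at bad: in both variants so the only difference between them is whether the failed-handoff path clears m before jumping; that isolates the ownership mistake from the label change made in the posted patch.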
Received on Thu Apr 15 2004 - 03:16:28 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:51 UTC