Re: 2.6.39-rc2 boot crash

From: Patrick McHardy
Date: Tue Apr 12 2011 - 11:40:15 EST


On 12.04.2011 14:49, Patrick McHardy wrote:
> On 12.04.2011 00:06, Evgeniy Polyakov wrote:
>> Hi.
>>
>> On Mon, Apr 11, 2011 at 05:07:47PM -0400, Eric B Munson (emunson@xxxxxxxxx) wrote:
>>>> I can't figure this out, the only thing that should have changed is the
>>>> time the initial PROC_CN_MCAST_LISTEN message is received. Apparently
>>>> at that point connector is not fully initialized yet. Please post your
>>>> config and the full boot log. Thanks.
>>>>
>>>
>>> I am still seeing this on Linus' tree, is there anything more I can do to help
>>> track the problem?
>
> Sorry, I had a hardware failure, I'm back working on this now.
>
>> Patrick, do you need my assist on this bug?
>
> Thanks, but I can meanwhile reproduce the problem, so I think I
> should have a fix soon.

I think this patch should fix the problem. Eric, could you please
give it a try?



commit ad676e0dbbe8658ce46e192f449689bf3011bdf5
Author: Patrick McHardy <kaber@xxxxxxxxx>
Date: Tue Apr 12 17:37:04 2011 +0200

connector: fix skb double free in cn_rx_skb()

When a skb is delivered to a registered callback, cn_call_callback()
incorrectly returns -ENODEV after freeing the skb, causing cn_rx_skb()
to free the skb a second time.

Reported-by: Eric B Munson <emunson@xxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index d770058..219d88a 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -142,6 +142,7 @@ static int cn_call_callback(struct sk_buff *skb)
cbq->callback(msg, nsp);
kfree_skb(skb);
cn_queue_release_callback(cbq);
+ err = 0;
}

return err;
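Review bot: the added `err = 0;` corrects the return value on the found-callback path, which is what the double free needs, but the skb ownership rule that made the bug possible stays implicit in this hunk. Consider a one-line comment on cn_call_callback() (or next to `kfree_skb(skb);`) stating that the function consumes the skb and returns 0 whenever a callback was invoked, and that any non-zero return leaves the skb for cn_rx_skb() to free, so the next change to either side keeps the contract straight. It is also worth confirming that no other path in this function frees the skb while still returning an error, since the same caller convention would trigger the same double free there.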