Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

David S. Miller (davem@redhat.com)
Thu, 24 May 2001 16:17:55 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Previous message: Alan Cox: "Re: [CHECKER] error path memory leaks in 2.4.4 and 2.4.4-ac8"
In reply to: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Next in thread: Greg KH: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"

Alan Cox writes:
> > [BUG] seems possible --- or is some precondition guarenteed?
> > /u2/engler/mc/oses/linux/2.4.4-ac8/net/ipv6/udp.c:438:udpv6_recvmsg: ERROR:FREE:453:438: WARN: Use-after-free of "skb"! set by 'kfree_skb':453
>
> Looks right. Left for DaveM

It's wrong, in the MSG_PEEK case skb->users is incremented by
skb_recv_datagram, so to truly get rid of it we do indeed need to
unlink it from the receive_queue then free it twice :-)

Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Previous message: Alan Cox: "Re: [CHECKER] error path memory leaks in 2.4.4 and 2.4.4-ac8"
In reply to: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Next in thread: Greg KH: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"