In ppp_destroy_interface(), there is a chance that kfree(ppp) is called
twice, causing a kernel oops when ppp is opened again. I was able to cause
this by running PPPOE, and killing -9 pppd and pppoe-daemon with one kill
command. By doing this, the closing of ppp->dev causes a
ppp_disconnect_channel(), which calls kfree(ppp) assuming the ppp unit is
dead. But destroy_interface() hasn't finished, and it tries to kfree(ppp)
also. I simply moved the closing of the device to after the channels == 0
check. Anyways, follows is the patch. Please cc comments to
eli@routefree.com.
thanks,
Eli Chen
--- ppp_generic.c 2001/02/21 00:53:01 1.1.1.2
+++ ppp_generic.c 2001/07/03 20:37:22
@@ -2268,13 +2268,6 @@
ppp->dev = 0;
ppp_unlock(ppp);
- if (dev) {
- rtnl_lock();
- dev_close(dev);
- unregister_netdevice(dev);
- rtnl_unlock();
- }
-
/*
* We can't acquire any new channels (since we have the
* all_ppp_lock) so if n_channels is 0, we can free the
@@ -2283,6 +2276,13 @@
*/
if (ppp->n_channels == 0)
kfree(ppp);
+
+ if (dev) {
+ rtnl_lock();
+ dev_close(dev);
+ unregister_netdevice(dev);
+ rtnl_unlock();
+ }
spin_unlock(&all_ppp_lock);
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/