Hey Scott, thank you very much for the fix! Can you confirm if this bug is related to https://dev.open-mesh.net/batman/ticket/86 ? This bug has very likely been caused by a memory corruption, but i couldnĀ“t find where. (i have not experienced any kernel panics by this however ...).
Thanks, best regards
Simon
On Thu, Dec 04, 2008 at 02:14:27PM +1300, Scott Raynel wrote:
> Hi there,
>
> I've been spending some time tracking down a bug that's been causing
> memory corruption followed by random kernel panics. Thanks to the
> kernel's slab memory debugger I tracked it down to a kfree in send.c
> that was freeing a block of memory that had been written to past the
> end of its allocation.
>
> Turned out to be a simple typo, which I've fixed in the following
> patch. When resizing the packet_buff struct in batman_if, the new
> length was being updated but the old length was being used for the
> kmalloc(), causing something later to think it had more memory
> allocated to write to, hence writing past the end of the allocation.
>
> Signed-off-by: Scott Raynel <scottray...@gmail.com>
>
> Index: send.c
> ===================================================================
> --- send.c (revision 1105)
> +++ send.c (working copy)
> @@ -159,7 +159,7 @@
> if ((hna_local_changed) && (batman_if->if_num == 0)) {
>
> new_len = sizeof(struct batman_packet) + (num_hna *
> ETH_ALEN);
> - new_buf = kmalloc(batman_if->pack_buff_len, GFP_ATOMIC);
> + new_buf = kmalloc(new_len, GFP_ATOMIC);
>
> /* keep old buffer if kmalloc should fail */
> if (new_buf) {
>
>
> Cheers,
>
> --
> Scott Raynel
> WAND Network Research Group
> Department of Computer Science
> University of Waikato
> New Zealand
>
>
>
> _______________________________________________
> B.A.T.M.A.N mailing list
> b.a.t.m....@open-mesh.net
> https://list.open-mesh.net/mm/listinfo/b.a.t.m.a.n
>
signature.asc
Description: Digital signature
