From: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
Date: Fri, 14 Oct 2005 19:52:35 -0300
> > I think the new oops is due to either stack corruption or else a
> > non-existent callback. Comments?
> >
> > Unable to handle kernel paging request at virtual address 5a5a5ade
> > printing eip:
> > c033a890
> > *pde = 00000000
> > Oops: 0000 [#1]
> > Modules linked in: dccp_ccid3 dccp_tfrc_lib dccp e100 3c59x
> > CPU:    0
> > EIP:    0060:[<c033a890>]    Not tainted VLI
> > EFLAGS: 00010246   (2.6.14-rc3)
> > EIP is at icmp_send+0x130/0x3d0
> > eax: 5a5a5a5a   ebx: c6ee3360   ecx: 5a5a5a5a   edx: 0000005a
> >
> > Seems use after free, lemme give a quick look...

Likely someone sets skb->sk in dccp without grabbing a reference count
to the socket. Socket gets freed up early, and later ICMP does a local
response dereferencing the now gone skb->sk.

Just a theory :-)

This is why I don't think we should merge Herbert's fix just yet. If
the skb->sk handling is still hosed, then it's still just a half-fix.
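The ownership rule the mail is talking about, as an added illustration that is not part of the thread and not kernel code: a user-space model in which an skb either takes its own reference on the socket it points to (and returns it from its destructor) or merely stores the pointer. The function names (sock_hold, sock_put, skb_set_owner_r, sock_rfree, kfree_skb) are borrowed from the kernel for readability but are toy reimplementations here; the "slab" is simulated so that the stale dereference is observable rather than undefined behaviour. The 0x5a byte used for poisoning is the same value as the kernel's POISON_INUSE, which is why the bad read below comes back as 0x5a5a5a5a, matching the register values in the quoted oops.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not kernel code: a user-space model of the socket
 * reference-counting rule for skb->sk.  Names mirror the kernel's but
 * these are hypothetical toy versions.
 */

#define POISON_INUSE 0x5a   /* same byte value as the kernel's slab poison */

struct sock {
    int      refcnt;   /* held by the owner plus every skb that points here */
    uint32_t sk_mark;  /* stand-in for any field a later path (icmp_send) reads */
    int      freed;    /* simulation only: set once the object was released */
};

struct sk_buff {
    struct sock *sk;                       /* owning socket, may be NULL */
    void (*destructor)(struct sk_buff *);  /* drops whatever the skb holds on sk */
};

/* Simulated slab free: poison the object instead of returning it to libc,
 * so a stale skb->sk dereference is observable here instead of undefined. */
static void sk_free(struct sock *sk)
{
    memset(sk, POISON_INUSE, sizeof *sk);
    sk->freed = 1;
}

static void sock_hold(struct sock *sk) { sk->refcnt++; }
static void sock_put(struct sock *sk)  { if (--sk->refcnt == 0) sk_free(sk); }

/* Destructor for an skb that holds its own reference on the socket. */
static void sock_rfree(struct sk_buff *skb) { sock_put(skb->sk); }

/* Correct pattern: record the owner AND take a reference the destructor returns. */
static void skb_set_owner_r(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    sock_hold(sk);
    skb->destructor = sock_rfree;
}

/* The suspected bug: pointer stored, no reference taken, nothing to drop later. */
static void skb_set_owner_unsafe(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    skb->destructor = NULL;
}

static void kfree_skb(struct sk_buff *skb)
{
    if (skb->destructor)
        skb->destructor(skb);
    free(skb);
}

/* Stand-in for the later consumer (icmp_send in the oops) that trusts skb->sk. */
static uint32_t icmp_send_reads_owner(const struct sk_buff *skb)
{
    return skb->sk->sk_mark;
}

/*
 * Scenario from the mail: an skb is tagged with a socket, the socket's
 * owner closes it (drops the owner's reference), and only afterwards does
 * the skb reach code that dereferences skb->sk.  Returns what that code
 * observes: the real field with a reference held, poison without one.
 */
static uint32_t run_scenario(int take_reference)
{
    struct sock *sk = calloc(1, sizeof *sk);
    struct sk_buff *skb = calloc(1, sizeof *skb);
    uint32_t seen;

    sk->refcnt  = 1;        /* the owner's reference */
    sk->sk_mark = 0x1234;   /* constructed value we expect to read back */

    if (take_reference)
        skb_set_owner_r(skb, sk);
    else
        skb_set_owner_unsafe(skb, sk);

    sock_put(sk);           /* owner closes the socket */

    seen = icmp_send_reads_owner(skb);  /* safe only if the skb holds its own ref */
    kfree_skb(skb);         /* with a destructor, this is where sk's last ref goes */
    free(sk);               /* actual release of the simulated slab object */
    return seen;
}

int main(void)
{
    printf("with reference:    sk_mark = 0x%x\n", run_scenario(1));
    printf("without reference: sk_mark = 0x%x\n", run_scenario(0));
    return 0;
}
```

The point of the model is the ordering: whoever assigns skb->sk must also guarantee the socket outlives every later reader of that pointer, and in the kernel the only way to do that for a queued skb is to hold a reference and give it back in the destructor. A real slab would eventually hand the poisoned object to someone else, which is why the oops in the thread shows a 0x5a-filled pointer rather than a clean crash.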

