Hi,

In ppp_destroy_interface(), there is a chance that kfree(ppp) is called
twice, causing a kernel oops when ppp is opened again.  I was able to cause
this by running PPPOE, and killing -9 pppd and pppoe-daemon with one kill
command.  By doing this, the closing of ppp->dev causes a
ppp_disconnect_channel(), which calls kfree(ppp) assuming the ppp unit is
dead.  But destroy_interface() hasn't finished, and it tries to kfree(ppp)
also.  I simply moved the closing of the device to after the channels == 0
check.  Anyways, follows is the patch.  Please cc comments to
[EMAIL PROTECTED]

thanks,
Eli Chen


--- ppp_generic.c 2001/02/21 00:53:01 1.1.1.2
+++ ppp_generic.c 2001/07/03 20:37:22
@@ -2268,13 +2268,6 @@
  ppp->dev = 0;
  ppp_unlock(ppp);

- if (dev) {
-  rtnl_lock();
-  dev_close(dev);
-  unregister_netdevice(dev);
-  rtnl_unlock();
- }
-
  /*
   * We can't acquire any new channels (since we have the
   * all_ppp_lock) so if n_channels is 0, we can free the
@@ -2283,6 +2276,13 @@
   */
  if (ppp->n_channels == 0)
   kfree(ppp);
+
+ if (dev) {
+  rtnl_lock();
+  dev_close(dev);
+  unregister_netdevice(dev);
+  rtnl_unlock();
+ }

  spin_unlock(&all_ppp_lock);
 }


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to