Hello, On Fri, 22 May 2015, Eric W. Biederman wrote:
> ip_error does not check if in_dev is NULL before dereferencing it. > > IThe following sequence of calls is possible: > CPU A CPU B > ip_rcv_finish > ip_route_input_noref() > ip_route_input_slow() > inetdev_destroy() > dst_input() > > With the result that a network device can be destroyed while processing > an input packet. How can that happen in practice? May be network driver is missing a napi_disable() call in ndo_stop()? napi_disable is supposed to wait backlog before NETDEV_DOWN and NETDEV_UNREGISTER (where inetdev_destroy is called) handlers are notified. Any link to original crash report, info for used driver, etc? After commit 8030f54499925d ("[IPV4] devinet: Register inetdev earlier.") dev->ip_ptr is always present while packets are processed, only in_dev->ifa_list can be NULL. Regards -- Julian Anastasov <j...@ssi.bg> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html