Opened 3 years ago

Closed 2 years ago

#18256 closed defect (fixed)

pppd restart may cause NULL pointer dereference

Reported by: spiritbook
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: kernel
Version: Trunk
Keywords: ppp; kernel
Cc:

Description

env: Linux 3.10.44 + pppd 2.4.6

When I am doing /etc/init.d/network restart,
sometimes an oops occurs:

[  342.020000] CPU 0 Unable to handle kernel paging request at virtual address 000001f4, epc == 80fc17e8, ra == 80fc17a8
[  342.020000] Oops[#1]:
[  342.020000] CPU: 0 PID: 1128 Comm: pppd Tainted: G        W    3.10.44 #35
[  342.020000] task: 804a5920 ti: 809f0000 task.ti: 809f0000
[  342.020000] $ 0   : 00000000 00000001 00000001 00000000
[  342.020000] $ 4   : 804e1800 00000000 802ab614 00010000
[  342.020000] $ 8   : 802b0000 00010000 802a9260 6f707070
[  342.020000] $12   : 00000000 00000001 00000000 00070012
[  342.020000] $16   : 804e1800 00000000 8059f160 8059f180
[  342.020000] $20   : 80550be8 8059f180 8180e3d0 802b0000
[  342.020000] $24   : 00000000 8014fb00                  
[  342.020000] $28   : 809f0000 809f1ce8 802653c0 80fc17a8
[  342.020000] Hi    : 00000000
[  342.020000] Lo    : ec4e4000
[  342.020000] epc   : 80fc17e8 0x80fc17e8
[  342.020000]     Tainted: G        W   
[  342.020000] ra    : 80fc17a8 0x80fc17a8
[  342.020000] Status: 1100e402 KERNEL EXL 
[  342.020000] Cause : 00800008
[  342.020000] BadVA : 000001f4
[  342.020000] PrId  : 00019650 (MIPS 24KEc)
[  342.020000] Modules linked in: url_log rg_sys pppoe ppp_async iptable_nat pppox ppp_generic nf_nat_ipv4 nf_conntrack_ipv4 iptable_raw iptable_mangle iptable_filter ipt_REJECT ipt_MASQUERADE ip_tables xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_CT x_tables ums_usbat ums_sddr55 ums_sddr09 ums_karma ums_jumpshot ums_isd200 ums_freecom ums_datafab ums_cypress ums_alauda slhc nf_nat_irc nf_nat_ftp nf_nat nf_defrag_ipv4 nf_conntrack_irc nf_conntrack_ftp crc_itu_t crc_ccitt rt2860v2_ap ledtrig_usbdev vfat fat ntfs nls_utf8 nls_iso8859_1 nls_cp437 eeprom_93cx6 arc4 crypto_blkcipher usb_storage leds_gpio dwc2_platform dwc2 ohci_hcd ehci_platform ehci_hcd sd_mod scsi_mod gpio_button_hotplug ext4 crc16 jbd2 mbcache usbcore nls_base usb_common crypto_hash
[  342.020000] Process pppd (pid: 1128, threadinfo=809f0000, task=804a5920, tls=778b6440)
[  342.020000] Stack : 8059f2e0 80550be0 80550be8 00000001 80bc8770 8059f160 80fc2164 80bc87f8
          8059f180 80550be8 8059f180 80188f00 804f2d80 8042f700 80bc8770 00000000
          80550be0 80550be0 00000008 80188fac 80550be8 8059f180 80550be0 00000008
          80bc87f8 8008e830 8101b760 80a31d20 00000000 8008b040 00000000 00000000
          804a5920 80550460 80310000 802b0000 00010000 00000001 802b0000 800363f8
          ...
[  342.020000] Call Trace:
[  342.020000] [<80fc17e8>] 0x80fc17e8
[  342.020000] 
[  342.020000] 
Code: 41626000  30420001  000000c0 <8c6301f4> 8c640000  2484ffff  ac640000  10400002  41606000 
[  342.480000] ---[ end trace d919561d19e24c02 ]---

Reviewing the code, I think it may be caused by
@function : pppoe_release

	if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
		dev_put(po->pppoe_dev);
		po->pppoe_dev = NULL;
	}

Here "po->pppoe_dev" may be NULL, because when the interface is going down in

@function: pppoe_device_event -> pppoe_flush_dev

			if (po->pppoe_dev == dev &&
			    sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
				pppox_unbind_sock(sk);
				sk->sk_state = PPPOX_ZOMBIE;
				sk->sk_state_change(sk);
				po->pppoe_dev = NULL;
				dev_put(dev);
			}

here "po->pppoe_dev" is set to NULL.

Is this the right place that causes the oops?
Does it need an if (po->pppoe_dev == NULL) check before using it?
Thanks.

Attachments (0)

Change History (2)

comment:1 (in reply to the description) Changed 3 years ago by spiritbook

I added some debug output and found that 'po' is the same pointer in the two functions.

pppoe_flush_dev

			if (po->pppoe_dev == dev &&
			    sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
				pppox_unbind_sock(sk);
				sk->sk_state = PPPOX_ZOMBIE;
				sk->sk_state_change(sk);
				po->pppoe_dev = NULL;
				pr_info("po->pppoe_dev = NULL %p\n", po);
				dev_put(dev);
			}

pppoe_release

	pr_info("pppoe_release %p\n", po);

	if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
		pr_info("pppoe_release 1\n");
		dev_put(po->pppoe_dev);
		po->pppoe_dev = NULL;
	}

The output:

[  132.230000] po->pppoe_dev = NULL 81768800
[  132.360000] pppoe_release 81768800
[  132.370000] pppoe_release 1

Thanks.
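The sequence that the description and the debug output above describe (connect, interface goes down and pppoe_flush_dev() clears pppoe_dev while leaving sk_state at PPPOX_ZOMBIE, then pppoe_release() trusts sk_state and hands the NULL pointer to dev_put()) can be reproduced in a small user-space model. The following is an added example, not the kernel's pppoe.c and not code from the ticket: the structs, the flag values, the "pppoe-wan" device and the NULL-counting dev_put() are constructed stand-ins, and pppoe_release_checked() is the kind of check the reporter asks about, not the fix that was eventually committed. In the real kernel dev_put() touches the device's refcount through the pointer, which is why a NULL here turns into the small-address paging fault shown in the oops (BadVA 000001f4).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the sk_state bits named in the ticket. */
#define PPPOX_CONNECTED 1
#define PPPOX_BOUND     2
#define PPPOX_ZOMBIE    8
#define PPPOX_LIVE_MASK (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)

struct net_device { const char *name; int refcnt; };
struct pppox_sock { int sk_state; struct net_device *pppoe_dev; };

/* Counts dev_put() calls that would have dereferenced NULL in the real kernel. */
static int null_dev_puts;

static void dev_hold(struct net_device *dev) { dev->refcnt++; }

static void dev_put(struct net_device *dev)
{
    if (dev == NULL) {          /* the real helper would oops at this point */
        null_dev_puts++;
        return;
    }
    dev->refcnt--;
}

static void pppoe_connect(struct pppox_sock *po, struct net_device *dev)
{
    dev_hold(dev);
    po->pppoe_dev = dev;
    po->sk_state = PPPOX_CONNECTED;
}

/* Interface going down: mirrors the pppoe_flush_dev() branch quoted in the ticket. */
static void pppoe_flush_dev(struct pppox_sock *po, struct net_device *dev)
{
    if (po->pppoe_dev == dev && (po->sk_state & PPPOX_LIVE_MASK)) {
        po->sk_state = PPPOX_ZOMBIE;   /* socket still counts as "live" for the release test */
        po->pppoe_dev = NULL;
        dev_put(dev);
    }
}

/* Release path as quoted in the ticket: decides on sk_state alone, never looks at pppoe_dev. */
static void pppoe_release_as_reported(struct pppox_sock *po)
{
    if (po->sk_state & PPPOX_LIVE_MASK) {
        dev_put(po->pppoe_dev);        /* NULL after a flush */
        po->pppoe_dev = NULL;
    }
}

/* Release path with the NULL check: take the pointer, clear it, drop the reference only if set. */
static void pppoe_release_checked(struct pppox_sock *po)
{
    if (po->sk_state & PPPOX_LIVE_MASK) {
        struct net_device *dev = po->pppoe_dev;
        po->pppoe_dev = NULL;
        if (dev)
            dev_put(dev);
    }
}

/* Runs connect -> interface down -> close; returns how many NULL dev_put()s happened
 * and, via refcnt_out, the device refcount left behind (1 = only the device's own reference). */
static int run_restart_scenario(int use_check, int *refcnt_out)
{
    struct net_device dev = { "pppoe-wan", 1 };   /* constructed device, refcount 1 */
    struct pppox_sock po;
    memset(&po, 0, sizeof po);
    null_dev_puts = 0;

    pppoe_connect(&po, &dev);      /* refcnt 2, state CONNECTED */
    pppoe_flush_dev(&po, &dev);    /* refcnt 1, state ZOMBIE, pppoe_dev NULL */
    if (use_check)
        pppoe_release_checked(&po);
    else
        pppoe_release_as_reported(&po);
    if (refcnt_out)
        *refcnt_out = dev.refcnt;
    return null_dev_puts;
}

static int scenario_final_refcnt(int use_check)
{
    int refcnt;
    run_restart_scenario(use_check, &refcnt);
    return refcnt;
}

int main(void)
{
    int refcnt;
    int bad = run_restart_scenario(0, &refcnt);
    printf("as reported: %d NULL dev_put(s), final refcnt %d\n", bad, refcnt);
    int good = run_restart_scenario(1, &refcnt);
    printf("with check : %d NULL dev_put(s), final refcnt %d\n", good, refcnt);
    return 0;
}
```

The model shows why a check on sk_state alone is not enough: the flush path deliberately keeps the socket in PPPOX_ZOMBIE so later code still treats it as bound, but it has already given back the device reference, so the release path has to test the pointer (or the state bits have to be narrowed) before calling dev_put(). The refcount ends at 1 in both runs because the flush already dropped the socket's reference; the only difference is whether release dereferences NULL on the way out.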

comment:2 Changed 2 years ago by nbd

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r47026, r47027.
