netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[PATCH 2.6 NET] Fixes slab corruption in cbq_destroy

from [Thomas Graf] [Permanent Link][Original]
To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: [PATCH 2.6 NET] Fixes slab corruption in cbq_destroy
From: Thomas Graf <tgraf@xxxxxxx>
Date: Thu, 16 Sep 2004 15:28:56 +0200
Cc: Patrick McHardy <kaber@xxxxxxxxx>, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx 
Fixes slab corruption in cbq_destroy. cbq_destroy_filters and
qdisc_put_rtab(q->link.R_tab) are already called in cbq_destroy_class.
The latter lead to a slab corruption due to repeated freeing of
q->link.R_tab because q->link is part of q->classes. Problem introduced
in 1.21.

Signed-off-by: Thomas Graf <tgraf@xxxxxxx>


--- linux-2.6.9-rc2-bk2.orig/net/sched/sch_cbq.c        2004-09-16 
14:52:23.000000000 +0200
+++ linux-2.6.9-rc2-bk2/net/sched/sch_cbq.c     2004-09-16 14:53:53.000000000 
+0200
@@ -1770,10 +1770,6 @@
 #ifdef CONFIG_NET_CLS_POLICE
        q->rx_class = NULL;
 #endif
-       for (h = 0; h < 16; h++) {
-               for (cl = q->classes[h]; cl; cl = cl->next)
-                       cbq_destroy_filters(cl);
-       }
 
        for (h = 0; h < 16; h++) {
                struct cbq_class *next;
@@ -1783,8 +1779,6 @@
                        cbq_destroy_class(sch, cl);
                }
        }
-
-       qdisc_put_rtab(q->link.R_tab);
 }
 
 static void cbq_put(struct Qdisc *sch, unsigned long arg)
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: The ultimate TOE design, Alan Cox
Next by Date:  [PATCH 2.4 NET] Fixes slab corruption in cbq_destroy, Thomas Graf
Previous by Thread:  [IPSEC] Implement DSCP decapsulation, Herbert Xu
Next by Thread:  Re: [PATCH 2.6 NET] Fixes slab corruption in cbq_destroy, Patrick McHardy
Indexes:  [Date] [Thread] [Top] [All Lists]