| To: | Patrick McHardy <kaber@xxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH 2.6 NET] Fixes slab corruption in cbq_destroy |
| From: | Thomas Graf <tgraf@xxxxxxx> |
| Date: | Thu, 16 Sep 2004 22:33:27 +0200 |
| Cc: | "David S. Miller" <davem@xxxxxxxxxxxxx>, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx |
| In-reply-to: | <4149AA12.10306@xxxxxxxxx> |
| References: | <20040916132856.GA27293@xxxxxxxxxxxxxx> <4149998C.6060501@xxxxxxxxx> <20040916140943.GC27293@xxxxxxxxxxxxxx> <4149AA12.10306@xxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |

* Patrick McHardy <4149AA12.10306@xxxxxxxxx> 2004-09-16 16:58
> Thomas Graf wrote:
>
> >* Patrick McHardy <4149998C.6060501@xxxxxxxxx> 2004-09-16 15:47
> >
> >>I don't see how there can be slab corruption. qdisc_put_rtab only
> >>calls kfree if the table is found in qdisc_rtab_list, which only
> >>happens once. But the patch is still fine as cleanup :)
> >
> >On second call to qdisc_put_rtab with tab pointing to an already
> >freed qdisc_rate_table:
> >
> >sch_api.c:271: if (!tab || --tab->refcnt)
> >
> You're right, no double free but accessing and modifying of freed memory.

My patch description was misleading should have been something like
this:

Fixes slab corruption in cbq_destroy. cbq_destroy_filters and
qdisc_put_rtab(q->link.R_tab) are already called in cbq_destroy_class.
The latter lead to a slab corruption due to use of q->link.R_tab after
being freed by previous call to qdisc_put_rtab. Problem introduced in 1.21.
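
The access pattern discussed in this message, as an added userspace model that is not part of the original post or the kernel source. `struct rtab`, `put_rtab`, `destroy_class`, `destroy_buggy` and `destroy_fixed` are hypothetical names, and a `freed` flag stands in for `kfree()` so the stale access can be counted instead of corrupting memory.

```c
/* Userspace model (constructed, not kernel code) of a refcounted put
 * being called twice on the same pointer. */
#include <stddef.h>

struct rtab { int refcnt; int freed; };  /* freed: stands in for kfree() */

static int touched_freed;                /* accesses to already-freed tables */

/* Follows the check quoted from sch_api.c: if (!tab || --tab->refcnt) */
static void put_rtab(struct rtab *tab)
{
    if (!tab)
        return;
    if (tab->freed) {      /* in the kernel: --tab->refcnt writes into freed slab memory */
        touched_freed++;
        return;
    }
    if (--tab->refcnt)
        return;            /* other holders remain */
    tab->freed = 1;        /* last reference dropped: the real code frees the table here */
}

struct cls { struct rtab *R_tab; };

/* Hypothetical stand-in for the per-class teardown, which already puts R_tab. */
static void destroy_class(struct cls *c) { put_rtab(c->R_tab); }

/* Before: the qdisc teardown puts link.R_tab again after the class teardown did. */
static int destroy_buggy(void)
{
    struct rtab t = { 1, 0 };
    struct cls link = { &t };
    touched_freed = 0;
    destroy_class(&link);
    put_rtab(link.R_tab);  /* second put: pointer is non-NULL but stale */
    return touched_freed;
}

/* After: the table is released exactly once, by the class teardown. */
static int destroy_fixed(void)
{
    struct rtab t = { 1, 0 };
    struct cls link = { &t };
    touched_freed = 0;
    destroy_class(&link);
    return touched_freed;
}
```

The `!tab` test does not help in the first case because the stale pointer is still non-NULL, which is why the second call reaches the decrement.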