Re: OOPS iproute2/tc/u32_destroy in 2.6.22-rc3-git6

Sun, 03 Jun 2007 09:39:15 -0700 

Michal Piotrowski wrote:
> Strobl Anton pisze:
> 
>> While trying to stop qdisc/cbq with command
>>
>>    tc qdisc del dev eth1 root
>>
>> EIP is at u32_destroy+0x52/0xd8 [cls_u32]


Please try this patch.


[NET_SCHED]: Fix filter double free

cbq and atm destroy their filters twice when destroying inner classes
during qdisc destruction.

Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>

---
commit a2b6772f1b9524b8d3c67bee3b92956d44555b22
tree a4b8b9f3675606ff935d2422e26b24adf6c1ad3c
parent 1df4e603136d09c0aee78102a05fb960be3764bb
author Patrick McHardy <[EMAIL PROTECTED]> Sun, 03 Jun 2007 18:35:09 +0200
committer Patrick McHardy <[EMAIL PROTECTED]> Sun, 03 Jun 2007 18:35:09 +0200

 net/sched/sch_atm.c |    1 +
 net/sched/sch_cbq.c |    8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index be7d299..d1c383f 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -599,6 +599,7 @@ static void atm_tc_destroy(struct Qdisc *sch)
        /* races ? */
        while ((flow = p->flows)) {
                tcf_destroy_chain(flow->filter_list);
+               flow->filter_list = NULL;
                if (flow->ref > 1)
                        printk(KERN_ERR "atm_destroy: %p->ref = %d\n",flow,
                            flow->ref);
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index a294542..ee2d596 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1748,10 +1748,12 @@ cbq_destroy(struct Qdisc* sch)
         * classes from root to leafs which means that filters can still
         * be bound to classes which have been destroyed already. --TGR '04
         */
-       for (h = 0; h < 16; h++)
-               for (cl = q->classes[h]; cl; cl = cl->next)
+       for (h = 0; h < 16; h++) {
+               for (cl = q->classes[h]; cl; cl = cl->next) {
                        tcf_destroy_chain(cl->filter_list);
-
+                       cl->filter_list = NULL;
+               }
+       }
        for (h = 0; h < 16; h++) {
                struct cbq_class *next;

Reply via email to