On Mon, Nov 05, 2007 at 11:08:00PM +0300, Evgeniy Polyakov ([EMAIL PROTECTED]) 
wrote:
> On Tue, Oct 30, 2007 at 01:33:41AM -0700, David Miller ([EMAIL PROTECTED]) 
> wrote:
> > > The panic is in __teql_resolve (which has been inlined into 
> > > teql_master_xmit) in
> > > net/sched/sch_teql.c at this line:
> > > 
> > >   if (n && n->tbl == mn->tbl &&
> > > 
> > > Specifically the dereference of n->tbl is faulting as n is not valid.
> 
> n is never valid (null), mn is garbage.

My fault, of course you are right, n is invalid because it is
dereferenced from qdisc, which was changed. That was too late in Moscow 
for conclusions...

> > > And the address looks like part of an ASCII string...  "figt"
> > 
> > I studied sch_teql.c a bit and I suspect that the slave list
> > management in teql_destroy() and teql_qdisc_init() might be
> > suspect.
> 
> teql_reset() is called from deactivate and qdisc is set to noop already,
> but subsequent teql_xmit does not know about it and dereferences private
> data as teql qdisc and thus oopses. I will fix it tomorrow if you will
> not catch it first :)

It looks like I am.
Tested, works, fixed.

Signed-off-by: Evgeniy Polyakov <[EMAIL PROTECTED]>

diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index f05ad9a..e0a44b9 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -263,6 +276,9 @@ __teql_resolve(struct sk_buff *skb, struct sk_buff 
*skb_res, struct net_device *
 static __inline__ int
 teql_resolve(struct sk_buff *skb, struct sk_buff *skb_res, struct net_device 
*dev)
 {
+       if (dev->qdisc == &noop_qdisc)
+               return -ENODEV;
+
        if (dev->hard_header == NULL ||
            skb->dst == NULL ||
            skb->dst->neighbour == NULL)
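
Review bot: The new test at the top of teql_resolve() only rejects `&noop_qdisc`, while the oops described in the thread comes from treating a slave's private data as teql data after its qdisc was changed, so a slave that now carries any other non-teql qdisc would pass `dev->qdisc == &noop_qdisc` and reach the same dereference. A positive check that the qdisc still belongs to teql would cover both cases. Nothing in the hunk shows what keeps dev->qdisc from changing between this test and the later use, so the changelog should name the lock or context that makes the read safe. The hunk header `@@ -263,6 +276,9 @@` also carries a 13-line offset with no earlier hunk in this file, which suggests the diff was taken from a tree with other local changes to sch_teql.c. Finally, the changelog should describe the oops and its cause rather than only "Tested, works, fixed."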

-- 
        Evgeniy Polyakov