Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8

From: David S. Miller (davem@redhat.com)
Date: Thu May 24 2001 - 18:17:55 EST

Next message: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Previous message: Alan Cox: "Re: [CHECKER] error path memory leaks in 2.4.4 and 2.4.4-ac8"
In reply to: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Next in thread: Jeff Hartmann: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alan Cox writes:
> > [BUG] seems possible --- or is some precondition guarenteed?
> > /u2/engler/mc/oses/linux/2.4.4-ac8/net/ipv6/udp.c:438:udpv6_recvmsg: ERROR:FREE:453:438: WARN: Use-after-free of "skb"! set by 'kfree_skb':453
>
> Looks right. Left for DaveM

It's wrong, in the MSG_PEEK case skb->users is incremented by
skb_recv_datagram, so to truly get rid of it we do indeed need to
unlink it from the receive_queue then free it twice :-)

Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Previous message: Alan Cox: "Re: [CHECKER] error path memory leaks in 2.4.4 and 2.4.4-ac8"
In reply to: Alan Cox: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Next in thread: Jeff Hartmann: "Re: [CHECKER] free bugs in 2.4.4 and 2.4.4-ac8"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu May 31 2001 - 21:00:20 EST