>
> OK, you have CONFIG_DEBUG_PAGEALLOC set. That's the patch which unmaps
> pages from kernel virtual address space when they are freed.
>
> That patch seems quite stable on uniprocessor at least - there are question
> marks over its honesty on SMP.
>
> I would be inclined to say that this is a hitherto undiscovered
> use-after-free bug.
Good inclination. See patch.
As far as I can tell, sock->stamp is only ever used for
SIOCGSTAMP, which probably doesn't need to be support for
these rpc sockets, but I guess it doesn't hurt..
NeilBrown
--------------------------------------------
Extract ->stamp from skb *before* freeing it in svcsock.c
As we sometime copy and free an skb, and sometime us it
in-place, we must be careful to extract information from
it *before* it might be freed, not after.
----------- Diffstat output ------------
./net/sunrpc/svcsock.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
diff ./net/sunrpc/svcsock.c~current~ ./net/sunrpc/svcsock.c
--- ./net/sunrpc/svcsock.c~current~ 2003-05-21 13:17:52.000000000 +1000
+++ ./net/sunrpc/svcsock.c 2003-05-26 09:11:32.000000000 +1000
@@ -589,6 +589,8 @@ svc_udp_recvfrom(struct svc_rqst *rqstp)
rqstp->rq_addr.sin_port = skb->h.uh->source;
rqstp->rq_addr.sin_addr.s_addr = skb->nh.iph->saddr;
+ svsk->sk_sk->stamp = skb->stamp;
+
if (skb_is_nonlinear(skb)) {
/* we have to copy */
local_bh_disable();
@@ -629,7 +631,6 @@ svc_udp_recvfrom(struct svc_rqst *rqstp)
serv->sv_stats->netudpcnt++;
/* One down, maybe more to go... */
- svsk->sk_sk->stamp = skb->stamp;
svc_sock_received(svsk);
return len;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/