Re: [PATCH] PPPOE can kfree SKB twice (was Re: kernel panic problem. (smp, iptables?))

From: Rainer Clasen
Date: Fri Jul 20 2001 - 10:36:55 EST

On Fri, Jul 20, 2001 at 12:28:35AM -0700, David S. Miller wrote:
> Rainer Clasen writes:
> > I am using tulip, dummy, Ben Greear's dot1q VLAN devices and some ISDN
> > syncppp and ISDN rawip devices are configured (but not actively used),
> > too.
> Can you test without dummy and VLAN? Man, I now have to audit that
> friggin' code too :-(

As a first step I've removed dummy. Eliminating VLAN is difficult and will take
me some more time.

I could easily reproduce the oops with several nmap -sS through this router.

# ksymoops -K -L -o /lib/modules/2.4.6/ -m /boot/ < blurb
ksymoops 2.4.1 on i586 2.4.1. Options used
     -V (default)
     -K (specified)
     -L (specified)
     -o /lib/modules/2.4.6/ (specified)
     -m /boot/ (specified)

No modules in ksyms, skipping objects
Unable to handle kernel paging request at virtual address 67720a25
 printing eip:
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c012612a>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010246
eax: 67720a0d ebx: 00000000 ecx: 67720a0d edx: 00000000
esi: c165d800 edi: c12d2680 ebp: 00000060 esp: c0209dd8
ds: 0018 es: 0018 ss: 0018
Process swapper (pid: 0, stackpage=c0209000)
Stack: c0181e4d fffff800 c165d800 c0182443 c165d800 c165d800 c12f3000 c12c10a0
       c12f3000 ffffffee c01853bd c165d800 00000020 c165d800 00000000 c12c10a0
       c0188935 c165d800 c165d800 00000000 00000004 c01961cc c019625d c165d800
Call Trace: [<c0181e4d>] [<c0182443>] [<c01853bd>] [<c0188935>] [<c01961cc>] [<c019625d>] [<c018aa56>]
       [<c01938b0>] [<c01961b2>] [<c01961cc>] [<c01938fa>] [<c018aa56>] [<c019385b>] [<c01938b0>] [<c0192c69>]
       [<c0192aa8>] [<c018aa56>] [<c01928f6>] [<c0192aa8>] [<c0185a8d>] [<c0113aff>] [<c0107e5d>] [<c0105120>]
       [<c0106b60>] [<c0105120>] [<c0105143>] [<c01051a7>] [<c0105000>]
Code: 8b 41 18 85 c0 7c 11 ff 49 14 0f 94 c0 84 c0 74 07 89 c8 e8

>>EIP; c012612a <__free_pages+2/1c> <=====
Trace; c0181e4d <skb_release_data+41/74>
Trace; c0182443 <skb_linearize+cf/130>
Trace; c01853bd <dev_queue_xmit+6d/244>
Trace; c0188935 <neigh_connected_output+95/c8>
Trace; c01961cc <ip_finish_output2+0/c8>
Trace; c019625d <ip_finish_output2+91/c8>
Trace; c018aa56 <nf_hook_slow+ee/144>
Trace; c01938b0 <ip_forward_finish+0/50>
Trace; c01961b2 <ip_finish_output+ee/f4>
Trace; c01961cc <ip_finish_output2+0/c8>
Trace; c01938fa <ip_forward_finish+4a/50>
Trace; c018aa56 <nf_hook_slow+ee/144>
Trace; c019385b <ip_forward+1eb/240>
Trace; c01938b0 <ip_forward_finish+0/50>
Trace; c0192c69 <ip_rcv_finish+1c1/1f8>
Trace; c0192aa8 <ip_rcv_finish+0/1f8>
Trace; c018aa56 <nf_hook_slow+ee/144>
Trace; c01928f6 <ip_rcv+376/3b0>
Trace; c0192aa8 <ip_rcv_finish+0/1f8>
Trace; c0185a8d <net_rx_action+135/258>
Trace; c0113aff <do_softirq+3f/68>
Trace; c0107e5d <do_IRQ+9d/b0>
Trace; c0105120 <default_idle+0/28>
Trace; c0106b60 <ret_from_intr+0/7>
Trace; c0105120 <default_idle+0/28>
Trace; c0105143 <default_idle+23/28>
Trace; c01051a7 <cpu_idle+3f/54>
Trace; c0105000 <_stext+0/0>
Code; c012612a <__free_pages+2/1c>
00000000 <_EIP>:
Code; c012612a <__free_pages+2/1c> <=====
   0: 8b 41 18 mov 0x18(%ecx),%eax <=====
Code; c012612d <__free_pages+5/1c>
   3: 85 c0 test %eax,%eax
Code; c012612f <__free_pages+7/1c>
   5: 7c 11 jl 18 <_EIP+0x18> c0126142 <__free_pages+1a/1c>
Code; c0126131 <__free_pages+9/1c>
   7: ff 49 14 decl 0x14(%ecx)
Code; c0126134 <__free_pages+c/1c>
   a: 0f 94 c0 sete %al
Code; c0126137 <__free_pages+f/1c>
   d: 84 c0 test %al,%al
Code; c0126139 <__free_pages+11/1c>
   f: 74 07 je 18 <_EIP+0x18> c0126142 <__free_pages+1a/1c>
Code; c012613b <__free_pages+13/1c>
  11: 89 c8 mov %ecx,%eax
Code; c012613d <__free_pages+15/1c>
  13: e8 00 00 00 00 call 18 <_EIP+0x18> c0126142 <__free_pages+1a/1c>

Kernel panic: Aiee, killing interrupt handler!


KeyID=759975BD fingerprint=887A 4BE3 6AB7 EE3C 4AE0  B0E1 0556 E25A 7599 75BD
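
Triage of the register dump above, as an added example that is not part of the original message: it checks that the faulting address equals the base register plus the displacement of the faulting instruction, and whether that pointer is a plausible kernel address or decodes to ASCII data. The function name `triage` and the `PAGE_OFFSET` of 0xc0000000 (the default i386 3G/1G split) are assumptions; the sample lines are copied from the oops.

```python
import re

PAGE_OFFSET = 0xC0000000  # assumption: default i386 kernel/user split
ASCII = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable plus tab, LF, CR

# Lines copied from the ksymoops output in the message above.
OOPS = """\
Unable to handle kernel paging request at virtual address 67720a25
eax: 67720a0d ebx: 00000000 ecx: 67720a0d edx: 00000000
esi: c165d800 edi: c12d2680 ebp: 00000060 esp: c0209dd8
   0: 8b 41 18 mov 0x18(%ecx),%eax <=====
"""

def triage(oops):
    """Relate the fault address to the faulting instruction's memory operand."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", oops).group(1), 16)
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2}):\s*([0-9a-f]{8})", oops)}
    # The memory operand of the instruction ksymoops marks with <=====
    m = re.search(r"(0x[0-9a-f]+)?\(%(e[a-z]{2})\).*<=====", oops)
    disp = int(m.group(1) or "0", 16)
    base = m.group(2)
    ptr = regs[base]
    raw = ptr.to_bytes(4, "little")  # the pointer as it sits in memory on x86
    return {
        "base": base,
        "pointer": ptr,
        "explains_fault": (ptr + disp) & 0xFFFFFFFF == fault,
        "kernel_address": ptr >= PAGE_OFFSET,
        "ascii": all(b in ASCII for b in raw),
        "bytes": raw,
    }

if __name__ == "__main__":
    r = triage(OOPS)
    print("%s = %08x, bytes %r" % (r["base"], r["pointer"], r["bytes"]))
    print("base + displacement matches fault address:", r["explains_fault"])
    print("plausible kernel pointer:", r["kernel_address"])
    print("decodes as ASCII:", r["ascii"])
```

The pointer handed to `__free_pages` is not a kernel address and decodes entirely to ASCII bytes, which is consistent with the page pointer having been read from memory that was already released and reused for data.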

This archive was generated by hypermail 2b29 : Mon Jul 23 2001 - 21:00:13 EST