Re: Fix for thread+network crashes in 2.0/2.1?

Henner Eisen
Fri, 6 Mar 1998 01:51:27 +0100


A N Kuznetsov writes:

> Before "struct socket" is destroyed all the references from
> transport records (struct sock) are invalidated. If x25 does
> not make it, it is a bug in x25.

I've tracked down the bug now! It's in the x25_accept() method (and
it seems that the rose, ax25 and netrom stacks also suffer from the same

x.25 destroys sock->sk in the x25_release() method. But in the
x25_accept() method, it forgets to update the sk->socket and sk->sleep
fields of the accepted sk. This leaves two instances of struct sock
that both use the wait queue of the socket listen()'ed on. After the
listen()'ed socket is released, the wait queue pointer of the accepted
socket refers to the freed former inode of the released listen socket.


Here's a patch:

--- n2.1.88-i4ldev/net/x25/af_x25.c Tue Feb 24 20:13:58 1998
+++ n2.1.88-ix25/net/x25/af_x25.c Thu Mar 5 15:29:09 1998
@@ -714,6 +714,8 @@

newsk = skb->sk;
newsk->pair = NULL;
+ newsk->socket = newsock;
+ newsk->sleep = &newsock->wait;

/* Now attach up the new socket */
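
Review bot: The two added assignments carry no comment recording the invariant they restore, so a later reader of x25_accept() will not see the dangling wait-queue pointer they prevent; add a one-line comment above `newsk->socket = newsock;` saying the accepted sock is re-parented to its new struct socket so it no longer sleeps on the listening socket's wait queue. Since the covering mail says rose, ax25 and netrom omit the same update, consider putting the `sk->socket`/`sk->sleep` re-parenting in one shared helper rather than repeating the two lines per stack.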

I've tested with x.25 and the wait queue corruption problem has gone now!
The same patch should also work with the amateur packet radio sockets (just
different offset). If somebody observed wait queue corruption (often resulting
in total system lock up without any diagnostic output) after accepting
connections on such sockets, please try this patch, too.
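As an added illustration (not code from the mail or from the kernel), a user-space model of the struct socket / struct sock pairing described above: it shows the back-pointer invariant that the unpatched x25_accept() violates and how the two added lines restore it. Field names mirror the 2.1.x kernel's, but the structs are simplified stand-ins.

```c
#include <stddef.h>
struct wait_queue { int dummy; };   /* stand-in for the 2.1.x wait queue */

struct socket {                 /* BSD-layer socket, lives in the inode */
    struct wait_queue *wait;    /* the wait queue this socket owns */
    struct sock *sk;            /* forward link to its transport record */
};

struct sock {                   /* transport record */
    struct socket *socket;      /* back-pointer to the owning struct socket */
    struct wait_queue **sleep;  /* normally &socket->wait */
};

/* Accept path as the mail describes it before the patch: the child sock
 * (skb->sk in the kernel) keeps the back-pointers it got under the listener. */
static void accept_buggy(struct sock *newsk, struct socket *newsock)
{
    newsock->sk = newsk;
}

/* Accept path with the two assignments the patch adds. */
static void accept_fixed(struct sock *newsk, struct socket *newsock)
{
    newsock->sk = newsk;
    newsk->socket = newsock;
    newsk->sleep = &newsock->wait;
}

/* Invariant worth asserting after accept(): the sock's back-pointer and
 * wait pointer must both refer to the struct socket that links to it. */
int sock_links_consistent(const struct sock *sk)
{
    return sk->socket != NULL && sk->socket->sk == sk
        && sk->sleep == &sk->socket->wait;
}

/* Constructed scenario: listener socket/sock pair, child sock created under
 * the listener, then accept(). *shares_wait reports whether the child still
 * sleeps on the listener's queue (the corruption source once it is released). */
int accept_scenario(int apply_fix, int *shares_wait)
{
    struct socket listener = {0}, newsock = {0};
    struct sock lsk = { .socket = &listener, .sleep = &listener.wait };
    struct sock child = { .socket = &listener, .sleep = &listener.wait };
    listener.sk = &lsk;
    if (apply_fix) accept_fixed(&child, &newsock);
    else accept_buggy(&child, &newsock);
    *shares_wait = (child.sleep == lsk.sleep);
    return sock_links_consistent(&child);
}
```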
