kernel panic in if_ppp.c

Pavel Gulchouck gul at
Thu Apr 15 05:16:28 PDT 2004


I have a systematic kernel panic when using pppd; debug shows it's
in m_freem() called from ppp_inproc().
In the source code I've seen that in the "input queue full"
case there is "goto bad", when m is already freed by
IF_HANDOFF() or netisr_queue(), and after this goto the system
crashes on the second m_freem(m).
The system works correctly after fixing this bug.
Checking the condition "if (m)" after the label "bad:" in
line 1594 of net/if_ppp.c is senseless because m never
changes its value in the ppp_inproc() function.

Here's the patch.
Another way is to simply add "m = NULL" before "goto bad"
in line 1582.

RELENG_5_2 has this bug too.

--- net/if_ppp.c.orig	Wed Jan 21 20:05:38 2004
+++ net/if_ppp.c	Thu Apr 15 14:57:16 2004
@@ -1580,5 +1580,5 @@
 	    if_printf(ifp, "input queue full\n");
-	goto bad;
+	goto bad2;
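Review bot: the retargeted jump is the right fix only because IF_HANDOFF()/netisr_queue() already consumed (freed) the mbuf on the queue-full path, and nothing in the visible lines says so; add a one-line comment above `goto bad2;` such as `/* m already freed by the queue handoff */` so the next person editing this error path does not reintroduce the double free. Also, the hunk header `@@ -1580,5 +1580,5 @@` announces five lines but only three follow it here, so the patch as posted may not apply with patch(1); regenerate it with `diff -u` against a clean tree before committing.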
@@ -1592,6 +1592,6 @@
-    if (m)
-        m_freem(m);
+    m_freem(m);
+ bad2:
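Review bot: dropping the `if (m)` guard is sound only if every path that reaches `bad:` still owns a non-NULL mbuf, which the message argues but the hunk cannot show; the alternative the author mentions, setting `m = NULL` before the existing `goto bad`, keeps the guard and is more robust to future error paths, so consider that form instead. Separately, `bad2:` is placed after `m_freem(m);` but the hunk ends right at the label: in C a label must be followed by a statement, not a closing brace, so confirm that what follows `bad2:` in the full function (for example the `splx()` or `return`) is a statement. The header `@@ -1592,6 +1592,6 @@` also claims six lines while four are shown.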

                                Lucky carrier,
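The ownership hazard described in the message, modelled as an added example that is not FreeBSD code: a handoff routine that, like IF_HANDOFF()/netisr_queue(), frees the buffer itself when the queue is full, and two versions of the input function, one that jumps to a shared error label that frees again (the reported bug) and one that uses a second label past the free (the posted patch). All names (pkt_t, queue_handoff, ppp_input_buggy, ppp_input_fixed, run_scenario) are hypothetical. The free is tracked with a flag instead of calling free() so the double free can be counted rather than crash the process.

```c
/* Added example, not FreeBSD's if_ppp.c: a minimal model of the mbuf
 * ownership rule that the reported "goto bad" path violates.
 * All identifiers below are hypothetical stand-ins. */
#include <stddef.h>
#include <string.h>

typedef struct pkt {
    size_t len;
    int freed;              /* set by pkt_free(); a real free would be UB to repeat */
} pkt_t;

#define QUEUE_MAX 2         /* tiny queue so it fills on the third packet */

static pkt_t *queue[QUEUE_MAX];
static int queue_len;
static int frees;           /* successful single frees */
static int double_frees;    /* frees of an already-freed packet (kernel would panic) */

static void reset(void)
{
    queue_len = 0;
    frees = 0;
    double_frees = 0;
}

/* Stand-in for m_freem(): records a double free instead of crashing. */
static int pkt_free(pkt_t *m)
{
    if (m->freed) {
        double_frees++;
        return -1;
    }
    m->freed = 1;
    frees++;
    return 0;
}

/* Stand-in for IF_HANDOFF()/netisr_queue(): takes ownership of m.
 * On success it queues m and returns 1; on a full queue it frees m
 * itself and returns 0, so the caller must not touch m afterwards. */
static int queue_handoff(pkt_t *m)
{
    if (queue_len >= QUEUE_MAX) {
        pkt_free(m);
        return 0;
    }
    queue[queue_len++] = m;
    return 1;
}

/* Before the patch: the malformed-packet path and the queue-full path
 * share the "bad:" label, which frees m. Returns 0 on success, -1 on error. */
static int ppp_input_buggy(pkt_t *m)
{
    if (m->len == 0)
        goto bad;           /* m is still ours here, freeing it is correct */
    if (!queue_handoff(m))
        goto bad;           /* "input queue full": m was already freed */
    return 0;
bad:
    pkt_free(m);            /* second free on the queue-full path */
    return -1;
}

/* After the patch: the queue-full path jumps past the free via "bad2:". */
static int ppp_input_fixed(pkt_t *m)
{
    if (m->len == 0)
        goto bad;
    if (!queue_handoff(m))
        goto bad2;          /* callee already consumed m */
    return 0;
bad:
    pkt_free(m);
bad2:
    return -1;
}

/* Drive one input function through the same constructed scenario: fill the
 * queue, then deliver one more packet. Returns the number of double frees. */
static int run_scenario(int (*input)(pkt_t *))
{
    static pkt_t pool[QUEUE_MAX + 1];   /* constructed packets */
    reset();
    for (int i = 0; i < QUEUE_MAX + 1; i++) {
        memset(&pool[i], 0, sizeof pool[i]);
        pool[i].len = 4;
        input(&pool[i]);
    }
    return double_frees;
}

/* Single-free count after the last scenario: exactly one packet (the
 * overflow) should have been freed, once, in both versions. */
static int single_free_count(void)
{
    return frees;
}
```

Running run_scenario() with ppp_input_buggy reports one double free (the overflowing packet is freed by the handoff and again at bad:), while ppp_input_fixed reports none and still frees that packet exactly once; the zero-length path behaves identically in both, since there m is still owned by the caller.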
