<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><span style="font-family:arial,sans-serif">Hi Eric</span><br></div><div class="gmail_quote"><div dir="ltr"><div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">
The problem is as follows:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">br_del_if()-->del_nbp():</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">
<br></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">list_del_rcu(&p->list);</font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">dev->priv_flags &= ~IFF_BRIDGE_PORT;</font></div>
<div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif" color="#0000ff">------>at this point, the NIC being deleted still has an rx_handler, so it may be in br_handle_frame()</font></div>
<div class="gmail_default"><font face="arial, helvetica, sans-serif" color="#0000ff">------>br_port_exists() will return false, so br_get_port_rcu() will return NULL</font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif" color="#0000ff">------>so in br_handle_frame, there will be a null panic.</font></div>
<div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">netdev_rx_handler_unregister(dev);</font></div><div class="gmail_default">
<font face="arial, helvetica, sans-serif">synchronize_net();</font></div><br></div><div><br></div><div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I have checked commit <span style="font-family:arial,sans-serif;font-size:13px">00cfec37484761a44; I think it didn't fix this bug.</span></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Thanks.</div><br></div><div><br>
</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 12:55 PM, Eric Dumazet <span dir="ltr"><<a href="mailto:eric.dumazet@gmail.com" target="_blank">eric.dumazet@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Thu, 2013-06-20 at 11:08 +0800, xiaoming gao wrote:<br>
> From: newtongao <<a href="mailto:newtongao@tencent.com" target="_blank">newtongao@tencent.com</a>><br>
> Date: Wed, 19 Jun 2013 14:58:33 +0800<br>
> Subject: [PATCH] net bridge: add null pointer check,fix panic<br>
><br>
> In kernel 3.0, br_port_get_rcu() may return NULL when a network interface is being deleted from a bridge,<br>
> but in the functions br_handle_frame and br_handle_local_finish, the pointer is not checked before use,<br>
> so all br_port_get_rcu callers must do a NULL check, or a null pointer panic occurs.<br>
><br>
> Kernel 3.4 also has this bug, I have verified.<br>
> Mainline kernel still did not check br_port_get_rcu()'s NULL pointer, but I have not tested it yet.<br>
<br>
</div>Please check current version before sending a patch.<br>
<br>
This was most probably fixed in commit 00cfec37484761a44<br>
("net: add a synchronize_net() in netdev_rx_handler_unregister()")<br>
<br>
Thanks<br>
<br>
<br>
</blockquote></div><br></div>
</div></div></div><br></div>
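The teardown ordering described in this thread, replayed as a deterministic single-threaded user-space model (an added example, not kernel code and not part of the original mails). The struct layouts, return codes, the flag value and the choice to pass the frame up on a NULL port are assumptions of the model.

```c
#include <stdio.h>

#define IFF_BRIDGE_PORT 0x4000            /* flag value used by this model */
enum { RX_PASS = 0, RX_CONSUMED = 1, RX_WOULD_OOPS = -1 };

struct port { int forwarding; };
struct netdev {
    unsigned int priv_flags;
    int (*rx_handler)(struct netdev *);
    struct port *rx_handler_data;
};

/* Lookup as the mail describes it: NULL once IFF_BRIDGE_PORT is cleared. */
static struct port *port_get(const struct netdev *dev)
{
    return (dev->priv_flags & IFF_BRIDGE_PORT) ? dev->rx_handler_data : NULL;
}

/* Handler without a check; the model reports the NULL instead of crashing. */
static int handle_frame_unchecked(struct netdev *dev)
{
    struct port *p = port_get(dev);
    if (!p)
        return RX_WOULD_OOPS;             /* kernel code would read p->... here */
    return p->forwarding ? RX_CONSUMED : RX_PASS;
}

/* Handler with a NULL check; returning RX_PASS is this model's choice. */
static int handle_frame_checked(struct netdev *dev)
{
    struct port *p = port_get(dev);
    return (p && p->forwarding) ? RX_CONSUMED : RX_PASS;
}

/* Replays the teardown order; a frame arrives after step 1 or step 2. */
static int frame_during_teardown(int (*handler)(struct netdev *), int step)
{
    struct port p = { 1 };
    struct netdev dev = { IFF_BRIDGE_PORT, handler, &p };
    dev.priv_flags &= ~IFF_BRIDGE_PORT;   /* step 1: flag cleared */
    if (step >= 2) dev.rx_handler = NULL; /* step 2: handler unregistered */
    return dev.rx_handler ? dev.rx_handler(&dev) : RX_PASS;
}

int main(void)
{
    printf("%d %d %d\n", frame_during_teardown(handle_frame_unchecked, 1),
           frame_during_teardown(handle_frame_checked, 1),
           frame_during_teardown(handle_frame_unchecked, 2));
    return 0;
}
```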